September 11, 2017
Credit firm Equifax says 143m Americans’ social security numbers exposed in hack
Atlanta-based company says criminals accessed personal data, as details emerge that Equifax executives sold $1.8m in shares before telling the public
Credit monitoring company Equifax says a breach exposed the social security numbers and other data of about 143 million Americans.
After discovering the breach, but before notifying the public, three Equifax senior executives sold shares in the company worth almost $1.8m. Since the public announcement, the company's share price has tumbled.
The Atlanta-based company said Thursday that criminals exploited a US website application to access files between mid-May and July of this year.
It said consumers' names, social security numbers, birth dates, addresses and, in some cases, driver's license numbers were exposed. Credit card numbers for about 209,000 US consumers were also accessed.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," said the company's chairman and CEO Richard Smith. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."
The company said hackers also accessed some limited personal information from British and Canadian residents.
Equifax said it doesn't believe that any consumers from other countries were affected.
Such sensitive information can be enough for crooks to hijack people's identities, potentially wreaking havoc on the victims' lives.
Financial institutions, landlords and other businesses draw on data from credit monitoring companies like Equifax to verify people's identity and ensure they are suitable for leases and loans. This breach has given cybercriminals a treasure trove of data to assume the identities of those affected and carry out fraudulent transactions in their name.
"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do."
Ryan Kalember, from cybersecurity company Proofpoint, said: "This has really called into question the entire model of how we authenticate ourselves to financial institutions. The fact that we still use things like mother's maiden name, social security number and date of birth is ridiculous."
The breach could also undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.
Equifax discovered the hack 29 July, but waited until Thursday to warn consumers. In the interim, as first reported by Bloomberg, chief financial officer John Gamble sold shares worth $946,374 and president of US information solutions Joseph Loughran exercised options to sell stock worth $584,099. President of workforce solutions Rodolfo Ploder also sold stock worth $250,458.
Ines Gutzmer, head of corporate communications for Equifax, said: "The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares."
After the cybersecurity breach was made public, Equifax stock dropped more than 13% in after-hours trading following the announcement at 4.30pm ET.
The Atlanta-based company has set up a special website, where people can check to see if their personal information may have been stolen. Consumers can also call 866-447-7559 for more information.
As is customary when a business has a data breach, Equifax is offering customers free credit monitoring using its own breached service, a response that Kalember calls "utterly farcical".
"Every single one of us can assume that all our information is in the hands of cybercriminals," said Kalember, who recommended that people put a security freeze on their credit report. "It's a really onerous process to correct errors in your credit."
Senator Mark Warner, vice-chairman of the senate intelligence committee, described the breach as "profoundly troubling" and called for Congress to rethink data protection policies so that companies like Equifax have fewer incentives to collect large, centralised sets of highly sensitive data.
"It is no exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans," he said.
It's not the first time Equifax has been targeted by hackers. In 2013 the credit reporting agency (along with Experian and TransUnion) confirmed fraudulent and unauthorised access to the financial files of four high-profile individuals.
Equifax wouldn't name the individuals affected, but the confirmation of the cyber-attack came a day after hackers posted what they claimed to be the social security numbers, credit reports, former addresses and personal banking information of celebrities and politicians, including Paris Hilton, Michelle Obama, former FBI director Robert Mueller and former US attorney general Eric Holder.
The most common response when a corporate database gets hacked is for the business to offer a year of free credit monitoring, a better-than-nothing measure that will alert people to suspicious activity involving their credit files but will do nothing to prevent fraud, identity theft or other mischief.
This isn't the biggest data breach in history. Yahoo was targeted in at least two separate digital burglaries that affected more than 1bn of its users' accounts throughout the world.
But no social security numbers or driver's licenses were taken in the Yahoo break-in. Equifax's security lapse could be the largest involving the theft of social security numbers, one of the most common methods used to confirm a person's identity in the US. It eclipses a 2015 hack at the health insurer Anthem Inc that involved the social security numbers of about 80 million people.
Associated Press contributed reporting
Read more: https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security
November 27, 2017
Uber concealed massive hack that exposed data of 57m users and drivers
by MeDaryl • Cars • Tags: Hacking, technology, Uber, US news, World news
Company paid hackers $100,000 to delete data and keep the breach quiet, it emerged on Tuesday, as CEO says "I will not make excuses for it"
Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and regulators, the company acknowledged on Tuesday.
Uber also confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet, which was first reported by Bloomberg.
"None of this should have happened, and I will not make excuses for it," Uber's chief executive, Dara Khosrowshahi, said in a statement acknowledging the breach and cover-up. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver's license numbers of about 600,000 drivers in the United States. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.
In his statement, Khosrowshahi said the company had obtained assurances that the downloaded data had been destroyed and improved its security, but that the company's failure to notify affected individuals or regulators had prompted him to take several steps, including the departure of two of the employees responsible for the company's 2016 response.
Uber's chief security officer, Joe Sullivan, was one of the two employees who left the company, Bloomberg reported.
The company's failure to disclose the breach was "amateur hour", said Chris Hoofnagle of the Berkeley Center for Law and Technology. "The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach."
Under California state law, for example, companies are required to notify state residents of any breach of unencrypted personal information, and must inform the attorney general if more than 500 residents are affected by a single breach.
"The hack and the cover-up is typical Uber, only caring about themselves," said Robert Judge, an Uber driver in Pittsburgh, who said he had yet to receive any communication from the company. "I found out through the media. Uber doesn't get out in front of things, they hide them."
Uber said in a statement to drivers that it would offer those affected free credit monitoring and identity theft protection.
According to Bloomberg, the breach occurred when two hackers obtained login credentials to access data stored on Uber's Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was "unforgivable".
"That's just a complete misstep from an information security viewpoint," he added.
The New York state attorney general's office has opened an investigation into the data breach, a spokeswoman confirmed.
Uber's potential civil liability from the breach is complicated by the fact that the United States' various federal appellate courts are divided over how to treat data breach lawsuits. Some courts allow individuals to join class action lawsuits if they are simply at greater risk of having their identities stolen due to a breach, while other courts require plaintiffs to show that their personal information has actually been misused.
In June, health insurer Anthem settled litigation over a 2015 breach affecting 79 million people for a record $115m.
"Non-disclosure creates a practical risk in the hundreds of millions," said Hoofnagle, who noted that companies can pay third parties to handle the fallout from a security breach, including notifications, for fees in the tens of millions. "Here's the good news: drivers will finally squeeze money out of Uber."
The hack and subsequent concealment is just the latest in a string of scandals and crises that Khosrowshahi inherited from his predecessor, Travis Kalanick, who was forced out of the $68bn startup in June.
The year started out with the trend-setting #DeleteUber viral boycott campaign, which arose after the company was accused of exploiting a New York taxi drivers' work stoppage protesting against Trump's travel ban.
Then in February, former employee Susan Fowler published a blogpost alleging a pervasive culture of gender discrimination and sexual harassment at the company.
The next month saw a New York Times report that for years Uber had been running a secret program to systematically deceive law enforcement officials in cities where its service violated regulations. Officials attempting to hail an Uber during a sting operation were "greyballed"; they might see icons of cars within the app navigating nearby, but no one would pick them up.
Fowler's blogpost prompted Uber to commission an investigation of its workplace culture, and led to a public airing of the startup's considerable dirty laundry. The company had soared to its position as the highest-value startup and dominant ride-hail app by defying rules and regulations, but the post-Fowler reckoning saw at least 20 employees fired and the company acknowledge that it needed to change. It also led to the eventual ousting of Kalanick himself.
Khosrowshahi displayed the new conciliatory style in September when Transport for London decided not to renew its license to operate in London. "We've got things wrong along the way," the CEO said at the time. "On behalf of everyone at Uber globally, I apologise for the mistakes we've made."
Read more: https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack