Where the data is flowing: the consequences of the grandiose drain of Equifax
2017 was remembered for a series of serious leaks of personal data of users. The two most striking events of the second half of the year are the publication of information about the "drain" of a huge database of stolen passwords and an attack on one of the three main US credit bureaus - Equifax.
The organization did not report data theft to more than 140 million people for several months. The responsibility of Equifax for the incident and silence is still under discussion. Currently, US authorities are only recommending companies to notify customers of leaks.
But soon the situation may change - in January, the United States was introduceda bill that establishes fines for leaked companies. If he acted at the time of the "discharge", Equifax would have to pay over $ 1.5 billion.
Even if such a law is approved, it will not cancel the fact that the stolen data has already fallen into the hands of attackers. In this article, we will consider how leaked information is used against the will of their owners and what measures are taken to reduce damage to users. / Wikimedia / US Navy photo / CC
In 2016, the Bitglass security company presented the results of its study, “Where is your data?”. To track how stolen personal information fell into the hands of attackers, the company simulated a data leak from a fictional bank employee. According to the scenario, he allowed the discharge of an internal corporate document containing 1,500 credentials of company employees. Fake information leaked into the darkweb marked Bitglass, which allowed to determine the IP and country of residence of the potential buyer.
The company found that within a few days after the leak, the data spread to more than 20 countries on different continents. Every tenth owner of "stolen" information tried to log into Google services, access to which was "leaked." During the day, five attempts were made to enter the internal portal of a fictitious bank. Thus, Bitglass once again confirmed: personal and corporate data is a sought-after product for which there is a vast international market with high demand.
The Equifax situation is called the “worst leak of all time.” She touched on the basic documents that people use: social security numbers, credit cards and driver's licenses. In the wake of what happened was predictedthat the data will go on public sale in darkweb. Often, information enters the market months and even years after the leak, so after the recognition of Equifax, it was only left to guess when the personal data of tens of millions of people would “pop up”.
Not so long ago , the first messages from the "victims" of the leak began to appear . Hundreds of victims are about to sue Equifax. One of them told CBS News how she had received credit card notifications for two months that she didn’t even use. Someone made purchases on behalf of the victim, paid for hotel accommodation in Las Vegas, and she could only deal with the bills.
A similar scenario was unfolding after a serious leakfrom a large retail chain Target in 2013. Then, the information of payment cards of 40 million customers and other personal data of another 70 million people were “merged”. The situation was resolved due to the fact that payments made without the knowledge of cardholders were compensated by banks.
Information leaked from Equifax is called “Fullz” in the language of hackers , that is, a complete set of data. The approximate cost of the base exceeds $ 32 million. At the same time, the cost of personal information of different people may differ depending on factors such as credit history and bank account balance. Data can enter the market as fragmented, and in the format of the database easy to navigate as it happened in the case of largest aggregated database "fusion" passwords.
Brian Krebs (Brian Krebs), an investigative journalist, toldabout how stolen information is sold. There are clandestine forums where attackers trade in credentials and passwords from them. For relatively little money (in dollars or cryptocurrency), one can acquire other people's personal information here.
One of the participants in the popular exchange, discovered by Krebs, in the first seven months of 2017 earned over $ 288 thousand, selling accounts on average at $ 8.19 "apiece" to 9 thousand customers. At the same time, the service charged half the cost as a commission. Thus, the average value of the credentials exposed on the exchange is approximately $ 15. As Krebs found out, the service arranges the credentials in accordance with the credit rating, and the information of people with good credit history "goes under the hammer" for $ 150.
According toQuartz from 2015, on average, a pair of "credentials-password" on the black market was estimated at $ 20. Roughly speaking, over two and a half years, the assessment of personal data as a product decreased by 25%. Most likely, the dynamics between the sellers affected the dynamics.
/ Flickr / chad cooper / cc
Shortly after the drain, Equifax developed a separate portal where customers could check to see if their data was compromised. To do this, enter your last name and the last six digits of the social security number.
The company also canceled fees for the freeze loan procedure at the bureau and offered free one-year credit monitoring. This step prevents attackers from using the information for a year, but does not guarantee that one day, after the expiration of the offer, someone will not return to the information stolen earlier.
In December 2017, Umpqua Bank, with about 300 branches in five western states, established“Freeze day”, including in connection with the situation at Equifax. Thus, he encourages consumers to freeze their loans. Freezing does not allow hackers to open new accounts in the name of consumers. However, it will not help if someone tries to file a tax return on behalf of the victim or uses someone else’s health insurance without the knowledge of the owner.
It is worth noting that 2017 was a record year for the number of reflected cyber attacks. However, no individual or legal entity is fully insured against leaks. According to the US Department of Justice, identity theft costs the victim an average of $ 1,343. Obviously, someone has to pay for it.
Now in the US, reimbursement for expenses from a bank or company that allowed a "drain",comes in for a long time and in court. Therefore, more and more talk is coming about tightening liability for leaks.
New measures to protect users from the consequences of leaks can be taken in Russia - Vedomosti reports that by July it is planned to introduce compulsory insurance in the event of a "leak" for all personal data operators.
One way or another, insurance will not stop attackers from trying to use stolen data. Based on this logic, we recommend that you take care of protection on your own: implement two-factor authentication, use password managers and avoid reusing the same passwords on different sites and services. Equifax also has a list of recommended actions.. Including it includes regular check of bank statements, destruction of all unused documents containing personal information, safe storage of relevant documents and other tips.
By the way, here we have collected several recommendations on how to enhance the security of your personal data and gave sources for additional reading on the topic.
Three materials on the topic from our corporate blog 1cloud:
The organization did not report data theft to more than 140 million people for several months. The responsibility of Equifax for the incident and silence is still under discussion. Currently, US authorities are only recommending companies to notify customers of leaks.
But soon the situation may change - in January, the United States was introduceda bill that establishes fines for leaked companies. If he acted at the time of the "discharge", Equifax would have to pay over $ 1.5 billion.
Even if such a law is approved, it will not cancel the fact that the stolen data has already fallen into the hands of attackers. In this article, we will consider how leaked information is used against the will of their owners and what measures are taken to reduce damage to users. / Wikimedia / US Navy photo / CC
What happens to leaked data
In 2016, the Bitglass security company presented the results of its study, “Where is your data?”. To track how stolen personal information fell into the hands of attackers, the company simulated a data leak from a fictional bank employee. According to the scenario, he allowed the discharge of an internal corporate document containing 1,500 credentials of company employees. Fake information leaked into the darkweb marked Bitglass, which allowed to determine the IP and country of residence of the potential buyer.
The company found that within a few days after the leak, the data spread to more than 20 countries on different continents. Every tenth owner of "stolen" information tried to log into Google services, access to which was "leaked." During the day, five attempts were made to enter the internal portal of a fictitious bank. Thus, Bitglass once again confirmed: personal and corporate data is a sought-after product for which there is a vast international market with high demand.
The Equifax situation is called the “worst leak of all time.” She touched on the basic documents that people use: social security numbers, credit cards and driver's licenses. In the wake of what happened was predictedthat the data will go on public sale in darkweb. Often, information enters the market months and even years after the leak, so after the recognition of Equifax, it was only left to guess when the personal data of tens of millions of people would “pop up”.
Not so long ago , the first messages from the "victims" of the leak began to appear . Hundreds of victims are about to sue Equifax. One of them told CBS News how she had received credit card notifications for two months that she didn’t even use. Someone made purchases on behalf of the victim, paid for hotel accommodation in Las Vegas, and she could only deal with the bills.
A similar scenario was unfolding after a serious leakfrom a large retail chain Target in 2013. Then, the information of payment cards of 40 million customers and other personal data of another 70 million people were “merged”. The situation was resolved due to the fact that payments made without the knowledge of cardholders were compensated by banks.
How much is personal data
Information leaked from Equifax is called “Fullz” in the language of hackers , that is, a complete set of data. The approximate cost of the base exceeds $ 32 million. At the same time, the cost of personal information of different people may differ depending on factors such as credit history and bank account balance. Data can enter the market as fragmented, and in the format of the database easy to navigate as it happened in the case of largest aggregated database "fusion" passwords.
Brian Krebs (Brian Krebs), an investigative journalist, toldabout how stolen information is sold. There are clandestine forums where attackers trade in credentials and passwords from them. For relatively little money (in dollars or cryptocurrency), one can acquire other people's personal information here.
One of the participants in the popular exchange, discovered by Krebs, in the first seven months of 2017 earned over $ 288 thousand, selling accounts on average at $ 8.19 "apiece" to 9 thousand customers. At the same time, the service charged half the cost as a commission. Thus, the average value of the credentials exposed on the exchange is approximately $ 15. As Krebs found out, the service arranges the credentials in accordance with the credit rating, and the information of people with good credit history "goes under the hammer" for $ 150.
According toQuartz from 2015, on average, a pair of "credentials-password" on the black market was estimated at $ 20. Roughly speaking, over two and a half years, the assessment of personal data as a product decreased by 25%. Most likely, the dynamics between the sellers affected the dynamics.
/ Flickr / chad cooper / cc
What is the result
Shortly after the drain, Equifax developed a separate portal where customers could check to see if their data was compromised. To do this, enter your last name and the last six digits of the social security number.
The company also canceled fees for the freeze loan procedure at the bureau and offered free one-year credit monitoring. This step prevents attackers from using the information for a year, but does not guarantee that one day, after the expiration of the offer, someone will not return to the information stolen earlier.
In December 2017, Umpqua Bank, with about 300 branches in five western states, established“Freeze day”, including in connection with the situation at Equifax. Thus, he encourages consumers to freeze their loans. Freezing does not allow hackers to open new accounts in the name of consumers. However, it will not help if someone tries to file a tax return on behalf of the victim or uses someone else’s health insurance without the knowledge of the owner.
It is worth noting that 2017 was a record year for the number of reflected cyber attacks. However, no individual or legal entity is fully insured against leaks. According to the US Department of Justice, identity theft costs the victim an average of $ 1,343. Obviously, someone has to pay for it.
Now in the US, reimbursement for expenses from a bank or company that allowed a "drain",comes in for a long time and in court. Therefore, more and more talk is coming about tightening liability for leaks.
New measures to protect users from the consequences of leaks can be taken in Russia - Vedomosti reports that by July it is planned to introduce compulsory insurance in the event of a "leak" for all personal data operators.
One way or another, insurance will not stop attackers from trying to use stolen data. Based on this logic, we recommend that you take care of protection on your own: implement two-factor authentication, use password managers and avoid reusing the same passwords on different sites and services. Equifax also has a list of recommended actions.. Including it includes regular check of bank statements, destruction of all unused documents containing personal information, safe storage of relevant documents and other tips.
By the way, here we have collected several recommendations on how to enhance the security of your personal data and gave sources for additional reading on the topic.
Three materials on the topic from our corporate blog 1cloud: