Equifax takes down web page after report of new hack

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help website pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of more than 145 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

As of 1:15 p.m. (1715 GMT), the web page in question said: “We’re sorry… The website is currently down for maintenance. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.”

Equifax shares were down 1.2 percent at $109.18 in early afternoon trading.

Randy Abrams, the independent analyst who noticed the possible hack, said he was attempting to check some information in his credit report late on Wednesday when one of the bogus pop-up ads appeared on Equifax’s website.

His first reaction was disbelief, he said in an interview with Reuters on Thursday. “You’ve got to be kidding me,” he recalled thinking. Then he successfully replicated the problem at least five times, making a video that he posted to YouTube.

Equifax’s security protocols have been under scrutiny since Sept. 7 when the company disclosed its systems had been breached between mid-May and late July.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice, and it has led to the departure of the company’s chief executive officer, chief information officer and chief security officer.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

Reporting by John McCrank; Editing by Bill Rigby


Former Equifax chief apologizes to Congress over hack

WASHINGTON (Reuters) – The former head of Equifax Inc (EFX.N) apologized repeatedly on Tuesday at a congressional hearing for the theft of millions of people’s personal data in a hacking breach, saying it took weeks for the credit bureau to understand the extent of the intrusion.

Richard Smith retired last week but the 57-year-old executive led the company over the time of the hack, which Equifax acknowledged in early September.

Late on Monday, Equifax said an independent review had increased the estimate of potentially affected U.S. consumers by 2.5 million to 145.5 million.

In March, the U.S. Department of Homeland Security alerted Equifax to an online gap in security but the company did nothing, said Smith.

“The vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “I am here today to apologize to the American people myself.”

Equifax keeps a trove of consumer data for banks and other creditors who want to know whether a customer is likely to default.

Former Republican Senator Saxby Chambliss checks his watch as he and City of Pasadena Councilmember Steve Madison stand with Richard Smith, former chairman and CEO of Equifax Inc., prior to Smith’s testimony before House Energy and Commerce hearing on “Oversight of the Equifax Data Breach: Answers for Consumers” on Capitol Hill in Washington, U.S., October 3, 2017. REUTERS/Kevin Lamarque

Smith said both technology and human error opened the company’s system to the cyber hack, which has been a calamity for Equifax, costing it about a quarter of its stock market value and leading several top executives to depart.

A company employee failed to tell the information team that a software vulnerability which hackers could exploit should be fixed, Smith said. Then, a later system scan did not uncover the weak point.


Smith said he was notified on July 31 that “suspicious activity had occurred,” after security personnel had already disabled the web application and shut down the hacking. He said he only learned in the middle of August the scope of the stolen data.

On Aug. 2, the company alerted the Federal Bureau of Investigation and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

That timing could help dispel suspicions that three executives who sold stock on the first two days of August illegally used insider knowledge of the hack. Smith said the three “honorable men” did not know about the breach at that time.

Smith deferred to the FBI on questions of whether the hack had been sponsored by a nation-state.

“It’s possible,” he said when asked if the hackers were from another country.

Writing by Lisa Lambert and Patrick Rucker; Editing by Clive McKeef and Bill Rigby


The SEC Hack Shows That Not Even Top Government Data Is Safe

A major computer hack at America’s top stock market regulator is the latest sign that data stored in the highest reaches of the U.S. government remains vulnerable to cyber attacks, despite efforts across multiple presidencies to limit high-profile breaches that are so frequent many consider them routine.

In recent years, nation-state and criminal hackers, as well as rogue employees, have stolen data from the Internal Revenue Service, the State Department and intelligence agencies, including millions of government employee files allegedly exfiltrated by the Chinese military, U.S. officials say.

The Securities and Exchange Commission (SEC), America’s chief stock market regulator, said on Wednesday that cyber criminals may have used data stolen last year to make money in the stock market, making it the latest federal agency to grab headlines for losing control of its data.


At the same time, being only the latest major breach is not special, said Dan Guido, chief executive of Trail of Bits, which does cyber security consulting for the U.S. government.

“It simply reflects the status quo of our digital security,” said Guido, who is a former member of the cyber security team at the Federal Reserve, America’s central bank.

Central bank officials have detected dozens of cases of cyber breaches, including several in 2012 that were described internally as “espionage.”

The U.S. federal government has sharply increased funding dedicated to protecting its own digital systems over the last several years, attempting to counter what is widely viewed as a worsening national security liability.

But as one of the world’s largest collectors of sensitive information, America’s federal government is a major target for hackers from both the private sector and foreign governments.

“When you have one central repository for all this information – man, that’s a target,” said Republican Representative Bill Huizenga, chairman of the House subcommittee on Capital Markets, Securities, and Investment, which oversees the SEC.

Last year, U.S. federal, state and local government agencies ranked in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to benchmarking firm SecurityScorecard.

An update of the rankings in August showed the U.S. government had improved to third worst, ahead of only telecommunications and education.

“We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery,” said SEC Chairman Jay Clayton.

The federal government audits cyber security measures every year at top agencies, producing reports that routinely expose shortfalls and sometimes major breaches. The Federal Bureau of Investigation also looks for hacking attempts and helped spot an alleged intrusion by Chinese military-backed hackers into a major banking regulator between 2010 and 2013.

Weekly scans of government systems by the Department of Homeland Security showed in January that the SEC had critical cyber security weaknesses but that vulnerabilities were worse at three agencies, including the Environmental Protection Agency, the Department of Health and Human Services and the General Services Administration.

Some agencies said they had improved their cyber security posture since that report.


A GSA spokeswoman said the agency has not had any critical vulnerabilities in the past six months, and that the ones identified in January were patched in under 10 days.

A Department of Labor spokesman said all identified vulnerabilities had been fixed and that its systems were not compromised by the identified flaws.

But, he added, “addressing vulnerabilities associated with legacy systems can be challenging.”


LinkedIn zombie hack returns for your braaains

LinkedIn was hacked way back in 2012, but the leak of passwords four years ago wasn’t the end of the story. Another 117 million have turned up, and many of those old passwords still seem to be valid.

But surely, I hear you ask, LinkedIn invalidated those old passwords in 2012? Nope. That turns out not to be the case — LinkedIn only forced a reset of the 6.5 million leaked ones, for fear of inconveniencing the other users.

Initially, LinkedIn’s response this time was the same, but thankfully saner heads prevailed and the company’s finally doing the right thing.

In IT Blogwatch, bloggers also consider changing their email addresses. Your humble blogwatcher curated these bloggy bits for your entertainment.
