NEWS THIS WEEK: Equifax admits losing data for 143 million consumers; Symantec finds dozens of U.S. power plants compromised; Trump wants hacked email lawsuit thrown out

September 8th, 2017

By Byron V. Acohido

Credit-reporting agency Equifax said hackers gained access to sensitive personal data—Social Security numbers, birth dates and home addresses—for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for credit histories. Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes. Equifax also lost control of an unspecified number of driver’s licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its “core consumer or commercial credit reporting databases.” Equifax is one of the largest U.S.-based credit reporting agencies that collect and analyze detailed financial records for a wide range of consumers worldwide. Source: The Washington Post

SEC chief says smaller investors need more info on cyber crime, fraud

Regulators must do more to help mom-and-pop investors understand the risks posed by cyber crime and new technologies used to commit fraud, said Securities and Exchange Commission Chairman Jay Clayton. He said cybersecurity would be one of the top enforcement issues during his tenure at the head of the Wall Street regulator. “I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” he said. One concern relates to a rise in cases of information being stolen by hackers to gain some sort of market advantage. Other areas of focus include: ensuring financial firms take the appropriate steps to safeguard sensitive information; cyber-related disclosure failures; and the growing prevalence of “initial coin offerings (ICOs).” Source: Reuters

U.K. identity theft cases hit 500 a day

Identity theft has reached epidemic levels in the United Kingdom, with almost 500 cases per day, according to fraud prevention service Cifas. In the first six months of the year, there were a record 89,000 cases, almost exclusively online. The vast amount of personal data available on the internet combined with data breaches is making it easier for bad guys. Source: The Guardian

Woman must serve 54 months, pay $1 million in identity theft case

A Salinas, California, woman was sentenced to 54 months in prison for filing false tax returns, aggravated identity theft and making false statements to a federally insured institution. Court filings state that Elizabeth Calderon admitted she assisted in preparing and filing more than 4,000 federal income tax returns from 2010 to 2013, many of which improperly reported false credits, false expenses or deductions, false filing status or a combination. She was ordered to pay $1,036,547 in restitution. Source: The Californian

Be careful when donating to Harvey victims, DHS warns

The Department of Homeland Security issued an alert urging computer users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.” This activity could include fraudulent emails masquerading as charity donation requests that are designed to get targets to click on a malicious link. “Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites,” the alert says. Source: The Hill

European Commission proposes new safeguards for cybersecurity

The European Commission wants to bolster cybersecurity in the EU by increasing investment in technology, setting stricter consumer safeguards and stepping up diplomacy to deter attacks by other nations, among other measures. The commission is due to announce its proposals in a report later this month, a copy of which was obtained by Reuters. It also argues for greater national and law enforcement cooperation to halt incoming attacks. Source: Reuters

Hackers attack power companies, get deep into systems

In the past nine months, dozens of U.S. power companies were compromised by an organized hacking group to the extent that some of the attacks could have sabotaged and shut down production and distribution, according to Symantec, a cybersecurity company that discovered the attack. In some cases, this involved access to details about how the company operated, engineering plans and equipment, down to the level of controlling valves, pipes or conveyer belts, said Vikram Thakur, principal research manager at Symantec. “It could have taken out the business for a period of a day or two or maybe a month,” he said. Source: USA Today

Time Warner Cable customers’ data exposed through app breach

Charter Communications acknowledged it discovered a data breach that made the private information of some of its customers available to outsiders. Those affected were Time Warner Cable customers who used the My TWC app. The company says those still using the app should change their user names and passwords. About 4 million records were exposed, though that doesn’t mean that it involved 4 million individual customers. Source: The Hollywood Reporter

Apple, India can’t agree on anti-spam rule for iPhones

Apple’s refusal to approve the Indian government’s anti-spam iPhone app is infuriating regulators, potentially harming the company’s efforts to sell more products in the country. The Telecom Regulatory Authority of India has been trying unsuccessfully to get its Do Not Disturb software included in the App Store. The program lets people share spam call and text message logs with the agency, which uses the data to alert mobile operators to block the spammers. Apple has said the app violates its privacy policy, according to the regulator. Source: Bloomberg

Verizon offers rewards if customers share personal data

A new Verizon Communications rewards program asks customers to give the carrier access to their web-browsing history in exchange for credits for special events such as tickets to movie premieres. The program, dubbed Verizon Up, would give customers one credit—which can be redeemed against one reward—for every $300 they spend on their monthly bill. The telecom giant will then refer to users’ web browsing, app usage and device location to personalize the rewards. Source: New York Business Journal

Researchers hack Siri, Alexa, other voice assistants with ultrasonics

Researchers from China’s Zhejiang University found a way to attack Siri, Alexa and other voice assistants by feeding them commands in ultrasonic frequencies. Those are too high for humans to hear, but they’re audible to the microphones on devices. With the technique, researchers could get the AI assistants to open malicious websites and even your door if you had a smart lock connected. The technique is called DolphinAttack. Source: Engadget

President seeks dismissal of hacked email lawsuit

President Trump’s attorneys asked a judge to toss out a lawsuit that accuses his 2016 campaign of conspiring with Russian operatives to publish stolen Democratic National Committee information on WikiLeaks. The case, filed by two Democratic Party donors and a former DNC staff member, contends that the Trump campaign and Trump adviser Roger Stone invaded their privacy by working with Russia to disseminate hacked DNC emails and other campaign files. The plaintiffs failed to provide any “factual grounds” that the Republican campaign “conspired with Russian agents” to publish the stolen DNC data, the Trump attorneys said. Source: Politico

Many major corporations’ websites vulnerable to hack attack

With nothing but a web browser and an internet connection, attackers can hack the websites of at least 65 percent of Fortune 100 companies by exploiting a vulnerability that’s existed for nearly a decade, according to a report by security researchers. The vulnerability was discovered in open-source software package Apache Struts, which is a programming framework for building web applications in Java. “All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable,” according to researchers at the security firm lgtm. Source: Quartz

Instagram exposures much larger than first reported

A bug that exposed Instagram users’ contact information affected a far greater number of accounts than the company originally said. The bug allowed hackers to scrape email addresses and contact information for millions of accounts. While the company first said the hack was limited to holders of verified accounts, it now says that nonverified users were affected, as well. Hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search. Source: The Verge

This article originally appeared on ThirdCertainty.com