In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States. As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data. Most of the discussion in this section and the subsequent one comes from two documents: a detailed report from the U.S. General Accounting Office, and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation.

A top-level picture of how the Equifax data breach happened looks like this: the company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

US law enforcement may seek to delay the public disclosure of an incident, in which case the relevant agency would need to provide a written request for an extension, which can be granted for an additional 60 days beyond the initial 30-day window. In the latter case, contact details for the law enforcement agency would need to be supplied also.

Crucially, the amendment will only apply to security breaches that involve the theft of unencrypted data belonging to at least 500 consumers. In the original proposal, the drafting process for which started in October 2021, the thinking was that the amendment would apply to events in which 1,000 consumers or more were affected. The FTC ultimately reduced this to 500, but said it would likely only lead to the additional reporting of a small number of incidents a year – around 5 percent more that would, by the FTC's estimates, affect 155 extra organizations.

The 500-consumer cutoff broadly aligns with state laws around data breach reporting in the US. California, for example, requires similar disclosures to be made in the event that 500 state residents are affected by a breach, whereas the cutoff is set at 1,000 individuals in Alabama. Other states, like Colorado, have different rules for different cutoffs. Data breaches of any size must always be reported to the individuals who are affected, no matter how small the number, within 30 days. If the number of affected residents is between 500 and 999, notices must be sent to the Attorney General. For those that impact 1,000 or more, the organization must notify all consumer reporting agencies too.

The amendment will come into effect 180 days after it's published in the Federal Register. The date for this has not been set, but the rule will most likely come into effect in 2024. The Department of Homeland Security (DHS) has also recently published proposals to make the reporting of security incidents more streamlined at the federal level, including the recommendation for a single reporting portal.

The FTC's news comes just a few months after the Securities and Exchange Commission (SEC) announced its own mandatory breach reporting rules in July, but with a far stricter four-day window. Public companies that suffer "material" data breaches will be required to file an Item 1.05 Form 8-K report that includes details of the breach – similar information to that required by the FTC's latest amendment – which will be made public by the regulator. Experts speaking to The Register at the time expressed concern over US organizations' ability to determine materiality, saying compliance will be difficult to maintain as a result.