Earlier this month we released a list rounding up the major internet security breaches of 2017, from WannaCry to HBO's 1.5 terabyte leak to the Petya ransomware attacks. And of course we've already had another cyberattack since then. Read all about it here, after taking a few seconds to sigh heavily at the state of cybersecurity in 2017.
The Deloitte Breach
The Guardian broke the news this morning: Deloitte — one of the largest private firms in the U.S. — was hacked in an attack that went on unnoticed for months afterwards.
Deloitte is only admitting to a few clients having fallen victim to leaked information.
“So far, six of Deloitte’s clients have been told their information was ‘impacted' by the hack. Deloitte’s internal review into the incident is ongoing.
The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016,” The Guardian writes.
The weak spot? The firm’s global email server, which was accessed through an administrator’s account that did not have two-step verification. In other words, it wasn't as secure as many people's smartphones. Of all the ways a company should secure its information, that's a basic one.
What It Means
Stephen Cox, Chief Security Architect at SecureAuth, had this to say to TechCo in response to the Deloitte breach.
“The misuse of administrator credentials in the Deloitte incident is strong affirmation that identity is now at the center of information security,” Cox said in a statement. “We’re seeing breach after breach leveraging stolen credentials as an attack vector and even skilled information security practitioners are struggling with this threat. Part of the problem is a general lack of acknowledgement of the importance of identity security in relation to network and endpoint security; these are now the three pillars of security. We have highly distributed organizations across on-premise and cloud infrastructure. Identity is the glue that binds everything together.
Organizations should be rethinking their approach to identity security. The password is dead and even vanilla two-factor authentication is not enough. We must raise the bar with adaptive access control methods that apply risk analysis and introduce a biometric second factor, eliminating the utterly broken technology of password-based authentication.”
And More Equifax Facts
Meanwhile, the Equifax news continues to develop. The credit reporting company's leak was detected on July 29, 2017 and saw the breach of information from 143 million U.S. consumers, including names, Social Security numbers, addresses, birth dates, and even some drivers license numbers.
Now, news is out that the company had purchased ID Watchdog, an identification protection service, on August 10 — two weeks after they knew about the breach but a month before they disclosed it to the public.
“Denver-based ID Watchdog, founded in 2005, provides services like credit monitoring and identity theft notification for $15 to $20 per month. Equifax last month said it acquired the firm for $63 million without revealing at that time that its systems had been penetrated thus drastically enhancing the market for identity protection services,” Fortune explains.
Law enforcement officials in “about 40 states,” Fortune notes, are “investigating Equifax's behavior” leading up to and following the data breach. At the risk of making a pun so bad I'll become the target of a cyberattack, all these hacks are enough to make me wanna cry.
Read more about the tech world's security challenges here at TechCo