A Breach of Trust: The Aftermath of the Equifax Hack

Episode Notes

Transcript

Digital Detectives

A Breach of Trust: The Aftermath of the Equifax Hack

10/24/2017

[Music]

Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 84th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is The Equifax Breach: Death by a Thousand Cuts.

Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit HYPERLINK “http://www.pinow.com”pinow.com to learn more.

John W. Simek: We have no guest today; we are tackling this subject ourselves. We did have a guest, a litigator from a large firm, but a conflicts check suggested a conflict and as rightly noted a lot of large firms may have done work for Equifax. But since Sharon and I have been following Equifax breach with intense interest and of course have a few colorful opinions about it we decided to tag team each other.

Ready to tee me up with a question, Sharon?

Sharon D. Nelson: You bet John. Why don’t you give me a just the fact kind of review of the breach. What did happen? When was it made public? How many Americans had their records compromised and what caused the data breach? Does it appear the data breach was preventable?

John W. Simek: You want the Joe Friday version then.

Sharon D. Nelson: That’s exactly right.

John W. Simek: Just the facts ma’am.

Sharon D. Nelson: Yes sir.

John W. Simek: All right. Let’s start out with when it was first discovered. On July 29 of this year the Equifax security team, they noticed some suspicious things going on in the network, on their online Dispute Portal Application. So they spent the day kind of watching and taking a look at that, and then on July 30 they decided that something wasn’t quite right, so they took it down, and then they started to do an internal review.

They hired a cybersecurity firm Mandiant, who you are well aware of, on August 2, brought those guys in and realized after some time that they were analyzing it that the incident potentially impacted about 143 million US consumers. So I guess round number is about 44% of the population of the US. That’s what they discovered at that time. They made it public on September 7 and sent that notification out. So about 40 days later from the time they discovered it did they send out that notice.

Was it preventable? The short answer yes. The application that was vulnerable had a patch released, it was Apache Struts vulnerability, and that patch was available ever since March, but they just hadn’t gotten around to patching it. And as you know, that’s one of the big things that we are always preaching, make sure you always patch these things as soon as you can.

Sharon D. Nelson: Well, that doesn’t sound real good.

John W. Simek: Oh, it wasn’t. Now it’s your turn. So one of the more colorful, I think, stories that came out of the breach was the timing of the Equifax executives selling off stock before the breach was made public. You want to educate us on that Sharon?

Sharon D. Nelson: Yeah. Well, I would say it’s fair to say that Equifax is facing potential insider trading questions, at the very least, following the news reports that three executives sold stock worth about 1.8 million after the breach was discovered on July 29, but before the public breach notification was made on September 7. This was reported first by Bloomberg News, at least that I am aware of.

The three Equifax executives sold stocks in the company on August 1 and August 2, just days after Equifax discovered the breach. Now, the stock sales generated 946,000 and change for CFO John Gamble, 584,000 and change for US Information Solutions President Joseph Loughran; I may be mispronouncing that, who also exercised an option to purchase 3,000 shares at a price of 3,360 and generated $250,000 and change for Consumer Information Solutions President Rodolfo Ploder.

(00:04:51)

Equifax could not be immediately reached for comment, but MarketWatch, which reported all this said many executives set up a particular kind of plan to sell shares on a regular schedule in order to avoid accusations of insider trading. So I really was prepared to cut them a break and say maybe so. But such plans are typically detailed on the SEC filings. None of these executives’ SEC filings however said that the stock sales were prescheduled, so that made me go hmm. So there wasn’t — yeah, it made me go more than hmm, but hmm is what I can say publicly.

John W. Simek: Little suspicious, are you?

Sharon D. Nelson: Just a tad. Then there was a gentleman, who is the head of Corporate Communications for Equifax who told the British newspaper The Guardian the three executives who sold a small percentage of their shares on Tuesday August 1 and Wednesday August 2 had no knowledge that an intrusion had occurred at the time they sold their shares.

Now, I don’t know why I look at that with some cynicism, but let’s say I don’t know that they knew, I am sure a lot of people by that time knew and I would think people in the C-suite certainly would have known. But I can guarantee you that whatever the truth of the matter, the SEC is sure to investigate those sales.

John W. Simek: Hmm.

Sharon D. Nelson: And then John, it turns out there was a second breach. You want to relay the facts about that one.

John W. Simek: Yeah. They call it the second breach, but actually it was the first one.

Sharon D. Nelson: Right, yeah, yeah, they do call it the second breach, but you are quite right in terms of timing.

John W. Simek: Yeah, it occurred in March, or at least that’s the best guess right now, and it had to do with the, Equifax has a payroll division that provides online payroll, HR and tax services, and it had to deal with the potential compromise of some of their customers’ employee tax records.

And they brought Mandiant in back then in order to investigate it as well, but apparently what — as some of the details comes out as the “first breach a/k/a second breach is that the application really wasn’t secured that well. There was just a little more than like four digit PINs in order to access that application. They used some knowledge-based authentication as well, which is, I will get deeper into that later on about the actual breach that was just announced, but it’s really that kind of information that’s used for the tax refund frauds. So the identity theft and these guys, they gather that information, that payroll information and then they submit unauthorized tax refunds and get that money. So that’s kind of a common thing that the bad guys are doing these days.

But that’s when that account occurred and they found out — we actually found out about it because it was — they reported it to several of state’s Attorneys General, a much smaller set, if you will, of people and they weren’t really sure what the heck was going on at that point as far as the information compromised, if you will.

But the interesting thing about that second breach that occurred in March is it was at that point that they discovered that some of their web applications had that Apache Struts vulnerability and that was the time that they should have, if you will, and if they didn’t, they should have started running through all of their systems, and I think they did. Their IT folks started to patch the systems. They just didn’t get to them all. They didn’t get to them all in time certainly because we got this 143 million folks that are impacted now. So that didn’t go well.

Sharon D. Nelson: Not at all.

John W. Simek: So that’s — we are at what, we are at one, two, three bad things so far Sharon, is my count right?

Sharon D. Nelson: Yeah. And that’s why I titled it Death by a Thousand Cuts. It may not be a thousand, but for sure it was a lot and it looks like an awful lot of it was self-inflicted.

John W. Simek: So I know I heard you laughing as you listened to some of the tales of the Equifax getting sued, but that’s more your department. So let’s move to issue number four and tell us a little bit about that.

Sharon D. Nelson: Well, I guess this was kind of predictable. You didn’t exactly need a crystal ball to predict that the lawsuits would come fast and furious. So we are recording, just so folks know, we are recording in the latter part of September and this story is a moving target, so Lord knows what — by the time this goes public, Lord knows where we will be, but at this point there are at least 23 class action lawsuits. And as a big company they are — we are not a big company, but any big company knows that class action lawsuits, a single one is a pain, 23 is just a nightmare of nightmares.

And so far there have been dozens of lawsuits filed by shareholders, consumers and credit unions, 10,000 Canadians may have been impacted, so expect lawsuits there, and up to 400,000 people in the UK may have had personal data compromised, so I would expect suits from them as well.

(00:10:01)

We also have a chatbot now, the DoNotPay chatbot by Joshua Browder, who was named one of the ABA Legal Rebels for this year. And the chatbot will help you file a suit against Equifax for $15,000 just by walking through the steps. So I imagine that nobody at Equifax is a big fan of DoNotPay, which has been very successful in many other endeavors.

Recently Massachusetts Attorney General filed the first state lawsuit against Equifax, alleging that it knew about the vulnerabilities in its systems for months but failed to take action. As you might imagine, other AGs are also considering filing suits. So this is a variable mountain of lawsuits and I cannot imagine what the ultimate cost of battling all these suits simultaneously will be, but it’s going to be a bear.

John W. Simek: Well, and I love that chatbot thing too. I think he has only got, what is it, is it New York and California, those two states I think?

Sharon D. Nelson: I am not sure about that John. I knew about the capability, but not which jurisdictions, so you may be right, but he is forever expanding and it seems like he moves with the speed of greased lightning.

John W. Simek: Yeah. So it’s just — I think the website, if I remember right, says if you are not one of these two states, then come back soon.

Sharon D. Nelson: Well, when it comes to Joshua, when he says soon he means soon.

John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.

[Music]

John W. Simek: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit  HYPERLINK “http://www.pinow.com” www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is The Equifax Breach: Death by a Thousand Cuts.

John, I know the security wonks around the world and you, just to make this perfectly clear, are a security wonk yourself, but I know that some of them have had a lot to say. What is the gist of their take on this breach?

John W. Simek: I think generally folks that are taking a look at this, they are just shaking their heads saying, how could you have done this. The whole reaction, I mean it’s like — I don’t know, I walk away as I look at all this stuff and as I have been reading and following this, it smells like it’s a Three Stooges movie, I mean seriously. These guys running into each other and doing whatever, I don’t know, it’s a mess, but that’s my opinion.

Brian Krebs, as you know Brian, is a journalist for security issues and whatever, and he really digs down deep into all that stuff and he is not happy about it either, and has a lot of good information that he has posted out there.

But some of the security folks actually are trying to — when they have published things they have given Equifax a break, if you will. That original breach back in March just saying, well, maybe they didn’t really know. I know one guy even said that it wasn’t — taking a month to communicate the incident really isn’t all that long, and that was Rick Holland, the VP of Strategy at Digital Shadows.

But I don’t know, I think a month is — well, actually it was more than a month before they announced it, once they discovered what it was, but I still think that’s long. I would have thought at least something should have come out originally and said, we have got this, we are not really sure yet, that’s a better I think foot forward than —

(00:14:52)

Sharon D. Nelson: Well, especially given the numbers of people involved. This was so massive to just sit on it, even if it was legally permissible in some state, and we should offer a disclaimer, and I sort of did before that we know what we know today, we are reporting from reputable resources, nonetheless, these stories evolve and change over time and you find out new facts and what you thought was true isn’t true. So we are operating and reporting on the best and most credible sources that we can find up to this point, but this story will change over time in some respects, we know that.

John W. Simek: Well, I think to your point about the number of people that was there, I mean there was even one, who was it, Jeremiah Grossman, who is the Chief of Security Strategy at SentinelOne, he said “Equifax’s customer service and incident response may have been better if the potentially 143M people affected were customers-they’re not.”

I am sorry Jeremiah, and he is right, they are not customers. The people that are impacted are actually the product, because Equifax sells data and we are the data for them, but I don’t think that lightens the load of the responsibility at all.

So I thought that was an interesting quote that he had in trying to give Equifax a break, because we, the folks that were potentially impacted, we are not really the customers.

Sharon D. Nelson: Yeah, I am not so crazy about that way of thinking either.

John W. Simek: But I think generally, to answer your question, the wonks think it was poorly handled and certainly was preventable, as we know. Equifax has even admitted that. That’s certainly not going to help their case for those lawsuits you were just talking about

Sharon D. Nelson: No, it will not.

John W. Simek: So Sharon, what do you think, is there going to be any trouble expected for Equifax on Capitol Hill?

Sharon D. Nelson: Oh yes, oh yes, oh yes, oh yes. Already CEO Richard Smith, assuming he survives the carnage, is scheduled to testify before a House and the Senate Committee in October. And Senator Elizabeth Warren, who we know she persists in a big way, has launched an inquiry into the breach and introduced legislation that would allow consumers to freeze and unfreeze their credit for free.

So there’s a lot of turmoil about this going on, on Capitol Hill, and that’s just what I know today. Beyond Capitol Hill itself Equifax is being investigated by the Department of Justice and the FBI and the FTC has also announced a probe. So this is just a dust storm that’s growing in power, strength and velocity.

John W. Simek: Just to go along with the recent hurricanes, you mean?

Sharon D. Nelson: It sort of looks that way, absolutely. But it does seem to me that this whole breach was mishandled from day one. I mean, I don’t understand why they, at least at the beginning, appeared to be attempting to make people give up the right to file a lawsuit and go to arbitration and then they took it away, it was just a mess. Tell us that story John.

John W. Simek: Well, as I said earlier, they announced it on September 7 and folks started jumping on. They created this new website, new domain name so that you could go to it and essentially determine whether or not you were impacted, and maybe that’s why it took so long for them to announce, because they were trying to build all the stuff in place to allow these people to do this.

And that didn’t go well either, because the website that they put up there, they had a service that they called the, what is it, TrustedID?

Sharon D. Nelson: Yeah.

John W. Simek: And then as a result of this they changed and they wanted to do – rebrand it to TrustedID Premier, which carries these five different tools to it. But they purchased the domain like within a couple of weeks of when they made the announcement.

So to add insult to injury, once people started going there a lot of the browsers were considering this thing to be a phishing site and so they were blocking. You couldn’t even go to see whether or not you were impacted. And then if you did go to the site and you put your information in there, and I know I told you, once we heard about this, I even pumped in some wonky bunch of letters and then put six zeroes as a Social Security number, because that’s what it asks you to do, the last six digits of your Social Security number and to put your name in, I know when I first did it, it bounced back and said I was impacted. And now they have since fixed all that stuff.

But as far as the arbitration thing goes, some very clever folks that actually were reading the terms of service, which most folks just click, right, accept, and they actually screen capture, don’t you love screen capture stuff, so you can’t hide from the Internet. You can send a tweet out and delete it.

Sharon D. Nelson: Yeah, the minute I see something real squirrely, I do that screen capture.

(00:19:52)

John W. Simek: So within that screen capture of the terms of service, there was a clause in there basically, and I will read it, it was highlighted specifically, it says, “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.” Well, man, once the press and the bunch of folks saw that, they went ballistic, so it didn’t go well for Equifax.

They subsequently then clarified and said, no, no, no, no, we are not — that doesn’t apply to this particular incident and ya-di-da. And even if you go today and go and look at the terms of service, that entire section is gone. It’s no longer there. So there is no mention at all about arbitration or about litigation or any of that stuff that’s there.

So I lost count Sharon, are we up to number five or six now?

Sharon D. Nelson: Quite a few, quite a few.

John W. Simek: Maybe it’s seven, I don’t know. Anyway, your turn though is bottom line, how much has the Equifax stock fallen since the breach was revealed?

Sharon D. Nelson: Okay, remember that this will change over time, but according to a story published in the New York Times on September 23, the stock has fallen by 30%, and since we were also people who had our data compromised, there will be no tears from me.

John W. Simek: Wow, 30%, that’s — didn’t our 401(k) do that in 1986?

Sharon D. Nelson: Please, that’s a bad memory, let’s not go there John.

John W. Simek: All right. But before we move on to our last segment, let’s take a quick commercial break.

[Music]

Bob Ambrogi: Hi. This is Bob Ambrogi. I have been writing, podcasting and speaking about legal technology for over two decades. Monica Bay and I co-host a show called Law Technology Now, where we interview experts behind the newest legal tech. Tune in on iTunes, Stitcher or at  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com to learn why technology is improving the legal industry for lawyers, their clients, and everyone, as it brings us closer to access to justice for all.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal talk Network. Today our topic is The Equifax Breach: Death by a Thousand Cuts.

John, I think many folks listening want to know about whether they should freeze or lock their credit reports and probably don’t understand the difference, how much it costs, and if they should get identity thief protection from Equifax who has the TrustedID Premier program or another company. So tell us what your thoughts are and please also tell us about how it may be easy to obtain your PIN if you choose to use Experian.

John W. Simek: Yeah. Well, I guess let’s start with the credit monitoring and identity theft protection stuff. Equifax is offering that for free. It’s like any data breach in any company. I know, as you know, I got a free year from the Home Depot data breach, the credit protection stuff. But I feel that that’s kind of after the fact. So if there is some sort of a — and that’s the credit monitoring thing going on, the damage potentially has already been done. So it’s not a real strong thing. I mean it’s free, if you want to do it, fine, go ahead and do it.

More of the experts though are suggesting that you freeze your credit report, and freezing is different than locking. And I thought Brian Krebs did a really, really good job of describing the two differences. And primarily a credit lock is a service that the Equifaxs, the Experians, those folks of the world, they want to make you think that it’s a freeze. And what it does is it stops access to your credit reports, so people trying to make requests to them.

The lock is different than a freeze in that a lock allows some people to access your credit information. Typically they are going to be partners of Equifax or Experian or those guys, TransUnion, and where a freeze does not.

So it’s interesting that if you go to, I think it’s a Equifax site, and you try to put a credit freeze on, they continue to send you to pages that talk about credit locking and the free service that they offer, because it is free for them. But you as a consumer have less control over that credit data if you use their lock service as opposed to a freeze, where you freeze the data, nobody, not even their own third party guys that they do business with or affiliates or any of that, can access your information, your credit information unless you unfreeze it.

Now, it typically, depending on the state that you live, is going to cost anywhere from $5 to $20 to put a freeze on. It’s not a free process. Equifax is saying that it’s free now, if you put a freeze on your credit report with Equifax, they are not going to charge you, but they may charge you to unfreeze it and then refreeze it.

(00:25:04)

It’s only good for 12 months, so if you want to continue to lock down your, that’s a poor choice of words, to stop access to your credit data after you have done this freeze, you will have to renew it after that 12 month period.

But I think the major difference between the two is that the lock, as I said, gives access to your credit information, you are not stopping all people’s request from it; some selected folks can still access that as well.

When you do the freeze, then you either get a system generated PIN or you define what the PIN is in order to do the unlocking in the future. The problem with Experian’s way and how to — because not everybody can remember what the PIN is as an example, so they have this PIN retrieval mechanism that’s in place with them. And what you do is you go and you put in your information, your name, your first name, your last name, your address, your city, state, ZIP code, Social Security number, date of birth, email address for delivery of this information, et cetera.

And then you have to agree that the information that you are giving is true and accurate. So I don’t know about you, but call me crazy, that’s really going to stop a lot of data thieves, right, checking that box?

Sharon D. Nelson: Yeah, really.

John W. Simek: And then after you do that it asks from — KBA is what they call them, Knowledge-Based Answers, so things that supposedly you as the person requesting this would know. Oh, and by the way, that email address that you can put in, it doesn’t have to be your email address, it could be anybody’s, there is no validation to go back to check that it’s an email address that you previously used.

So when you ask the KBA the knowledge-based questions, which are pretty easy to get answers to, and I know you know I use the service Spokeo, which has a lot of information about people. I mean it’s a paid services, it’s not much. What is it, $30 for six months or something like that?

But as an example, some of the questions that were asked would say, select a city that you previously resided in. Well, if you would go to Spokeo, it has all that information for people.

Or another question would be, according to our records you previously lived on such and such a street. Please choose the city from the following list where that street is located? Well, that’s easy enough, right? You can do the same thing from some of these database tools.

Which people previously lived at the address that you put in there? What’s the model and year of the vehicle that you purchased or leased? So a lot of this information, the Knowledge-Based Answers, you can find those, they are available, they are already indexed or in databases, whatever, on the Internet. That’s how they found the secret question for Sarah Palin, right, to reset her email in order to get to it.

So it’s not a very secure method and you can just walk right in there and then get the PIN and once you have got the PIN for somebody, then you can unfreeze it and now you can go and apply for credit and do all this other stuff.

Sharon D. Nelson: It sounds like a wonderfully secured system.

John W. Simek: Not.

Sharon D. Nelson: Right.

John W. Simek: All right, finally then Sharon, nobody has ever accused you of not telling it like you see it. So give us some closing thoughts both for Equifax and for the public in general.

Sharon D. Nelson: Well, basically the public is screwed.

John W. Simek: Don’t sugarcoat it.

Sharon D. Nelson: I kind of hope that Equifax having been the cause of that is equally screwed. People who are familiar with the necessity of protecting a database like that held by Equifax, I mean they understand just how bad this is. It’s trouble that’s about as bad as it gets. And certainly Equifax is going to be beset by all sides.

Right from the beginning that website of theirs was supposed to allow customers to determine if they had been affected, it didn’t work properly. The company’s Twitter account accidently steered people toward a fake site, and when millions of consumers, as you said, went to freeze their Equifax credit files, some had to pay before the company waived their fees.

This is just a nightmare on both sides and it underscores what you and I talk about all the time, which this is not fear, uncertainty and doubt, this is not FUD. Look at how easy it is to get in to the deepest crevasses of our private lives and expose us to the kind of danger that’s out there today from cyber criminals, from nation states, from everybody.

So I guess the last thing I want to say is that I can’t believe that I am going to be quoting FOX News, because I never in my life thought I would quote FOX News, but FOX News added Equifax to its cyber hack hall of shame, so that’s the first entry if you go there. And that’s all I have to say about that. Bring us home John.

John W. Simek: All right, I am going to make sure that we get a snip of that closing so I can play it back for you later.

Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or in Apple Podcasts. If you enjoyed this podcast, please review us in Apple Podcasts.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cybersecurity services at  HYPERLINK “http://www.senseient.com” senseient.com.

We will see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.