The news cycle has been full of late: hurricanes, earthquakes, the tragedy in Las Vegas. As a result, many consumers and business leaders alike aren't fully apprised of the astonishing run of cybersecurity news (with the exception of Equifax) over the past weeks.
While the Equifax breach was and continues to be unfathomable, there have been other notable cyber "events." The U.S. Securities and Exchange Commission, the Big Four accounting firm Deloitte and the fast food chain Sonic have all disclosed sizeable compromises that were clearly eclipsed by the Equifax news. And in case you've been hiking in Nepal for the past little while, let's not forget that "gift that keeps on giving," a.k.a. the Yahoo breach. That one billion-account hack has now become a three billion-account hack. (Last time I checked, that represents almost one-half of the planet.)
While these latest compromises will continue to be discussed and hashed over in the cybersecurity community for months to come, the discussion needs to go mainstream in order to have real meaning.
Here are a few takeaways that should not get lost in the swirl of the now:
Like Equifax, the SEC took way too long to come clean. And had it not been for investigative journalists, Deloitte and Sonic may never have fully disclosed their respective breaches, and more news about the Deloitte compromise is coming out daily. Unfortunately, organizations continue to sweep breaches under the rug, if they can get away with it, despite existing data loss disclosure laws in 48 states (and 4 U.S. jurisdictions), and strict privacy regulations in Europe and Canada.
The SEC acknowledged that hackers got deep inside its EDGAR database in May 2016. EDGAR stands for Electronic Data Gathering, Analysis, and Retrieval. It's where the SEC stores routine public disclosures, such as annual and quarterly reports. Crucially, EDGAR also houses private filings relating to press releases, proposed mergers and acquisitions and other delicate matters that can impact stock prices.
SEC Chairman Jay Clayton issued a carefully worded statement that left room for later disclosures regarding further damage: "We believe the intrusion did not result in unauthorized access to personally identifiable information (PII), jeopardize the operations of the Commission, or result in systemic risk." Key word: "believe." We now know that the PII of at least two individuals was exposed.
Chris Pierson, chief security officer of payments security vendor Viewpost, spoke to me about the SEC breach.
"One has to assume these private files are in the zone of information likely to have been targeted and exfiltrated," Pierson says. "Private filings communicate deals that are about to happen or maybe not happen any longer. If someone was to buy or sell shares using this inside information huge profits could result. This is a direct financial motivation that would benefit both cybercriminals and nation states - either by their acting on the information or selling it for profit."
A step behind
We need to focus on the facts that matter. Disclosures are unreliable, but when it comes to data breaches, the outcomes are highly predictable. Every individual citizen and every organization, no matter its size, is profoundly injured when sensitive data gets diverted to the Dark Web.
The Deloitte breach reportedly occurred through the theft of the privileged credentials of an IT staffer who had super-user access. "Once in, the hackers had full access to client emails, passwords, and all manner of sensitive information," says Sanjeev Verma, founder and chairman of encryption services vendor PreVeil.
Ironically, Deloitte has branched out from accounting and tax services to high-end cybersecurity consulting. The UK-based firm advises some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies, including Uncle Sam, on how to protect their networks. Yet the Guardian reports that it lost the contents of email for clients across all those sectors.
"As with the recent Equifax breach, the Deloitte hack is indicative of a growing trend of breaches of enormous scale," observes Nir Gaist, co-founder and CTO of Nyotron, a supplier of managed security services. "Cyber criminals are constantly refining their techniques. Meanwhile much of the security industry is often at least one critical step behind."
National standards needed
Sonic confirmed reports that it sustained a credit card-related data breach, but like the SEC it has been sparing when it comes to details of the compromise. It has so far not indicated how many of its nearly 3,600 locations in 45 states were hit. But cybersecurity blogger Brian Krebs found strong evidence on underground forums of a fire sale of millions of payment card accounts stolen from the fast food chain.
"It's going to be the financial institution that . . . pays off the charges or replaces money in the customer's checking account, or reissues the cards, and all those costs fall back on the financial institutions," Dan Berger, president and CEO of the National Association of Federally Insured Credit Unions, told Krebs. "These big card breaches are going to continue until there's a national standard that holds retailers and merchants accountable."
At the end of the day, banks and credit unions get hurt the most, but they pass that hurt on to consumers by way of surcharges and less advantageous deals and offers.
Company executives and regulators have to get off their asses and make digital commerce as secure as it needs to be. Each of us has a shared responsibility with government and business to protect the community. We didn't ask for it. We don't want it. Still, we do share the burden for as long as government and business fail to protect us.
Perhaps now that Equifax and Deloitte have placed an exclamation point on the entire issue and regulatory roll-back efforts are a tad less in vogue at the moment, Congress will do what needs to be done and business will be more willing to change.