Another week goes by in the cyberverse, and the action continues in the world of cyber security. Some weeks remain relatively uneventful, but they seem to be very few. Still, it’s rare to have a “Category 5” week such as this. Like the Floridians who maintained their humor in the face of a storm the size of an entire state, we’ve gleaned the fun (and the lessons) in this week’s cyber chaos.
Equifax’s Epic Disaster
If you’ve not heard of the Equifax hack, you’ve probably had your head in the sand. But if you’ve ever had a credit card, applied for credit on anything at all, or otherwise even considered the idea of credit (which means you are anyone in the civilized world over age 18), you need to know about the Equifax disaster.
Equifax is a credit rating company, which means their customers are technically the people asking them for data on your creditworthiness. They have an enormous amount of data about everyone with any sort of credit history: names, addresses, aliases, credit card numbers, account locations, and more. To a certain kind of cyber criminal, that makes them a treasure trove.
But as Spider-Man fans know, with great power comes great responsibility. That’s where Equifax failed. On September 17th, Equifax announced a data breach affecting 143 million Americans. Considering there are fewer than 300 million adults in the United States, that’s about half of the population with personal information such as social security numbers and credit card numbers compromised.
Credit card dumps have happened before, but this is an unprecedented hack. Compromised credit card information gets sold on the cyber black market, often with credit limits and other sensitive data included. While general media coverage of how hackers get credit card information often focuses on one-on-one theft, the kind RFID-blocking wallets are meant to stop, the bigger threat can come from much further away, as in this infiltration.
Equifax blundered and threw Apache Struts under the bus, but according to research, the flaw had been patched months before the attack. Of all the many lessons learned from the breach, the most important might be this: always update systems immediately. So many headaches are avoidable.
A 911 Emergency
On a smaller scale, but alarming in a different way, comes a cyber attack on a Sheriff’s Department on US soil. The Schuyler County Sheriff’s Department experienced a disruption to 911 call facilities and had to rely on neighboring counties until the interruption could be resolved.
It brings to light two crucial points:
- That spear-phishing campaigns and other targeted attacks by remote attackers, such as state actors, can disrupt vital public operations, and
- That public infrastructure may not have as much cyber security protection as it has physical facility protection, or as private organizations have.
Considering the continued and dramatic increase in attacks targeting critical infrastructure, this is a 911 emergency.
No Light Threat
Speaking of threats to infrastructure… the concern for years has been a major power outage. What if remote threat actors could gain access to a power grid and turn out the lights, as they did in Ukraine (twice!)?
Well, that threat has become a reality. Continued attempts to gain access to US and UK power systems have proven successful, with threat actors even able to hijack the cursor of a mouse in front of a hapless onlooker. Clearly, this is no light threat, as power outages cost millions by the minute in business operations and safety.
To track, learn from, and get ahead of cyber threats, stay tuned each week to our cyber week in review.