Teach Cyber 2020 logo
NOVEMBER 04, 2020

The Teach Cyber Byte

In this week's Byte, we define the term "Data Breach" and take a quick look at one of the largest data breaches in history. Feel free to forward and share! (Please note: if you forward this to someone else and they click "unsubscribe", you may be unsubscribed from the mailing list.)

"Data Breach"

The term “data breach” generally refers to an unauthorized or unintentional exposure, disclosure, or loss of an organization’s sensitive information. This information includes personally identifiable information (PII) (e.g., Social Security numbers); protected health information (PHI) (e.g., medical records); proprietary information (e.g., company trade secrets); and financial information (e.g., credit card numbers). Data breaches can be very damaging!
PII, PHI, and Proprietary Information are forms of sensitive information.
What can happen when your sensitive information falls into the wrong hands? Imagine someone digitally impersonating you – they could use your stolen social media account login information to pose as you and post offensive content, seriously harming your reputation! Information gathered through a data breach can also be used to SIM-jack your phone: armed with your personal details, the perpetrator convinces your carrier to port your phone number to a SIM card they control, so the calls and text messages meant for you go to them instead. That includes the one-time codes that banks and other services send by text message and the password-reset links sent to your phone. Do you want the keys to all of your apps, accounts, and texts (including your bank accounts) in the hands of an adversary? Imagine the repercussions of another person gaining access to this!

In other instances, data breaches may lead to identity theft. Identity theft involves stealing another person's PII, usually for financial gain. Identity thieves use victims' PII to fraudulently apply for credit cards, loans, or bank accounts; to file taxes; or to obtain medical services. Victims of identity theft are often left with ruined credit, and it can take years to recover.

Now that we've defined the term "data breach", let's look at an example... The following breach affected nearly half of the U.S. population and has many serious long-term consequences, including the possibility of identity theft.

Equifax Data Breach (2017)

Equifax is one of the three major credit bureaus in the United States. Credit bureaus collect and store a huge amount of personal information, including where people live, whether they pay their bills on time, how much money they owe, and to whom they owe it. This information makes up a person's credit history and is used to assign that person a credit score. Credit scores are used by credit card companies, banks, landlords, and even some employers to approve or deny applications. Anyone who has a credit card, who has loans (including car loans and student loans), or who pays rent in the U.S. has a credit history; and it is virtually impossible to opt out of sharing your personal information with credit bureaus.

From mid-May through July of 2017, criminals accessed Equifax’s databases and took names, Social Security numbers, birth dates, and addresses for up to 147 million people. In some cases, driver’s license numbers and credit card numbers were stolen as well.

So, what caused the breach? In September 2017, Equifax disclosed that a failure to patch one of its Internet-facing servers against a widely publicized vulnerability (CVE-2017-5638, in the Apache Struts web application framework) was to blame. A patch that would have prevented the breach had been available since early March 2017, roughly two months before the intruders got in. Additionally, the breach went undetected for 76 days because a digital certificate on the device that inspected encrypted network traffic had expired. Without a valid certificate, the device could not decrypt and examine the traffic, so the attackers' activity, including the data leaving the network, passed through unseen.
Equifax waited six weeks after discovering the breach to disclose it to the public. Despite having that time to prepare a clear and comprehensive plan, its response was hurried and disorganized. The company set up its breach-response website under a brand-new domain (equifaxsecurity2017.com) that consumers had no easy way to distinguish from a scam site, and the site itself had multiple security bugs, some serious. The company's official Twitter account also mistakenly tweeted a link to a lookalike phishing domain, instead of the link to the real breach response page, four times.
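The two control failures above, an unpatched Internet-facing component and an expired certificate on the device that inspects encrypted traffic, are both things an organization can check for routinely. The following Python script is an added illustration for this Byte, not code from Equifax or from any investigation of the breach. It runs two checks over a constructed, hypothetical host inventory: whether an Apache Struts version predates the fixed releases for CVE-2017-5638 (2.3.32 and 2.5.10.1), and how many days remain on an inspection device's certificate. The host names, dates, and inventory format are invented for the example.

```python
"""Two hygiene checks modelled on the control failures in the Equifax breach:
patch lag on an Internet-facing Apache Struts component, and an expired
certificate on the device that inspects encrypted traffic.  Runs offline on a
constructed inventory; no real hosts are contacted."""
import ssl
from datetime import datetime, timezone

# First Apache Struts 2 releases that fixed CVE-2017-5638 (published March 2017).
# Anything on the same branch below these versions is vulnerable.
STRUTS_FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def struts_is_vulnerable(version):
    """True if this Struts version predates the CVE-2017-5638 fix on its branch.
    Returns None for a branch the table does not cover."""
    v = parse_version(version)
    fixed = STRUTS_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def days_until_expiry(not_after, now):
    """Days left on a certificate.  `not_after` uses the notAfter format that
    ssl.getpeercert() returns, e.g. 'Jul 29 12:00:00 2017 GMT'; a negative
    result means the certificate has already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    return (expires - now.timestamp()) / 86400


def audit(inventory, now, warn_days=30):
    """Return (host, finding) pairs for unpatched Struts and for expired or
    soon-to-expire inspection certificates."""
    findings = []
    for host in inventory:
        if "struts" in host and struts_is_vulnerable(host["struts"]):
            findings.append((host["name"],
                             f"Apache Struts {host['struts']} lacks the CVE-2017-5638 fix"))
        if "inspection_cert_not_after" in host:
            days = days_until_expiry(host["inspection_cert_not_after"], now)
            if days < 0:
                findings.append((host["name"],
                                 f"inspection certificate expired {int(-days)} days ago; "
                                 "encrypted traffic is not being inspected"))
            elif days < warn_days:
                findings.append((host["name"],
                                 f"inspection certificate expires in {int(days)} days"))
    return findings


# Constructed sample inventory: hypothetical host names and dates, not Equifax data.
REF_NOW = datetime(2017, 5, 13, tzinfo=timezone.utc)   # mid-May 2017, when the intrusion began
SAMPLE_INVENTORY = [
    {"name": "dispute-portal", "struts": "2.3.31"},      # vulnerable: below 2.3.32
    {"name": "intranet-app", "struts": "2.5.10.1"},      # patched
    {"name": "tls-inspector-1",
     "inspection_cert_not_after": "Jan 31 00:00:00 2017 GMT"},   # expired months ago
    {"name": "tls-inspector-2",
     "inspection_cert_not_after": "Jun 1 00:00:00 2017 GMT"},    # 19 days left
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY, REF_NOW):
        print(f"{host}: {finding}")
```

Run against the sample inventory, the script flags the Struts 2.3.31 host, the inspection device whose certificate expired 102 days earlier, and the device whose certificate runs out in 19 days. In a real environment the version strings and notAfter values would come from your asset inventory and from the inspection devices themselves; the point of the example is that both failures are mechanical to detect once someone is looking.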

In 2019, Equifax agreed to a settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau, and U.S. states worth up to $700 million for the breach. The FTC announced the settlement would include up to $425 million to help those affected by the breach. (Victims of the breach can file a claim for monetary losses or fees paid to recover from identity theft, or to compensate them for their time.[1]) However, in early 2020, the settlement was appealed, and there is no timeline for when it will be finalized. Until the settlement is finalized, no claims can be processed. It has been speculated that, in the end, victims who meet the settlement's criteria for a payout will receive $5.[2]

Questions to Consider: Is the Equifax settlement fair? Who bears responsibility for the breach? Who was harmed and to what extent?
Explore this data breach in the "Intro to the Challenge of Cybersecurity" course, Unit 1, Lesson 2 (free to registered users).

Students explore this and other attacks in the “Identifying the Attack” exercise. In this exercise, students identify the loss of confidentiality, integrity, and availability resulting from the attack; consider attacker resources; examine real-world impacts of the attack; and identify the cybersecurity measures (or lack thereof) that played a role in the attack.
[1] Federal Trade Commission. (2020, July). Equifax Data Breach Settlement. https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

[2] Frankel, Alison. (2019, November 15). Equifax settlement faces objection campaign by class action disruptor. Reuters. https://www.reuters.com/article/legal-us-otc-equifax/equifax-settlement-faces-objection-campaign-by-class-action-disruptor-idUSKBN1XL2LK