“It’s going to get worse before it gets better,” we wrote as 2016 became 2017, citing a Guardian article that had proclaimed our previous year as “The Year of the Hack,” and what it meant for the year ahead, and the years after that — like, for instance, that former “future” we’re living in now.
“Hacking is going to become a price that people pay for doing business over the internet,” the article said, “much in the same way that piracy was once a cost of doing business through shipping.”
And yes, we still have around 75 days or so before 2017 is through, but it turns out the Jolly Roger flew high this year, and continues to do so. Just make sure there’s no gunpowder in your beard!
And what was that piratical price the article worried about? Well, “the past year,” the article continued, “has seen the further evolution of established cybercrime trends”, according to Steven Wilson, head of Europol’s European Cybercrime Centre. “The threat from ransomware has continued to grow and has now expanded into sectors such as healthcare. Europol has also seen the development of malware targeting the ATM network, impacting cash services worldwide.”
So what’s actually happened since then, you ask rhetorically? Well, just about everything — including what is now the granddaddy of all hacks, whose fallout each of us with a credit card, a driver’s license, and a credit card (or two) will be living with for, well, perhaps for the rest of our lives. We refer of course to the Equifax breach, reported on here and at every financial news outlet across the planet.
By way of further update, in addition to losing all of the personal information on you that you never actually granted them permission to collect, it now turns out that just about everyone’s salary history may be at risk, too. As Krebs on Security reports, a payroll division of the now-compromised company “makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach.”
This same easily breached system eventually produces “two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities that have previously requested and viewed this information.”
All potentially part of involving you in a Philip K. Dick-like financial nightmare where someone can pretend to be you, applying for loans (then defaulting on them), filing for tax refunds, and oh so much more.
And speaking of personal and financial data filched — as we will be for a very long time, alas — the accounting firm Deloitte seems to be unsure just how extensive its own recent breach has been: “Sources with knowledge of the hack say the incident was potentially more widespread than Deloitte has been prepared to acknowledge and that the company cannot be 100% sure what was taken.”
According to a recent MSN article, “a host of clients had material that was made vulnerable by the hack, including:
• The US departments of state, energy, homeland security and defense.
• The US Postal Service.
• The National Institutes of Health.
• “Fannie Mae” and “Freddie Mac”, the housing giants that fund and guarantee mortgages in the US.”
Additionally, “football’s world governing body, Fifa, had emails in the server that was breached, along with four global banks, three airlines, two multinational car manufacturers, energy giants and big pharmaceutical companies.” The list, the article reports, was “far from exhaustive.”
Are there any remedies for any of this in sight? Originally, we wrote of the then-new administration that Pymnts.com said “controversy will abound” with any alleged solutions, since “the overall surveillance push — who is watching what and monitoring who is saying what, where and when is likely to be a centerpiece of Trump’s cybersecurity agenda… One tell is that the (then) nominee for the directorship of the CIA, Mike Pompeo, currently a Republican representative from Kansas, has stated support for strong surveillance measures. Both he and Trump’s attorney general nominee, Jeff Sessions, Republican senator from Alabama, have said they oppose at least some of the civil liberty protections set in place with the 2015 USA Freedom Act.”
But will any such opposition to civil liberties help protect digital data? Pymnts seems to think the jury is likely still out: “more germane to data protection (and, by extension, payments) are issues surrounding encryption. There’s scattered evidence about how Trump feels about the issue, tied to a few public statements.”
And now that we’ve had a “Category 5” breach mere months after that report? Well. “Senate Banking Committee Chairman Mike Crapoasked the heads of the Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency whether they have or need authority to help ensure credit bureaus are adequately protecting consumers’ information. ‘I am concerned there may be a gap with respect to supervision of credit reporting agencies for data security standards,’ the Idaho Republican wrote to Fed Chair Janet Yellen, Acting OCC chief Keith Noreika and FDIC Chairman Martin Gruenberg.
“Crapo’s letter suggests that lawmakers might consider giving the Fed, FDIC or OCC more prominent roles in regulating Equifax and its competitors. The Consumer Financial Protection Bureau is the only federal agency that currently supervises Equifax and has officials inside the company conducting exams,” the Bloomberg article reminds us.
Though in terms of tangible actions, the current administration has sought to defund the CFPB, and took one more step regarding Equifax since the breach: They’ve given them a contract to provide digital security for the IRS. That’s right.
As Politico reports, “the IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.” There’s more at the link, and no, this isn’t an April Fool’s post either.
FURTHER UPDATE: After we went to press on this update, the IRS announced that in the face of public pressure (and discovery of additional malware on its website!), that it was “temporarily suspending the $7.2 million, no-bid contract.” We shall see how long “temporary” means in this instance.
We will update you further as we head into 2018, and eventually review more of this year, too. Meanwhile, Halloween looms and the holiday season and shopping frenzy is upon us.
We’ll be reporting the economic indicators, the adoption of new payment technologies, and keep an eye out for those breaches. If we’re lucky, perhaps 2017 has given us its last surprises in the “hacking” department. But then again, it appears to be a year perpetually full of surprises.