Last month, we said that August felt a little quiet in terms of data breaches. We should have known better, because they came roaring back in September and made headlines all month long.
In September, one of the three largest credit agencies in the U.S. suffered a massive breach, potentially affecting 143 million consumers. We also saw hackers infiltrate the top U.S. markets regulator, and two other companies expose sensitive customer information through unsecured Amazon S3 buckets. It was a big month—one that left folks feeling a little uneasy about the security of their most personal data.
Here are the recent data breaches that were making headlines in September 2017:
Equifax
Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may have affected 143 million consumers. In the breach, which was revealed on September 7th, hackers gained access to the company’s systems from mid-May to July by exploiting a weak point in website software. According to USA TODAY, this breach happened “two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn’t update its software successfully when the danger became known.”
The breach was discovered by Equifax on July 29, 2017. At that time, it sought assistance from an outside forensics firm. Compromised data includes full names, addresses, dates of birth, credit card numbers, and other personal information.
U.S. Securities and Exchange Commission (SEC)
On September 21, the SEC issued a statement about cybersecurity that included details of a 2016 data breach. By exploiting a vulnerability in the Commission’s EDGAR system—an archive of financial records for companies listed on the U.S. stock exchange—hackers may have been able to obtain nonpublic information that could be used to profit from stock trades. The vulnerability had been found in 2016 and patched “promptly,” but in August 2017 the SEC learned that the incident “may have provided the basis for illicit gain through trading.” The vulnerability allowed access to nonpublic information, but the SEC does not believe there has been any unauthorized access to personally identifiable information.
TalentPen and TigerSwan
UpGuard, a cybersecurity firm, uncovered over 9,000 publicly available documents containing the personal information of job seekers with Top Secret clearance. The files, owned by private security firm TigerSwan, were in a folder labeled “resumes” on an unsecured Amazon server for just over six months.
After some investigation, it was found that a third-party vendor TigerSwan had previously worked with—TalentPen—had failed to take down the files after transferring them to TigerSwan in February. Instead of being removed once the transfer was complete, the files were left in an Amazon Web Services S3 bucket that required no password or other authentication to access, and they stayed there until August 24, 2017. On that date, Amazon contacted TalentPen and the files were taken down.
SVR Tracking
Towards the end of September, it was revealed that San Diego-based SVR Tracking had allowed more than half a million customer records to be exposed online. The service gives auto dealership and lot owners the ability to locate and recover vehicles—and that GPS information was among the data made publicly available via an Amazon S3 bucket. Other private data that became public included email addresses, passwords, license plate numbers, VINs, and a full history of everywhere each vehicle had been in the previous 120 days. Kromtech Security Center found the 540,642 records in an unsecured Amazon S3 bucket on September 18, notified SVR Tracking on September 20, and SVR secured the bucket within three hours.
Check back next month to stay up to date on the most recent data breaches.