Entry Title: WHID 2011-36: Credit report resellers settle with US FTC after
data losses
WHID ID: 2011-36
Date Occurred: February 3, 2011
Attack Method: Unknown
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description: As part of the Federal Trade Commission¹s ongoing
campaign to protect consumers¹ personal information, three companies whose
business is reselling consumers¹ credit reports have agreed to settle FTC
charges that they did not take reasonable steps to protect consumers¹
personal information, failures that allowed computer hackers to access that
data. The settlements require the companies to strengthen their data
security procedures and submit to audits for 20 years. These are the FTC¹s
first cases against credit report resellers for their clients¹ data security
failures.
³These cases should send a strong message that companies giving their
clients online access to sensitive consumer information must have reasonable
procedures to secure it,² said David Vladeck, Director of the FTC¹s Bureau
of Consumer Protection. ³Had these three companies taken adequate steps to
ensure the use of basic computer security measures, they might have foiled
the hackers who wound up gaining access to extensive personal information in
the consumer reporting system.²
According to administrative complaints issued by the FTC, the three
resellers buy credit reports from the three nationwide consumer reporting
agencies (Equifax, Experian, and TransUnion) and combine them into special
reports they sell to mortgage brokers and others to determine consumers¹
eligibility for credit. Due to their lack of information security policies
and procedures, the companies allegedly allowed clients without basic
security measures, such as firewalls and updated antivirus software, to
access their reports. As a result, hackers accessed more than 1,800 credit
reports without authorization via the clients¹ computer networks. In
addition, even after becoming aware of the data breaches, the companies did
not make reasonable efforts to protect against future breaches.
Mass Attack: No
Reference: http://www.ftc.gov/opa/2011/02/settlement.shtm
Attack Source Geography:
Items Leaked: Credit Records
Number of Records: 1,800