wasc-whid@lists.webappsec.org

WASC Web Hacking Incidents Database


WHID 2011-36: Credit report resellers settle with US FTC after data losses

WASC Web Hacking Incidents Database
Fri, Apr 15, 2011 5:07 PM

Entry Title: WHID 2011-36: Credit report resellers settle with US FTC after
data losses
WHID ID: 2011-36
Date Occurred: February 3, 2011
Attack Method: Unknown
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description: As part of the Federal Trade Commission's ongoing
campaign to protect consumers' personal information, three companies whose
business is reselling consumers' credit reports have agreed to settle FTC
charges that they did not take reasonable steps to protect consumers'
personal information, failures that allowed computer hackers to access that
data. The settlements require the companies to strengthen their data
security procedures and submit to audits for 20 years. These are the FTC's
first cases against credit report resellers for their clients' data security
failures.
"These cases should send a strong message that companies giving their
clients online access to sensitive consumer information must have reasonable
procedures to secure it," said David Vladeck, Director of the FTC's Bureau
of Consumer Protection. "Had these three companies taken adequate steps to
ensure the use of basic computer security measures, they might have foiled
the hackers who wound up gaining access to extensive personal information in
the consumer reporting system."
According to administrative complaints issued by the FTC, the three
resellers buy credit reports from the three nationwide consumer reporting
agencies (Equifax, Experian, and TransUnion) and combine them into special
reports they sell to mortgage brokers and others to determine consumers'
eligibility for credit. Due to their lack of information security policies
and procedures, the companies allegedly allowed clients without basic
security measures, such as firewalls and updated antivirus software, to
access their reports. As a result, hackers accessed more than 1,800 credit
reports without authorization via the clients' computer networks. In
addition, even after becoming aware of the data breaches, the companies did
not make reasonable efforts to protect against future breaches.
Mass Attack: No
Reference: http://www.ftc.gov/opa/2011/02/settlement.shtm
Attack Source Geography:
Items Leaked: Credit Records
Number of Records: 1,800