This article originally appeared in Information Security Buzz on February 14, 2019.
Cybercriminals found a way to penetrate Image-I-Nation Technologies, a North Carolina-based provider of software and hosting services that serves the three largest credit reporting services, including Equifax. The hackers had access to sensitive information, including Social Security numbers.
Expert comments below:
Tim Mackey, Technical Evangelist at Synopsys:
“This breach disclosure highlights just how little control individuals have over the security and location of their personal data – let alone the purpose the data might be used for. Regardless of media coverage, it is highly unlikely that most people will pay attention to a data breach at Image-I-Nation Technologies considering they likely never directly did business with the company. In essence this is a repeat of the shock consumers experienced with the Equifax breach in 2017 and which spurred in part the enactment of the California Consumer Privacy Act (CCPA). Given the CCPA comes into effect in less than a year, it would be illustrative to look at this breach through that lens.
“Organisations doing business in the state of California which process information on more than 50,000 devices, individuals or households and which derive more than 50% of their revenue processing personal data would be subject to the CCPA. Consumers would be required to receive notification of the nature of collected data and the purpose of collecting the data when providing any data. Upon request, the organisation would be required to disclose in a human consumable format the collected data, the sources for the data, and the business purpose for both processing and sharing that data. In the event of unauthorised access to consumer data, including as a result of a data breach, the CCPA provides consumers a right to bring suit against the organisation, including class-wide suits, and recover damages in an amount of not less than $100 per consumer per incident. While the number of California consumers impacted by the Image-I-Nation Technologies breach wasn’t disclosed, under CCPA it’s likely the potential civil suit would be substantial.
“Given the number of data protection laws appearing on the global stage, it’s clear that any business collecting or processing personal data needs to look closely at what data elements they collect, the purpose behind collection, the data retention policy and the consent obtained at the time of collection. Data warehouses with personal data are prime targets for malicious attacks. When the connection between consumer consent and the organisation storing the data is unclear, consumers are placed in a position where they can’t effectively manage and monitor their personal data. Only with greater transparency of data collection and processing practices can consumers effectively manage their digital privacy.”
Chris Olson, CEO at The Media Trust:
“If there is anything we’ve learned from the past few years’ breaches, third parties are an organization’s weakest links in the digital supply chain, and bad actors know it. It is therefore no surprise that the GDPR and, to some extent, California’s landmark consumer privacy law recognize the threats that third parties, unknowingly and otherwise, introduce. Since organizations are held at least partly responsible for their vendors’ actions, they should carefully vet the latter’s security and privacy measures and conduct periodic audits to close any security and privacy loopholes. As regulators ramp up their operations, they will no doubt make examples of high-profile violators of data privacy laws and impose penalties commensurate to those violations.”
Matan Or-El, Co-founder and CEO at Panorays:
“The hack into Image-I-Nation Technologies, which is connected to the big three credit reporting companies, is a perfect example of how cybercriminals are infiltrating the supply chain to steal data from large organizations. Hackers were able to target a third party in order to gain access to social security numbers, names and addresses of consumers from three credit reporting companies. This breach illustrates why it’s crucial for organizations to perform comprehensive risk assessments of all their supply chain partners, along with continuous monitoring to spot vulnerabilities.”