This article originally appeared in SC Magazine on February 13, 2019.
Image-I-Nation Technologies, Inc., which provides hosting services and software to consumer reporting agencies like Equifax, Experian and TransUnion, experienced a supply chain breach that left users’ personal information exposed for as long as two weeks.
Last Dec. 20, the company “discovered that there had been unauthorized access to our database containing the personal information of individuals who had a consumer report through our system at some point in the past,” according to a breach notification filed with the Montana Department of Justice, noting that the incident occurred between Nov. 1-15, 2018.
“Based on our investigation, we have determined that the personal information that was potentially accessed could have included first and last names, dates of birth, home addresses, and Social Security numbers,” the company, which is owned by FRS Software, said.
“The hack into Image-I-Nation Technologies, which is connected to the big three credit reporting companies, is a perfect example of how cybercriminals are infiltrating the supply chain to steal data from large organizations, said Matan Or-El, co-founder and CEO of Panorays.
Image-I-Nation has reviewed its inner workings and has implemented enhanced security measures. It has also notified the major credit bureaus and attached a copy of the Federal Trade Commission’s “Information About Identity Theft Prevention” to its notices for guidance.
“This breach disclosure highlights just how little control individuals have over the security and location of their personal data – let alone the purpose the data might be used for,” said Tim Mackey, senior technical evangelist at Synopsis. “Regardless of media coverage, it is highly unlikely that most people will pay attention to a data breach at Image-I-Nation Technologies, considering they likely never directly did business with the company.”
Data warehouses that store personal data “are prime targets for malicious attacks,” but the connection between the company and consumer might be “unclear” so “consumers are placed in a position where they can’t effectively manage and monitor their personal data, he said.
Attorneys general from 31 states recently asked the FTC to update its Identity Theft Rules. Noting the proliferation of identity theft and consumers’ inability to divine how information stolen from breaches is being used, the AGs said that the rules – also known as the Red Flags Rule and the Card Issuers Rule – “appropriately place the burden on certain entities to detect, prevent and mitigate identity theft.”
This latest breach is essentially “a repeat of the shock consumers experienced with the Equifax breach in 2017 and which spurred in part the enactment of the California Consumer Privacy Act (CCPA),” Mackey said, opining about how the Image-I-Nation might look through the lens of that legislation.
“While the number of California consumers impacted by the Image-I-Nation Technologies breach wasn’t disclosed, under CCPA it’s likely the potential civil suit would be substantial,” said Mackey. The law allows consumers the right to sue the breached organization.
“Third parties are an organization’s weakest links in the digital supply chain, and bad actors know it. It is therefore no surprise that the GDPR and, to some extent, California’s landmark consumer privacy law recognize the threats that third parties, unknowingly and otherwise, introduce,” said The Media Trust CEO Chris Olson. “Since organizations are held at least partly responsible for their vendors’ actions, they should carefully vet the latter’s security and privacy measures and conduct periodic audits to close any security and privacy loopholes.”
He warned that regulators will likely make examples of high-profile organizations that violate privacy laws and pose stiff penalties.
Or-El urged “organizations to perform comprehensive risk assessments of all their supply chain partners, along with continuous monitoring to spot vulnerabilities.”