|
Post by Boomzilla on Jun 17, 2023 17:05:45 GMT -5
It's been recently announced that the Louisiana Department of Motor Vehicles has been hacked in a massive data breach. The potential for identity theft, and subsequent financial loss is virtually unlimited. Every driver and ID holder in the State now has the following information in the hands of the hackers:
Full names Social Security numbers Height Weight Eye Color LA Drivers License numbers Address Date of Birth Gender Signature Blood Type Endorsements Restrictions Living Will status Organ Donor status Photograph
I fail to comprehend how the Louisiana DMV can lose such detailed personal information on every licensed driver and ID holder in the State without some civil (and/or criminal) liability being introduced.
One might argue that the (presumably Russian) hackers who stole the data should be liable, and that's undeniably true. One might also argue that the MOVEit software company shares liability because they could have identified the potential for data loss and closed the vulnerabilities in their software (and if they didn't, they certainly should have).
The next argument is that the State of Louisiana should be partially (if not mostly) liable because they should not, in the first place, have collected and stored the (totally unnecessary) volume of data that they did, and in the second place, should have been more diligent in identifying and preventing data loss.
There is virtually no doubt that innocent victims have been (or will be) harmed by this data breach. The law promises redress to citizens for such harm. Where is that redress in this situation?
|
|
|
Post by jjkessler on Jun 17, 2023 17:52:39 GMT -5
The way we verify identity is dated and really needs to change. Started getting 100’s of emails a day (raunchy to flat out phishing) after the T-Mobile hack all from the same domain which, Apple isn’t allowing entire domain blocking in their email service
|
|
|
Post by AudioHTIT on Jun 17, 2023 19:12:18 GMT -5
It's been recently announced that the Louisiana Department of Motor Vehicles has been hacked in a massive data breach. The potential for identity theft, and subsequent financial loss is virtually unlimited. Every driver and ID holder in the State now has the following information in the hands of the hackers: Full names Social Security numbers Height Weight Eye Color LA Drivers License numbers Address Date of Birth Gender Signature Blood Type Endorsements Restrictions Living Will status Organ Donor status Photograph I fail to comprehend how the Louisiana DMV can lose such detailed personal information on every licensed driver and ID holder in the State without some civil (and/or criminal) liability being introduced. One might argue that the (presumably Russian) hackers who stole the data should be liable, and that's undeniably true. One might also argue that the MOVEit software company shares liability because they could have identified the potential for data loss and closed the vulnerabilities in their software (and if they didn't, they certainly should have). The next argument is that the State of Louisiana should be partially (if not mostly) liable because they should not, in the first place, have collected and stored the (totally unnecessary) volume of data that they did, and in the second place, should have been more diligent in identifying and preventing data loss. There is virtually no doubt that innocent victims have been (or will be) harmed by this data breach. The law promises redress to citizens for such harm. Where is that redress in this situation? It does sound pretty serious and certainly unfortunate, there have been far too many data breaches over the years (and a rash of ransomware this week too). Like past breaches, credit monitoring for some time (or life) is usually a partial redress, and compensation for time spent dealing with the resulting ‘issues’, but it’s all a lot of trouble. Certainly nothing any public entity, nor those it serves needs. I imagine you’ll be getting email regarding a class action lawsuit sometime soon. Sorry for your ‘loss’. If you’re an organ doner I might want to get in line for those golden ears 👂
|
|
|
Post by LuisV on Jun 17, 2023 21:27:40 GMT -5
In this day and age, this is unfortunately very common. Even if you think your data isn't exposed, it's only a matter of time.
|
|
|
Post by novisnick on Jun 18, 2023 0:39:45 GMT -5
Im in the same boat as Boomzilla and we don’t have a peddle! And the government wants to put all our finances on computers and do away with paper money? Hard Pass please! When that happens we are no longer citizens but become civilians! There is a huge difference and they’re already caling us such!
|
|
|
Post by Boomzilla on Jun 18, 2023 9:53:54 GMT -5
Until there are financial, legal, civil, and criminal penalties for data loss that are commensurate with the value of the data lost, there will continue to be hacks. The only way to persuade data holders (governmental or private) to put enough security on customers' data to prevent loss is to make the loss of data more expensive than paying to secure it.
Data CAN be secured from hackers. Doing so is merely a matter of prioritizing that security.
|
|
|
Post by LuisV on Jun 18, 2023 10:07:07 GMT -5
If you haven't done so, freeze your credit at the 3 bureaus; it's simple and only takes a few mins at each website. Most banks provide free credit monitoring, so check your bank for more details. Most importantly, never ever reuse a password nor log on ID between websites nor apps; use a password app like 1Password instead. Consider using 32 character passwords as a minimum as well as enable two factor authentication where available. The only password I know is the one for my password app; the rest, only the app knows them. I change the PWs for banking apps / websites once a quarter. Yes... somewhat very inconvenient, but it only takes one data breach to cause you major grief.
|
|
|
Post by LuisV on Jun 18, 2023 10:35:01 GMT -5
Until there are financial, legal, civil, and criminal penalties for data loss that are commensurate with the value of the data lost, there will continue to be hacks. The only way to persuade data holders (governmental or private) to put enough security on customers' data to prevent loss is to make the loss of data more expensive than paying to secure it. Data CAN be secured from hackers. Doing so is merely a matter of prioritizing that security. I agree something needs to be done... but it's kinda difficult to impose criminal penalties on those you can't or will never find or if they outside of one's jurisdiction. Folks always blame Russia or China, but it's not always the case with hacking. Data can only be protected up to the point where as a vulnerability is exploitable... these vulnerabilities will always exist as nothing is perfect... it's only a matter of time before something is or can be exploited as tech evolves, so do the methods of exploitation. The main concern from an IT perspective is to minimize the attack surface area, and then what can be done to protect the next layer behind that initial attack surface... rinse and repeat until a connection is needed to that data set. The only way to secure data from "hackers" is to never have data in the first place. Regardless if you expose the data to the internet or not, any data is exploitable... for instance, it only takes one rogue postal worker to open a bank statement or mailed in tax return, one home intruder to rifle through your file cabinet, etc. etc. Sorry to say, but data can only be secured until that next vulnerability / exploit is uncovered.... it's how fast you react to that exploit that truly matters. Sad to say, but yes it's a never ending battle...
|
|
|
Post by Boomzilla on Jun 18, 2023 10:53:20 GMT -5
...Data can only be protected up to the point where as a vulnerability is exploitable... I agree, but data aggregators have had no incentive (previously or now) to invest in minimizing vulnerabilities. They'll buy a software package, and rely solely on the "security" of the package instead of adding more layers of protection unique to their own company and data. This makes it EASY for hackers - crack the software package and all the data used by each and every one of that software company's clients is yours. You're right that you can't penalize or hold accountable any malefactors that aren't in your jurisdiction - but that's just an easy way of passing the buck. If YOU (the company, or governmental entity) are the one collecting the data in the first place, then YOU hold the primary responsibility of keeping that data secure. Until the data collectors are held accountable for the security of the data they collect, this WILL keep happening. Put a few CEOs and IT managers in prison and see how quickly data security improves. Put a few multi-million to trillion dollar penalties on agencies and companies that lose data and see how quickly data security improves. If the only penalty for data loss is a slap on the wrist and temporary bad publicity then there'll never be a significant internal budget for data security.
|
|
|
Post by LuisV on Jun 18, 2023 11:11:05 GMT -5
Working with such data scientists and forensic specialists for decades, I can only speak for the ones I have worked with, each has had data integrity and security as their top priority.
Believe me when I say, that I agree with you, but those in power, regardless of position within the government, public or private sector, they will never be truly held accountable. My recommendation is to make sure that you limit your attack surface as that is much easier to control over anything else.
|
|
|
Post by novisnick on Jun 18, 2023 20:27:18 GMT -5
Until there are financial, legal, civil, and criminal penalties for data loss that are commensurate with the value of the data lost, there will continue to be hacks. The only way to persuade data holders (governmental or private) to put enough security on customers' data to prevent loss is to make the loss of data more expensive than paying to secure it. Data CAN be secured from hackers. Doing so is merely a matter of prioritizing that security. Reminds me of the phrase, “I’d rather ask forgiveness then ask for permission.” Make them pay, but ultimately you must attach the Executive bonuses to the penalty or we will be footing the bill for security!
|
|
|
Post by Boomzilla on Jun 18, 2023 21:00:15 GMT -5
Working with such data scientists and forensic specialists for decades, I can only speak for the ones I have worked with, each has had data integrity and security as their top priority... But did they have the RESOURCES they really needed to implement those priorities? I bet the vast majority of them would answer “not really.”
|
|
|
Post by LuisV on Jun 18, 2023 21:07:10 GMT -5
At the corporations I've had the pleasure working at, yes, they have had both the resources and funding required.
|
|
|
Post by wilburthegoose on Jun 19, 2023 6:32:00 GMT -5
Keep in mind that this was a zero-day attack on software from Progress called MOVEit. The only way to defend against zero-days is usually for the software company (Progress Software, in this case) to release a patch and then to apply the patch.
Until that patch was published, the only defense was to stop using MOVEit. Easier said than done if it's critical to your business. Unfortunately, the State of Louisiana (and many others) determined that the risk was within their risk appetite.
Problem is that organized crime is so well equipped these days to jump on zero-days and to use their exploits to make money. This isn't the 1990's kid wearing a hoddie in his mother's basement.
|
|
|
Post by Boomzilla on Jun 19, 2023 8:09:59 GMT -5
...Unfortunately, the State of Louisiana (and many others) determined that the risk was within their risk appetite... And therein lies the problem. Since there's no penalty for data loss, the State's "risk appetite" is determined by "who is the low bidder?" Since the software vendor undoubtedly has liability limitations written into their contract with the State, there's no financial incentive for MOVEit Software company to do any exploit testing on their software beyond the minimum required. The fact that a State-sponsored hacker can find a vulnerability to exploit means that the software company COULD have found that vulnerability themselves and patched it BEFORE it was used to steal data. I refuse to believe that a bunch of hackers in Russia are smarter than a group of IT students at any of our major universities. There are annual, international student competitions to find ways to invent the fastest algorithm for performing specific tasks. Students from the U.S. occasionally win. Shouldn't software companies be sponsoring teams of students in trying to hack their own software? Even a modest monetary prize to successful teams would allow the software companies to stay ahead of malefactors. And if software companies ARE doing this, they're obviously not doing it enough. So, let me summarize - Considering the damage that data loss does, there is absolutely NO EXCUSE good enough for allowing it to happen. Reactive "patches" to close already-exploited vulnerabilities are NOT good enough. Software companies and entities that store data can and must be more proactive in preventing data loss. Finis.
|
|
|
Post by wilburthegoose on Jul 29, 2023 7:09:13 GMT -5
By the way, do a Google for "Bug Bounty".
|
|
|
Post by 405x5 on Aug 1, 2023 12:59:39 GMT -5
Massive data hack is only massive if you give a rats ass about it. Now I’m gonna go wash my car.
|
|
KeithL
Administrator
Posts: 10,269
|
Post by KeithL on Aug 1, 2023 15:28:48 GMT -5
I'm with you there... None of this information is really "secret". When I went to college my Social Security number was used for both my college ID number and my library card... This is obviously all information that would be found on a Driver's License... At one time, all of that information was "publicly available"... And it is still readily available today for pretty much anyone who works at the DMV... And I'm pretty sure you don't need Top Secret clearance to get hired by the DMV... (And can you imagine what it would cost to get a Driver's License or Car Registration if every employee at the DMV DID require security clearance?) I also distinctly recall what my original, official, government issue, Social Security card looked like... It was paper, with no picture, and big blue letters on the front stating "NOT TO BE USED FOR IDENTIFICATION". Therefore the problem is not that "your SSN isn't secure"... The PROBLEM is that some idiot decided to use your SSN, which was never intended to be secure, for something that it was never intended to be used for. And, to be fair, this was not a single lame-brained decision... it evolved over time... before anyone worried about security...and would now be very difficult to fix. Also, to be equally fair, whenever someone suggests creating a truly secure identity card or universal identity database, there is a huge outcry of objections AGAINST it, for various reasons. You might like the IDEA that all of the information the DMV has about you could actually be kept secure. HOWEVER you would not at all like the price tag associated with maintaining that level of security. (Implementing "real security" tends to be quite expensive.) Also, if I were to ask you casually, I suspect you would say that "you would want your bank account number and password to be totally secure"... But do you realize that, if your bank account really was TOTALLY secure, and you forgot your password, your money would be permanently lost? (The fact that there is a way to reset or override your password is a significant security weakness.. because it offers a way for someone to access your account and steal your money.) There is actually a perfectly viable compromise... Where, if you lost your password, it would require three bank employees, acting together, to enact the override... That way no single employee would have to be trusted with the ability to access your account. But, of course, that would be a huge nuisance, so we don't bother... We live in a society that almost totally "runs" on information... And, if we REALLY handled that information SECURELY, it would all come to a screeching halt... You can think about it another way... If the customers of the Louisiana DMV actually could sue the DMV for their security lapse... WHO WOULD THEY BE SUING? (Any funds required to pay the settlement would inevitable end up coming out of either taxes... or next years license and registration fees.) (And, if the DMV outsourced their security, and consider the company they hired to be liable for being sloppy, their only alternative will be to hire a more expensive company to "do it right".) I should also point out that, because security is actually difficult, and is rarely the top priority, data breaches like this are EXTREMELY common. And the frequent victims include medical institutions, banks, stores, credit card processing companies, and government agencies and organizations... (Data breaches and hacks simply usually don't make the news beyond the security industry.) Therefore you should ALWAYS be at least somewhat "on the alert" for suspicious activity on things like bank accounts and credit cards. Massive data hack is only massive if you give a rats ass about it. Now I’m gonna go wash my car.
|
|
KeithL
Administrator
Posts: 10,269
|
Post by KeithL on Aug 1, 2023 15:43:48 GMT -5
Keep in mind that this was a zero-day attack on software from Progress called MOVEit. The only way to defend against zero-days is usually for the software company (Progress Software, in this case) to release a patch and then to apply the patch. Until that patch was published, the only defense was to stop using MOVEit. Easier said than done if it's critical to your business. Unfortunately, the State of Louisiana (and many others) determined that the risk was within their risk appetite. Problem is that organized crime is so well equipped these days to jump on zero-days and to use their exploits to make money. This isn't the 1990's kid wearing a hoddie in his mother's basement. For those interested in technical details, and financial motivations, here are a few interesting articles: www.infosecurity-magazine.com/news/clop-could-make-100m-moveit/www.infosecurity-magazine.com/news/clop-ransom-gang-big-names-moveit/
|
|
|
Post by 405x5 on Aug 1, 2023 20:39:33 GMT -5
Very informative posts put out here. At the end of the day, the best we can do is be as diligent and watchful as possible at our end, and just assume that the hacks are coming at the end of the day, the better you have covered your bases, the greater you will have minimalized your own personal risks. Beyond that what can be done I don’t know!
|
|