If you haven’t heard by now, the internet was under attack thanks to insecure “internet of things” (IoT) devices. The weapon of choice was the Mirai botnet, which crippled well known sites like CNN, Netflix, Twitter, etc. to a grinding halt. But how exactly did insecure IoT devices help the largest to date cyberattack experienced in the Western hemisphere?
The source of the outage was a distributed distributed denial of service (DDoS) attack, which leveraged a network of IoT devices infected with special malware, known as a “botnet”. The botnet was orchestrated to bombard a server with traffic until it collapsed under the strain. The IoT devices included Xerox, Panasonic and Samsung printers, as well as an array of Chinese manufactured short circuit TVs, DVRs, etc.
Botnets are not new, unfortunately. But a botnet comprised of IoTs is what makes last week’s massive DDoS jaw dropping and terrifying. Why should you or anyone care, especially if technology is not in your wheelhouse? Think of finding out that your garage has served as shelter for a terrorist, who is part of a much larger cell, ready to take down half the country. The terrorist was able to get into your garage easily because you don’t secure it. Guess what? You’re one of the most vulnerable targets if the attack goes down.
Now, bring this back to the IoT framework. Many households are moving toward an connected, IoT world–from refrigerators, thermostats, security systems and security cameras. When everything goes smoothly, we forget how much rely on our IoT devices. It’s only when they’re compromised do we then realize that we may have a big problem.
The crux of the data security challenge that faces us all is that the Mirai botnet revealed how vulnerable we are because of insecure IoTs. The Mirai attack exploited 100,000 connected devices or “malicious endpoints,” which resulted in an epoch attack of 1.2 terabytes/second. Your DVR or short-circuit camera may have served as an unwitting accomplice in the now legendary DDoS attack.
EARLIER THIS YEAR, news of massive data breaches of Premera and Anthem felt like a one-two punch to many of us focused on protecting consumers. I got a lot of questions from clients and other attorneys, including “What can I do to protect my identity?” and “Should I sign up for any of those ID theft guards like LifeLock?” My responses to these questions are not simple. We can learn to guard against ID theft by remaining vigilant about our credit reports, credit card statements, bank statements, and the like. Sure, if one wants to delegate this responsibility to a third-party, then be prepared for disappointment.
The story of LifeLock’s last several years is a great example of why it’s not wise to leave the security of our ID to a turn-key operator. Some are astounded to find that the company claiming to provide ID theft guard solutions to consumers and businesses have failed in some key respects according to the FTC.
Customers of ID theft-protection firm Lifelock who expected the company to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data. Ugh.
According to a complaint filed in court in late July 2015 by the Federal Trade Commission, Lifelock has failed to adhere to a 2010 order and settlement that required the company to establish and maintain a comprehensive security program to protect sensitive personal data users entrust to the company as part of its identity-theft protection service.
Wow. What a strange twist of irony: After all, Lifelock touts its self as the solution to companies that experience data breaches and urges them to offer a complimentary Lifelock subscription to people whose data has been compromised in a breach. To properly monitor victims’ credit accounts to protect them against ID theft, Lifelock requires a wealth of sensitive data, including names and addresses, birth dates, Social Security numbers, and bank card information.
Protecting that data should be a primary concern to Lifelock, particularly in light of the fact that many of its customers have already been victims of a breach. But the FTC found in 2010 that the company had failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network,” either in transit through its network, stored in a database, or transmitted over the internet.
Lifelock had been ordered to remedy that situation, but according to the complaint filed today, it has failed to do so. The complaint is currently sealed, but the previous finding from 2010 provides insight into the company’s security failures.
Lifelock’s CEO was himself a victim of data breach at least 13 times, btw. Call it karma.
NOTE: If you were/are an Amerigroup/Anthem insured in the State of Washington and received notice of a data breach, we want to talk to you. Please contact me via email at Catherine@Stritmatter.com. Participating in a class action lawsuit against a company who neglected to safeguard your personal information will not affect your ability to qualify for “free” id protection services offered by Anthem.
Washington State Insurance Commissioner Mike Kreidler is not the only one who is wondering why it took Premera so long to act, after realizing that at least 11 million individuals’ information were exposed to a data breach. We are too and want to see the large class of Premera customers find justice.
Hackers had unauthorized access to approximately 6 million in Washington and the other 5 million in Alaska and Oregon whose information. There are possibly other markets associated with this breach that extends beyond Washington, Oregon, and Alaska.
Our firm is pursuing a class action to obtain a meaningful recovery for all of the victims involved as the result of Premera’s lack of vigilance over their customer’s data. Please contact PremeraClass@Stritmatter.com, as our attorneys want to speak with you ASAP. Our own Brad J. Moore, who is at the helm of the country’s largest public interest law firm (Public Justice) has a long track record of success with some of the largest consumer protection class action lawsuits.
According to KUOW, after Premera called Kreidler to inform him about the data breach that had occurred over a month before, he asked his staff to find out why it took the health insurer so long to inform everyone about this significant news.
He’s launched a multistate investigation of Premera, explaining: “We would have been heavily engaged in this activity weeks ago if we’d been afforded the opportunity to know in a more timely basis. It was clear once we were notified. Which is part of the irritation right now. It took six weeks.”
The class action/consumer protection attorneys are all for Kreidler’s idea about establishing rules that would have compelled Premera to reveal the information within hours, not weeks.
Again, if you or someone you know was or is a Premera insured and believe that sensitive information was accessed in an unauthorized manner, contact us at PremeraClass@Stritmatter.com