Cybercrime wake-up call - Albuquerque Journal

Cybercrime wake-up call

Cybersecurity experts say the massive breach of credit-reporting company Equifax Inc.’s data systems may be a needed wake-up call to galvanize business and government into much more aggressive action to protect online data in today’s hyperconnected cyber world.

Fallout from the breach, which could impact about 143 million U.S. consumers, is mounting, as federal and state-level agencies assess the full extent of the damage. Larger data breaches have occurred in recent years, but the Equifax breach exposed sensitive personal data – names, Social Security numbers, birth dates, and addresses for fully half of the U.S. population.

Equifax faces congressional investigations, class-action lawsuits, inquiries by the Federal Trade Commission and the Consumer Financial Protection Bureau, and action by attorneys general from around the country.

That includes New Mexico Attorney General Hector Balderas.

“Equifax needs to make right by our families,” Balderas said in a public statement last week. “We launched an immediate investigation into Equifax, the circumstances surrounding the breach, and the delay in disclosure to New Mexicans. Our office is working to hold Equifax accountable.”

Equifax is under fire for its actions before and after the data breach, particularly its decision to wait six weeks to publicly disclose the attack after discovering it on July 29.

Details are still scarce, but apparently hackers broke into Equifax through a flaw in the Apache Struts software package that runs one of its online web portals. That generated even more intense criticism, because that software vulnerability had already been publicly known since March, with a software patch available to fix it, but Equifax didn’t apply it until after its website was breached.

That apparently lax security, plus the immense damage cybercriminals could now inflict on consumers and businesses, may convert Equifax into a watershed event that pushes government and industry into much more aggressive efforts to fight cybercrime, according to industry experts.

“Awareness unfortunately comes from attacks like these,” said John Yun, marketing director for California-based cybersecurity firm ZingBox. “They almost need to happen to wake up to the possibilities of hacking. It brings a lot more awareness to the industry and security vendors themselves, as well as consumers.”

An epidemic

Cybercrime had already reached epidemic proportions. Nearly 1.1 billion identities were stolen worldwide through data breaches last year, almost double the 2015 tally, according to the latest annual Internet Security Threat Report released last spring by global cybersecurity firm Symantec Corp.

In the last eight years, such breaches have exposed more than 7.1 billion identities worldwide.

Attacks are radically escalating on all fronts, including massive heists with billions of dollars stolen, and chronic blackmail of businesses and consumers through ransomware that, in the U.S., is forcing victims to pay an average of $1,077 each time to retrieve control of their systems, according to Symantec. The number of ransomware attacks grew 36 percent worldwide last year, and Symantec estimates one in every 131 emails today contain a malicious link or attachment.

Apart from cybercrime, sabotage potentially linked to cyberwarfare by nation states is growing exponentially in frequency and reach, such as the alleged Russian hacking of U.S. elections last year.

And hackers may be gaining control over critical infrastructure. Just days before the Equifax breach, Symantec warned that a group called Dragonfly 2.0 targeted dozens of energy companies last spring and summer. They gained access to utility networks, and in a handful of cases in the U.S. and elsewhere, the intruders had potential control over grid operations, enabling them to cause blackouts if they had actually flipped the power switches.

Also, last Thursday, the U.S. Securities and Exchange Commission revealed that its Electronic Data Gathering, Analysis and Retrieval system was hacked last year. EDGAR processes more than 1.7 million electronic filings annually, including sensitive financial disclosures that can cause enormous movements in the market, sending billions of dollars in motion on stock exchanges in fractions of a second.

A hyperconnected world

Industry experts say the cybercrime tidal wave is less a reflection of hackers becoming more sophisticated than of the explosion of Internet connections and data sharing in today’s hyperconnected world.

RiskSense CEO Srinivas Mukkamala says consolidation of big data leaves companies vulnerable to attackers who need minimal skills to break in. (Dean Hanson/Albuquerque Journal)

“Growing hacker sophistication is a factor, but it’s the evolution in online data sharing that’s creating havoc,” said Srinivas Mukkamala, co-founder and CEO of Albuquerque-based cybersecurity firm RiskSense. “There’s more and more computing and consolidation of big data all in one location, and attackers need minimal skills to break in, while companies need real sophistication to protect themselves.”

In recent years, local data management has given way to national and international management, with data continuously shared across the globe, Mukkamala said. And many of the companies managing or handling that data are startups without the resources and technology to protect against hackers.

The evolution toward an Internet of Things, which refers to thousands of online devices connecting everything from appliances and security cameras to heating and cooling systems in homes and businesses, is creating a whole new cyber world ripe for hacking. In some cases, such as devices in hospitals, that can give criminals control over life and death, said Yun of ZingBox, which is developing new tools to monitor those connections.

At this year’s Def Con hacker convention last July in Nevada, one ZingBox expert demonstrated ability to hack into a widely used brand of IV infusion pump, allowing him to alter medicine flow to a patient.

“There are just so many more devices and services now available online, and they weren’t designed to fend off hackers,” Yun said.

RiskSense employees at work in Albuquerque. The cybersecurity company markets a software-as-a-service platform that constantly monitors and analyzes networks for customers. (Dean Hanson/Albuquerque Journal)

As a result, cybersecurity’s traditional focus on teaching employees what to do and not to do to protect systems is inadequate, said Jack Miller, chief information security officer for cybersecurity firm SlashNext, which created hardware to monitor all traffic on a company’s network.

“We’ve relied too much on training employees, when what we need is better technology to protect systems,” Miller said. “We need tools that rely on artificial intelligence to track and fix things.”

That includes the new technologies being developed by firms like ZingBox and SlashNext. It’s also the foundation on which RiskSense built its business, creating a software-as-a-service platform that constantly monitors and analyzes networks for customers.

It’s the interface between artificial intelligence and humans, plus the sharing of lessons learned among everybody, that will allow industry and government to get ahead of cybercrime, Mukkamala said.

“We have to look at the entire ecosystem,” he said. “Maybe you as an entity are not vulnerable, but who are you connected to and what are you sharing? We don’t operate in silos, but in an ecosystem that creates seamless data sharing and, as a result, seamless data breaches.”

Federal regulation is also critical, Miller said.

“The public needs to push the government and industry leaders to have policy conversations,” Miller said. “We need real transparency with regulations that are prescriptive enough to follow through and implement them. We need much clearer, detailed guidelines on what needs to be done.”

Albuquerque Journal and its reporters are committed to telling the stories of our community.

• Do you have a question you want someone to try to answer for you? Do you have a bright spot you want to share?
   We want to hear from you. Please email

Nativo Sponsored Content

Ad Tango

taboola desktop


Most city voters oppose stadium bond measure
2021 city election
Only 27% say that if approved, ... Only 27% say that if approved, facility should be Downtown
Half of city voters favor Keller's job performance
2021 city election
60% approval rating a year ago ... 60% approval rating a year ago likely due to pandemic response
Book merchant Jim Hoffsis was a pillar of Old ...
ABQnews Seeker
Korean War veteran was an admirer ... Korean War veteran was an admirer of military, supporter of local authors
Gonzales' current job approval stands at 34%
2021 city election
Democratic sheriff has little support from ... Democratic sheriff has little support from members of own party
NM film and television community honors Halyna Hutchins
ABQnews Seeker
New Mexico's film and television community ... New Mexico's film and television community came together to remember cinematographer Halyna Hutchins at a candlelight vigil at Civic Plaza in Albuquerque on Saturday ...
Journal Poll: Keller has large lead over mayoral opponents
2021 city election
Gonzales, Aragon lag behind; runoff may ... Gonzales, Aragon lag behind; runoff may not be needed
Hours before showtime, Las Cruces High's band truck is ...
ABQnews Seeker
The Las Cruces High School Showcase ... The Las Cruces High School Showcase band's trip to Albuquerque this weekend started on a sour note. Hours before the Zia Marching Band Fiesta ...
APS bus drivers get a pay boost amid ongoing ...
ABQnews Seeker
Board of Education OKs hiring, referral ... Board of Education OKs hiring, referral bonuses as rate reaches $18 per hour
Crime Stoppers release photo of car in fatal ABQ ...
ABQnews Seeker
Crime Stoppers released a photo of ... Crime Stoppers released a photo of the silver Mustang involved in the fatal shooting of a 20-year-old man during a road rage incident last ...