• Last week, FireEye, a cybersecurity provider, revealed their tools to detect and block sophisticated cyberattacks were stolen in a security breach. 
  • This week we learned attackers, believed to be affiliated with Russia’s state security service, infiltrated government agencies and potentially thousands of companies through a software update from IT management company SolarWinds that was issued months ago. 
  • So far, there is no indication that the Nation/State attackers were after consumer information. These groups tend to be more interested in information they can use for intelligence or espionage. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast on SoundCloud. This week, on the last breach breakdown podcast of 2020, we look at the FireEye and SolarWinds hacks, which have shaken the cybersecurity community. 

Also available on Apple Podcasts and Spotify.

Data Breaches Down/Security Breaches Up 

2020 has been a difficult year for many. However, there have been some encouraging trends that the ITRC has talked about in previous breach breakdown podcast episodes. One of the most promising trends includes cybercriminal’s lack of interest in consumer information, resulting in a significant drop in data breaches and the number of people impacted by them.  

Unfortunately, you can’t say the same of a companion crime, security breaches. One cannot have a mass data breach without also experiencing a cybersecurity failure. With that said, it is possible to have a security breach without impacting consumer data. That is what dominates the news as we wrap up 2020 – a massive security breach involving two leading technology companies: FireEye and SolarWinds. 

What You Need to Know About FireEye 

FireEye, a cybersecurity provider, supports large organizations worldwide with tools that detect and defend against cyberattacks. When there are attacks on companies and governments, FireEye often gets the call to figure out what happened and how it happened. 

What You Need to Know About SolarWinds 

SolarWinds, a software company, claims to help more than 33,000 companies, including virtually all Fortune 500 companies and every major agency in the U.S. government. SolarWinds’ software helps organizations with large, complex computer systems manage their networks and devices.  

FireEye and SolarWinds Hacked 

Last week, FireEye revealed their tools to detect and block sophisticated cyberattacks, the kind launched by governments, had been stolen due to a security breach. A few days later, the U.S. Treasury and Commerce Departments announced they were hacked. It was followed by announcements of hacks at the National Institutes of Health as well as the Departments of Homeland Security and State. 

This week, we learned that the security breaches were the result of threat actors believed to be affiliated with Russia’s state security service. The attackers infiltrated these government agencies and FireEye through a software update from SolarWinds that was issued months ago. SolarWinds believes as many as 18,000 customers may be affected by the malware inserted by the attackers into the SolarWinds update.  

What the FireEye and SolarWinds Hacks Mean for Consumers 

It is too early to tell what the FireEye and SolarWinds Hacks mean for consumers. So far, there is no indication that the Nation/State attackers were after consumer information. These groups tend to be interested in information that can be used for intelligence or espionage, not making money by stealing and selling consumer data.  

There is another reason to believe consumer information may be safe from the FireEye and SolarWinds hacks. SolarWinds software does not access or manage consumer data. As ITRC Chief Operating Officer James Lee says in the podcast, think of SolarWinds as a traffic cop. They can tell people what businesses are on the street and how to get there, but they cannot take people there and open the door for them. 

With enough time and motivation, the attackers could have wandered around a SolarWinds customer’s networks to access some consumer information. However, experts don’t believe that happened on a mass scale. The ITRC will post more details if we find consumer information is involved.  

How We Know About the Attacks 

We know about this and other breaches because of laws and regulations that require organizations, even government agencies, to issue breach notices. Many of those rules do not set a specific timeline for when a notice must be given. That is about to change for banks governed by the Federal Deposit Insurance Corporation (FDIC).  

For the past 15 years, the FDIC rules only required that regulators be notified of a data or security breach within a reasonable period of time. This week, the FDIC approved a new regulation that sets the notification period at 36 hours whenever a security issue or system’s failure significantly impacts operations. That is stricter than the 72 hours required by the State of New York, the toughest notification law in the U.S. The FDIC rule only requires regulators to receive a notice. State laws still govern public notices.  

notifiedTM    

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC   

If you believe you are the victim of an identity crime or data breach and need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started.  

Twenty-three episodes from 2020 are in the books. We will be back in January to share more insights into data breaches and identity trends. Join us in 2021 on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.