Fantasy Football - Footballguys Forums


U.S. Dept. of Energy's (MOVEit software) data breach - several federal entities (including state offices) affected

Nathan R. Jessep

Footballguy
This has the potential to be a real cluster#$#@.

Here in LA, it included our freaking OMV office, meaning anyone in the state who has a car registration, driver's license or ID, has potentially had their SSNs, names, addresses, etc. compromised. Recommendations are to freeze credit and change all passwords for everything. FML. :wall:

Reaffirms the importance of having 2-factor authentication set for anything that has it available.

 
The only silver lining, if you could call it that, is that these huge breaches are often done by state actors who use the data for their own nefarious purposes rather than dark web hackers who sell the data. That was the case with the Equifax and OPM breaches.


If I recall correctly from reading this morning, this is suspected to be a Russian ransomware hacker group.
 
What/who are the biggest threats to the average company (not government, financial, healthcare, defense, etc.)?

Ransomware, private actors.

What are the most basic steps an average company can take to prevent a breach/leak?

1. Basic security training for employees
2. Pay for a professional third-party risk assessment or consider third-party attestation/certification (what my company does)

What are the most basic steps an average person can take to protect their personal privacy/security?

1. Shred sensitive information in hard copy form. Delete unnecessary soft copy documents that have sensitive information.
2. Frequently change passwords
3. Spread risk - don't have high credit limits or cash amounts in a single account.
4. Use multi-factor authentication as much as possible

What is your recommended mobile operating system, desktop operating system?
Loaded question, but generally for personal devices Apple is the best for security purposes due to antivirus strength.

What hardware would you recommend for mobile device, desktop/laptop?
Another loaded question... really situation-specific.

If someone hacked FBG what is worst case scenario in terms of our personal information being leaked (email, name, IP address, etc) and any risks that would pose?
The biggest risk is that people use the same password for everything, so if FBG passwords were exposed along with IPs there is risk. People use the same password for FBG that they use for their 100K credit card.
 
Who does this include?

A very broad range of companies and govt entities and hundreds of thousands of persons.

And what should those impacted do?

Companies impacted should be undergoing incident response procedures and getting third-party support... I have multiple colleagues already on this.

Individuals impacted should be changing passwords to all accounts with sensitive information and employing multifactor authentication where provided. Also, monitor all sensitive accounts on a weekly basis at a minimum to detect fraud.
 
