Sen. Mark Warner, D-Va., has asked the FTC to investigate the cyberattack on Equifax, which the company said ran from mid-May through July and exposed the information of 143 million Americans (see 1709080019, 1709110035 and 1709120055). "This information -- critical to opening a new bank account or taking out a loan -- will expose Americans to identity theft, tax fraud, extortion, and other risks," he wrote in a Wednesday letter to acting FTC Chairman Maureen Ohlhausen. Meanwhile, House Commerce Chairman Greg Walden, R-Ore., and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta, R-Ohio, formally invited Equifax CEO Richard Smith to testify Oct. 3. The company didn't comment. Warner, who co-founded the Senate Cybersecurity Caucus and is a member of the Banking, Budget and Finance committees, said the breach "raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize." Warner cited security issues raised by Equifax's actions before and after the breach, "including use of potentially insecure content management software and improperly configured web encryption," which led some web browsers to flag its Equifaxsecurity2017.com domain as a phishing site. He also was alarmed by the credit reporting service's handling of customer inquiries, which required consumers to submit personal data, and by its issuing only a simple PIN to customers placing a credit freeze. Viewed as a whole, and together with past breaches at other credit bureaus, he said, "these lapses may potentially represent a systemic failure by firms." The FTC said it received the letter but declined to comment.
Equifax's revelation that personal information on 143 million Americans may have been compromised prompted House Commerce Committee Chairman Greg Walden, R-Ore., to say Friday he'll hold a hearing on the matter after an initial briefing from the credit reporting company. The hearing will focus on "what went wrong and what we need to do to better protect consumers from serious breaches like this in the future," he said in a statement. No hearing date was set. FTC Commissioner Terrell McSweeny and Sen. Mark Warner, D-Va., tweeted last week that the breach shows Congress must pass comprehensive data security legislation. Warner, a co-founder of the Senate Cybersecurity Caucus, also suggested lawmakers create a uniform breach notification standard and rethink protection policies for large, centralized datasets holding information on millions of Americans. McSweeny agreed with New York Attorney General Eric Schneiderman that consumers shouldn't have to trade away their legal rights to try to protect their data after the breach. Schneiderman tweeted that his staff asked Equifax to remove "unacceptable and unenforceable" language under which consumers would forfeit their right to sue or join a class-action lawsuit if they checked the company's site to see whether their data was stolen. Democrats on the House Commerce Committee cited an Aug. 30 letter asking GAO to evaluate whether credit monitoring services provide effective protection in response to data breaches. Equifax revealed Thursday that criminals exploited a website application vulnerability from mid-May through July, gaining access to names, addresses, birth dates, and driver's license and Social Security numbers. Credit card numbers for about 209,000 consumers and dispute documents containing personal identifying information for about 182,000 consumers also were accessed, it said.
FTC attorney Seena Gressin blogged that consumers also should check their Experian and TransUnion credit reports, consider placing a credit freeze and fraud alert on their files, and take other steps.
The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology released a draft practice guide to help organizations recover from a cyber incident such as a ransomware attack, the center said in a Wednesday notice. It's seeking feedback on the draft -- NIST Cybersecurity Practice Guide SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events -- through Nov. 6.
Millions of sensitive records from Time Warner Cable and other companies were among the 600 GB of files potentially exposed online by cloud-based communications provider BroadSoft, said security vendor Kromtech last week. Two accidentally exposed repositories contained thousands of records for several BroadSoft clients, with TWC being the "most prominent," blogged Bob Diachenko, Kromtech chief communications officer. One text file contained more than 4 million records from TWC and Bright House Networks -- rebranded as Spectrum and now part of Charter Communications -- from 2010 to this year, "with Transaction ID, user names, MAC addresses, Serial Numbers, Account Numbers, Service, Category details, and more," he wrote. Other databases held billing addresses, phone numbers and other data for hundreds of thousands of TWC customers, he said. Diachenko said the exposed data also included internal credentials that criminals could use to track and access the company's network and infrastructure. "Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them," emailed a Charter spokesman Tuesday, saying data from the "MyTWC app" potentially became visible to external sources. He said there's no indication the company's systems were affected, and that Charter encourages customers who use the app to change their user names and passwords. A BroadSoft spokeswoman emailed that the company was notified that "a third-party cloud storage site containing internal BroadSoft documentation and end-user customer data was exposed to the public internet." The data didn't include bank or credit card information or Social Security numbers, and the information was secured once BroadSoft was notified, she said. "BroadSoft core IT and cloud unified communication infrastructures were not exposed or compromised."
The FCC’s Communications Security, Reliability and Interoperability Council will meet Oct. 26, said a Friday public notice. The FCC also released the assignments of CSRIC members to its three working groups (see the personals section in this issue). The groups are: Working Group 1: Transition Path to NG911, chaired by Mary Boyd, vice president-regulatory, policy and government affairs at West Safety Services; Working Group 2: Comprehensive Re-imagining of Emergency Alerting, chaired by Farrokh Khatibi, director-engineering at Qualcomm Technology; and Working Group 3: Network Reliability and Security Risk Reduction, chaired by Travis Russell, director-telecommunications cybersecurity at Oracle. The rechartered CSRIC held its first meeting June 23 (see 1706230049).
The U.S. will post intellectual property experts in the coming weeks to coordinate regional cooperation in Abuja, Nigeria; Bangkok; Bucharest; Hong Kong; and Sao Paulo, said Deputy Attorney General Rod Rosenstein at Interpol's international IP crime conference in New York Tuesday. He said Justice will respond more quickly to mutual legal assistance requests from other countries. The department is strengthening its ability to pursue charges through its U.S. attorney's offices and roughly 260 computer hacking and IP coordinators across the country, and has developed a Cybercrime Lab, he said.
The Public Safety Bureau Thursday encouraged service providers to implement Signaling System 7 security countermeasures recommended by the FCC’s Communications Security, Reliability and Interoperability Council. “SS7 supports fixed and mobile service providers in processing and routing calls and text messages between networks, enabling fixed and mobile networks to connect, and providing call session information such as Caller ID and billing data for circuit switched infrastructure,” said a public notice. “Over the last several years, numerous research findings and media reports call attention to security vulnerabilities present within SS7 networks.”
U.S. Cyber Command will be elevated to a unified combatant command, said President Donald Trump Friday in a statement and in a memo to Defense Secretary James Mattis. The move is aimed at strengthening and streamlining cyberspace operations and creating more opportunities to improve the nation's cyber defenses, Trump said. He directed Mattis to recommend a possible plan for the "future command relationship" between Cyber Command and the NSA, including potentially separating the two. During the campaign, Trump promised to improve the command (see 1610030025).
Symantec’s Norton Core security router is available for purchase at Norton.com, Best Buy and Amazon, said the company Thursday. The $279 device, introduced at CES, had been on preorder since May (see 1705150035). Symantec is one of several cybersecurity companies targeting residential customers’ connected devices. A 2016 Symantec report identified security vulnerabilities in 50 connected home devices. As the IoT industry continues to evolve and connected devices become more common, it’s “vital that consumers have a way to protect their family’s connected devices from new and sophisticated attacks,” said General Manager Francis Rosch. Features include network-level protection through deep packet inspection, encryption of data handled by the router, parental controls, security analysis, bandwidth optimization and guest access, said the company. The dome-shaped device is available in gold or gray finishes; the subscription costs $9.99 per month after the first year.
FCC Chief Information Officer David Bray declined to provide specific details on the agency's plans to protect its Electronic Comment Filing System against future cyberattacks. The refusal was in response to queries from House Commerce Committee ranking member Frank Pallone, D-N.J., House Oversight Committee ranking member Elijah Cummings, D-Md., and other House Democrats. Pallone and other lawmakers repeatedly pushed for further information on the circumstances behind a reported May 8 distributed denial-of-service attack against ECFS that occurred during the comment period on the NPRM on rolling back its 2015 net neutrality rules and reclassification of broadband as a Communications Act Title II service (see 1705170067, 1706280044 and 1707070039). “Given the ongoing nature of the threats to disrupt the Commission’s electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred,” Bray said in a memo to lawmakers accompanying letters from FCC Chairman Ajit Pai. “FCC’s IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs.” The cloud-based infrastructure supporting ECFS is “provided by our commercial partners,” the memo said. “FCC IT staff has notified its cloud providers of the need to have sufficient 'hardware resources' available to accommodate high-profile proceedings.” The May 8 DDoS attack doesn’t qualify as a “significant cyber incident” under current White House definitions and thus didn’t require a Federal Information Security Management Act-based notification to Congress, the memo said. The FCC consulted with the FBI in making the determination, Bray said. 
Pai told lawmakers he “cannot guarantee that we will not experience further attempts to disrupt our systems, [but] our staff is constantly monitoring and reviewing the situation so that everyone seeking to comment on our proceedings will be afforded the opportunity to do so.”