May 24, 2022

Volume XII, Number 144


May 23, 2022


Cadwalader Cabinet: January 6, 2022

NY Attorney General Recommends Safeguards against "Credential Stuffing" Cyberattacks

The New York Attorney General recommended safeguards to defend against "credential stuffing" after an investigation found widespread cyberattacks impacting more than 1.1 million consumers.

In the report, the Office of the Attorney General ("OAG") investigated "credential stuffing" attacks against businesses and consumers, in which hackers attempt to access customer accounts by utilizing stolen usernames and passwords from other online services. According to the OAG, credential stuffing is a common form of cyberattack. One content delivery network reported more than 193 billion attacks in 2020.

The OAG found more than 1.1 million account credentials from compromised accounts at 17 well-known online retailers. The companies were alerted and, at the urging of the OAG, took steps to investigate and protect impacted customers.

The OAG recommended safeguards designed to (i) defend against credential stuffing attacks, (ii) detect credential stuffing breaches, (iii) prevent fraud and the misuse of customer information, and (iv) respond to credential stuffing incidents. As a result of the investigation and subsequent cooperation with the OAG, nearly all of the companies implemented additional customer safeguards. The OAG also highlighted:

  • the effectiveness of multi-factor and "passwordless" authentication and bot-detection services;

  • the importance of breach-detection systems with respect to successful attacks that compromise customer accounts; and

  • the need to have a written incident response plan for responding to credential stuffing attacks.

CFPB Details Credit Bureaus' Failure to Adequately Respond to Consumer Complaints

In a new report, the CFPB asserted that credit bureaus Equifax, Experian and TransUnion did not comply with statutory obligations to respond to consumer complaints submitted through the CFPB's complaint process.

The CFPB cited obligations under the Fair Credit Reporting Act, which requires that credit bureaus review consumer allegations of incomplete or inaccurate information on consumer credit reports, including allegations made by an authorized third-party representative of the consumer. Credit bureaus must then report their findings to the CFPB.

In the report, the CFPB indicated that Equifax, Experian and TransUnion often (i) failed to provide the results of their investigations to the CFPB, (ii) took no action because a complaint was originated by a third party on behalf of the consumer or (iii) failed to respond substantively to complaints because they relied on template complaint responses. The CFPB concluded that many consumers did not receive adequate responses to their complaints filed through the CFPB complaint process.

Primary Sources

  1. NYAG Press Release: Attorney General James Alerts 17 Companies to "Credential Stuffing" Cyberattacks Impacting More than 1.1 Million Consumers

  2. NYAG Report: Business Guide for Credential Stuffing Attacks

  3. CFPB Press Release: CFPB Releases Report Detailing Consumer Complaint Response Deficiencies of the Big Three Credit Bureaus

 

© Copyright 2022 Cadwalader, Wickersham & Taft LLP
National Law Review, Volume XII, Number 6

About this Author

At Cadwalader, Wickersham & Taft LLP, we put over 225 years of legal experience and innovation to work for you today. As one of the world's most prominent financial services law firms, we have long-standing client relationships with premier financial institutions, funds, Fortune 500 companies and other leading corporations, and individual private clients. We have earned a reputation for crafting innovative business and financial solutions and developing precedent-setting legal strategies to achieve our clients' goals. The result is simple: We stand out from...

212-504-6000