Cadwalader Cabinet: January 6, 2022
NY Attorney General Recommends Safeguards against "Credential Stuffing" Cyberattacks
The New York Attorney General recommended safeguards to defend against "credential stuffing" after an investigation found widespread cyberattacks impacting more than 1.1 million consumers.
In the report, the Office of the Attorney General ("OAG") investigated "credential stuffing" attacks against businesses and consumers, in which hackers attempt to access customer accounts by utilizing stolen usernames and passwords from other online services. According to the OAG, credential stuffing is a common form of cyberattack. One content delivery network reported more than 193 billion attacks in 2020.
The OAG found more than 1.1 million account credentials from compromised accounts at 17 well-known online retailers. The companies were alerted and, at the urging of the OAG, took steps to investigate and protect impacted customers.
The OAG recommended safeguards designed to (i) defend against credential stuffing attacks, (ii) detect credential stuffing breaches, (iii) prevent fraud and the misuse of customer information, and (iv) respond to credential stuffing incidents. As a result of the investigation and subsequent cooperation with the OAG, nearly all of the companies implemented additional customer safeguards. The OAG also highlighted:
the effectiveness of multi-factor and "passwordless" authentication and bot-detection services;
the importance of breach-detection systems with respect to successful attacks that compromise customer accounts; and
the need to have a written incident response plan for responding to credential stuffing attacks.
CFPB Details Credit Bureaus' Failure to Adequately Respond to Consumer Complaints
In a new report, the CFPB asserted that credit bureaus Equifax, Experian and TransUnion did not comply with statutory obligations to respond to consumer complaints submitted through the CFPB's complaint process.
The CFPB cited obligations under the Fair Credit Reporting Act, which requires that credit bureaus review consumer allegations of incomplete or inaccurate information on consumer credit reports, including allegations made by an authorized third-party representative of the consumer. Credit bureaus must then report their findings to the CFPB.
In the report, the CFPB indicated that Equifax, Experian and TransUnion often (i) failed to provide the results of their investigations to the CFPB, (ii) took no action because a complaint was originated by a third party on behalf of the consumer or (iii) failed to respond substantively to complaints because they relied on template complaint responses. The CFPB concluded that many consumers did not receive adequate responses to their complaints filed through the CFPB complaint process.