Cadwalader Cabinet: January 6, 2022
Thursday, January 6, 2022

NY Attorney General Recommends Safeguards against "Credential Stuffing" Cyberattacks

The New York Attorney General recommended safeguards to defend against "credential stuffing" after an investigation found widespread cyberattacks impacting more than 1.1 million consumers.

In the report, the Office of the Attorney General ("OAG") investigated "credential stuffing" attacks against businesses and consumers, in which hackers attempt to access customer accounts by utilizing stolen usernames and passwords from other online services. According to the OAG, credential stuffing is a common form of cyberattack. One content delivery network reported more than 193 billion attacks in 2020.

The OAG found more than 1.1 million account credentials from compromised accounts at 17 well-known online retailers. The companies were alerted and, at the urging of the OAG, took steps to investigate and protect impacted customers.

The OAG recommended safeguards designed to (i) defend against credential stuffing attacks, (ii) detect credential stuffing breaches, (iii) prevent fraud and the misuse of customer information, and (iv) respond to credential stuffing incidents. As a result of the investigation and subsequent cooperation with the OAG, nearly all of the companies implemented additional customer safeguards. The OAG also highlighted:

  • the effectiveness of multi-factor and "passwordless" authentication and bot-detection services;

  • the importance of breach-detection systems with respect to successful attacks that compromise customer accounts; and

  • the need to have a written incident response plan for responding to credential stuffing attacks.

CFPB Details Credit Bureaus' Failure to Adequately Respond to Consumer Complaints

In a new report, the CFPB asserted that credit bureaus Equifax, Experian and TransUnion did not comply with statutory obligations to respond to consumer complaints submitted through the CFPB's complaint process.

The CFPB cited obligations under the Fair Credit Reporting Act, which requires that credit bureaus review consumer allegations of incomplete or inaccurate information on consumer credit reports, including allegations made by an authorized third-party representative of the consumer. Credit bureaus must then report their findings to the CFPB.

In the report, the CFPB indicated that Equifax, Experian and TransUnion often (i) failed to provide the results of their investigations to the CFPB, (ii) took no action because a complaint was originated by a third party on behalf of the consumer or (iii) failed to respond substantively to complaints because they relied on template complaint responses. The CFPB concluded that many consumers did not receive adequate responses to their complaints filed through the CFPB complaint process.

Primary Sources

  1. NYAG Press Release: Attorney General James Alerts 17 Companies to "Credential Stuffing" Cyberattacks Impacting More than 1.1 Million Consumers

  2. NYAG Report: Business Guide for Credential Stuffing Attacks

  3. CFPB Press Release: CFPB Releases Report Detailing Consumer Complaint Response Deficiencies of the Big Three Credit Bureaus

 

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins