National Consumers League

The #DataInsecurity Digest | Issue 11

Issue 11 | Jan. 6, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: Welcome back to a new year and a new edition of The #DataInsecurity Digest! With 2016 upon us, it’s time to dive back into the data security realm. What’s to come in the new year? Connected device hacking and increasing use of breaches to extort victims are at the top of the list for more than one expert. A full list of predictions from two of our favorite experts is below. Unfortunately, 2015 will be remembered as the year that health care data became a popular target for hackers, with 112 million records compromised, according to HHS. Here in Washington, Rep. Goodlatte’s class-action reform bill could see the light of day this week, which could be bad news for breach victims trying to be made whole through the courts. While we were out, hacks of industrial control systems in Ukraine and New York made news and reminded us of the real-world implications of data insecurity in our critical infrastructure. There’s also a lot to cheer for data security reformers like yours truly in the EU’s Network Information Security rules and California’s newly-effective breach notification law.

Finally, don’t forget about the FTC’s PrivacyCon conference coming up next Thursday, Jan. 14. Judging by the agenda, data security is going to be a big part of the discussion, so mark your calendars.

And now, on to the clips!

-----------------

WIRED: IoT zombie botnets, rising card-not-present fraud among security trends to expect in 2016. @KimZetter brings us her predictions for the biggest threats to data security coming down the pike in the new year. Top of her list? 1) Extortion hacks à la AshleyMadison.com; 2) Hacks that change or manipulate (instead of simply deleting or stealing) data; 3) Chip-and-PIN migration leading to increased card-not-present (e.g., online) card fraud; 4) IoT devices being hacked to drive “zombie” botnets; 5) Continued push for encryption backdoors. (Source: WIRED)

More 2016 predictions! Not to be outdone, David Thompson of @LegalTechNews chimed in with his own data breach predictions for 2016: “1. Health care companies will continue to be the top target for hackers. … 2. Data breaches will increasingly be used to gain investment information. … 5. Email Shaming: Increased Targeted Attacks with Defamation as the Objective.” (Source: Legaltech News)

Final 2015 tally on breaches of health care records: 112 million. Forbes’ @danmunro takes a look at the disappointing 2015 health care breach numbers published by HHS. “I wish we could look back on 2015 as the year that healthcare took data security and patient privacy more seriously, but the ‘wall of shame’ isn’t encouraging. In a data-driven world, medical information is just too lucrative and too easy to steal at scale. As long as that’s the case–and the tigers are toothless–we should reasonably expect more of the same for 2016.” (Source: Forbes)

House class-action reform bill could affect health data breach victims. @lschencker writes in Modern Healthcare that HR 1927, a bill sponsored by Rep. Goodlatte (R-VA) and slated to be sent to the House floor by the Rules Committee, could make it significantly harder for those harmed by healthcare data breaches to seek compensation through class-action suits. “An attorney representing plaintiffs suing Premera, James Bilsborrow with Weitz & Luxenberg, said HR 1927 ‘could potentially have devastating effects for victims of healthcare breaches.’” The bill would face a likely veto should it make it to President Obama’s desk. (Source: Modern Healthcare)

Quick hit: Après moi, le déluge. Following the leak of personally-identifiable information on more than 10 million children and parents by software maker VTech, class-action suits have begun to roll in. (Source: Top Class Actions)

Taste of what’s to come? Ukrainian power grid disruption tied to Russian malware. ISMG’s Mathew Schwartz (@euroinfosec) writes of a major power disruption in Ukraine on December 23 that was reportedly linked to malware traced back to Russian sources. In what is apparently a first-of-its-kind event, a power outage in eastern Ukraine that left 1.4 million Ukrainians in the dark is being blamed on hackers infiltrating an industrial control system at Prykarpattyaoblenergo, a Ukrainian energy supplier. “This is the first time we have proof and can tie malware to a particular outage,” Kyle Wilhoit, a senior researcher at security firm Trend Micro, tells Reuters. “It is pretty scary.” (Source: ISMG)

ICYMI over the break: Iranian hackers had access to New York dam’s control systems. Writing for the Wall Street Journal, @dannyyadron reports that, in a previously-disclosed 2013 infiltration, Iranian hackers gained access to control systems on a dam 20 miles away from New York City. “For the 12 months ended Sept. 30, the department [DHS] had received and responded to reports of 295 industrial-control-system hacking incidents, up from 245 for fiscal year 2014, according to agency statistics shared with The Wall Street Journal. … The incident at the New York dam was a wake-up call for U.S. officials, demonstrating that Iran had greater digital-warfare capability than believed and could inflict real-world damage, according to people familiar with the matter.” (Source: Wall Street Journal)

White hat hacker got access to 191 million voter records. @iblametom, writing for Forbes, has the story of Chris Vickery, a white-hat security researcher who made news over the break when he was able to gain access to a publicly-available (and now offline) database of 191 million voters’ records dating back to 2000 and containing names, home addresses, phone numbers, dates of birth, party affiliations, and logs of whether or not they had voted in primary or general elections. According to Vickery, the database does not contain financial data or Social Security numbers. (Source: Forbes)

A list like Vickery’s would cost campaigns $269,000 to obtain traditionally. Illustrating the worth of such data, Vickery claims in an interview with Upvoted’s @michellewoo that he reached out to political campaign advertising firm Gravis Marketing, which told him that a similar list would cost him $269,000 to purchase. (Source: Upvoted)

Whose data is it? Steve Ragan (@SteveD3) of CSO’s Salted Hash blog has been hot on the heels of this story, trying to track down the source of the leaked data and a smaller, more targeted leak of 56 million records, which could be “a Phishing crew’s dream come true.” (Source: CSO)

Get smart quick: EU’s new data protection rules. IAPP’s Gabriel Maldoff takes us for a spin through the European Union’s new Network Information Security (NIS) Directive, which has a lot to like for advocates looking for templates for data security reforms in the U.S. (Source: IAPP)

New California breach notification law takes effect Jan. 1, could become de facto national standard. An update to California’s first-in-the-nation data breach notification law could make California’s notification format a de facto national standard, according to @SidleyNewsroom attorneys Colleen Brown and Frances Faircloth. “The new laws address what license plate data automated readers may collect, defined encryption, and critically, made significant changes to the details of the required content and format of data breach notifications. … These formatting requirements would not be prohibited under other state breach notification laws, and so we will likely soon see this format become a de facto national standard for efficiency’s sake.” (Source: Lexology)

Quick hit: Post-breach ID protection services not included in taxable wages, says IRS. (Source: BNA)

Upcoming Events

Jan. 14, 2016 - PrivacyCon - Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

Feb. 9, 2016 - Start with Security: Seattle - Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.