National Consumers League

The #DataInsecurity Digest | Issue 17

Issue 17 | March 31, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: If DC policymakers weren’t attuned to the impact of data insecurity by now, the latest data breach at DC’s own Medstar Hospitals could hit them where it hurts (literally!). A reported ransomware infection all but shut down the system’s 10 DC and Maryland hospitals. Did you get turned away from a Medstar office this week? Let us know at johnb@nclnet.org or @ncl_tweets! The Medstar hack is just the latest in a string of ransomware attacks on hospitals that have highlighted the vulnerability of health care providers’ data security. We won’t attempt to cover all of the FBI v. Apple news this week, except to point out that more than 80 percent of security and privacy pro’s are worried that an undisclosed vulnerability could threaten everyone’s security, according to Passcode.

In other data security news, Tennessee enacted one of the strictest breach notification laws in the country. “W2 phishing” is the latest vector for fraudsters who are ramping up for tax ID fraud season. New research finds that March Madness app vulnerabilities could mean tracking your bracket will cost you more than your office pool entry fee. Breaches at Wall Street law firms Cravath and Weil Gotshal illustrate why more clients are requiring their legal eagles to buy cyber insurance.

Finally, don’t forget to check out NCL's newly redesigned Fraud.orgfeaturing a new section dedicated to data breach educationwhich we launched this week. Details below!

And now, on to the clips!

----------------- 

Tooting our own horn: Redesigned Fraud.org launches with new data breach content! We’re proud to show off an all-new Fraud.org this week! The newly redesigned watchdog site features plenty of data breach readiness content aimed at consumers, including links to the latest official breach info, tips for victims, and a step-by-step guide for reducing your data breach risk. And that’s just for starters! Surf over to the new Fraud.org, sign up for our monthly Fraud Alerts, and spread the word! (Source: NCL press release)

Medstar Hospitals hack has DC-area patients being turned away. The cost of data insecurity was vividly revealed this week as 10 MedStar hospitals in Washington, DC and Maryland were shut down, reportedly by a ransomware scam. This is just the latest of many attacks on hospitals by hackers looking to extract hefty ransoms due to often lax health care provider cybersecurity. @JohnWoodrowCox writes for the Washington Post: “[S]ome MedStar Health patients say they are being turned away as the health-care giant’s computer systems remain crippled by a virus that infected it Monday morning. … The spouse of a man receiving cancer treatment at one MedStar facility told The Post he has been unable to receive radiation treatment for two days because of the shutdown.” (Source: Washington Post)

Krebs: Hospital ransomware attacks to become more targeted. The MedStar ransomware hack follows a string of breaches at hospitals in Kentucky and California that have netted hackers thousands of dollars in ransoms. Writes @briankrebs “Ransomware infections are largely opportunistic attacks that mainly prey on people who browse the Web with outdated Web browsers and/or browser plugins like Java and Adobe Flash and Reader. Most ransomware attacks take advantage of exploit kits, malicious code that when stitched into a hacked site probe visiting browsers for the the presence of these vulnerabilities. … It’s a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted.” (Source: KrebsonSecurity)

It’s not just hospitals that should be worried about protecting health info. The same folks at Verizon who annually publish the hugely influential Data Breach Investigations Report are out with a new report looking at the security of personal health information on corporate networks. The results aren’t pretty: 90 percent of all industries have experienced breaches that lead to a loss in personal health information, according to the report. Writes the @PHIDBIR team: “Detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud—the former having direct impact on an individual or family, and the latter increasing healthcare costs for governments, organizations and individuals.” (Source: Verizon)

Rich to Congress: Pass data security and breach notification laws. FTC Bureau of Consumer Protection Director Jessica Rich went before the House Oversight subcommittee and reiterated the Commission’s long-standing call for Congress to pass comprehensive data security and breach notification bills. Such legislation would give the Commission greater authority to crack down on the growing threat of medical ID theft, which was a significant focus of Rich’s testimony. (Source: Arnold & Porter)

Eighty-one percent of security and privacy experts want FBI to disclose iPhone vulnerability. A poll of 140 high-profile security and privacy experts by Christian Science Monitor’s Passcode group found a significant majority in favor of the FBI disclosing any iPhone vulnerabilities that allow it to hack into the iPhone at the center of its temporarily-resolved battle with Apple. Writes @SaraSorcher and @MalenaCarollo: “[A] strong majority of security and privacy experts from across government and the private sector … cautioned about serious security risks if investigators don’t reveal the security flaw, and the dangerous precedent it might set.” (Source: Passcode)

Tennessee updates data breach notification law; now one of the strictest in U.S. Tennessee Gov. Bill Haslam has signed into law an update to the state’s data breach notifications. Now, breached organizations are required to notify customers within 14 days of the discovery of the breach. Writes Bruce Sarkisian of @AlstonBirdLLP, “Tennessee joins a small number of states requiring notice to be made within a certain time after an organization becomes aware of the breach. Tennessee’s is one of the shortest periods adopted to date. Puerto Rico’s data breach statute requires notice to be made to the Department of Consumer Affairs within ten days of discovery of a breach. Florida requires notice to individuals to be made within thirty days following discovery of the breach.” (Source: JDSupra)

Krebs (take two): W2 phishing attacks on companies netting a haul for tax ID fraudsters. As tax prep season kicks into high gear, tax ID fraudsters are using a new scheme to bring in employee information: sending phishing emails to corporate HR and finance departments seeking employee W2 information. Writes Krebs: “Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker Acronis; Kids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independent, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times.” (Source: KrebsonSecurity)

March Madness apps vulnerable to malware. Your bracket may not be the only thing that gets busted if you use apps to track the NCAA tournament scores, says Flexera Software. Writes @BSnyderSF, “Flexera analyzed 28 iOS apps, including the popular March Madness Live, Yahoo Sports, ESPN Tournament Challenge, and CBS Sports, and found that nearly all of them had potentially problematic features. March Madness Live, for example, can access and share users' calendar information on social media sites, and it links to ad networks, which can act as backdoors for malware. In fact, 26 of the 28 tested apps can access and share this information, and another 79 percent, including CBS Sports, Dish Anywhere and ESPN Tournament Challenge, can access iOS devices' location tracking features, according to Flexera.” (Source: CIO)

Attention DC lawyers: Clients increasingly demanding cyber insurance... Law firm clients are increasingly asking their legal eagles to purchase cyber insurance policies to help address the risk of data breach, writes @NellGluckman. “The policies that law firms typically carry, such as lawyers’ professional liability insurance, general liability insurance and property insurance, do not always provide coverage when employee rather than client data is compromised, or when the firm must hire a forensic team to determine what data was lost and how. They also most likely won’t cover the cost of notifying regulators or engaging a public relations firm. … Daniel Garrie, co-head of the cybersecurity practice at Zeichner Ellman & Krause, identified another factor that is pushing firms to buy cyber insurance. ‘Their clients are compelling the action,’ Garrie said. “They’re requiring the law firms to have cyber insurance as a matter of business.’” (Source: The American Lawyer)

… and breaches at Cravath and Weil Gotshal show why. Hackers’ renewed focus on law firms as a target was illustrated again this week as Wall Street firms Cravath and Weil Gotshal announced that they’ve been breached. @nicole_hong and Robin Sidel have the story for @WSJD: “The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.” (Source: Wall Street Journal)

Report: 60 percent of federal agencies have suffered a data breach. New research from data security firm @Vormetric finds that 60% of federal agencies have suffered a data breach, with 20% of those breaches happening in the past year. Among the other takeaways from the report, “federal agencies are planning to adopt modern security tools including cloud security gateways (40%), application encryption (34%), data masking (31%), and tokenization (27%) to protect sensitive data.” (Source: Information Week)

Report: One-fifth of companies experienced a mobile data breach. A survey of IT pro’s by Crowd Research Partners found that employees connecting to malicious WiFi hotspots is a significant vector for mobile device-based threats. According to the report, “one in five organizations (21%) suffered a security breach involving a mobile device sometime in the past, primarily due to connections to malicious Wi-Fi hotspots and malware.” (Source: CIO)

Upcoming events

Today - FCC March Open Meeting- Washington, DC
The Commission will consider a Notice of Proposed Rulemaking seeking comment on a proposed framework for ensuring that consumers have the tools they need to make informed choices about how their data is used and when it is shared by their broadband providers.

June 15 - FTC Start with Security - Chicago - Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

National Consumers League
Published March 31, 2016