The #DataInsecurity Digest | Issue 19

Issue 19 | April 27, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: If you’re a registered voter, it’s time to start worrying about the data that election authorities have about you. Coming on the heels of mega-breaches of voter information in Turkey and the Philippines, authorities in Mexico have confirmed that personal information on all 87 million Mexican voters has been leaked. With U.S. elections around the corner, it’s time to ask how American voters’ information can be secure, given the fact that the government sector just came in dead last in a survey of cyber vulnerabilities.

Is having your personal information hacked a turn-off? The 1.1 million users of beautiful people-only dating site BeautifulPeople.com are about to find out. Given the continued sorry state of data security in the U.S. and elsewhere, it should come as no surprise that 423 million identities were exposed by breaches in 2015, according to Symantec.

In other breach news: Tennessee just got rid of its breach notification law’s encryption safe harbor, making the state’s law the toughest in the country. If you sue mega-breach victim Anthem for damages stemming from the hack, be prepared to have them try and search your computer for security vulnerabilities. Finally, if you’re a Windows user who is still relying on Quicktime as your video player, it’s time to uninstall the old standby, since Apple will no longer be shipping security updates.

And now, on to the clips!

—————– 

Symantec: 423 million identities exposed by breaches in 2015. According to security firm Symantec’s annual Internet Security Threat Report, data breaches continue to expose hundreds of millions of consumers to a heightened risk of identity theft. Among the other worrisome findings: a new zero-day vulnerability was discovered every week in 2015, a 125 percent increase from 2014. Other lowlights: more than three-quarters of all websites had unpatched security flaws and the company noted a 35 percent increase in ransomware (H/T @timstarks). (Source: Symantec)

Every Mexican voter just got breached. Security researcher Chris Vickery is at it again. This time, he’s discovered that the entire electoral register of Mexico—names, parents’ names, addresses, and voter registration numbers of 87 million people—were accessible on Amazon Web Services without even a password. Writes @AdamShepherdUK, “While any leak of personal data is bad, this particular example is especially dangerous, according to officials. This is due to Mexico’s problems with kidnapping and gang violence, which could be exacerbated by the revelation.” (Source: CloudPro)

Breached Filipino voter data now searchable online. Last month’s epic hacking of the voter registration system in the Philippines, which exposed more than 55 million citizens, just got worse. That’s because the hacked data—including full names, addresses and passport numbers, fingerprint data, height and weight of voters and maternal and paternal names—is now easily searchable. (Source: WIRED.co.uk)

Are you still beautiful if you get hacked? Dating site BeautifulPeople.com, which bills itself as an “exclusively beautiful community” just lost some of its attractiveness. Data on 1.1 million members, including names, email addresses, encrypted passwords, private messages, geo-location information, and over 100 other individual data attributes such as sexual preferences, drinking habits, hobbies, and favorite movies has ended up on the Dark Web. Writes @campuscodi, “The BeautifulPeople is infamous online because, for many years, it advertised itself as a dating and meeting website for “beautiful people” only. All users had to go through a manual approval process where other site users would vote if they were attractive enough to join the site. In 2009, BeautifulPeople operators were bragging about rejecting 1.8 million from their site. Also, as people aged, lost hair, or gained weight, the website’s staff also regularly removed members deemed not beautiful enough.” (Source: Softpedia)

Quick hit: Ashley Madison class-action plaintiffs must identify themselves, says judge. Something tells me this may limit the number of people willing to come forward. (Source: Reuters)

RAND: Is “breach fatigue” not all it’s cracked up to be? New research from RAND Corporation finds that about a quarter of American adults reported receiving a data breach notification in the past year. However, only 11 percent of those notified said they would stop doing business with the breached entity. And, despite claims by some policymakers that breach notification laws lead to “breach fatigue,” @sciencedaily says the research suggests otherwise. “Surprisingly, 62 percent of consumers reported they accepted offers of free credit monitoring. This counters claims made by others that consumers are experiencing “breach fatigue” — where consumers become desensitized to the notices and either discount them or ignore important information contained in the notices.” (Source: ScienceDaily)

Anthem wanted to search breached plaintiffs’ computers for security flaws. One of last year’s mega-breaches was an insurer Anthem, which exposed 80 million customers’ records. Now, Anthem is trying to shift the blame for harm potentially stemming from the breach on to affected consumers themselves. Writes @HallSd, “Anthem faces multiple lawsuits after a data breach that compromised information for 80 million customers, though it contends that no fraudulent activity has been linked to the breach. Plaintiffs argue otherwise. … Meanwhile, attorneys for Anthem tried to get permission to search the plaintiffs’ computers for security flaws that could have led to identity theft or fraud. The federal court rejected that motion.” (Source: FierceHealthIT)

FBI backs off latest effort to circumvent Apple’s encryption. The FBI’s decision to abandon its efforts to force Apple to break its iPhone encryption in a New York case signals that the FBI is no closer to solving its encryption woes than before. Writing for @verge, @russellbrandom takes a look back at the last few months of Bureau misadventures in court. He writes “The only win the FBI has from the past three months is a secret new method for unlocking iPhones, disclosed to the agency at the close of the San Bernardino case — but in the weeks since then, each new piece of news has made the FBI’s hack look worse. … The FBI’s retreat on Friday means that decision stands, which is bad news for anyone hoping to compel tech companies to unlock their products.” (Source: The Verge)

New Tennessee breach notification law removes encryption safe harbor. Given their role leaders in data breach notification and data security standards lawmaking, it will not be surprising to see groups taking a cue from Tennessee’s new data breach notification law, which will cover breaches of unencrypted AND (for the first time) encrypted data. The law will also add Tennessee to the list of states that mandate a specific time period after a breach is discovered for notice to occur. In Tennessee’s case, the deadline will be 45 days after the beach is discovered. (Source: Davis Wright Tremaine)

Tennessee breach notification law now toughest in the country, could be a model. By removing its encryption safe harbor and mandating a 45 day notification deadline, Tennessee’s new breach notification law makes it the toughest such law in the country, according to legal experts. Writes Jennifer Williams-Alvarez: “Though the law doesn’t require notice without question in all circumstances, it’s clear that companies storing Tennesseans’ information have more to think about when it comes to a data breach. Tennessee is now ‘making a distinction’ between strong and weak encryption, says J. Matt San Roman of Wyatt Tarrant & Combs. That distinction ‘is not being made in other states,’ he says.  Many states are putting heightened requirements on companies hit with breaches, so Tennessee’s new law could be a model. ‘It wouldn’t surprise me to see other states following suit,’ says San Roman.” (Source: Corporate Counsel)

Nebraska’s breach notification law gets an update too. Nebraska Gov. Ricketts last week signed in to law a modification to the state data breach notification law. The amended law will now include user name and email address in combination with a password or security question in the definition of “personal information.” The new law also requires notification of the state Attorney General and strengthens the definition of “encrypted” information. (Source: Kelley Drye)

Survey: 47 percent of broadband households concerned about security of connected devices. As consumers embrace the coming world of connected devices, security is a top concern. Writes @ParksAssociates “47 percent of U.S. broadband households are concerned their private information stored on connected devices could be made public. Another 47 percent are worried companies will sell their personal information.” (Source: Parks Associates)

Report: Government sector dead last in cybersecurity. President Obama’s cybersecurity planners have a big job ahead of them, according to risk benchmarking startup SecurityScorecard’s new report. According to @Reuters, “U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare … [t]he analysis … measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.” (Source: Reuters)

Should OPM provide free credit monitoring for life and pay for credit freezes? The breach at OPM exposed incredibly sensitive information of more than 20 million current and former federal employees and federal job applicants. Should OPM be doing to more to protect those exposed to a heightened risk of ID fraud because of the breach? Writing in @FedNewsRadio, federal retirement expert Randy Silvey seems to think so. “As I have already eluded to, identity protection should be a LIFETIME free service for anyone that has had their identities compromised due to this wide scale identity assault. It should never be the responsibility of the breach victims to ever pay for this type of service … ever! … OPM should also offer to pay for a personal credit freeze to these injured individuals. This would aid in filling some of the gaps that are apparent in the identity protection service.” (Source: Federal News Radio)

US-CERT to Windows users: time to uninstall Quicktime. As Apple ends support for ubiquitous video player Quicktime on Windows, federal cyber experts are recommending that Windows users delete the software. In an alert @USCERT_gov writes, “Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.” (h/t @BrianKrebs) (Source: US-CERT)

Giant Food requiring gift cards to be paid for with cash or debit because of fraud. Because of a spike in scammers using counterfeit credit cards to purchase prepaid cards (a common way to launder money from stolen cards), Maryland-based Giant Food has started requiring all such purchases to be made with cash or PIN debit, writes @briankrebs. “One of the easiest ways thieves can cash out? Walk into a grocery or retail store and buy prepaid gift cards using stolen credit cards. Such transactions—if successful—effectively launder money by converting the stolen item (counterfeit/stolen card) into a good that is equivalent to cash or can be easily resold for cash (gift cards). … Meanwhile, every Giant I visit still asks me to swipe my chip-based card, effectively negating any added security the chip provides.” (Source: KrebsonSecurity.com)

New exploit targets unpatched Android devices with ransomware. Android malware has typically relied on good old-fashioned social engineering to get consumers to install malicious apps. However, a new breed of ransomware targeting older versions of Android (v.4.0-4.3) requires no user interaction at all. Writes @dangoodin001, “[D]espite the limitations, there are several reasons the attacks represent a threat that’s worth watching. For one, by Google’s own figures, about 23.5 percent of all Android devices remain vulnerable to the attacks, and if Blue Coat version 4.4 users are indeed susceptible as Blue Coat suspects, the percentage jumps to almost 57 percent. Remember, too, that a sizeable portion of vulnerable handsets will never receive an update.” (Source: ArsTechnica)

Quick hit: Even God gets breached sometimes. (Source: SC Magazine)

Upcoming events

June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

National Consumers League
Published April 27, 2016