National Consumers League

The #DataInsecurity Digest | Issue 2

Issue 2 | Aug. 26, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s Note: The posting of subscriber data from extramarital affair site AshleyMadison.com last week underscores the significant harm that can affect millions of consumers when sensitive data is leaked. While little usable financial data was leaked, the nature of the Ashley Madison data means that subscriber information could result in lost jobs, the breakup of marriages, blackmail, or worse. Unfortunately, many of the data security and data breach notification bills that have been proposed in Congress include harm triggers that rely on financial harm to trigger notification. The Ashley Madison leak, despite its embarrassing nature, illustrates that broad definitions of “harm” should be included in any data security legislation that Congress considers when it returns from recess.

On to the clips...

-----------------

Ashley Madison leak is a sign of things to come; could lead to lost pensions, blackmail, suicides. @MikeMillerDC has the WaPo story on the fallout from the public posting of leaked subscriber data from the AshleyMadison.com hack: “Within minutes of the alleged leak, people began combing the data for information and posting their findings. Journalists and security experts quickly noted that there were 15,000 .mil or .gov email addresses among those used for the site. … Under military rules, philanderers can be punished by a year in confinement and a dishonorable discharge, which means losing their pension.” (Source: Washington Post)

Toronto PD: Unconfirmed reports of suicides linked to the leak. @Riannon_Westall @SunnyFreeman report from Avid Life Media’s home base in Toronto: “The Ashley Madison hack … has triggered spinoff extortion crimes and unconfirmed reports of suicides,’ … published U.S. media reports have said a police captain in San Antonio, Texas took his own life after his official email address was linked to an Ashley Madison account.” (H/T @BrianKrebs) (Source: Toronto Star)

Email addresses in Ashley Madison tied to “multiple” gov’t agencies, House, and Senate. @Cory_Bennett notes potential DC connections in leaked data. “Buried in the list are emails that could be tied to multiple administration agencies, including the State Department and Department of Homeland Security, as well as several tied to both the House and Senate. … Other tech news outlets … have discovered British government officials, United Nations employees, and Vatican staff among the millions of people in the leaked database.” (Source: The Hill)

AP connects Ashley Madison subscribers to White House, DOJ, DHS. @jackgillum and @tbridis find the first of what are sure to be many federal employees with sensitive jobs in the leaked data: “By tracing the IP addresses of people who visited the site over more than five years, AP reporters determined the visitors included two assistant U.S. attorneys; an information technology administrator in the Executive Office of the President; a division chief, an investigator, and a trial attorney in the Justice Department; a government hacker at the Homeland Security Department; and another DHS employee who indicated he worked on a U.S. counterterrorism response team.” (Source: Associated Press)

Krebs (@BrianKrebs) already seeing Ashley Madison extortion attempts. “Kellerman is convinced we’ll see criminals leveraging the AshleyMadison data to conduct spear-phishing attacks … ‘There is going to be a dramatic crime wave of these types of virtual shakedowns, and they’ll evolve into spear-phishing campaigns that leverage crypto malware,’ Kellerman said. ‘The same criminals who enjoy deploying ransomware would love to use this data.’” (Source: Krebs on Security)

More on Ashley Madison … “this feels like a momentous event.” @hermann of TheAwl.com sees the future in the AshleyMadison leak: “I’m not sure anyone is really reckoning with how big this could be, yet. If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private ... The result won’t just be getting caught, it will be getting caught in an incredibly visible way that could conceivably follow victims around the Internet for years.” (Source: The Awl)

Media interest in Ashley Madison data could linger. @lilyhnewman compares the coming fallout to revelations from the Sony breach: “In the case of the Sony hack, various embarrassing details about the company—or even just interpersonal relationships between high-profile people—came to light for weeks because the North Korean hackers had released huge troves of email correspondences. The Ashley Madison data will probably lead to the same type of slow but persistent revelations. Some discoveries will attract broad interest, but most will be important on a community or individual scale.” (Source: Slate)

What can we learn from the Ashley Madison leak? Via @euroinfosec: “Ashley Madison Fallout: 8 Security Takeaways” (Source: InfoRisk Today)

And in non-Ashley Madison news…

BIG win for the FTC; Court upholds data security authority. @b_fung has the story on the 3rd Circuit’s much-anticipated Wyndham decision: “Yes, federal regulators can go after firms whose lax security policies result in big hacks and a loss of personal data, a federal appeals court ruledMonday. … Monday's decision from the Third Circuit Court of Appeals clarifies the FTC's powers, giving it more ammunition against businesses that fail to invest in their own security.” (Source: Washington Post)

House Oversight teeing up another round of OPM hack hearings. @thisismaz preps for continued fallout from the OPM breach: “...Rep. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, is looking for details on the timeline of the response to the hacks as reported to [U.S. CERT] and details on computer security manuals exfiltrated from the Office of Personnel Management. … Rep. Gerry Connolly, a senior Democrat on the committee, says firings are not the answer … ‘Going after an agency head or CIO is a lot easier, a lot more comfortable, than dealing with the big systemic questions that Congress has failed to deal with.’” (Source: Federal Computer Week)

Box CEO: Gov’t IT “fundamentally broken.” Cloud storage company Box’s CEO @levie took to the pages of the WaPo to highlight the risks the OPM breach exposed: “...legacy software and infrastructure are the biggest weaknesses to protecting information. Attackers know how to exploit archaic technology—software that was designed in an era of less emphasis on security risk—and processes riddled with vulnerabilities.” (Source: Washington Post)

Former DHS CIO Richard Spires (@raspires) piles on with his take on gov’t IT’s security woes. “We will now likely pay an even greater cost in the exposure of the personally identifiable information of millions of current and former government employees—certainly in terms of those individuals’ privacy and potentially in terms of our national security as well.” (Source: Federal Computer Week)

Industry efforts to silence security researchers leaves consumers at risk. @kansasalps writes for WaPo on how Volkswagen's efforts to silence security vulnerability research helps criminals, hurts consumers: “But the story seems to represent a cautionary tale about how efforts to suppress security research can backfire, according to some experts: Companies attempting to save face or avoid costly repairs by keeping quiet about problems may end up leaving consumers at risk and without the information they need to make educated decisions about whom to trust.” (Source:Washington Post)

Target settles breach suit with Visa for $65M, but small lenders aren’t happy. Robin Sidel writes for the WSJ: “Card issuers have long complained about the process by which they are reimbursed for data breaches and the fraud that results from them. … the Visa agreement quickly drew criticism from small financial institutions ... said the latest agreement fails to fully reimburse them for their losses.” (Source: Wall Street Journal)

POTUS 2016 hopefuls need basic cybersec education. @josephcox gives the candidates an earful on basic #cybersec for @WIRED: “...anyone running for office in 2016, or working as an official (or really anyone, period) needs a basic grasp of good privacy and security practices. In February, Jeb Bush dumped a huge cache of his governmental emails onto the web in the name of transparency. What his office forgot to do, however, was redact the personal information of anyone included within that dump—such as the social security numbers of some Florida residents.” (Source: The Verge)

Quick hit: @jtarnow of Drinker Biddle reviews the pending student privacy bills, many of which have data security components. (Source: National Law Review)

Upcoming Events

Sept. 9 - FTC: Start with Security - San Francisco
The FTC’s initial “Start With Security” conference will focus on data security challenges for startups and developers. Last week, the FTC released its speaker lineup, and it’s a doozy. In addition to remarks from Chairwoman Edith Ramirez, we’ll also hear from Michael Coates (Twitter), Raymond Forbes (Mozilla), Paul Moreno (Pinterest), Pierre Farr (Google) and Yan Zhu (Yahoo), among others. Not to be missed: FTC chief technology Ashkan Soltani’s fireside chat with Accel’s Arun Mathew. AgendaStart with Security guide for businesses.

October - National Cybersecurity Awareness Month
Designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Oct. 14-15 - ICF International: CyberSci Summit - Fairfax, VA
ICF International is hosting this workshop to teach attendees about key solutions to challenges in cyber science, technology, and research and development in an age of cyber weapons. Keynote speakers include: William Glodek (U.S. Army Research Laboratory), General Michael Hayden (former CIA director), and Dr. Michael A. Wertheimer (former NSA research director). Free admission for federal employees, contractors, White House staffers, and academia.

Oct. 30 - Follow the Lead: An FTC Workshop About Online Lead Generation - Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

National Consumers League
Published August 26, 2015