National Consumers League

The #DataInsecurity Digest | Issue 24

Issue 24 | July 7, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Ransomware continues to make news and not in a good way. More than 650,000 patient records are being sold on the dark web thanks to data breaches in three states. The hacks underscore HHS Secretary Burwell’s urgent call on the healthcare industry to treat ransomware as a “major threat to all aspects of your business.” In a new Morning Consult piece, I take a look at this issue in depth and argue that Congress should do more to take on data security reform. Another hack of the Hillary Clinton campaign led to leaks of sensitive information, including an email discussion of how staffers can run interference on reporters. And while companies have for the most part been able to fend off lawsuits when their breaches affect consumers, that could be changing soon according to the Wall Street Journal. Alternatively, perhaps we hold consumers liable for their own lack of cyber hygiene, says a professor at the Rochester Institute of Technology. Finally, proof that not all hacks have to end badly—a NASCAR team netted a new sponsorship deal when they fell victim to a ransomware attack.

And now, on to the clips!

-----------------

HHS Secretary Burwell: ransomware a “major threat to all aspects of your business.” The recent spate of ransomware attacks targeting hospitals is drawing the attention of the HHS. Last week, HHS Secretary Sylvia Burwell weighed into the data security discussion when she released guidance to healthcare providers on how to handle ransomware attacks. In addition to highlighting the importance of data security, Secretary Burwell called for “team member education, proper cyber hygiene, comprehensive backup and recovery procedures, and continuity planning,” also stating that, “Just like health care professionals wash their hands before procedures, we need to develop the habit of keeping our systems and data healthy, secure and recoverable.” (Source: Department of Health and Human Services)

Tooting my own horn: Ransomware attacks highlight need for Congressional action. Ransomware attacks at hospitals like DC’s MedStar Health are having real consequences for patient health, I write in Morning Consult this morning. The FBI reported this spring that more than $209 million in ransoms were paid in the first quarter of 2016 alone. In the MedStar hack, the hospitals actually had to turn away patients. “Hoping for the best—or worse, paying ransoms—is not an effective way to combat ransomware attacks,” I argue. The Senate took a good first step in convening a hearing in May, and the FTC will examine the issue in September, but more can and should be done by Congress. Head over to Morning Consult to read the full story.

For sale: 665,000 patient records, mostly unencrypted. This week, hundreds of thousands of records from three different poorly secured medical databases appeared on the dark web for sale—the largest of which has a price tag of 607 bitcoin. @josephfcox reports, “The breaches supposedly comes from three different healthcare organizations: one in Farmington, Missouri with 48,000 records; another in Atlanta, Georgia with 397,000 entries, and the third in the Central/Midwest US with 210,000 records.” @jdebunt observes, “All of this paints a very worrisome picture for hospital IT security in general. Storing confidential information in plain text is not acceptable. Moreover, using horrible security measures through common usernames and passwords is one of the worst ideas. Something has to change sooner rather than later, as this may only be the tip of the iceberg of what is to come.” (Source: Motherboard and The Merkle)

Could this be just the tip of the iceberg? 665,000 records is a daunting amount of personal information to be sold on the dark web, but reports are now surfacing that the same hacker selling the data could also be selling a database in excess of 9 million medical records. The database was discovered by @owlcyber and “was stolen using a zero-day exploit—otherwise known as an undisclosed software vulnerability—in Microsoft's Remote Desktop Protocol.” (Source: Fed Scoop)

Phishing attack leads to embarrassment for Clinton campaign. News recently surfaced that the Hillary for America campaign suffered a spear phishing attack that ensnared a volunteer through a spoofed login page in March. The attacker targeted both senior and junior “individuals managing Clinton's communications, travel, campaign finances, and advising her on policy,” reported @SecureWorks. @tsgnews obtained some of the stolen information from the campaign, which “provided hackers with a glimpse at the inner workings of a massive presidential campaign—from schedules and talking points to briefing books and assorted logistics.” @tsgnews also provided readers with an email chain from the breach where Clinton staffers coordinated interference efforts to keep certain reporters from getting close enough to ask Secretary Clinton a question at campaign events. (Source: The Smoking Gun and SecureWorks)

Hacks take Democratic House offices offline. On the heels of the DNC’s opposition research breach, one might assume that Democrats would be extra careful over their cybersecurity. Nonetheless, the official websites of 17 members were recently downed by hackers for more than a week. With this embarrassing and lengthy hack, Democrats are looking for who is to blame and that role appears to be falling on tech company DCS. Politico’s @ericgeller reports, “With the exception of (Representative) Perlmutter, all of the affected lawmakers have contracts with a company called DCS to manage their websites. DCS builds websites using Joomla, a content management system that has suffered from serious security flaws.” Despite the fix DCS was able to provide on Friday, Politico reports that aids are still unable to update and post new information to their websites through their admin account due to a new security feature. (Source: Politico)

Could your security software be your biggest vulnerability? Installing anti-virus software and keeping it updated is one of the basics of cyber hygiene. But, what can consumers do when the antivirus programs themselves have serious security vulnerabilities? That’s the question Google security researcher @taviso is asking after his research discovered critical flaws in Symantec’s entire suite of antivirus tools. Such vulnerabilities may be symptomatic of the security industry overall, writes @KimZetter. “This isn’t the way it’s supposed to be. Security software tasked with protecting our critical systems and data shouldn’t also be the biggest vulnerability and liability present in those systems. … In many cases, the same software can be running on every desktop or laptop machine on an organization’s network, exposing a large attack surface to compromise if the software contains vulnerabilities.” (Source: WIRED)

FTC opens inquiry into Ashley Madison hack. The massive breach at the dating website Ashley Madison last year cost the CEO his job, resulted in blackmail attacks, and at least one suicide among the 30 million affected users. Now the company is in the crosshairs of the FTC, according to @mmcphate. In an effort to rehabilitate itself, the site intends to now focus on more than just facilitating extramarital affairs. According to parent company Avid Life Media’s president James Millership, the new goal is “to build the world’s most open-minded dating community[.]” (Source: New York Times)

Personal information of nearly 2,500 U.S. military officers hacked and leaked. Ghost Squad, a hacking group that previously attacked the KKK and the Black Lives Matter Movement and has been associated with the Anonymous collective, recently published U.S. military personnel data as a protest against U.S. policies in the Middle East. @BatBlue confirmed the breach stating, “The leaked database is in the format of .txt file and contains nearly 5,000 lines of data on almost 2,500 United States Army officials. The leaked data includes military officials’ full names, phone numbers, email addresses, dates of birth, home addresses and credit card information.” (Source: Bat Blue)

Dating site Muslim Match hacked: Nearly 150,000 dating profiles and 790,000 private messages dumped online. Sensitive information such as user's’ occupation, living situation, marital status, and whether they would consider polygamy were included in the data dump. The dump also contained the private messages of users discussing everything from religious debates to marriage proposals. @josephfcox provides us with a teachable moment in the wake of this poorly secured website breach (the site did not use HTTPS) by stating that, “Users should scope out a service they intend to use beforehand: Does it use encryption on login screens? Is it a forum based on a vulnerable piece of software like IP.Board? These checks could come in especially handy with services that deal with as much sensitive information as dating sites.” (Source: Motherboard)

Hackers slurp up card data at Noodles & Company. Consumers looking to get their pasta fix at the Noodles & Company chain of restaurants may have gotten more than just an excellent mac and cheese. Last week, the company announced that between January 31 and June 2, 2016, hackers installed malware on their systems, which collected customer names, card numbers, expiration dates, and CVV information. It’s unknown how many cards were affected, but the malware infected restaurants in 27 states and the District of Columbia, according to the company. The breach has been resolved, but Noodles & Company is recommending that you monitor your credit for fraudulent activity. (Source: Consumerist and Noodles & Company)

One tenth of OPM breach victims still not notified. It’s been over one year since the OPM breach that compromised the background files and Social Security numbers of 21.5 million people. Yet, upwards of 2 million victims have not yet been notified that their data was compromised. Typically, victims receive a formal letter informing them of their victimization and that, “They are eligible for identity restoration services and insurance for costs related to identity theft. While those benefits are automatic, affected persons have to enroll to gain additional free identity monitoring and credit monitoring services,” reports @EricYoderWP. OPM Acting Director Beth Cobert explained the extensive delay by stating, “About 10 percent of the letters intended to reach those impacted by the background investigation incident were returned because people had moved, the letters were incorrectly addressed, or other factors.” (Source: Washington Post)

Judges grappling with how companies should compensate consumers for breached personal data. As data breaches become increasingly common, more and more lawsuits are being filed on behalf of consumers demanding compensation for the breach of their personal and financial information. @nicole_hong reports that this has set up an interesting legal debate with plaintiffs arguing, “That [consumers] pay for a company’s services with expectations their privacy will be protected, and when that privacy is breached, it means they overpaid and should be reimbursed.” Companies on the other hand argue, “Having personal data compromised doesn’t necessarily equate to an injury that merits compensation.” (Source: Wall Street Journal)

Celebgate hacker pleads guilty. Edward Majerczyk, the man that was believed to be behind the 2014 “Celebgate” incident, in which the nude photos of more than 100 celebrities including Rihanna and Jennifer Lawrence, were leaked on the web, now faces up to 5 years in prison for his actions. Majerczyk, recently plead guilty to running a phishing campaign designed to trick celebrities into visiting malicious “security” websites to steal login names and passwords for more than 300 iCloud and Gmail accounts. Deirdre Fike, assistant director of the FBI’s Los Angeles office, condemned Majerczyk’s actions: "This defendant not only hacked into email accountshe hacked into his victim's' private lives, causing embarrassment and lasting harm." (Source: BBC)

Google CEO’s Quora account gets hacked. OurMine, the same hacker outfit that hacked Mark Zuckerberg’s Twitter account, just hacked Google CEO Sundar Pichai’s Quora account. Pichai’s hack gained notice when his Twitter account, which was linked to his Quora account, began posting updates such as “Hey, it’s OurMine, we are just testing your security please visit OurMine to update it.” (Source: The Verge)

Buy it now: Personal data still on used eBay hard drives. Security firm @BlanccoTech recently purchased 200 used hard drives on eBay and found that 67 percent contained personally identifiable data and that 11 percent contained sensitive corporate data such as emails, sales projections, and spreadsheets. @philmuncaster reports that Blanco Technology Group (BTG) purchased the “solid state drives from eBay and Craigslist in Q1 and then analyzed them to see if any data had been left behind by their previous owners. BTG warned firms that failure to properly wipe drives before putting them up for resale could result in a data breach which ultimately hits the bottom line as well as customer loyalty and the reputation of the brand.” (Source: Info Security)

Should we punish the victims of hacking? Josephine Wolff, a professor at the Rochester Institute of Technology, has raised several interesting questions in regards to whether or not data breach victims themselves should be punished. Wolff ponders, “For the most part, discussion of these careless mistakes and oversights on the part of people with poor computer hygiene centers on the need for better education and awareness-raising. Very rarely do we grapple with the question of whether, perhaps, the only way to get individuals to take this seriously and actually change their behavior––to be more attentive to issues of security––is if there are concrete penalties and consequences associated with participating in bots, falling for phishing attacks, failing to install security updates, and other basics of computer hygiene.” (Source: The Atlantic)

Dessert: NASCAR revs up the fight against ransomware. Driver Michael McDowell's newest sponsor is not the typical NASCAR sponsor. Malwarebyte, a digital security company, recently agreed to sponsor McDowell after his entire computer system was the subject of a ransomware attack. Team Vice President Jeremy Lange was pleased that this sponsorship would enable them to spread the word about the risks of ransomware, stating that McDowell’s experience of being hacked proved that ransomware attacks can really happen to anyone. “It's really to build awareness among the NASCAR community and elsewhere by talking to people … let them know about the story. [That] was really what drove us to reach out to Malwarebytes because it's a real, live case study of sorts.” (Source: NASCAR and InfoSecurity)

Upcoming events

September 7 - Fall Technology Series: Ransomware - Washington, DC
The FTC’s first event in this year's Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published July 7, 2016