The #DataInsecurity Digest | Issue 4

Issue 4 | Sept. 23, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: In this edition of the #DataInsecurity Digest, we examine the continuing fallout from the December 2013 Target breach, as revelations from leaked after-action reports detail the Target vulnerabilities that led to the hack. Expect this new information to give fuel to the plaintiff’s bar. In other news, the Apple App Store, once thought nearly impregnable, shows its vulnerability to hacking, with hundreds of malware-infested apps making it into the store. Finally, we look at the latest mega-breaches—10M consumers affected at New York-based health insurer Excellus and 80,000 Cal State students. These breaches are just a few of many in the troubling spate of breaches targeting health insurers and universities. These institutions often have an enticing (to hackers) combination of valuable data and weak data security.

On to the clips…

—————–

Krebs: Leaked after-action report on Target breach showed little/no impediment to attackers. @briankrebs gets his hands on a leaked Verizon report on the Target breach: “Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store. … In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.” (Source: KrebsonSecurity)

More pain on the way for Target as bank suit gains class-action status. @megangeuss covers the latest twist in the ongoing Target breach legal fallout: The plaintiffs named five banks that originally sued Target—Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain—to represent the class. These banks claimed that they sustained over $5 million in damages from the Target breach. (Source: Ars Technica)

Apple App Store invulnerable no longer: 344 apps tainted. @jim_finkle has the story for Reuters on how hackers finally cracked the App Store: “The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps. … The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.” (Source: Reuters)

Get smart quick: What Wyndham and Target decisions mean for breach liability. @FYRashid brings us up to speed on the growing legal liability faced by breached businesses in the wake of recent court decisions: “Combine the District Court decision against Target with the recent appellate decision in the case between Wyndham and the Federal Trade Commission, and it’s clear organizations are being held to a higher standard than before.” (Source: InfoWorld)

Guilty plea for Heartland hacker, via @ismg_editor. “Vladimir Drinkman, 34, has pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud, prosecutors announced Sept. 15. … [He] faces a maximum sentence of 30 years in prison on the wire fraud charge and five years on the other charge, plus fines. … ‘This hacking ring’s widespread attacks on American companies caused serious harm and more than $300 million in losses to people and businesses in the United States.’” (Source: Data Breach Today)

Breach du jour: 10 million Excellus health care subscribers. “Excellus, an upstate New York health care company, says information for as many as 10 million of its clients nationwide may have been exposed in an attack dating back to 2013. … The attackers may have gained access to Excellus clients’ names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claim information, the company said.” (Source: USA Today)

What makes health care data so valuable to hackers? Longer shelf life than financial data. @FYRashid gets a double-dip in this edition of the #DID: “Financial data has a finite lifespan because it becomes worthless the second the customer detects the fraud and cancels the card or account. … information contained in health care records has a much longer shelf life and is rich enough for identity theft. Social Security numbers can’t easily be cancelled, and medical and prescription records are permanent.” (Source: InfoWorld)

Breach du jour part deux: 80K Cal State students affected by data breach. Affected students were enrolled in an online sexual violence prevention course. Breached info included “passwords, login names, campus-issued email addresses, gender, race, relationship status and sexual identity.” (Source: L.A. Times via @carlareiveralat)

Universities are becoming prime targets for hackers. @KWagstaff and @CASottile examine the growing trend in university data breaches: “In 2014, 10 percent of reported security breaches involved the education sector … That trails only health care (37 percent) and retail (11 percent). … Despite the frequency of attacks, many schools aren’t prepared to defend themselves. … Tinfoil Security tested the networks of 557 state universities with a cross-site scripting (XSS) attack. Twenty-five percent of them were vulnerable.” (Source: NBCNews.com)

Gemalto: Number of breaches up 10%, number of compromised records down 41% in 1st half of 2015. @Gemalto is out with their newest Breach Level Index report, which contains some interesting nuggets: “Identity theft remained the primary type of breach, accounting for 75% of all records compromised and slightly more than half (53%) of data breaches in the first half of 2015. Five of the top ten breaches, including the top three – which were all classified as Catastrophic on the BLI – were identity theft breaches, down from seven of the top 10 from the same period last year.” (Source: Gemalto – Full report)

Xi visit linked to fewer China-based hacks? Major intrusions by Chinese hackers of U.S. companies’ computer systems appear to have slowed in recent months, private-sector experts say, ahead of a meeting between China’s president and President Barack Obama with cyber security on the agenda. (Source: Reuters)

And finally, because we can’t get enough of data breach infographics … Barricade’s @jackleonardme brings us “Anatomy of a Data Breach” (Source: Barricade)

Upcoming Events

October – National Cybersecurity Awareness Month
Designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Oct. 6 – U.S. Chamber of Commerce: Fourth Annual Cybersecurity Summit – Washington, DC
The U.S. Chamber of Commerce is pleased to host the Fourth Annual Cybersecurity Summit to explore the latest threat landscape, market-based and public-private solutions, and the new framework. The summit will feature speakers from the business community, international experts, the administration, and Congress.

Oct. 14-15 – ICF International: CyberSci Summit – Fairfax, VA
ICF International is hosting this workshop to teach attendees about key solutions to challenges in cyber science, technology, and research and development in an age of cyber weapons. Keynote speakers include: William Glodek (U.S. Army Research Laboratory), General Michael Hayden (former CIA director), and Dr. Michael A. Wertheimer (former NSA research director). Free admission for federal employees, contractors, White House staffers, and academia.

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published September 23, 2015