National Consumers League

The #DataInsecurity Digest | Issue 50

Issue 50 | July 19, 2017

#DataInsecurity Digest: Russia behind Wolf Creek? Biometric data, 9-1-1 systems vulnerable 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s Note: Russia’s hacking of America’s critical infrastructure continues to worry security experts, with the hacking of the Wolf Creek nuclear facility in Kansas being the latest source of heartburn. Even our 9-1-1 systems could be at great risk of ransomware and other hacking attacks, according to a new report from Scripps News. A breach at self-service payment company Avanti is raising questions about the ability of companies to respond to breaches of biometric data. After all, while payment information breaches can be addressed by issuing new cards, breached entities can’t give consumers new fingerprints. Hacks at wrestling conglomerate WWE and a chain of family-owned movie theatres, B&B Theatres, suggest that hackers may be targeting entertainment companies next.

A quick programming note: The #DataInsecurity Digest will be taking a pause for the August recess after this issue. We’ll return to our normal bi-weekly publishing schedule after Labor Day.

And now, on to the clips!

-----------------

Russia believed to be behind the hacking of the Wolf Creek nuclear facility in Kansas. Officials stated that, “The possibility of a Russia connection is particularly worrisome,” as “Russian hackers have previously taken down parts of the electrical grid in Ukraine and appear to be testing increasingly advanced tools to disrupt power supplies.” Industrial Security expert Galina Antova writes, “We’re moving to a point where a major attack like this is very, very possible. Once you’re into the control systems—and you can get into the control systems by hacking into the plant’s regular computer network—then the basic security mechanisms you’d expect are simply not there.” (Source: Bloomberg)

Avanti Markets investigates potential payment system and biometric data breach. The company behind a popular self-service payment system is investigating a breach that may have compromised consumers’ credit card information and fingerprints. @briankrebs writes, “Credit cards can be re-issued, biometric identifiers are for life. Companies that choose to embed biometric capabilities in their products should be held to a far higher security standard than those used to protect card data.” (Source: Krebs on Security)

9-1-1 systems dangerously outdated, vulnerable to hacking and ransomware. State governments’ policies of diverting 9-1-1 funds to other unrelated projects have put consumers at risk. “Experts warn that the nation’s antiquated patchwork of 911 systems is an easy target for hackers who want to wreak havoc and criminals who want to hijack 911 and demand a ransom,” writes @greenblattmark. (Source: Scripps News)

Breach du jour: WWE wrestling. It was recently found that information on 3 million users of the WWE wrestling website was stored unprotected on an Amazon server for an undetermined amount of time. @branttom reports that compromised information could include “home and email addresses, birthdates, and the age ranges and genders of the account holders' children,” or “addresses, telephone numbers, and names of WWE account holders.” (Source: PCMag)

Breach du jour part deux: B&B Theatres. The seventh-largest movie theatre chain in America is investigating a breach of its payment systems. @briankrebs reports that experts estimate credit cards were exposed “between April 2015 and April 2017, meaning cyber thieves have likely been siphoning credit and debit card data from B&B Theatres customers for nearly two years undisturbed.” (Source: Krebs on Security)

Inspector General: OPM still not secure two years after breach. @Joseph_Marks_ writes that a newly released report from the Office of Personnel Management’s Inspector General found that “two years after suffering a massive data breach, the Office of Personnel Management still isn’t sufficiently vetting many of its information systems.” (Source: NextGov)

Suggested reading: WIRED’s review of the most devastating breaches so far this year. @lilyhnewman brings us a great summary highlighting this year's breaches, from the state-sponsored WannaCry ransomware attack to the Shadow Brokers’ use of the NSA’s leaked spying tools, and more. (Source: WIRED)

 

Published July 19, 2017