National Consumers League

The #DataInsecurity Digest | Issue 53

Issue 53 | October 5, 2017

#DataInsecurity Digest: Momentum for action on data security standard building

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Momentum for federal action on data security standards continued to grow this week. Equifax’s ousted chief executive is testifying this week at four separate hearings in both the House and Senate to mixed reviews, so far. Verizon announced that a security review of its newly-acquired Yahoo unit discovered that 3 billion accounts were actually compromised in hacks, which was previously estimated at only 1 billion. Director Richard Cordray of the Consumer Financial Protection Bureau (CFPB) may have provided consumers with some peace of mind when he announced that the CFPB will begin monitoring the security practices of the giant credit reporting agencies to ensure that nothing like the Equifax breach ever happens again. Meanwhile, millions of credit cards have been compromised due to a point-of-sale breach at both Sonic Drive-In and Whole Foods.

On to the clips!

-----------------

Bipartisan demand for more data security protections at Equifax hearing. Both sides of the aisle at Tuesday’s Energy and Commerce Committee hearing expressed outrage over the never-ending stream of data breaches. Rep. Joe Barton (R-TX) called for new federal laws to “put some teeth behind penalties for data breaches …[w]e could have this hearing every year from now on if we don’t do something to change the current system.” Rep. Barton also called for additional penalties so “that even a company that’s worth $13 billion would rather protect the data, and probably not collect as much data, than have to come up here and appear and say ‘we’re sorry.’” (Source: New York Times)

Yahoo breach actually impacted 3 billion accounts. The previously-reported 1 billion record breach at Yahoo (now known as Oath after its acquisition by Verizon) was actually much bigger. Try 2 billion records bigger. This makes the biggest-ever breach in history even larger by orders of magnitude. “On the one hand, this new information doesn't really change things in a practical sense, because the initial billion account estimate was already enormous—you could safely assume you were impacted—and Yahoo took protective steps for all users in December,” writes @lilyhnewman. “On the other hand, three billion accounts.” (Source: WIRED

CFPB to be one of the cops on the beat charged with protecting consumers’ data security. Consumer Financial Protection Bureau director Richard Cordray recently commented that, "[i]f [companies] are going to restore public confidence in this marketplace, and if they're going to create the kind of reforms necessary, they're going to have to recognize the old days of just doing what they want, being subject to lawsuits now and then, are over … We're going to have monitoring in place that's preventive. It's going to be a different regime than we're used to." Codray also took a swipe at the credit bureaus’ past indifference to data security, saying. "[i]n the past they (credit bureaus) dealt with these problems on their own. They did the best they could. ... That's not good enough." (Source: CNBC)

While the SEC’s data breach is smaller in size, its impact may be just as damaging as Equifax’s. SEC chairman Walter J. Clayton acknowledges that a breach at his agency “may have provided the basis for illicit gain through trading.” However, Clayton’s public response to the breach made matters even worse when he said that “even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.” This led @peterjhenning to reflect, “Those words are certain to be cited back to the SEC by any company — especially Equifax — when questions are raised about the systems it uses to prevent digital attacks and make a timely disclosure to the public when they do occur." (Source: New York Times)

Breach du jour: Sonic Drive-In breach compromises up to 5 million credit cards. Last week @briankrebs broke the story that the fastfood drive-in restaurant was the subject of a point-of-sale breach after 5 million credit cards were posted for sale on the dark web. Krebs cautions that Sonic may not be responsible for all of the 5 million cards as, “there are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.” (Source: Krebs on Security)

Breach du jour part deux: Whole Foods. Last week Whole Foods announced that its full-service restaurants and taprooms were the subject of a point-of-sale breach. @justinwmmoyer of @washingtonpost reports that 56 stores across the country were impacted by the breach. The grocery store chain stated that as its “restaurants and taprooms use a separate checkout system and information, its grocery shoppers weren’t affected.” (Source: Wall Street Journal)

Government contractor and cybersecurity firm Deloitte hacked. While Deloitte claims that the breach impacted “very few” clients, @briankrebs reports that it may be much more widespread than the company is acknowledging. Krebs’ sources stated that “investigators still are not certain that they have completely evicted the intruders from the network,” and that the hackers “accessed the entire email database and all admin accounts ... [b]ut we never notified our advisory clients or our cyber intel clients.” (Source: Krebs on Security)

Quick hit: McAffee report finds ‘health, public and education sectors collectively comprised more than 50 percent of all cybersecurity incidents.’ McAffee’s report also found that “the majority of publicly-disclosed cybersecurity incidents (78 percent) took place in the Americas.” (Source: Becker’s Hospital Review)

Events

February 28, 2018 - Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published October 5, 2017