National Consumers League

The #DataInsecurity Digest | Issue 57

Issue 57 | November 30, 2017

#DataInsecurity Digest: Uber under fire for breach cover-up

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: Election insecurity was back in the news this week with reports that President Trump’s election integrity commission made voting data of nearly 100 million citizens vulnerable to hackers. Meanwhile, the potential financial fallout from past data breaches became apparent with Hilton Hotels paying out $700,000 to settle charges from two of its 2015 data breaches. There were also reports that Equifax’s data breach could cost the company $110 million. And, not surprisingly, a new Gallup poll found that Americans are more worried about cyber crime than any other type of crime.

On to the clips!

-----------------

Uber attempted to cover up a 57 million-account breach. Last week, Uber disclosed that millions of customer and driver names, phone numbers, and email addresses were stolen from a third-party server. In its disclosure, Uber acknowledged that it paid a $100,000 ransom to the hackers. @MikeIsaac reports that not only did Uber pay the ransom, but, in order to keep the breach secret, “the company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty.’” (Source: New York Times)

Uber facing Congressional scrutiny for breach cover-up. Members of Congress on both sides of the aisle, including Senate Commerce Committee Chairman John Thune (R-SD), are beginning to question Uber’s handling of its massive data breach. Thune, along with three other Senate Republicans, sent a letter to Uber demanding “a full timeline of the breach discovery and Uber’s following actions.” Thune and colleagues noted in the letter that it’s not just that the company “concealed the breach without notifying affected drivers and consumers,” it’s that “prior privacy concerns at Uber” make it “a serious incident that merits further scrutiny.” (Source: Recode)

At least five states are investigating Uber. Illinois, Massachusetts, Missouri, New York, and Connecticut have all pledged to investigate Uber’s mishandling of its breach. In addition, @TonyRomm reports: “Uber must contend with the possible threat of a new probe at the Federal Trade Commission.” While the top privacy enforcement agency has not said it will investigate Uber, it has stated that it is “closely evaluating the serious issues raised.” (Source: Recode)

Criminals are using Equifax data to open credit cards and take out mortgages in victims’ names. Numerous accounts of identity theft came to light after a national class action lawsuit, Allen et al v. Equifax, was filed. One plaintiff has claimed that “multiple ‘unauthorized mortgages’ have been applied for using his stolen information.” (Source: Washington Post)

Pentagon leaves 1.8 billion documents on unsecured server. While the documents were not classified, as they were “internet posts scraped from social media, news sites, forums and other publicly available websites,” @selenalarson reports that the Pentagon’s “failure to fully secure the data raises concerns about government cybersecurity practices.” (Source: CNN)

Iranian hacker charged for HBO breach. Iranian hacker Behzad Mesri is facing charges for the theft of 1.5 terabytes of data that was stolen from HBO last May. The data includes unaired episodes of “Ballers,” “Barry,” “Room 104,” “Curb Your Enthusiasm,” “The Deuce,” and the script of an unaired episode of “Game of Thrones.” The hacker released the data to the public after HBO refused to pay a $6 million ransom. (Source: New York Times)

UK warns that Putin could use your Tinder account to blackmail you. The UK’s National Cyber Security Centre (NCSC) is warning that “Russian hackers are capable of tracking users' electronic footprints on Tinder and other social media that helps them build up a user profile,” even if users created an anonymous profile. The NCSC further warned consumers: “attackers could use the data for a variety of malicious purposes.” (Source: Daily Mail)

Events

February 28, 2018 - Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

Published November 30, 2017