National Consumers League

The #DataInsecurity Digest | Issue 61

2017 found to be worst year ever for data breaches

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Just because cybersecurity did not receive a mention in President Trump’s State of the Union, did not mean that data breaches were not garnering headlines in recent weeks. 2017 was found to be the worst year for data breaches ever by the Online Trust Alliance. Nearly half of American organizations were breached in the past 12 months, up from 24 percent in 2016, according to Thales. Other big news this week comes from our colleagues at Consumer Reports, who published the first reviews of smart TVs using the organization’s new Digital Standard for privacy and security. CR’s tests found that leading smart TVs have significant security vulnerabilities that could allow hackers to change channels, raise volumes, or play disturbing YouTube content.

All this comes with fallout from the Meltdown and Spectre vulnerabilities continuing to brew, with many key cybersecurity vacancies remaining in the Trump Administration, and with reports of the new CFPB director abandoning the agency’s investigation of the Equifax mega-breach.

And now, on to the clips!

-----------------

2017 declared the worst year for data breaches ever. The Online Trust Alliance released its annual report, finding that ransomware incidents doubled from 2016 to 2017 and cost consumers and businesses $5 billion. “Surprising no one, 2017 marked another ‘worst year ever’ in personal data breaches and cyber incidents around the world.” The report also found that 93 percent of data breaches could have been avoided. (Source: Online Trust Alliance)

Number of breached organizations nearly doubled in 12 months. A survey conducted by Thales found that, in the last 12 months, 46 percent of U.S. organizations experienced a breach. This is a significant increase from the 24 percent of organizations that were breached in 2016. (Source: Thales)

Lawmakers take aim at Uber. On Tuesday, “Democrats and Republicans alike needled the ride-hailing company for withholding information even as it faced a federal investigation for its privacy and security practices.” Ranking Member Bill Nelson (D-FL) cautioned against current legislative efforts to weaken data security: “better for Congress to pass no bill than to pass a bill that provides less protections to consumers compared to the status quo.” (Source: The Hill)

Smart TVs vulnerable to hacking. In the first use of its new Digital Standard for privacy and security, our colleagues at Consumer Reports have published the findings of their tests on leading “smart” TVs. The results weren’t pretty, particularly for TVs using the Roku platform: “Roku devices have a totally unsecured remote control API enabled by default,” said Eason Goodale, [CR partner] Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.” (Source: Consumer Reports)

Consumers Union: Report underscores need for Congress to act on data security. Consumers Union, the advocacy arm of Consumer Reports, used the findings of the magazine’s connected TV report to press for Congressional action on data security standards. “Congress needs to pass data security standards for connected products, and federal regulators need to step up and hold companies accountable for the privacy, security and safety of these products,” said CU’s @JustinBrookman. “For years, consumers have had their behavior tracked when they’re online or using their smartphones. But I don’t think a lot of people expect their television to be watching what they do.” (Source: Consumers Union)

More than $1 million stolen from U.S. ATMs. “Jackpotting”--the hijacking of ATMs by hackers to spit out cash much like a slot machine--has long been a problem for European banks. Last week however, the problem arrived in the United States with a half-dozen incidents. “The spate of attacks represented the first widespread jackpotting activity in the United States,” said Matthew O‘Neill, a special agent for the Secret Service. “Previous campaigns have been spotted in parts of Europe and Latin America in recent years. It was just a matter of time until it hit our shores.” (Source: Reuters)

Researchers have found 139 different types of malware designed to exploit Meltdown and Spectre. This is a significant increase from reports in January, when researchers found 77 malware samples. @EduardKovacs reports that, “while a majority of the samples appear to be in the testing phase, we could soon start seeing attacks.” (Source: Security Week)

Quick hit: Intel working “around the clock” to solve Spectre and Meltdown security flaws. Intel informed investors in a quarterly earnings call that it plans to “release updated chips later this year to provide a long-term solution.” (Source: Washington Post)

Acting CFPB director believed to be canceling Equifax investigation. @PatrickMRucker is reporting that acting director Mick Mulvaney is pulling back an investigation into Equifax's behavior, which led to 143 million Americans having their most personal data compromised. Mulvaney “has not ordered subpoenas against Equifax or sought sworn testimony from executives, routine steps when launching a full-scale probe. Meanwhile the CFPB has shelved plans for on-the-ground tests of how Equifax protects data, an idea backed by Cordray.” (Source: Reuters)

Fitness trackers give away locations of secret U.S. military bases. It was recently revealed that, back in November, a social network for athletes called Strava released a heat map showing every run ever uploaded to its network. The map was “detailed enough that it potentially gives away extremely sensitive information… . In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly.” (Source: The Guardian)

After one year in office, many key cybersecurity posts remain unfilled by Trump. “About one-third of agency chief information security officers hold their jobs on an acting basis. The same is true for the federal chief information officer, the federal chief information security officer and the two top posts in the Homeland Security Department’s cybersecurity and infrastructure protection division, which is substantially responsible for the civilian government’s cybersecurity.” According to former officials, the vacancies are damaging “efforts to upgrade the government’s aging IT infrastructure and could endanger national security.” (Source: NextGov)

Japan grapples with fallout from a $534 million cyberheist. Authorities in Japan are investigating the cryptocurrency trading company Coincheck after “hackers stole 58 billion yen ($534 million) of NEM coins, among the most popular digital currencies in the world.” (Source: Reuters)

Events

February 28, 2018 - Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published February 8, 2018