The #DataInsecurity Digest | Issue 63

FTC calls for reforms to smartphone security update policies; White House AWOL on addressing Russian hacking

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: The FTC was extra busy making news on the data security front last week. First, the agency released new data that shows that consumers lost more money this year than last year to scams. Most notably, the FTC flagged identity theft as the second most prominent type of scam. Research from NCL has shown that being affected by data breaches correlates with an increased risk of identity fraud. The FTC also called for phone manufacturers to be more transparent by clearly disclosing the minimum guaranteed support period for their devices so as to minimize the number of consumers using phones that are no longer receiving security updates. Finally, outgoing Acting Chairman Ohlhausen, in remarks delivered at PrivacyCon, quantified injury from breaches and other privacy violations.

In non-FTC news, new reports found that Russia hacked into seven states’ election systems prior to the 2016 election. Russia also garnered headlines for getting caught hacking the Olympics. In spite of this drumbeat of Russian-related hacking news, NSA Director Mike Rogers admitted in a Senate hearing that he has not yet been ordered by President Trump to stop Russia from interfering in the next election. There was a bit of good news, as well, with Visa reporting that the transition to chip-based debit and credit cards has led to a precipitous drop in payment card fraud.

And now, on to the clips!

—————–

FTC: Consumer fraud losses increased $63 million in 2017. Last week, the FTC released its annual Consumer Sentinel Data Book. The report analyzes millions of consumer complaints submitted to the FTC and other organizations and is considered a leading indicator of the state of fraud. Identity theft was the second biggest category, making up nearly 14 percent of all consumer complaints. Credit card fraud was the most common type of identity theft reported by consumers. Tax fraud was the second most common type of identity theft, despite falling by 46 percent from 2016. All three types of fraud often rely on consumer info gleaned from data breaches. (Source: Federal Trade Commission)

FTC mobile security report cites steps needed to protect cell phones from hacking. Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl commented “that more needs to be done to make it easier for consumers to ensure their devices are secure.” Among the recommendations, the FTC advised manufacturers to “consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.” (Source: Federal Trade Commission)

FTC’s Ohlhausen addresses data breach injury at PrivacyCon. Outgoing FTC Acting Chairman Maureen Ohlhausen devoted a big chunk of her remarks at last week’s PrivacyCon conference to a perennial issue in addressing data breaches: how to define injury. “The takeaway is clear: consumers can suffer injury from privacy and data security incidents and that injury isn’t limited to loss of money,” said Ohlhausen. “[N]ot everything that can be measured matters, and not everything that matters can be measured. But we ought to measure the things we can and think hard about how to objectively and consistently evaluate the things we cannot. After all, if we cannot measure – or even estimate – the injury we are trying to address, how can we tell if we are directing government action effectively?” (Source: Federal Trade Commission)

2.4 million additional Americans affected by Equifax breach. The new breach victims only had their “names and a partial driver’s license number stolen by the attackers, unlike the original 145.5 million Americans who had their Social Security numbers impacted.” Equifax’s latest revelation brings its total number of victims up to 147.9 million. (Source: Associated Press)

Point-of-sale fraud drops 70 percent for retailers that use chip readers. While only “59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade[.]” (Source: Ars Technica)

Despite ongoing efforts by Russia to interfere in upcoming election, Trump has not ordered NSA to stop Russia. In last week’s Senate Armed Services Committee hearing, NSA Director Mike Rogers said that “[n]obody’s … directly asked me,” when questioned on whether the agency has been directed to address the threat of Russian hackers targeting the U.S. election system. He elaborated by stating: “I’ve certainly provided my opinion in ongoing discussions.” @martinmatishak reports that Mike Rogers’ “comments echoed ones he, and the other intelligence leaders, made earlier this month to the Senate Intelligence Committee.” (Source: Politico)

Russia compromised seven state election systems prior to the 2016 election. Systems in Alaska, Arizona, California, Florida, Illinois, Texas, and Wisconsin were compromised by Russian-backed covert operatives prior to the 2016 election. While no votes were altered, “[t]he officials say systems in the seven states were compromised in a variety of ways, with some breaches more serious than others, from entry into state websites to penetration of actual voter registration databases.” (Source: NBC News)

SEC: Selling shares before a breach is disclosed is a no-no. New guidance from the Securities and Exchange Commission will prohibit directors and officers from selling company shares after a breach is discovered, but before it has been disclosed to the public. The guidance also reinforces prior guidance by stating “that all companies must inform investors in a timely fashion of all material cybersecurity risks.” (Source: Bank Info Security)

Russia hacked the Olympics. U.S. intelligence officials have confirmed that “Russian spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea … They did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a ‘false-flag’ operation.” (Source: Washington Post)

Events

March 25-26 – IAPP Global Privacy Summit, Washington, DC
Later this month, privacy experts and regulators will gather at the IAPP’s Global Privacy Summit in Washington to discuss and learn about the most pressing issues of the day.

National Consumers League
Published March 8, 2018