National Consumers League

The #DataInsecurity Digest | Issue 64

Facebook data leak prompts renewed calls for privacy legislation

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Facebook’s data leak (let’s not call it a “breach”) is top of mind this week, with data on at least 50 million users being misused by Cambridge Analytica, reportedly to the benefit of the 2016 Trump presidential campaign. The leak is prompting renewed calls from advocates and Congress to enact more regulation on digital media platforms like Facebook. The Equifax saga continues, with a senior company executive indicted on insider trading charges for dumping his stock shortly before the breach’s news hit the papers. Finally, those who argue you should never pay a ransomware scammer were supported this week by findings that less than half of those who do pay are able to actually recover their data. Remember to back up early, and back up often, folks!

And now, on to the clips!

-----------------

Private Facebook data leaked, reportedly benefiting Trump’s 2016 campaign. Cambridge Analytica, a conservative voter profiling firm “harvested private information from the Facebook profiles of more than 50 million users without their permission,” through an app created by a Russian-American academic. The leak is the largest in the social network’s history, allowing the company “to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.” (Source: New York Times)

NCL’s Greenberg: Facebook leak “a wake-up call.” The leak of data on millions of Facebook users to political data analytics firm Cambridge Analytica is generating significant concern from privacy advocates, including NCL. “This is a wake-up call,” said Sally Greenberg, NCL’s executive director. “‘The number of apps who want to use your Facebook log-in is endless. We all run into it.’” (Source: San Francisco Chronicle)

Congress takes aim at Facebook. Outrage from Facebook’s massive leak came from both sides of the aisle. On Monday, Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA), members of the Senate Judiciary Committee, wrote to chairman Chuck Grassley (R-IA) requesting a hearing with social media companies’ CEOs, including Facebook’s Mark Zuckerberg. Sen. Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee warned “These tech platforms .... need to be more forthcoming or Washington is going to start imposing rules and regulations that may not fit.” (Source: ABC News)

Former Equifax executive charged with insider trading. Jun Ying, former chief information officer of a U.S. business unit of Equifax, was charged last week with insider trading. Ying sold his stock prior to the public disclosure of the company’s massive breach, saving himself from an estimated $117,000 in losses. Richard Best, director of the SEC’s Atlanta regional office, said, “Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public.” (Source: Washington Post)

Tillerson’s departure could be a good thing for cyber at State Department. Former Secretary of State Rex Tillerson’s firing last week could be a positive in at least one area: cybersecurity. According to Christopher Painter, former State Department cybersecurity coordinator, the arrival of CIA Director Mike Pompeo at State could lead to a greater focus on cyber threats. "I don't think the cyber issue was ever a passion for Tillerson; I don't think this was ever a personal priority for him," Painter said. "My sense - and all of this is speculative because it's hard to predict - my sense is that Pompeo because of his background in the CIA and others will have a better appreciation of the security parts of the portfolio." (Source: POLITICO)

Pennsylvania AG sues Uber for failing to notify consumers of its data breach. Pennsylvania Attorney General Josh Shapiro has filed a lawsuit against Uber after it took more than 12 months to notify PA residents of the data breach. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year -- and actually paid the hackers to delete the data and stay quiet." @alfredwkng notes that “[u]nder Pennsylvania law, Shapiro can sue for $1,000 for each violation. That means the attorney general's office could seek $13.5 million from Uber.” (Source: CNet)

Quick hit: Yahoo data breach victims allowed access to the courts. Last week, a court rejected Verizon’s bid to have many of Yahoo’s data breach victims’ claims dismissed. (Source: Reuters)

Despite SEC Guidance to report data breaches, few companies do so. In 2017, there were nearly 5,000 cyber attacks on American businesses. Yet, only 24 companies reported a breach to the SEC. While the SEC has investigated late data breach disclosures, it “has yet to bring an enforcement action against a company that failed to disclose an incident.” @craignewman notes that at least part of the hesitation to report a breach could be explained by wanting to avoid undermining an ongoing investigation. (Source: New York Times)

Less than half of ransomware victims who pay get data back. A new study from security firm CyberEdge underscores why it is so critical to maintain up-to-date, offline backups. The firm found that less than half (49.4 percent) of ransomware victims who paid a ransom were able to recover their data. “It's like flipping a coin twice consecutively – once to determine if your organization will be victimized by ransomware, and then, if you decide to pay the ransom, flip it again to determine if you'll get your data back." (Source: The Register)

Dessert: Girl Scouts can now earn a cybersecurity badge. Want some Samoas with your two-factor authentication? Girl Scouts can now earn a cybersecurity badge while they learn the basics of computer networks, cyber attacks, and online safety. (Source: NBC News)

Events

March 27-28 - IAPP Global Privacy Summit, Washington, DC
Starting this weekend, privacy experts and regulators will gather at the IAPP’s Global privacy summit in Washington to discuss and learn about the most pressing issues of the day.

National Consumers League
Published March 22, 2018