National Consumers League

The #DataInsecurity Digest | Issue 65

Facebook data leak estimated to have affected as many as 87 million accounts; Breaches affect Atlanta, Baltimore, Saks, Panera

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The aftermath from the Facebook/Cambridge Analytica data leak continued this week with reports surfacing that some psychological profiles may not yet be deleted and that the number of affected users may be as many as 87 million. Meanwhile, both Atlanta and Baltimore experienced ransomware attacks that disrupted key services like 911. Atlanta’s attack lasted for days and forced city workers to revert to pen and paper.

On the political front, the FBI’s Inspector General issued a report that suggests that the FBI exploited the circumstances of the San Bernardino shooting case to try coerce Apple into creating a backdoor to its encryption. The report suggests that the FBI knew it would be able to unlock the iPhone in question, but still attempted to pressure Apple so as to create a legal precedent. Finally, despite the shift to more secure chip-based payment cards, card data remains lucrative to hackers. This week, we learned of a massive break at Saks Fifth Avenue that reportedly compromised more than 5 millions customers’ card data.

And now, on to the clips!

-----------------

FBI IG: Bureau more interested in establishing unlocking precedent than pursuing San Bernardino case. The Department of Justice’s Office of the Inspector General (OIG) released a new report finding that a “top FBI official ‘became concerned’ that one of her subordinates was stonewalling efforts to unlock the shooter's phone ‘to pursue his own agenda of obtaining a favorable court ruling against Apple.’ In addition, according to the report, an FBI unit knew that a private vendor was 90 percent done with an unlocking tool when the bureau told a federal court that only Apple could crack the device.” (Source: Morning Cybersecurity)

Outspoken cyberhawk John Bolton tapped as National Security Advisor. On April 9, John Bolton will become President Trump’s National Security Advisor. Bolton has been a champion for cyber retaliation in the aftermath of state-sponsored hacks, saying that the United States should use its “‘muscular cyber capabilities’ to strike back against digital adversaries like China, Russia, Iran and North Korea. The point, he said, would be to impose costs ‘so high that they will simply consign all their cyber warfare plans to their computer memories to gather electronic dust.’” (Source: Politico)

City of Atlanta hit with crippling cyberattack. Last Thursday, Atlanta’s municipal government was “brought to its knees” by a ransomware attack that disabled the city government’s computers. @alanblinder called the attack “one of the most sustained and consequential cyberattacks ever mounted against a major American city.” (Source: New York Times)

Baltimore’s 911 system hit with ransomware attack. Last Sunday, Baltimore’s 911 and 311 systems were shut down by ransomware, forcing city workers to revert to manual dispatching. @RectorSun reports that the attack disabled the system that “automatically populates 911 callers’ locations on maps and dispatches the closest emergency responders there more seamlessly than is possible with manual dispatching.” For a time, the attack forced the city to revert to manual dispatching. (Source: The Baltimore Sun)

Facebook scandal grows to 87 million accounts. Yesterday, Facebook published a blog in which it acknowledged that, “in total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica.” (Source: Facebook)

Cambridge Analytica’s profiles on users have not yet been deleted. The UK’s Channel 4 reports that “Cambridge Analytica US campaign data, is still circulating – despite assurances it has been deleted...The cache of campaign data from a Cambridge Analytica source, details 136,000 individuals in the US state of Colorado, along with each person’s personality and psychological profile.” (Source: Channel 4)

Quick hit: FTC confirms investigation into Facebook. In its release, the FTC said that recent press reports had raised "substantial concerns about the privacy practices of Facebook." (Source: Federal Trade Commission)

DOJ busts “massive” Iranian hacking ring. Iranian hackers are believed to have been “pilfering research and documents from over 100 American universities and government agencies for years.” Geoffrey Berman, the U.S. attorney for the Southern District of New York, commented that the bust is "one of the largest state-sponsored hacking campaigns ever prosecuted” by the United States. (Source: Politico)

Breach du jour: Saks Fifth Avenue. Saks Fifth Avenue, Lord & Taylor, and Saks Off Fifth were the subject of a massive data breach compromising the payment information of more than 5 million shoppers. Gemini Advisory, the cybersecurity research firm that discovered the breach, said that the breach is “is amongst the biggest and most damaging ever to hit retail companies.” (Source: Fortune)

Breach du jour, part deux: Panera Bread. @briankrebs is reporting that Panera Bread leaked millions of “customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline.” Customers who ordered food online or through their app are believed to be affected. (Source: Krebs on Security)

Events

April 11, 2018 - House Energy and Commerce Hearing, Washington, DC
Facebook Founder Mark Zuckerberg will appear before the House Energy and Commerce committee to discuss Facebook’s “use and protection of user data.” (Source: Wall Street Journal)

National Consumers League
Published April 5, 2018