National Consumers League

The #DataInsecurity Digest | Issue 78

Facebook, Uber, others in the firing line as Big Tech data breaches draw increased scrutiny

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: The hammer is poised to fall on several of Big Tech’s biggest names thanks to numerous recent data security missteps. Facebook again made headlines after it announced that at least 50 million of its users had their accounts compromised. The fallout for Facebook could just be starting as European regulators are already investigating whether Facebook did all it could to safeguard European consumers’ data. If the very recent past provides an omen of things to come, Facebook could be in trouble. Last week, Uber agreed to pay the largest multi-state penalty ever levied by state officials for its 2016 data breach. In the face of the breaches, it seems that top executives may finally be coming around on comprehensive privacy and data security legislation, if their statements at last week’s Senate Commerce Committee hearing are to be taken at face value. How much teeth such legislation has and, importantly, whether it preempts existing state laws, are sure to pad DC lobbyists’ paychecks for the foreseeable future.

And now, on to the clips!

-----------------

At least 50 million Facebook accounts hacked. @aarontmak reports that “hackers were essentially able to log in and take over users’ accounts...The hackers may also have been able to manipulate the Facebook Login feature, which allows people to use their Facebook usernames and passwords as login credentials for other apps and websites. This means that the hackers could, theoretically, have breached apps like Instagram, Tinder, and Airbnb using the access tokens they stole.” (Source: Slate)

Quick hit: Facebook risks a fine of $1.63 billion if the EU finds that it violated GDPR. “The main question regulators will face is whether Facebook invested enough in security to avert a breach.” (Source: Wall Street Journal)

Uber to pay $148 million to settle national data breach case. Last week Uber settled with 50 states and the District of Columbia when it agreed to pay out the “largest multistate penalty ever levied by state authorities for a data breach,” for waiting a year to disclose the breach to its riders and drivers. In addition to the financial penalty, “Uber will be required to make changes to its practices and to its corporate culture. Uber agreed to undergo regular third-party audits of its security practices and to set up a program allowing employees to file concerns about ethics violations they may have witnessed while on the job. It also agreed to take precautions to safeguard any Uber data that may be held by third parties…” (Source: Washington Post)

Tech companies are fine with a federal privacy law… just so long as it undermines strong state laws. In last week’s Commerce Committee hearing, executives from Amazon, Alphabet, Apple, AT&T, Charter, and Twitter told Senators that they “support federal legislation to protect data privacy but want Congress to preempt tough new rules adopted by California.” One concession the tech executives made was to not “rule out...allowing the FTC to write rules,” in regards to privacy. The executives, however, wanted to see more details before committing to the proposal. (Source: Reuters)

Quick hit: Tech executives remain opposed to reasonable breach notifications. In last week’s privacy hearing, when “Sen. Amy Klobuchar (D-MN) asked whether companies should be required to notify customers of data breaches within 72 hours, they shook their heads silently. ‘I’m going to take that as a no,” the senator commented. (Source: Washington Post)

United States updates foreign cyber strategy by opening door to military retaliation. National Security Advisor John Bolton said, “We will respond offensively as well as defensively,” adding that "it's important for people to understand that we're not just on defense.” @jacq_thomsen reports that Bolten “added that not every response to a cyberattack would necessarily occur in cyberspace, opening the door for possible sanctions or military actions.” (Source: The Hill)

Report watch: 73 percent of data breaches are financially motivated. Verizon’s newly released data breach report also found that 68 percent of data breaches take months or longer to discover and that around 4 percent of users will still fall victim to any given phishing scam. (Source: Verizon)

Medical data breaches continue to increase. In the last seven years, there have been “2,149 breaches involving a total of 176.4 million patient records…. During the period, the total number of breaches increased nearly every year starting at 199 in 2010 and rising to 344 in 2017. (Source: Reuters)

Blog watch: A look at what the GAO’s long-awaited Equifax report missed. @RobWright22 argues that while the “GAO report offers a comprehensive look at the numerous missteps made by Equifax, which allowed attackers to maintain a presence in the company’s network for 76 days and extract massive amounts of personal data without being detected,” it neglected to go into such things as Equifax’s “website issues,” pin problems, insider trading, and Equifax’s lack of response plan. (Source: Tech Target)

Upcoming Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published October 4, 2018