The #DataInsecurity Digest | Issue 8 – National Consumers League

Issue 8 | Nov. 17, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Over the past two weeks, we’ve learned that the massive hack of U.S. financial institutions was one of the biggest breaches ever, affecting as many as 100 million customers. Bloomberg takes a look at the state of data security in the health care space (spoiler alert: it’s not good). A massive breach at Securus Technologies compromised prison phone records – and attorney-client confidentiality – for 70 million prisoners reminded us of the non-financial data vulnerable to security breaches. We also delve into the FCC’s latest foray into data security and the increased liability that businesses are facing from class-action suits. Finally, the FTC has announced its third “Start with Security” event, this time in Seattle. The action will take place on Feb. 9, so bring your raingear.

—————–

U.S. attorney Bahara brings charges for largest financial breach ever. Coordinated hackings of at least 9 financial institutions including JPMorgan Chase & Co., E*Trade Financial Corp., Scottrade Financial Services Inc., and Dow Jones & Co. from 2012-2014 affected more than 100 million customers, making it the biggest breach in U.S. financial history, according to indictments unsealed by U.S. Attorney Preet Bahara, the U.S. Attorney for the Southern District of New York. “From 2012 to mid-2015, the suspects and their co-conspirators successfully manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose e-mail addresses they’d stolen, and profited by using trading accounts set up under fake names, prosecutors said. Along the way, members of the ring tried to extract nonpublic information from financial corporations, processed payment information for fake pharmaceuticals and fake anti-virus software, falsified passports and took control of a New Jersey credit union, said prosecutors. They used 75 companies and bank and brokerage accounts around the world to launder money, prosecutors wrote. Other alleged offenses include hacking, securities fraud, wire fraud and identity theft.” (Source: Bloomberg)

Securus Technologies hack compromised 70 million prison phone records. @chronic_jordan and @micahflee have the remarkable story of a major breach at prison phone provider Securus Technologies. Among the trove of records leaked to The Intercept, which included audio of full conversations recorded by Securus, were at least 14,000 conversations between inmates and their attorneys, an apparent breach of attorney-client confidentiality at Securus. “This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.” (Source: The Intercept)

Bloomberg Business: It’s way too easy to hack the hospital. @MonteReel1 and @jordanr100 share bylines on one of the most interesting and frightening long-form articles on health care data security you’ll read this year. “‘The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on. … He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.” (Source: Bloomberg Business)

FCC push into data security puts Cox in crosshairs. In its first data security enforcement action against a cable operator, the FCC has dinged Cox for a 2014 hack that allowed hackers associated with the hacker gang “Lizard Squad” to access Cox customer personal information and make changes to accounts. “Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.” (Source: FCC)

Teplinsky: Cox case signals bigger role for FCC in data security. AU Professor Michelle Teplinsky takes a look at what the FCC’s $595,000 settlement with Cox means for the larger telecom industry: “In any event, the FCC’s recent investigations and consent decrees signal that the agency has added its voice to the growing chorus of federal agencies enforcing data security obligations. While this could spur needed cybersecurity investment, it also could lead to costly and time-consuming turf wars down the road as federal agencies–particularly the FCC and Federal Trade Commission–tussle over which one has authority to regulate new technologies.” (Source: Christian Science Monitor)

With breach-related lawsuits easier to bring, data security is essential for businesses. @heidimaheresq, executive director for the Compliance, Governance and Oversight Council, has an interesting take on how recent court decisions have affected businesses’ liability when a breach occurs: “…the law is catching up with the real impact of data breaches. A truly game-changing ruling in Remijas v. Neiman Marcus has made it easier for consumers to sue companies after breaches involving their personal data. Companies have typically been able to avoid these lawsuits by invoking a Supreme Court case, Clapper v. Amnesty International. The case, which was about phone records and national security, required a showing of a risk of “imminent” and “concrete” injury in order to have standing to bring suit. As a consequence of the Remijas case, however, consumers no longer have to show a risk of imminent and concrete injury in order to file suit, which means that a company’s failure to properly oversee data and how it responds to a breach may be sufficient grounds to sustain class actions by affected customers, whether or not they suffered a financial loss.” (Source: ComputerWorld)

200,000 active Comcast accounts for sale on Dark Web, but breach is unlikely. @TechTimes’s @SteveD3 reports that a listing of nearly 600,000 Comcast account credentials on a Dark Web marketplace were likely the spoils of phishing attacks and malware, not a breach at the cable giant. “…more than 60 percent of the list was based on outdated or false information. However, playing the better safe than sorry card, Comcast will assume the passwords on the matching accounts are valid and force a reset.” (Source: CSO)

Forrester: Health care industry continues to shortchange data security, despite risk in a IoT world. @Harri8t reports for CNBC about sobering analysis from Forrester’s @sbalaouras: “”When it comes to preparedness, they’re woefully behind and that, to me, is the most concerning thing … They’ve done it begrudgingly and they’ve done it as something that they need to comply with at the lowest possible cost, as opposed to something they really embrace.” Forrester predicts that in 2016 hackers will release ransomware for a medical device or wearable. (Source: CNBC)

Acting OPM head to get permanent gig. Beth Cobert will be bumped up from acting director to permanent director at the Office of Personnel Management thanks to the Obama Administration’s appointment, pending Senate approval. Cobert will take over an agency still recovering from one of the largest and most extensive federal agency data breaches in history. (Source: Reuters)

Upcoming Events

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

Feb. 9, 2016 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.