National Consumers League

Pages tagged "privacy"

The #DataInsecurity Digest | Issue 72

Data broker leaves 340M consumers’ most personal data unsecured

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As the cyber community assess President Trump’s Supreme Court nominee’s views on privacy and the 4th Amendment, data breaches continue to plague businesses and make headlines. Last week, a data broker left the intimate details of 340 million consumers unsecured online. Likewise, Ticketmaster found itself in the midst of a massive data breach whose scope is not yet fully known. With the midterm elections looming in less than four months, Congress is letting the administration know of its displeasure with the lack of cyber leadership from the White House.

And now, on to the clips!


Data broker Exactis left nearly 340 million consumer profiles unprotected and easily discoverable. While the records did not contain Social Security Numbers, they did include “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. …” The data trove also includes information on individuals’ children and other details, including “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.” (Source: Wired)

Senate Commerce Committee convenes hearing on Spectre and Meltdown vulnerabilities. In the hearing, Sen. Bill Nelson (D-FL) complained that “seven months [was] too long for the companies to wait before disclosing major vulnerabilities.” In response, the companies testifying pointed out that they were mainly focused on informing the affected companies first. However, @alfredwkng reports that some senators rebutted this, pointing out that “companies notified Chinese companies about Spectre and Meltdown before the US government." (Source: CNET)

SCOTUS nominee Brett Kavanaugh has a track record of opposing net neutrality and privacy. @alfredwkng reports that Kavanaugh believes that the “NSA's surveillance program was consistent with the Fourth Amendment, even without a warrant, citing that ‘In my view, that critical national security need outweighs the impact on privacy occasioned by this program.’” The justice also “sided against net neutrality in a 2017 dissent, arguing that it was ‘one of the most consequential regulations ever issued by any executive or independent agency in the history of the United States.’" (Source: CNET)

Lawmakers aim to force Trump to act on cybersecurity. The Senate Armed Services Committee added language to the must-pass defense reauthorization bill that would require the administration to develop a cyberwar doctrine. @D_Hawk reports that “[t]he move highlights mounting frustration with what lawmakers see as a woefully insufficient strategy for responding to cyberattacks, and shows they’re serious about holding officials to their tough rhetoric.” As Sen. Ben Sasse (R-NE) recently said, “Let's not sugarcoat it: Washington is dangerously unserious about cybersecurity. … We're decades into the era of cyberwar and we're still playing catch-up.” (Source: Washington Post)

Cyber lamentations: The cost of doing nothing. In a July 4 piece, New York Times opinion columnist @NickKristof provided a sobering look at the path ahead if nothing is done to improve America’s cybersecurity. When Gen. Paul Nakasone, head of the U.S. Cyber Command, was asked in his 2018 confirmation hearings what he thought would happen if our enemies attack us in cyberspace, Kristof wrote, “They do not think much will happen,” Nakasone replied. “They don’t fear us.” (Source: New York Times)

Ticketmaster breach grows to affect U.S. website and possibly 800 additional e-commerce sites. Security researchers @RiskIQ believe that the “Ticketmaster breach was far bigger than first thought, after several of its global sites -- including its US site, which had initially ruled out being affected -- was running code from another third-party company that had also been compromised.” (Source: ZDNet)

Equifax agrees to a consent decree, avoiding financial penalty with eight states. However, Equifax must perform a detailed assessment of cyber threats, boost board oversight of cybersecurity, and improve processes for patching known security vulnerabilities, according to the terms of the agreement. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas. (Source: Reuters)

Facebook’s new privacy settings may not be that consumer-friendly. Consumer Reports found that “the design and language used in Facebook's privacy controls nudge people toward sharing the maximum amount of data with the company.” The report also found that “users can’t make changes to default settings before completing the sign-up process. Facebook also directs new users through a confusing dashboard of policies to learn how to change settings, and in some instances users need to perform a dozen or more clicks and swipes to find and adjust the appropriate settings.” (Source: Consumer Reports)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published July 12, 2018

Carpenter v. United States: Impacts on privacy legislation

The U.S. Supreme Court decision last week in Carpenter v. United States will shape the relationship consumers have with their wireless devices and the services they use every day for years to come. In a 5-4 decision, the Court held that by obtaining cell-site records, the U.S. government performed a search. By doing so without a warrant, this search was judged unconstitutional, violating petitioner Timothy Carpenter’s Fourth Amendment rights and reversing two previous decisions.

The #DataInsecurity Digest | Issue 71

New fraud related to OPM hack underscores growing threat of data breach fallout

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The fallout from the OPM breach continues as media outlets have learned that criminals are using the data to take out fake loans. Demonstrating harm in data breach cases is often difficult for the individuals affected, but the OPM case gives a peek into how fraud can flow from breaches. Unfortunately, several new studies are suggesting that 2018 is not on track to provide any data breach relief for consumers. The Ponemon Institute estimates that 38 percent of public sector entities will suffer an attack, and two-thirds of small businesses don’t work to improve their cybersecurity in the aftermath of a breach, which sets them up for yet another breach. Good news, however, is that some victims of the Equifax breach are receiving a bit of relief in small claims court.

And now, on to the clips!


Despite warnings of Russian interference in the midterm elections from top intelligence officials, White House remains silent. To fill the leadership void, members of Congress are stepping up by convening a summit next month to determine just how severe the threat is. “We’re getting so many mixed signals, depending on what the agency is,” said Senate Intelligence Chairman Richard Burr (R-NC). “It compels us to bring everybody together in the same room and try to figure out whether or not there’s some stovepipe issues.” (Source: Politico)

Four years after the OPM breach, we now know what criminals are using the data for. The Washington Post reports that “two people have admitted in Newport News federal court they used the stolen identities to take out fake loans through a federal credit union.” Left unexplained is how the individuals obtained the OPM information, as the hack was traced back to China and the criminals “were not accused of any hacking-related crimes.” (Source: Washington Post)

Quick hit: In 2017, the average data breach cost companies $3.6 million. The report also found the average cost per lost or stolen record was $141. (Source: Ponemon Institute)

Data breach victims are taking Equifax to small claims court and winning. While this may be good news, as one plaintiff—a small-business owner in San Francisco—put it, “I’m happy to get the money, but it’s not really over because I know my information has been leaked and you can never put it back.’” (Source: New York Times)

Ponemon Institute estimates that 38 percent of public sector entities will suffer a ransomware attack this year alone. @jon_kamp and @scottmcalvert observe that “[p]ublic-sector attacks appear to be rising faster than those in the private sector.” However, @nppd_krebs notes that hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” says DHS’s Christopher Krebs. (Source: Wall Street Journal)

Employee negligence is perceived to be the main cause of data breaches by employers. A report by Shred-it found that “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.” (Source: CNBC)

New report: Two-thirds of small business do not improve their data security after a hack. Perhaps unsurprisingly, the same report also found that 44 percent of small business suffered multiple attacks last year, according to a survey by insurer Hiscox. (Source: Associated Press)

FBI to World Cup fans: Leave your devices at home. The FBI is advising Americans to not take electronic devices with them “because they are likely to be hacked by criminals or the Russian government.” William Evanina, director of the U.S. National Counterintelligence and Security Center, warned travelers that “[i]f you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you—make no mistake—any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cybercriminals.” (Source: Reuters)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published June 28, 2018

The promise and peril of always-on ad filtering

Last year, we examined whether the growth of ad blocking was partly a logical response to consumers’ desire to reduce their data security risk. The catalyst for that blog post was Google’s announcement that it intended to include ad filtering-by-default in its Chrome browser, the most popular browser on the market. Earlier this year, that promise became a reality as Google rolled out an update to Chrome that included the ad filtering function.

Target CEO is out

This week, the CEO of Target, Gregg Steinhafel, resigned. He was unable to recover from the damage caused by a massive data breach at the company – which happened right in the middle of the holiday shopping season last year. Last December, Target announced that 40 million customers’ credit and debit cards and personal information had been compromised.  Steinhafel was with the company for 35 years.

Announcing the #DataInsecurity Project

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

FTC report shines light on continuing problem of ID theft

In the world of fraud fighting, the release of the Federal Trade Commission’s Consumer Sentinel Data Book is something of a wonky holiday. Yesterday was no exception, with the agency publishing the annual report, which examines trends in the 2 million-plus complaints the FTC receives annually. The headline of the report was depressingly familiar: identity theft continued to be the biggest driver of complaints to the FTC for the 14th straight year. 

Target data breach a wake-up call for retailers, policymakers

92_creditcard.jpgAmericans assume that, when they shop, their personal financial information will be kept private and away from identity thieves. Unfortunately, that is not always the case, as evidenced by the more than 4,000 data breaches that have been reported since 2005 -- an average of more than one a day over the last nine years. The latest headline-making breach involving the mega retailer Target is making many of us wonder just how safe our data is.

The time for credit card security reform is now

During the busiest shopping time of the year – the period between Thanksgiving and Christmas – Target, one of America’s largest retailers, suffered the second biggest data breach in U.S. history as 40 million credit and debit cards were compromised. 

Parents: Take control over your children's use of technology

From smart phones to tablet computers, to the hundreds of channels and thousands of on-demand video offerings on TV, consumers have never had more options for how to spend their time. For parents, however, the amount of content that is out there can often lead to anxiety – about what their children watch on TV, what Web sites they are visiting and who they are talking to from behind all those electronic screens. So what’s a concerned parent to do?

1  2  Next →