National Consumers League

The #DataInsecurity Digest | Issue 105

Equifax breach still generating headlines; Congress urging Barr to end attacks on encryption 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: More than two years after it was initially disclosed, the Equifax breach continues to generate headlines. Consumers, unsurprisingly, overwhelmingly opted for the breach’s cash settlement offer in lieu of free credit monitoring. This revelation almost certainly guarantees that consumers will again be harmed by the breach when they receive a smaller-than-expected settlement check. If Equifax is not careful, it may have another data breach on its hands as news has come to light that it is using woefully insecure passwords and usernames.  

In other news, lawmakers are urging the Trump Administration not to sabotage the nation’s cybersecurity by undermining encryption. Finally, a third-party DNA service may have inadvertently compromised the DNA of one million consumers. 

And now, on to the clips! 

-----------------

Lawmakers urge Barr to stop attacking encryption. In a letter to Attorney General William Barr, Senator Ron Wyden (D-OR) and Congressman Anna Eshoo (D-CA) wrote, “[w]e urge you to stop demanding that private companies purposefully weaken their encryption for the false pretense of protecting children[.]” The letter continued by stating that Barr’s efforts to limit encryption are "not just hypocritical, but it has been repeatedly criticized by cryptographers and other leading cybersecurity experts." (Source: The Hill) 

Equifax accused of woefully bad cyber practices in class-action lawsuit. The lawsuit claims that “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes[.]” @ewolffmann reports that “the lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.” (Source: Yahoo! Finance 

Tweet du jour: Congress reacts to latest Equifax revelation. @repkattieporter tweets: “These data security practices are beyond sloppy; honestly, my 11-year-old son would do a better job. Equifax ought to come explain itself to Congress.” (Source: Twitter 

Only 2 percent of Equifax breach victims have opted for free credit monitoring. The vast majority of consumers appear to have opted for a cash settlement in the Equifax breach settlement. A recent court filing “indicates the bucket of money for the cash compensation, capped at $31 million, will be used up. There’s a separate bucket of money — $69 million — that will be used to compensate victims’ lost time. So far, victims have filed claims for cash and lost time totaling more than $60 million[.]” (Source: Market Watch 

1 million+ DNA records uploaded to GED Match, made vulnerable to breach. Researchers found that “it’s possible to extract genetic details of any individual in the database, leaving their data vulnerable to leaks or hacks. ... In the wrong hands, a person’s genetic data can be used for discrimination or extortion, and the implications are even greater if entire databases are leaked.” (Source: Medium)  

As ransomware attacks grow, the world continues to wait for Congress to act. @MattLaslo reports that “[w]hile Congress still lacks a tangible plan to help mitigate the impact, some members at least seem to be increasingly aware of the issue.” Senator Richard Blumenthal (D-CT) recently said that “[r]ansomware is one of the growing threats to cybersecurity, and the federal government ought to be doing everything possible to assist towns and cities ... There’s an urgency and an immediacy.” (Source: Wired 

Breach du jour: American Cancer Society. Last week, it was discovered that the American Cancer Society’s online store had become the latest victim of credit card number stealing malware. “The malware was buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden and Newegg.” (Source: Tech Crunch) 

Malicious app downloaded by 40 million Google Play store users. The app, Ai-Type, billed itself as a “free emoji keyboard.” But, in reality, @guykak, comments that the "rogue Google Android app was “one of the many bots of the network controlled by fraudsters to commit ad fraud.” (Forbes) 

National Consumers League
Published November 7, 2019