The #DataInsecurity Digest | Issue 13

Issue 13 | Feb. 3, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Snowzilla may have brought DC to a halt, but the data security news continued to pile up along with the snow drifts. The big news comes via the FTC, which announced that it received a staggering 47 percent increase in tax ID theft complaints last year (full disclosure: NCL’s Fraud.org campaign shares complaint data with the FTC). The newly-updated IdentityTheft.gov couldn’t come at a better time for those victimized by the surge in ID fraud. In more depressing news, new research out from Bitglass finds that medical records of 1 in 3 Americans were compromised last year, primarily in the Premera and Anthem breaches. The Wall Street Journal takes a look at how cybercrooks are using children’s information (much of it accessed via data breaches) to commit ID fraud. Perhaps it’s time for Congress to take another look at Rep. Langevin’s child credit freeze bill? Finally, the breach news keeps on coming, with big breaches at Wendy’s and the Fraternal Order of Police popping on our radar.

And now, on to the clips!

—————– 

FTC: Tax ID fraud driving 47% increase in ID theft complaints in 2015. The FTC kicked off Tax Identity Theft Awareness Week with an updated and improved IdentityTheft.gov and some sobering statistics about just how far we have to go to address tax identity fraud. More than 221,000 of the 491,000 ID theft complaints to the FTC last year involved tax- or wage-related ID theft. (Source: FTC, Infographic)

ICYMI: DoD to take over storage of background check data from OPM. You can be excused for missing the news last Friday—dropped one hour before the federal government closed in preparation for Snowzilla—that the Department of Defense will soon be tasked with overseeing the security of government personnel background check data. The move comes in the wake of the massive Office of Personnel Management hack, which compromised sensitive background check data on more than 21 million consumers. Writes @juliehdavis for the New York Times: “A major component of the overhaul will be the creation of a new agency that will process federal background checks. That agency, called the National Background Investigations Bureau, will be part of the personnel office but will be led by a presidential appointee.” (Source: New York Times)

Speaking of the OPM breach… OPM’s response (or lack thereof) to its massive breach is sure to come up at tomorrow’s hearing of the Senate Homeland Security and Governmental Affairs Committee on the nomination of Beth Cobert to head the agency. The fireworks get under way at 10 a.m. (h/t @timstarks). (Source: Senate Homeland Security and Governmental Affairs Committee)

Bitglass: One in three Americans affected by health care breaches in 2015. Cloud security firm @bitglass is out with a highly depressing take on the state of health care data security. “The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans,” said Nat Kausik, CEO, Bitglass. (Source: Bitglass)

“[N]o culture of privacy in the healthcare industry,” says Peel. @JeffStone500 covers the Bitglass report for the @IBTimes. This quote from health care privacy advocate Deborah Peel (@dpeelmd) of Patient Privacy Rights is notable. “The key here is that there’s no culture of privacy in the healthcare industry, which is very strange since this is our most sensitive information,”… “The main reason is that for the first 10 years or so since HIPAA passed the Department of Health and Human Services investigated almost no one for security breaches.” (Source: International Business Times)

WSJ: ID theft against children can take years to discover. @priyasideas (with an assist from NCL friend @ITRCCEO) reports on the alarming trend of ID thieves using breached data to go after a vulnerable target: kids. “Cyberthieves target children because their identities offer a clean slate with which to apply for bank accounts, credit cards or loans, government benefits and tax breaks. Criminals will often combine a child’s Social Security number with a fake date of birth and address to avoid suspicion, experts say.” (Source: Wall Street Journal)

Rep. Hurd: Congress investigating Juniper backdoors. The hack of Juniper Networks ScreenOS networking firmware, possibly by U.S. or foreign intelligence agencies, has Texas Republican Congressman Will Hurd asking pointed questions of the two dozen agencies that use the compromised technology. Hurd, chair of the House Committee on Oversight and Government Reform Subcommittee on Information Technology, took to the pages of the Wall Street Journal to raise the alarm about the potential impact of the Juniper breach. (Source: Wall Street Journal)

Sen. Johnson: Juniper backdoor issue could help push breach bill. Speaking before the American Enterprise Institute, Sen. Ron Johnson (R-WI) highlighted the need for progress on a national data breach notification standard. Writes @gregotto: “A lack of knowledge combined with a reluctance to start fighting on Capitol Hill has led to a ‘denying of reality,’ according to Johnson. … Nonetheless, Johnson wants to continue moving forward on legislation, touting a data breach law that would codify a national uniform standard for companies to notify the public when personal information is stolen, for instance by credit card hackers.” (Source: FedScoop)

SANS Institute: Impact of breaches for business can linger long after initial remediation. @SANSInstitute is out with a new survey of breached organizations to find out just how long “cleanup” can take, and the results aren’t pretty. “At least 12% of those surveyed for this report are still feeling ongoing consequences of their breaches after remediation, including potential fines, ongoing cleanup, customer churn, or loss of brand confidence/reputation.” (Source: SANS Institute)

IoT security concerns spreading in Europe. Security experts gathering at the Security Innovation Network’s U.S./U.K. Global Cybersecurity Innovation Summit in London sounded the alarm bell about the security vulnerabilities inherent in the expanding IoT device world, writes @jeremyakahn. “[Airbus CTO Paddy] Francis also worried that ‘cyber-assisted burglary’ might become increasingly common, with criminals hacking into household networks to extract data from routine items—like smart-metered lighting or heating systems—to determine if the occupant was home, looking for the best time to break in.” (Source: Bloomberg)

TalkTalk lost 250,000 customers as a result of data breach. The October 2015 hack at U.K. telecom company TalkTalk exposed data on more than 150,000 customers, but the company’s costs could be far higher according to market analysts. Imran Choudhary of Kantar Worldpanel (@MeetTheConsumer) recently announced that TalkTalk has lost 250,000 subscribers as a result of the breach. (Source: SC Magazine UK)

Fight tax ID fraud by pushing Tax Day to June? @Adam_k_levin of Credit.com (and formerly of the New Jersey Division of Consumer Affairs) has a novel solution for combatting tax ID fraud—make Tax Day later in the year, to give the IRS time to match tax returns to employer W-2 data. (Source: Huffington Post)

Breach du jour: Wendy’s. The ever-resourceful @briankrebs is breaking breach news once again. This time, it appears that fast-food chain Wendy’s is investigating a data breach that reportedly affected point-of-sale systems at more than 6,500 locations worldwide. (Source: KrebsOnSecurity.com)

Breach du jour (part deux): Fraternal Order of Police. @jonswaine and @georgejoseph94 report on a breach of the Fraternal Order of Police’s systems, which exposed officers’ names and addresses, forum posts, and other information highly critical of the Obama Administration and others. (Source: The Guardian)

Upcoming Events

Feb. 9 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.