National Consumers League

The #DataInsecurity Digest | Issue 79

Google+ user data compromised, GAO reports on weapon vulnerability, CA legislating stronger passwords

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Big Tech again found itself in the headlines after Google revealed that hundreds of thousands of Google+ users may have had their personal data compromised. Even more disturbingly, a GAO report rocked Washington when it found that many (if not all) of our recently manufactured weapons are vulnerable to hacking. California provided a little solace to its hacker-plagued residents when it passed a law requiring stronger default passwords for connected devices.

And now, on to the clips!

-----------------

Breach du jour: Hundreds of thousands of Google+ users. @dmac1 and @bobmcmillan report that a “software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue.” The software giant then “opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage,” and “ trigger “immediate regulatory interest.” (Source: Wall Street Journal)  

Google faces Congressional scrutiny. In the aftermath of Google’s breach, Senator Richard Blumenthal (D-CT) said that Google, which is currently operating under an FTC consent decree, “must explain its unwillingness to disclose this breach and the FTC must conduct a fulsome investigation. But to truly end this cycle of broken promises, we need a national privacy framework that protects consumers and empowers the FTC to hold companies accountable.” (Source: Washington Post)

Facebook says its largest security lapse to date was smaller than originally thought. Originally, Facebook estimated that 50 million users had their personal data compromised between July 2017 and September 2018. It now believes the number to be closer to 30 million. @KirstenGrind reports that, “of the 30 million impacted, Facebook said 14 million were the most affected. They had their names and contact details--including phone numbers and email addresses--accessed, along with such data as their gender or relationship status, as well as the last 10 places they checked into or 15 most recent searches. Fifteen million others had their names and contacts accessed.” (Source: Wall Street Journal)

All of the United States military weapons made in the last five years are susceptible to hacking. A bombshell GAO report found that “from 2012 to 2017, (Department of Defense) testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development." @rabrowne75 reports that “one of the reasons that the weapons systems are so vulnerable to cyber-attack is their connectivity to other systems, something long seen by the Pentagon as an advantage.” (Source: CNN)

California bans weak default passwords. Starting in 2020, every connected device made or sold in California must have a unique default password. Previously, “easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.” The law will require strong passwords and “allows customers who suffer harm when a company ignores the law to sue for damages.” (Source: BBC)

Quick hit: Government website administrators to begin using two-factor authentication. “Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains.” (Source: Washington Post)

Op-ed watch: Data security is about to get much worse. @schneierblog argues that security risks “are about to get worse because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve.” @schneierblog further argues that data security is a market failure that requires good government regulations as “buyers can't differentiate between secure and insecure products, so sellers prefer to spend their money on features that buyers can see.” (Source: New York Times)  

Kanye reveals his woefully poor cyber hygiene. In a meeting with President Trump, the rapper received wide criticism after a clip of him “mashing the “0” button as he unlocked his iPhone to show Trump a picture of a hydrogen-powered airplane he said could replace Air Force One went viral...” inadvertently revealing his six-digit security key of “000000” to the world. (Source: Washington Post)

Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published October 18, 2018