The #DataInsecurity Digest | Issue 80

Facebook breach is first test of GDPR data security penalties; midterm election integrity worries could depress voter turnout

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: As more data trickles out from Facebook’s 30 million account data breach, eyes turn to Europe to observe how the first big test of the new GDPR protections will be applied. Back in the United States, Yahoo attempts to settle a suit for $50 million stemming from its massive data breach, and the Pentagon raises eyebrows after it compromises 30,000 military and civilian travel records. Finally, new data from Unisys suggests that worries about election integrity could depress voter turnout in the midterm elections next week.

And now, on to the clips!

—————–

Facebook believes 30 million account breach was perpetrated by hackers, not state actors. Sources close to the investigation told @bobmcmillan and @deetharaman that, “Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team.” (Source: Wall Street Journal) 

Facebook breach setting up the first test of GDPR protections. With somewhere around 3 million European Facebook users affected, “under GDPR, companies handling the personal data of Europeans must adhere to strict requirements for holding and securing that information and must report breaches to authorities within 72 hours. Under the regulation, companies can face fines of up to 4 percent of their annual global revenue. For Facebook, which made more than $40.65 billion in revenue in 2017, that fine could be as much as $1.63 billion.” (Source: CNBC)

Quick hit: Yahoo agrees to pay $50 million and provide two years of free credit monitoring to victims of the largest breach in history. The settlement still needs to be approved by the court. (Source: Associated Press)

Breach du jour: 9.4 million Cathay Pacific airline passengers. Last week, the Hong Kong carrier admitted that in March, “the personal details of 9.4 million passengers were inappropriately accessed, including passport information and credit card numbers.” Fast Passenger reports that, “in addition to passports and credit card info, personal data including names, nationalities, birth dates, phone numbers, email addresses, physical addresses, identity card numbers, frequent flyer program membership numbers, customer service remarks, and historical travel information were all accessed.” (Source: Fast Passenger)

Pentagon breach exposes personal travel data of 30,000 military and civilian personnel. @pkothari comments that “[the] Pentagon data breach could potentially be ‘part of a much larger campaign by several well-known nation-states to build out a comprehensive database on our civilian and military population, our businesses and all of their activity from one end of the supply chain to the other… . They are possibly collecting databases and information and building cross-indexes to utilize all of this data… .’” (Source: TechTarget)

Hackers are selling 35 million voting records. Criminal hackers are selling the voter data of at least 19 states with prices ranging from $150 to $12,500, depending on the state. “To our knowledge, this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history. With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large-scale identity theft.” (Source: Anomali)

In related news: Election integrity concerns likely to depress voter turnout. New data finds that nearly one in five Americans “will not vote” or are “highly unlikely to vote” in the midterm elections due to concerns around the election’s integrity. The 2018 Unisys Security Index also found that 86 percent of respondents “express concerns over the prospect of U.S. election voting systems being compromised by outsiders… .” (Source: Unisys)  

Dating app for Trump supporters exposes entire user base’s personal information on the day of launch. All those Trump supporters who looked to the Donald Daters site as a place to meet people who share their worldviews should brace themselves for a potential onslaught of scammers after the website exposed “users’ names, profile pictures, device type, their private messages — and access tokens, which can be used to take over accounts.” (Source: TechCrunch)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published November 1, 2018