National Consumers League

The #DataInsecurity Digest | Issue 81

Mid-terms apparently free of hacking incidents; Dem control of House adds momentum to privacy, data security push

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: In last week’s elections, there were no major reports of election tampering by hackers. However, now that the election has passed, there have been several reports of sloppy security, such as a voting machine vendor that encouraged its clients to use extremely poor cyber hygiene. Despite no major election-related hacking incident, DHS Secretary Kirstjen Nielsen’s departure appears imminent, and could have impacts on the department’s ongoing cybersecurity protection efforts. All of this will likely be grist for the mill in Congress, as incoming House Commerce Committee chair Rep. Frank Pallone (D-NJ) has indicated that privacy legislation will be a priority for the committee under his leadership.

And now, on to the clips!

-----------------

Voting machine vendor instructs poll workers to use abysmally weak passwords. @kimzetter reports that the vendor manual “for voting machines used in about ten states shows the vendor instructed customers to use trivial, easy to crack passwords and to re-use the passwords when changing log-in credentials.” Such a widespread security lapse could have allowed someone to “coordinate an attack across jurisdictions.” (Source: Motherboard)  

Democratic control of the House increases the likelihood of privacy legislation. Rep. Frank Pallone (D-NJ), the anticipated new chairman of the Energy and Commerce Committee “identified privacy and data security protection as priorities” for the committee in the next Congress. However, even if the House is able to pass a pro-consumer privacy bill, “the bill would also have to pass through the Senate and the White House.” @alfredwkng advises that privacy watchers should “expect the details of any proposed data privacy legislation to be highly contested between a Democratic-controlled House and the Republican-controlled Senate.” (Source: CNET)

With midterm elections behind him, Trump moves to oust Homeland Security Secretary Kirstjen Nielsen. President Trump has reportedly been upset with Nielsen’s immigration enforcement  measures despite her readiness to break up Hispanic families at the border and is “looking for a replacement who will implement his policy ideas with more alacrity.” While Nielsen has been reluctant to leave, “Trump has berated her during Cabinet meetings, belittled her to other White House staff, and tagged her months ago as a ‘Bushie,’ a reference to her previous service under President George W. Bush and meant to cast suspicion on her loyalty… .” In a separate Washington Post article, @Cat_Zakrzewski observed that “Nielsen's ouster would also affect the federal government's cybersecurity policies since DHS oversees election security initiatives, critical infrastructure protection, and other cybersecurity efforts.” (Source: Washington Post)

Breach du jour: 75,000 Healthcare.gov records. The Centers for Medicare and Medicaid Services (CMS) has acknowledged that the personal information of many of its users was inappropriately accessed. While no diagnostic or treatment information was accessed, it is believed that other sensitive data “including partial Social Security numbers, immigration status, and some tax information — may have been taken.” (Source: Tech Crunch)

Identity thieves use the Post Office to commit identity theft. The Post Office’s product, “informed delivery,” a service that allows customers to view scanned images of incoming mail online, is being used by fraudsters to intercept mail according to the Secret Service. Apparently, fraudsters are “stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.” (Source: Krebs on Security)

Breach du jour part deux: HSBC Bank. HSBC bank has announced that attackers compromised the “account numbers and balances, statement and transaction histories and payee details, as well as users' names, addresses, and dates of birth,” for around 1 percent of its U.S. customers. Initial reports suggest that "credential stuffing," a tactic “in which personal details harvested from elsewhere had been used to gain unauthorized access to the accounts.” (Source: BBC)

Quick hit: Consumers believe that data privacy is the #1 issue companies should address. The survey also found that only 16 percent of consumers believe companies were “making a very positive impact,” in the data privacy area. (Source: Harris Insights)  

In the wake of a data breach, 36 percent of consumers would stop engaging with a breached company. The survey also found that 47 percent of respondents “have made changes to the way they secure their personal data as a result of recent breaches and over half (54 percent) are more concerned with protecting their personal information today than they were a year ago.” (Source: Beta News)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published November 15, 2018