National Consumers League

The #DataInsecurity Digest | Issue 83

Marriott closes out the year with another mega-breach while Congressional bipartisanship on data security fades

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Marriott’s record-setting breachthe second largest in historywas the big headline this week. Although Quora and the National Republican Campaign Committee also disclosed breaches last week, Marriott seems likely to attract a great deal of scrutiny amongst policymakers and class-action lawyers. Unfortunately, bipartisanship on cybersecurity seems to be waning, as evidenced by dueling reports on the Equifax breach by Democrats and Republicans on the House Oversight committee.

Programming note: Due to the upcoming holidays, we will be taking a break from our usual schedule. This will be the last issue of The #DataInsecurity Digest published in 2018. We’ll resume publication on January 10, 2019. Thanks for sticking with us through 2018 best wishes for health, happiness, and improved data security in 2019!

And now, on to the clips!

-----------------

500 million Marriott and Starwood property accounts breached. In the second largest breach in history, 500 million accounts were breached over a period of several years. “For about 327 million customers, the hackers may have gained access to passport numbers, travel details and, in some cases, credit-card information, as well as names and addresses.” (Source: Wall Street Journal)

Swift fallout for MarriottIn the aftermath of the breach, “lawyers quickly filed a class-action lawsuit in Maryland… . In New York, Attorney General Barbara Underwood launched an investigation, and other states are doing the same, with a multistate team-up possible.” (Source: Politico Morning Cybersecurity)

Quick hit: China emerges as likely suspect in Marriott data breach. Although China has not been officially blamed, private investigators “have found hacking tools, techniques, and procedures previously used in attacks attributed to Chinese hackers.” (Source: Reuters) 

House Oversight Committee: Equifax breach entirely preventable.’ On Monday, the House Oversight Committee released its long-awaited report regarding Equifax’s historic breach, which harmed 148 million American consumers. The report found that had Equifax “taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented." However, the report only called for additional cooperation between the public and private sectors to prevent future breaches. (Source: House Oversight and Government Reform Committee [Majority])

A few hours later, Democrats release competing Equifax oversight report. The Democratic report “called for new laws that would raise financial penalties for data breaches, simplify how consumers are notified about breaches and boost federal regulators’ cybersecurity efforts.”@Joseph_Marks_ comments how the dueling reports “highlight how cybersecurity, which was once considered a largely bipartisan topic, has been infected by partisan conflict... .The fact that the parties can’t even agree on how to properly condemn Equifax makes it seem even less likely that they will be united on how to tackle more complex challenges that have serious political implications, such as election security or protecting the power grid.” (Source: Washington Post

House Republican campaign committee hacked during the midterm electionAlthough details regarding the full extent of the breach have not yet been released, it is believed that “thousands of sensitive emails” were exposed to an outside intruder and that “the email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months.” (Source: Politico)

AOL pays nearly $5for illegally tracking children and auctioning off their data to the highest bidder. Last week, AOL’s parent company Verizon paid $4.95 million to settle charges that AOL violated the 1998 Children’s Online Privacy Protection Act (COPPA) after “the company had knowingly been disclosing data collected on children under 13 to third parties in violation of the law.” (Source: The Hill) 

Quora breach compromises 100 million user accountsThe breach is believed to have compromised “users' names, email addresses, and encrypted passwords as well as data from social networks like Facebook and Twitter ." (Source: CNN)

Your phone’s apps could be spying on youMost of us know that many of our mobile apps track our locations. But, the New York Times has uncovered that this data could easily be used to “identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.” Similarly, the Times uncovered other unsettling applications for location tracking such as how one company, “Tell All Digital, a Long Island advertising firm,  says it runs ad campaigns for personal injury lawyers targeting people anonymously in emergency rooms.” (Source: New York Times)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published December 13, 2018