National Consumers League

The #DataInsecurity Digest | Issue 84

As government shutdown continues, data insecurity only grows

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Welcome back to #The DataInsecurity Digest, and happy New Year! As the partial government shutdown drags into its third week, cybersecurity is suffering. The Department of Homeland Security (DHS) has sent nearly half of its workforce home causing it to “cease a variety of critical cybersecurity” functions. Likewise, both the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have shuttered their offices and stopped offering support to victims of identity theft and investigations into companies like Facebook, which may have violated its obligations to protect consumers’ data. 

In the absence of federal government oversight, there was no shortage of companies mismanaging their users’ data. The Weather Channel was found to be collecting and profiting off its users’ personal data, and the Marriott breach was found to have exposed more data than originally thought.  

And now, on to the clips!

-----------------

Government shutdown forces DHS to furlough 45 percent of its personnel. @timstarks reports that DHS has ceased a variety of critical cybersecurity" functions while it has "maintained baseline operational capabilities." (Source: MorningCybersecurity 

Quick hit: FCC, FTC closed. Both agencies ran out of funds last week and will only reopen once funding is restored. (Source: Gizmodo) 

Weather Channel app sued for profiting off consumers’ personal data. The city of Los Angeles is suing The Weather Company, the creator of the popular Weather Channel appfor manipulating “users into turning on location tracking by implying that the information would be used only to localize weather reports. Yet the company, which is owned by IBM, also used the data for unrelated commercial purposes, like targeted marketing and analysis for hedge fundsaccording to the lawsuit.” (Source: Los Angeles Times) 

Google takes three years to patch security vulnerability. The security flaw, which was originally reported to Google in May 2015, “leaked information about smartphones' hardware model, firmware version, and indirectly the device's security patch level.” @campuscodi observed that in the wrong hands, the data is “indeed, dangerous, as it could have been used for exploit targeting and user fingerprinting.” (Source: ZD Net) 

Marriott breach is both smaller and more extensive than originally thought. While Marriott believes that the overall number of affected customers is smaller than originally thought, the data that was compromised is believed to be more damaging. The breach now includes an additional 5.25 million unencrypted passport numbers, in addition to the 20.3 million encrypted passport numbers that were previously announced. “Unencrypted passport numbers are valuable to state intelligence agencies because they can be used to compile detailed dossiers on people and their international movements.” The FBI believes China is behind the breach, which “would allow that country's security ministry to add to databases of aggregated information on valued individuals. Those data points include information on people's health, finances and travel.” (Source: WSFA News) 

Chart du jour: Democrats and Republicans agree that data security worsened in 2018. Of the 10 subject areas Morning Consult polled, data security was one of only two issue areas that Republicans and Democrats agreed was getting worse. The other issue Democrats and Republicans agreed upon was that the divide between the two parties was getting wider. (Source: Morning Consult 

Facial recognition found to be unsecure. Dutch researchers found that holding up a photo of the phone's owner is enough to unlock 42 of the [110] tested smartphone [models].” @campuscodi reported that “using a printed photo of the owner's face is the first test that regular users, pen-testers, and attackers alike would use to break into a facial ID-protected smartphone before they move to try more complex attacks that involve creating masks or 3D printed heads of the phone's owner. Any facial recognition system that fails the photo test is usually considered useless. (Source: ZDNet) 

Events

January 28, 2019: National Cyber Security Alliance’s Data Privacy Day – San Francisco, CA and online 
Each year on January 28, the National Cyber Security Alliance convenes privacy leaders from the private, government, and non-profit sectors to discuss opportunities and challenges for the road ahead. (Source: National Cyber Security Alliance) 

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published January 10, 2019