National Consumers League

The #DataInsecurity Digest | Issue 86

Post-shutdown cyber agenda: mitigate government brain drain, investigate Equifax

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: While the longest government shutdown in history has ended, the consequences are still being realized. Chairmen in both chambers of Congress are working to understand how the shutdown affected crucial cybersecurity programs and stem a feared exodus of government cyber talent to the private sector. And with another shutdown potentially looming, the damage of the first 35-day shutdown could be exacerbated.

Despite there being fewer data breaches than in 2017, breaches in 2018 compromised twice as many records. Sadly, 2019 does not appear to offer any relief, as 773 million email addresses, passwords, and potentially other personal data like Social Security numbers have been posted on the Dark Web. With the constant onslaught of data breaches, it is perhaps not surprising that Americans, by a factor of more than two to one, are more concerned about data security than border security.

And now, on to the clips!

-----------------

House Homeland Security Chairman fears cyber vulnerabilities caused by shutdowns. Chairman Bennie Thompson (D-MS) stated that another shutdown would “absolutely” serve as an open invitation for foreign hackers to attack federal systems. "Our concern is that so many of those persons we relied on, they weren't there. ... We could respond to [the Iranian activity] but we couldn't be proactive in looking for bad actors because of the shutdown. And that was a problem because you have to have a system that's both defensive and offensive. But if you're only defensive, you're limited in what you can identify.” (Source: The Hill) 

Breach du jour: Half of the world’s email addresses and passwords. Hackers have dumped a cache of more than 773 million email addresses and passwords on the Dark Web. "The records do not come from a single breach but are a compilation of tens and possibly hundreds of data leaks that have happened over the years," noted @panda_security. To make matters worse, researchers are currently analyzing four more just-released caches that could include "the social security numbers of almost every US citizen and permanent resident in the US.” (Source: Panda Security)

While data breach frequency was down in 2018, the number of compromised records has more than doubled. Research from @ITRCSD and @CyberScout found that in 2018, “there were 1,244 reported data breaches, down from an all-time high of 1,632 the previous year.” However, "the number of exposed records more than doubled from 197.6 million in 2017 to 446.5 million last year.” @ITRCCEO notes that “[t]he increased exposure of sensitive consumer data is serious. ...Never has there been more information out there putting consumers in harm’s way.” (Source: Fortune)

Global authorities crack down on Denial of Service attacks. “The takedown by law enforcement in April 2018 of the illegal marketplace webstresser.org... has given authorities all over Europe and beyond a trove of information about the website’s 151 000 registered users.” The newly available data has allowed law enforcement agencies to “track down the users of these Distributed Denials of Service (DDoS) attacks.” (Source: EUROPOL)

Chairwoman Waters to call on credit reporting companies to testify. @Zachary reports that Rep. Maxine Waters, Chairwoman of the House Financial Services Committee, is expected to invite senior executives from TransUnion and Experian to a mid-February hearing. Waters is an outspoken critic of the credit reporting industry, and the hearing will put a spotlight on legislation she drafted to revamp its practices. Expect the hearing to serve as an “outlet for bipartisan outrage lingering from the historic Equifax data breach that was revealed in 2017.” (Source: Politico)

Quick hit: Americans are more worried about cybersecurity than border security. The survey, conducted by Verge Analytics, found that “some 63% of those surveyed said that ‘making sure our computers are protected and privacy respected’ is the most urgent security issue compared to 29% who think that physical border security is the most important.” (Source: Dark Reading)

Sen. Johnson’s focus is to retain top cyber talent in the government. Senator Ron Johnson (R-WI) told @Joseph_Marks_ that his number one goal “is to make it more attractive for cybersecurity workers to stay in government jobs rather than flee to the private sector.” Johnson acknowledged that this task may be more difficult in the wake of the government shutdown, which "furloughed about half the Homeland Security Department’s main cyber agency and required the other half to work without pay.” (Source: Washington Post)

Facebook caught (again) paying users to download an app so that it can spy on them. This time around, the app was called “Facebook Research” and paid teens and young adults up to $20 to download the app. "Seven hours after TechCrunch’s original story published, Facebook told TechCrunch it would shut down the iOS version of its Research app.” Last week, an Apple spokesperson “confirmed that Facebook violated its policies, and it had blocked Facebook’s Research app on Tuesday before the social network seemingly pulled it voluntarily (without mentioning it was forced to do so).” (Source: TechCrunch)

NCL’s Top Ten Scams report warns about breach-fueled phishing and spoofing scams. Information scammers glean from data breaches can be put to many different uses, including making phishing emails seem more convincing. That’s one potential reason that complaints about phishing and spoofing scams continue to rise, according to NCL’s Fraud.org campaign's annual Top Ten Scams report. (Source: National Consumers League)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published February 7, 2019