The #DataInsecurity Digest | Issue 9

Issue 9 | Dec. 2, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The massive hack of Chinese toymaker VTech has once again put the issue of consumers’ data security squarely in the national spotlight. The VTech breach, coming at the height of the holiday shopping season and involving the exposure of especially sensitive children’s information, is already prompting investigations by attorneys general in Connecticut and Illinois. More regulatory scrutiny of VTech and the data security practices of connected toys is sure to follow. The VTech hack comes nearly two years after the massive data breach at Target that served as the impetus for NCL to launch our #DataInsecurity Project. Since December 2013, we’ve seen data security rise to the top of the DC policy agenda, though actual legislation to improve consumers’ data security remains frustratingly elusive. As we look forward to 2016, we expect that the FTC will continue to push businesses to better protect their customers’ data (despite a recent setback in the LabMD case). Fortunately, more businesses are embracing the need for better security. For example, Amazon recently became the latest tech giant to enable two-factor authentication for its users. In this week’s #DID, we look at personal stories of victims of data insecurity. Author Lisa Bennett describes her experience with an IRS scammer and we get an inside look at how the Sony hack affected their employees.


And now, on to the clips!

—————–

VTech breach: 6.4 million children’s information exposed. The announcement of a massive breach of 6.4 million children’s and 4.9 million parents’ personal information at toymaker VTech during the height of the holiday shopping season looks like it could be a catalyst for data security reform. “The disclosure of the scope of the breach is troubling,” said Jaclyn Falkowski, a spokeswoman for Connecticut’s attorney general. Connecticut and Illinois said on Monday they plan to investigate the breach. Regulators in Hong Kong are also looking into the matter.” (Source: Reuters)

VTech hacker was interested in raising awareness of VTech vulnerability. @lorenzofb of @Motherboard, who first broke the VTech breach story (earlier articles herehere, and here) interviews the hacker behind the breach. The anonymous hacker claims that he doesn’t intend to profit from the sale of the breached data. “The hacker noticed that the site was using Flash, and had a login box. He then quickly found out the site was vulnerable to the ancient, yet still very effective, hacking technique known as SQL injection. The hacker then quickly obtained the maximum level of administrative privileges on the server, known as ‘root’ in technical jargon, and realized he could basically do whatever he wanted. … ‘All the evidence suggested I wasn’t the only person outside of VTech who could have got the data,’ he said.” (Source: Motherboard)

How I fell face-first for an epic IRS scam. There is no one profile for scam victims, as former Harvard Fellow and Ashoka Changemaker @LisaPBennett illustrates with her fascinating, courageous account of how she almost fell victim to an IRS debt scam. “If anyone should have known better, it was me. I’m a somewhat experienced adult, with more than one degree from an Ivy League university. … But the truth is that I fell for this scam — almost completely.” (Source:  narrative.ly)

FTC may “pump the brakes” on data security investigations after LabMD decision. A decision handed down by the FTC’s Administrative Law Judge will likely be a setback for the Commission’s efforts to be the country’s data security cop on the beat, according to @natlawreview. “…this decision challenges the conventional wisdom that the FTC has a lower standard to meet with respect to showing harm than private litigants. … provides potential defenses for companies facing an FTC action based solely on allegedly lax data security practices, and it may also make the FTC less likely to bring such enforcement actions against companies without evidence of likely harm to consumers.” (Source: National Law Review)

ALJ decision comes too late for LabMD, gives ammunition to FTC’s critics. @CauseofActionDC lawyer @DanielZEpstein (who represented LabMD against the FTC) took to the WSJ to decry the Commission’s investigation of LabMD (“Hounded Out of Business by Regulators”). “…the case illustrates the injustice of the federal system that allows agencies to cow companies into submission rather than seek a day in court. … That’s what happens when a federal agency serves as its own detective, prosecutor, judge, jury and executioner.” (Source: Wall Street Journal)

Norton: 348 million identities exposed in 2014. Security giant Norton is out with their latest Cybersecurity Insights Report. Among the pertinent data points: 348 million identities were exposed in 2014, 6 in 10 U.S. consumers believe using public WiFi is riskier than using a public restroom and 1 in 3 consumers do not have a password on their smartphone or computer at all. (h/t @TimStarks) (Source: Norton)

Amazon force-resets passwords, enables two-factor authentication. While the two are likely unrelated, the world’s largest e-tailer is taking steps to protect its users’ data security during the busiest online shopping period of the year. As @zackwhittaker reports, the online giant is force-resetting an unknown number of users’ passwords after discovering that passwords were “improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party.” Good thing Amazon rolled out two-factor authentication last week, right? (Source: ZDNet

Step-by-step: How to enable Amazon’s two-factor authentication. Hacked e-tailer accounts (and Amazon is the biggest of the big) are a valuable ways for hackers to monetize their stolen data. Before you start your holiday shopping, take a minute to enable two-factor authentication on your Amazon account. @t1mmoynihan has provided a helpful step-by-step guide for enabling TFA on Amazon. (Source: WIRED

Life at Sony after the hack. Writing for Slate, @amandahess takes an insider’s look at what life was like inside Sony after one of the most intrusive breaches in history. “Target is just a place they bought bedsheets. Anthem is a card they brandish at doctors’ visits. The Sony hack hit employees in the place where they spend most of their waking hours and expend most of their mental and physical energy, and not necessarily because they’re super passionate about filing paperwork for Adam Sandler movies. The leak of information threatened their personal financial futures, and the destruction of property threatened their livelihoods. As one employee put it: ‘Everything we had to do to make a living became such a chore.’” (Source: Slate)

Hotel breach du jour: Hilton Worldwide. Hotel giant Hilton Worldwide (operator of Hilton Hotels, Doubletree, Embassy Suites, Waldorf Astoria, and others) is the latest company to have its point-of-sale (POS) system breached. It’s unclear at this time how many payment cards were affected, but official word from the company is that the compromised PII includes “cardholder names, payment card numbers, security codes and expiration dates, but no addresses, personal identification numbers (PINs) or Hilton HHonors account information.” (Source: Hilton)

Hilton’s just the latest in a string of hotel breaches. The hack of Hilton’s POS system comes on the heels of breaches over the last twelve months at Starwood Hotels, Trump Hotel Collection, Mandarin Oriental, and White Lodging (twice!) (h/t @briankrebs)

On the move: CDT’s Privacy & Data Project has a new Kopp on the beat. The Center for Democracy & Technology is bringing on Katharina Kopp to head it’s Privacy & Data Project. Most recently with American Express, Kopp will “lead CDT’s efforts to protect and enhance the privacy rights of individuals in all aspects of their digital lives. Beyond privacy, she will also work to broaden the assessment of, and policy solutions to, the impact of technology on individual autonomy and society as a whole.” (Source: CDT)

Two years already? What we learned from the Target hack. We’re coming up on two years since the epic @Target hack woke up the country to the need for better data security. Tech entrepreneur @chrisbihary takes a look at what we’ve learned. Among the lessons: “Hiding the data breach from customers was a PR nightmare. … Target has $10 million in escrow to settle class action lawsuits and paid approximately $200 million in crisis management after insurance coverage.” (Source: Garland Technology)

Upcoming Events 

Dec. 15, 2015 – Gartner: Data Security in the Age of the Road Warrior – Webcast
Data Loss Prevention experts, Heidi Shey, senior analyst at Forrester Research, and Dave Bull, content security solutions product director at Intel Security will discuss data breaches and data protection concerns. Key takeaways include: The current state of sensitive data access, use, and loss; The changing requirements for protecting this data—from privacy laws to threats that employees face as they travel for work; and what you need to do to when architecting your protection strategy to defend against today’s threats.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

Feb. 9, 2016 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.