National Consumers League

The #DataInsecurity Digest | Issue 90

FEMA leaks data on 2.5 million disaster victims, while President Trump’s budget slashes spending on cybersecurity readiness

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Victims of flooding, hurricanes, and wildfires are facing new concerns as a data leak at the Federal Emergency Management Agency (FEMA) compromised the sensitive data of 2.5 million disaster survivors. The private sector was also not immune to breaches, as we learned that Facebook stored millions of its users’ passwords in plaintext; restaurant chain Buca di Beppo compromised 2 million payment cards; and Toyota announced its second breach in five weeks. Despite these warning signs, President Trump caused a stir among cybersecurity advocates by proposing to slash funding for long-term cybersecurity readiness.

Programming note: The #DataInsecurity Digest is heading out for spring break! We will not be publishing on April 18 and will resume publication on April 25.

And now, on to the clips!

-----------------

FEMA compromises banking information and addresses of 2.5 million disaster survivors. The Department of Homeland Security’s Office of the Inspector General found that FEMA “overshared” victims' personal information “while transferring disaster survivor information to a contractor.” Many of the victims of the California wildfires in 2017 and Hurricanes Harvey, Irma, and Maria are believed to have been affected. (Source: Washington Post)

Facebook stored millions of Facebook, Instagram, and Facebook Lite passwords in plaintext. The passwords were accessible by any one of Facebook’s thousands of employees. In the coming days, Facebook plans to “notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users that their passwords may have been exposed.” (Source: Wired)

Breach du jour: Buca di Beppo, Earl of Sandwich, and Planet Hollywood. The parent company of the popular restaurants finally acknowledged the chains were the subject of a breach after @briankrebs “contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved [in] a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.” The breach is believed to have compromised 2 million of their customers’ credit and debit card numbers over a 10-month period. (Source: Krebs on Security)

Breach du jour part deux: Toyota announces second data breach in five weeks. In Toyota’s latest breach, “hackers gained unauthorized access to data for several of its sales subsidiaries based in Tokyo. The servers that hackers accessed stored sales information on up to 3.1 million customers that included names, dates of birth and employment information.” (Source: Bank Info Security)

Trump budget provides short-term cyber fixes while hampering America's long-term cybersecurity strategy. The proposed budget provides generous increases to military cybersecurity but cuts spending for “most government offices that tackle emerging challenges in cybersecurity. The biggest cut ... is to the Homeland Security Department’s science and technology wing, which does much of the long-range research aimed at making technology fundamentally more secure.” If approved, Trump’s budget would cut the division to “slightly less than two-thirds of its 2019 funding.” (Source: Washington Post)

Investigator: Saudis hacked Amazon head Jeff Bezos in retaliation for media coverage. The investigator hired by Bezos alleged that the “Saudis obtained racy text messages between the married Bezos and his girlfriend Lauren Sanchez. The material was leaked to the National Enquirer, which published a story revealing Bezos' affair.” Investigator @GDBAProtects “thinks the Saudis may have been motivated by the Bezos-owned Washington Post's dogged coverage of last October's murder of Washington Post journalist Jamal Khashoggi.” (Source: Ars Technica)

City of Albany, NY struck with ransomware attack. On Saturday, the city was struck with a crippling ransomware attack that forced city employees to utilize paper records. As of Tuesday, the city was still “directing people to the state Office of Records in Menands for birth, death and marriage certificates.” (Source: WNYT)

Suggested listening: An insider’s view of the Equifax breach. @redtapechron sat down with the GAO’s Equifax investigator to talk about the infamous breach. Listeners learn that “it took Equifax 76 days to notice the attack” and that “the attack itself was ‘not sophisticated.’ In fact, Equifax made things easy. Once inside, criminals found a text file with usernames and passwords for 51 other databases.” (Source: Bobsullivan.net)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

Published April 4, 2019