The #DataInsecurity Digest | Issue 91

/by

Nielsen’s departure from DHS deepens cyber anxietycyber insurance loopholes, and a worsening breach at Facebook

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Secretary Kirstjen Nielsen’s exit from DHS signals further uncertainty for U.S. cybersecurity strategy. As the Trump Administration continues to lack a coherent strategy, hackers demonstrated the severity of force they can bring to bear after they interrupted the Weather Channel’s live broadcast. Likewise, in an unrelated incident, the state of Ecuador suffered 40 million cyberattacks last week in retaliation for revoking the asylum of WikiLeak founder Julian Assange. 

In other news, Facebook chose to announce that its Instagram breach affected millions of accounts, not the tens of thousands of accounts it had previously reported, the same morning that the findings of the Muller investigation became public. Many privacy advocates were skeptical of the choice of timing. 

Finally, companies relying on cyber insurance policies to protect them in the event of an attack are increasingly finding that they may not be covered from a state-sponsored hack like 2017’s NotPetya attack. 

And now, on to the clips!

—————–

Experts: Nielsen exit from DHS will harm cybersecurity. A majority of experts surveyed by the Washington Post are concerned that former DHS Secretary Kirstjen Nielsen’s exit will further hamper America’s cybersecurity. Cybersecurity talent at Kirstjen’s level is unique, and someone with government policy experience is even more scarce, commented Mark Weatherford, a former DHS cybersecurity official who is now global information security strategist at Booking Holdings. This is another huge blow to our nation’s momentum in the cybersecurity arena and the effects with be felt even more broadly on the international stage.” (Source: Washington Post 

Cyber insurance providers relying on cyberwar declarations to avoid paying. As cyber threats have escalated, companies relying on cyber insurance policies to protect them are increasingly finding that state-sponsored attacks provide a loophole for their claims to be denied. @satariano and @nicoleperlroth write that “[w]hen the United States government assigned responsibility for NotPetya to Russia in 2018, insurers were provided with a justification for refusing to cover the damage. Just as they wouldn’t be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network. … The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.” (Source: New York Times) 

Instagram password breach much larger than originally reported. Last month Facebook announced “that it had stored hundreds of millions of user passwords unencrypted on its servers, a massive security problem. At the time, it said that ‘tens of thousands’ of Instagram passwords were also stored in this way.” Last Thursday, Facebook admitted the breach actually included millions of Instagram users, not “tens of thousands.” (Source: Recode 

Hackers take Weather Channel off the air for 90 minutes.  Last week, hackers attacked the Weather Channel’s live broadcast early in the morning. During the attack, the network was able to play “canned content, before broadcasting from backup services.” (Source: WinBuzzer) 

Presidential candidate John Delaney proposes Department of Cybersecurity. Delaney’s proposal marks the first major cybersecurity push of the 2020 cycle. @kellymakena reports that “the proposed Department of Cybersecurity would be led by a cabinet-level secretary who would be in charge of implementing the United States’ cybersecurity strategy.” (Source: The Verge 

Cost of data breaches grows to $3.86 million per breach. The Ponemon Institute’s 2018 Cost of Data Breach Study found that the total cost of a breach grew by 6 percent last year. Each compromised record now costs companies an average of $148. (Source: NBC News) 

Personal Hotmail, MSN, and Outlook emails have been compromised. As a result of the breach, hackers were “able to access email content from a large number of Outlook, MSN, and Hotmail email accounts.” The breach did not affect corporate accounts. (Source: Motherboard)   

DHS and FBI: Election systems in all 50 states were targeted by Russia. The Joint Intelligence Bulletin (JIB) expanded by stating, the FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections.” One DHS spokesman said: “We assume the Russian government researched and in some cases targeted election infrastructure in all 50 states in an attempt to sow discord and influence the 2016 election.” (Source: Ars Technica) 

In wake of Assange arrest, Ecuador was hit with 40 million cyberattacks. After removing Wikileaks founder Julian Assange’s political asylum status, “Javier Jara, undersecretary of the electronic government department of the telecommunications ministry, said the country had suffered ‘volumetric attacks’ that blocked access to the internet following ‘threats from those groups linked to Julian Assange. ...’ Hardest-hit were the foreign ministry, the central bank, the president’s office, the internal revenue service, and several ministries and universities.” (Source: AFP) 

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published April 25, 2019