National Consumers League

The #DataInsecurity Digest | Issue 92

Facebook nears settlement with FTC while hackers attack U.S. electric grid

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Facebook is reportedly nearing a final settlement with the Federal Trade Commission (FTC). Once the settlement is complete, however, law enforcement's work may just be getting started. Last week, the Department of Energy acknowledged that a western power grid was forced to battle a prolonged distributed denial-of-service (DDoS) attack, and the FBI found that the cost of cybercrime grew to $2.8 billion in 2018. Meanwhile, a data breach exposed the sensitive data of 13.7 million job seekers.

And now, on to the clips!

-----------------

Experts: Nielsen exit from DHS will harm cybersecurity. As part of its rumored settlement, @ceciliakang reports that Facebook will pay a fine of as much as $5 billion and will also “create a privacy committee to protect its users’ data, as well as an external assessor who would be appointed by the company and F.T.C. The social network will also appoint a head compliance officer — who could be its chief executive, Mark Zuckerberg.” (Source: New York Times)  

DDoS attack launched against power grid in western U.S. The Department of Energy has confirmed that an attack “knocked [an] energy company’s systems offline by overloading them with traffic.” Although the attack lasted nearly 10 hours, it did not cause any customer outages. "The name of the energy company wasn’t named, but it provides power and energy to customers across Los Angeles in California, Salt Lake County in Utah, and Converse County in Wyoming." (Source: TechCrunch)

FBI: Internet-enabled crime losses grow to $2.7 billion in 2018. The total losses mark a 90 percent increase from 2017. In 2018, the FBI’s Internet Crime Complaint Center received 900 complaints a day from Internet fraud victims. (Source: Internet Security Alliance)  

‘Blockchain bandit’ steals more than $50 million by guessing. The cryptocurrency industry has long been plagued by theft, but one researcher has found that a cryptocurrency bandit was able to siphon “off a fortune of 45,000 ether,” using a key-guessing technique. (Source: Wired)

Suggested reading: The SIM-swap fix that countries across Africa are using and U.S. telecoms won’t. After one Mozambique bank witnessed SIM swap scams at a rate of 17 frauds per month, it knew it needed to act. The solution was quite straightforward: since “SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim's banking credentials... the carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked.” As a result of this new system, the bank’s SIM swap scam rate dropped to nearly zero overnight. (Source: Wired)  

Breach du jour: 13.7 million job recruitment accounts. Ladders, a popular high-end job recruitment platform, exposed the data of its users after it stored a database in the cloud without a password. “Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in US dollars.” In addition, some records included data similar to a user’s résumé, along with other “sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their IP address.” (Source: TechCrunch)

Quick hit: Dems pledge to not reference stolen or hacked documents on campaign trail; Trump campaign refuses to make the commitment. (Source: Washington Post)   

Study watch: Financial firms spend $2,300 per employee to protect their data. The new survey outlined how companies invest in cybersecurity at "a range of around 0.2 percent to 0.9 percent of company revenue, with an average of about 0.3 percent.” (Source: Deloitte)  

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

Published May 9, 2019