
The #DataInsecurity Digest | Issue 93

With Baltimore being held hostage, ransomware fears growing once again 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Fears of another ransomware attack like 2017’s WannaCry virus prompted Microsoft to take the unusual step to provide security updates for otherwise unsupported operating systems. The patch was of little solace to the city of Baltimore, which suffered an unrelated ransomware attack that shut down its email system, among other critical functions. Baltimore’s cyber woes are not unheard of, however, as one study found that ransomware attacks on state and local governments are on the rise despite the fact that many state and local governments are refusing to pay the ransom. One reason for this concerning trend could be that two prominent data recovery firms, whose clients included local municipalities, paid off Iranian hackers in secret, fueling fears that the firms are incentivizing hackers to go after city governments.

And now, on to the clips!

-----------------

City of Baltimore hit with crippling ransomware attack. @magmill95 reports that the attack “took down several of the city’s services last week, including some of the capabilities of the Baltimore City Department of Transportation, the Department of Public Works, and the Department of Finance.” At the time of the drafting of this publication, “the city was still unable to send or receive email.” Officials “could not give an exact time for when the systems would all be fully operational.” (Source: The Hill)

Firms promised to free data from ransomware attacks with technology. In reality, they were secretly paying Iranian hackers. In the wake of the SamSam ransomware attacks, tech firms promised to use their “own data recovery methods but instead paid ransoms, sometimes without informing victims such as local law enforcement agencies. ...” In addition to misleading their clients, the firms “charg[ed] victims substantial fees on top of the ransom amounts.” (Source: ProPublica)

Report watch: Ransomware attacks on state and local governments are on the rise. @uuallan found that “while 2018 saw a small resurgence in overall ransomware attacks, there was a sharp jump in ransomware attacks against state and local governments, and that surge seems to be continuing into 2019.” (Source: Recorded Future)

ICE pays contractors $1.2 million to hack into Americans’ iPhones. The expenditure reveals the high priority that U.S. Immigration and Customs Enforcement has placed on undermining “passcodes and other security features Americans use to keep their information private.” (Source: Washington Post)

Microsoft scrambles to stop WannaCry 2.0 before it happens. Last week, Microsoft took the “unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a ‘wormable’ flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.” (Source: Krebs on Security)

Russia hacked two Florida election systems during the 2016 election. Florida Gov. Ron DeSantis acknowledged that the breach occurred but stressed that “[n]othing that affected the vote count” took place. Followers of election security will recall that “[l]ast year, former Florida Sen. Bill Nelson warned that Russia had ‘penetrated’ Florida's voter registration systems, but election officials denied that vehemently at the time. Then-Gov. Rick Scott, who defeated Nelson in the Senate race, decried Nelson's claims and said they ‘only serve to erode public trust in our elections at a critical time.’” (Source: NPR)

Rhode Island launches first statewide cybercrime hotline. In Rhode Island, cyber victims need only dial 211 to “be connected with an operator who is trained to connect the victim with the proper organization to help. These include government organizations, local nonprofits, and local, state and federal agencies and resources to help protect them from further attacks and recover any money that may have been lost.” (Source: Patch)

Ajit Pai’s FCC is keeping commissioners in the dark about phone location data investigation. After news broke that AT&T, Sprint, Verizon, and T-Mobile were selling their customers' real-time cell phone location data without their consent, the FCC vowed to look into the matter. Months later, the public still does not know what happened, and FCC Commissioners are complaining about being kept in the dark by their own agency. Commissioner Jessica Rosenworcel publicly complained that “[s]o far it appears that the FCC is more interested in protecting the privacy of its investigation than the privacy of wireless consumers across the country.” (Source: Vice)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

National Consumers League
Published May 23, 2019


The #DataInsecurity Digest | Issue 92

Facebook nears settlement with FTC while hackers attack U.S. electric grid

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Facebook is reportedly nearing a final settlement with the Federal Trade Commission (FTC). Once the settlement is complete, however, law enforcement's work may just be getting started. Last week, the Department of Energy acknowledged that a western power grid was forced to battle a prolonged distributed denial-of-service (DDoS) attack, and the FBI found that the cost of cybercrime grew to $2.8 billion in 2018. Meanwhile, a data breach exposed the sensitive data of 13.7 million job seekers.

And now, on to the clips!

-----------------

Facebook nears settlement with FTC. As part of its rumored settlement, @ceciliakang reports that Facebook will pay a fine of as much as $5 billion and will also “create a privacy committee to protect its users’ data, as well as an external assessor who would be appointed by the company and F.T.C. The social network will also appoint a head compliance officer — who could be its chief executive, Mark Zuckerberg.” (Source: New York Times)

DDoS attack launched against power grid in western U.S. The Department of Energy has confirmed that an attack “knocked [an] energy company’s systems offline by overloading them with traffic.” Although the attack lasted nearly 10 hours, it did not cause any customer outages. “The name of the energy company wasn’t named, but it provides power and energy to customers across Los Angeles in California, Salt Lake County in Utah, and Converse County in Wyoming.” (Source: Tech Crunch)

FBI: Internet-enabled crime losses grow to $2.7 billion in 2018. The total losses mark a 90 percent increase from 2017. In 2018, the FBI’s Internet Crime Complaint Center received 900 complaints a day from Internet fraud victims. (Source: Internet Security Alliance)  

‘Blockchain bandit’ steals more than $50 million by guessing. The cryptocurrency industry has long been plagued by theft, but one researcher has found that a cryptocurrency bandit was able to siphon “off a fortune of 45,000 ether,” using a key-guessing technique. (Source: Wired)

Suggested reading: The SIM-swap fix that countries across Africa are using and U.S. telecoms won’t. After one Mozambique bank witnessed SIM swap scams at a rate of 17 frauds per month, it knew it needed to act. The solution was quite straightforward: since “SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim's banking credentials... the carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked.” As a result of this new system, the bank’s SIM swap scam rate dropped to nearly zero overnight. (Source: Wired)  

Breach du jour: 13.7 million job recruitment accounts. Ladders, a popular high-end job recruitment platform, exposed the data of its users after it stored a database in the cloud without a password. “Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in US dollars.” In addition, some records included data similar to a user’s résumé, along with other “sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their IP address.” (Source: Tech Crunch)

Quick hit: Dems pledge to not reference stolen or hacked documents on campaign trail; Trump campaign refuses to make the commitment. (Source: Washington Post)   

Study watch: Financial firms spend $2,300 per employee to protect their data. The new survey outlined how companies invest in cybersecurity at “a range of around 0.2 percent to 0.9 percent of company revenue, with an average of about 0.3 percent.” (Source: Deloitte)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

National Consumers League
Published May 9, 2019


The #DataInsecurity Digest | Issue 91

Nielsen’s departure from DHS deepens cyber anxiety, cyber insurance loopholes, and a worsening breach at Facebook

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Secretary Kirstjen Nielsen’s exit from DHS signals further uncertainty for U.S. cybersecurity strategy. As the Trump Administration continues to lack a coherent strategy, hackers demonstrated the severity of force they can bring to bear after they interrupted the Weather Channel’s live broadcast. Likewise, in an unrelated incident, the state of Ecuador suffered 40 million cyberattacks last week in retaliation for revoking the asylum of WikiLeaks founder Julian Assange.

In other news, Facebook chose to announce that its Instagram breach affected millions of accounts, not the tens of thousands of accounts it had previously reported, the same morning that the findings of the Mueller investigation became public. Many privacy advocates were skeptical of the choice of timing.

Finally, companies relying on cyber insurance policies to protect them in the event of an attack are increasingly finding that they may not be covered from a state-sponsored hack like 2017’s NotPetya attack. 

And now, on to the clips!

-----------------

Experts: Nielsen exit from DHS will harm cybersecurity. A majority of experts surveyed by the Washington Post are concerned that former DHS Secretary Kirstjen Nielsen’s exit will further hamper America’s cybersecurity. “Cybersecurity talent at Kirstjen's level is unique, and someone with government policy experience is even more scarce,” commented Mark Weatherford, a former DHS cybersecurity official who is now global information security strategist at Booking Holdings. “This is another huge blow to our nation's momentum in the cybersecurity arena and the effects will be felt even more broadly on the international stage.” (Source: Washington Post)

Cyber insurance providers relying on cyberwar declarations to avoid paying. As cyber threats have escalated, companies relying on cyber insurance policies to protect them are increasingly finding that state-sponsored attacks provide a loophole for their claims to be denied. @satariano and @nicoleperlroth write that “[w]hen the United States government assigned responsibility for NotPetya to Russia in 2018, insurers were provided with a justification for refusing to cover the damage. Just as they wouldn’t be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network. … The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.” (Source: New York Times) 

Instagram password breach much larger than originally reported. Last month Facebook announced “that it had stored hundreds of millions of user passwords unencrypted on its servers, a massive security problem. At the time, it said that ‘tens of thousands’ of Instagram passwords were also stored in this way.” Last Thursday, Facebook admitted the breach actually included millions of Instagram users, not “tens of thousands.” (Source: Recode)

Hackers take Weather Channel off the air for 90 minutes. Last week, hackers attacked the Weather Channel’s live broadcast early in the morning. During the attack, the network was able to play “canned content, before broadcasting from backup services.” (Source: WinBuzzer)

Presidential candidate John Delaney proposes Department of Cybersecurity. Delaney’s proposal marks the first major cybersecurity push of the 2020 cycle. @kellymakena reports that “the proposed Department of Cybersecurity would be led by a cabinet-level secretary who would be in charge of implementing the United States’ cybersecurity strategy.” (Source: The Verge)

Cost of data breaches grows to $3.86 million per breach. The Ponemon Institute’s 2018 Cost of Data Breach Study found that the total cost of a breach grew by 6 percent last year. Each compromised record now costs companies an average of $148. (Source: NBC News) 

Personal Hotmail, MSN, and Outlook emails have been compromised. As a result of the breach, hackers were “able to access email content from a large number of Outlook, MSN, and Hotmail email accounts.” The breach did not affect corporate accounts. (Source: Motherboard)   

DHS and FBI: Election systems in all 50 states were targeted by Russia. The Joint Intelligence Bulletin (JIB) expanded by stating, “the FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections.” One DHS spokesman said: “We assume the Russian government researched and in some cases targeted election infrastructure in all 50 states in an attempt to sow discord and influence the 2016 election.” (Source: Ars Technica)

In wake of Assange arrest, Ecuador was hit with 40 million cyberattacks. After removing Wikileaks founder Julian Assange’s political asylum status, “Javier Jara, undersecretary of the electronic government department of the telecommunications ministry, said the country had suffered ‘volumetric attacks’ that blocked access to the internet following ‘threats from those groups linked to Julian Assange. ...’ Hardest-hit were the foreign ministry, the central bank, the president's office, the internal revenue service, and several ministries and universities.” (Source: AFP) 

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published April 25, 2019


The #DataInsecurity Digest | Issue 90

FEMA leaks data on 2.5 million disaster victims, while President Trump’s budget slashes spending on cybersecurity readiness

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Victims of flooding, hurricanes, and wildfires are facing new concerns as a data leak at the Federal Emergency Management Agency (FEMA) compromised the sensitive data of 2.5 million disaster survivors. The private sector was also not immune to breaches, as we learned that Facebook stored millions of its users’ passwords in plaintext; restaurant chain Buca di Beppo compromised 2 million payment cards; and Toyota announced its second breach in five weeks. Despite these warning signs, President Trump caused a stir among cybersecurity advocates by proposing to slash funding for long-term cybersecurity readiness.

Programming note: The #DataInsecurity Digest is heading out for spring break! We will not be publishing on April 18 and will resume publication on April 25. 

And now, on to the clips!

-----------------

FEMA compromises banking information and addresses of 2.5 million disaster survivors. The Department of Homeland Security’s Office of the Inspector General found that FEMA “overshared” victims' personal information “while transferring disaster survivor information to a contractor.” Many of the victims of the California wildfires in 2017 and Hurricanes Harvey, Irma, and Maria are believed to have been affected. (Source: Washington Post) 

Facebook stored millions of Facebook, Instagram, and Facebook Lite passwords in plaintext. The passwords were accessible by any one of Facebook’s thousands of employees. In the coming days, Facebook plans to “notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users that their passwords may have been exposed.” (Source: Wired) 

Breach du jour: Buca di Beppo, Earl of Sandwich, and Planet Hollywood. The parent company of the popular restaurants finally acknowledged the chains were the subject of a breach after @briankrebs “contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved [in] a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.” The breach is believed to have compromised 2 million of their customers’ credit and debit card numbers over a 10-month period. (Source: Krebs on Security)

Breach du jour part deux: Toyota announces second data breach in five weeks. In Toyota’s latest breach, “hackers gained unauthorized access to data for several of its sales subsidiaries based in Tokyo. The servers that hackers accessed stored sales information on up to 3.1 million customers that included names, dates of birth and employment information.” (Source: Bank Info Security)

Trump budget provides short-term cyber fixes while hampering America's long-term cybersecurity strategy. The proposed budget provides generous increases to military cybersecurity but cuts spending for “most government offices that tackle emerging challenges in cybersecurity. The biggest cut ... is to the Homeland Security Department’s science and technology wing, which does much of the long-range research aimed at making technology fundamentally more secure.” If approved, Trump’s budget would cut the division to “slightly less than two-thirds of its 2019 funding.” (Source: Washington Post)

Investigator: Saudis hacked Amazon head Jeff Bezos in retaliation for media coverage. The investigator hired by Bezos alleged that the “Saudis obtained racy text messages between the married Bezos and his girlfriend Lauren Sanchez. The material was leaked to the National Enquirer, which published a story revealing Bezos' affair.” Investigator @GDBAProtects “thinks the Saudis may have been motivated by the Bezos-owned Washington Post's dogged coverage of last October's murder of Washington Post journalist Jamal Khashoggi.” (Source: Ars Technica)

City of Albany, NY struck with ransomware attack. On Saturday, the city was struck with a crippling ransomware attack that forced city employees to utilize paper records. As of Tuesday, the city was still “directing people to the state Office of Records in Menands for birth, death and marriage certificates.” (Source: WNYT)

Suggested listening: An insider’s view of the Equifax breach. @redtapechron sat down with the GAO’s Equifax investigator to talk about the infamous breach. Listeners learn that “it took Equifax 76 days to notice the attack” and that “the attack itself was ‘not sophisticated.’ In fact, Equifax made things easy. Once inside, criminals found a text file with usernames and passwords for 51 other databases.” (Source: Bobsullivan.net)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published April 4, 2019


The #DataInsecurity Digest | Issue 89

As Feds pursue Facebook, Schiff warns of cyber vulnerabilities in 2020

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Despite having more than two years to beef up our cybersecurity in the wake of the 2016 elections, House Intelligence Chairman Adam Schiff warned that we are “enormously vulnerable” to hacking in the next election.

Meanwhile, Americans appear to be growing fed up with the constant state of data insecurity, as a surprising number (more than a third) feel that executives of breached entities should face prison time when a breach occurs under their watch. Despite the growing disdain for corporate America allowing breaches, a new study found that a breached organization's CEO is actually likely to see a pay increase in the wake of a breach.

And now, on to the clips!

-----------------

Chairman of U.S. House Intelligence Committee: 2020 election is ‘enormously vulnerable’ to hacking, foreign influence. Congressman Adam Schiff (D-CA) further said, “the potential for mischief now is extreme,” and he “is concerned about efforts to undermine U.S. democracy.” (Source: Reuters) 

Federal prosecutors conduct criminal investigation into Facebook’s data deals. The investigation was launched after more than 150 companies, including Amazon, Apple, Microsoft, and Sony, “entered into partnerships with Facebook, gaining broad access to the personal information of hundreds of millions of its users,” without their consent. (Source: New York Times) 

Suggested reading: Have you ever wondered what it would be like to be responsible for a 230M-person data breach? Steve Hardigree’s small company Exactis achieved undesired fame after they stored the personal information of 230 million Americans on an unsecured server. Hardigree told @a_greenberg that the “stress over the situation was so severe that he broke out in hives and had to go to the hospital for treatment. …" The ordeal has been a grueling lesson for Hardigree, who says that he's learned the hard way how much even a tiny firm like his must prioritize security. “Be careful with your data and be careful with the people who manage your data. I hired some guys that were careless. But at the end of the day it’s the CEO who’s responsible. I take responsibility.” (Source: Wired)  

Future cyber threats keep DHS Secretary Nielsen up at night. In a speech on her future security priorities, Kirstjen Nielsen said that she is not worried about what “threat actors have done, but what they have the capability to do — surveilling sensitive secrets and deceiving us about our own data, distracting us during a crisis, launching physical attacks on infrastructure with a few keystrokes, or planting false flags to embroil us in conflicts with other nations.” (Source: Politico)

Quick hit: 38 percent of consumers believe that C-level executives who fail to protect their data should face prison time or a fine. The survey also found that 20 percent of Americans don’t trust anyone with their data. (Source: HelpNetSecurity)  

Data breaches lead to pay raises for CEOs. A new report found that, despite the financial loss a breach inflicts upon a company, organizations actually tend to increase their CEO’s pay in the wake of a breach. Researchers attributed the pay raise to the “idea that the average response [to a breach] is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered.” (Source: PYMNTS)

Beto O’Rourke’s record suggests privacy convictions. After O’Rourke announced his run for president, @timstarks looked into the former House Homeland Security Committee member and found that “he took a few stances on cyber and surveillance issues that put him in company with privacy-oriented Democrats: a vote against a cyber threat information sharing bill, and co-sponsoring legislation meant to curb electronic surveillance. He also co-sponsored an amendment last year to reverse the Trump administration's elimination of the White House cyber coordinator, which House Republicans blocked.” (Source: Politico) 

Senators Wyden and Cotton request congressional breach notification rules. Despite the Senate being a major target for hackers, there is currently very little transparency when a breach occurs. As @alfredwkng reports, “Congress has no legal obligation to disclose breaches, meaning that the public has no idea when elected officials are hit by cyberattacks. ...” Now, Senators Ron Wyden (D-OR) and Tom Cotton (R-AR) are requesting that the Senate Sergeant at Arms help provide more transparency. The Senators have requested the Sergeant at Arms to “provide an annual report on the number of times Senate computers have been hacked, and incidents where hackers were able to access sensitive Senate data,” and “inform the Senate rules committee within 5 days of a breach occurring.” (Source: CNet)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 21, 2019


The #DataInsecurity Digest | Issue 88

Regulators in Europe, Members of Congress, consumer advocates taking a critical eye at misuse of consumer data 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: While EU regulators take aim at social media giants like Facebook, the new leadership in the House of Representatives pledged to protect consumer data. The newly invigorated Democratic Congress has its work cut out for it, though, as more research came out to prove just how vulnerable our entire system is to hacking and how one well-planned attack could collapse our entire financial system.

And now, on to the clips!

-----------------

EU Regulators: First of seven investigations into Facebook to be completed by summer. Ireland’s Data Protection Commissioner commented that he anticipated that the remaining six investigations into the company’s use of personal data should be completed by the end of the year. @conorhumphries reports that in addition to probing Facebook’s data practices, “the commissioner is also probing Facebook subsidiaries WhatsApp and Instagram as well as Twitter, LinkedIn and Apple in relation to their processing of personal data and the transparency of their data processes.” (Source: Reuters) 

Democrats hold first major tech policy hearing since taking over the House. @TonyRomm reports that “party lawmakers charged that long-standing inaction on Capitol Hill had left consumers unprotected in the digital age.” Chairman Frank Pallone said, “It’s time that we move past the old model that protects the companies using our data and not the people.” (Source: Washington Post) 

Banks, securities firms, financial market infrastructures, and hospitals found to be at the highest risk of a devastating cyber-attack. @MoodysInvSvc’s report found that these industry sectors hold around $11.7 trillion of the world’s debt and that an “attack in one of those sectors would also have broad ripple effects.” The report said such an attack could result in “far-reaching impact on other sectors,” and that a single successful attack on a large bank, for example, could “pose a systemwide risk” that affects the entire financial sector. (Source: Washington Post)

North Korea launches cyberattacks against U.S. banks and business while meeting with Trump in Hanoi. While the attacks had been going on for months, thanks to the help of “an unnamed foreign law enforcement agency,” researchers were able to access “one of the main computer servers used by the North Korean hackers to stage their attacks [and watch] in real time, as the North Koreans attacked the computer networks of more than a hundred companies in the United States and around the globe.” (Source: New York Times)

Equifax's CEO admits that compromising Social Security numbers causes harm while simultaneously arguing in court that it does not. When asked to share his Social Security number by Rep. Katie Porter (D-CA) in a committee hearing, Equifax CEO Mark Begor declined, citing fears over identity theft. A valid concern, but it is also noteworthy that Equifax has been desperately trying to “beat back a class-action lawsuit by arguing that the plaintiffs' claims of breach-related harm are merely theoretical. In asking a judge to dismiss the case, Equifax said last July that the ‘alleged injuries are the very definition of speculative and conjectural.’” (Source: Politico)

In wake of DNA test kit data misuse, consumer advocates call for HIPAA protections for patient info. After news reports disclosed that FamilyTreeDNA.com was giving the FBI access to its DNA database, an act it said it would not do without a customer’s permission, NCL’s @sallygreenberg called on Congress to take action. “We need some rules of the road. ... Right now it puts consumers at great risk of having their very private information shared, sold and misused in ways they didn’t sign up for. ... We need a strengthened HIPAA for DNA testing companies.” (Source: Washington Post)

Breach du jour: Dow Jones watchlist of 2.4 million ‘high risk’ individuals. The sensitive data “can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs.” The watchlist includes “current and former politicians, individuals or companies under sanctions or convicted of high-profile financial crimes such as fraud, or anyone with links to terrorism.” This trove of sensitive data was exposed “after a company with access to the database left it on a server without a password.” (Source: TechCrunch)

Technology used by law enforcement to hack mobile devices for sale on eBay for $100. The devices, manufactured by a company known as Cellebrite, are “used by police around the world to break open iPhones, Androids and other modern mobiles to extract data. ...” With an unknown number of Cellebrite devices being sold second-hand by law enforcement agents on the Internet, “cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result.” (Source: Forbes)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 7, 2019


The #DataInsecurity Digest | Issue 87

Facebook reportedly nears hefty FTC settlement; national cybersecurity at risk from external hackers and internal ineptitude

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: As Facebook and the Federal Trade Commission (FTC) reportedly near a record-setting privacy settlement, Chinese and Iranian hackers are beefing up their efforts to steal military and trade secrets from the United States. Meanwhile, both the Census Bureau and Federal Housing Finance Agency received bad publicity for failing basic cybersecurity best practices. Amid this storm of bad data security news, the Senate Homeland Security Chairman finds himself on the receiving end of condemnation from both sides of the aisle for blocking key cyber bills during his tenure as chairman of the Senate Homeland Security Committee.

And now, on to the clips!

-----------------

Chinese and Iranian hackers take aim at U.S. companies and military. @nicoleperlroth reports that the “Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Dozens of corporations and multiple United States agencies have been hit. ...” Meanwhile, cyber watchers have observed a “renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies.” (Source: New York Times)

Chairman Johnson stalls efforts to enact cybersecurity legislation. @timstarks and @ericgeller report that, while cyber threats have grown, Senate Homeland Security Committee Chairman Sen. Ron Johnson (R-WI) has “derailed many of the most significant cybersecurity-related bills in the past four years, including legislation to secure elections, study whether the growing use of encrypted apps hampers law enforcement and hold companies accountable for the proliferation of insecure connected devices.” @MiekeEoyang commented that @RonJohnsonWI’s committee “is the place where legislation goes to die on cybersecurity.” Former Chairman Michael McCaul (R-TX) also publicly lamented Johnson’s leadership, stating that "[t]he record speaks for itself." (Source: Politico)

Facebook reportedly negotiating multi-billion fine with FTC for privacy violations. @tonyromm reports that, while a deal has not yet been reached, the fine “would be the largest the agency has ever imposed on a technology company. ... If talks break down, the FTC could take the matter to court in what would likely be a bruising legal fight.” (Source: Washington Post)

Census Bureau finds data collected in the 2010 Census to be vulnerable. While a breach is not thought to have occurred, the age, gender, location, race, and ethnicity data collected from millions of Americans was found to be improperly secured. “The Census Bureau is now scrapping its old data shielding technique for a state-of-the-art method that [Census Bureau Chief Scientist John] Abowd claimed is far better than Google's or Apple's.” (Source: New York Times)

Quick hit: Patient healthcare data breaches nearly triple. The Protenus 2019 Breach Barometer found that patient record data breaches surged from 5 million records in 2017 to 15 million in 2018. (Source: Health IT Security)

Breach du jour: Dating app notifies users of Valentine’s Day breach. The breach at “Coffee Meets Bagel” is believed to have compromised a partial list of user details, including names and email addresses. Thankfully, users' financial information and passwords do not seem to be at risk in this breach. However, the breach is still troubling as “dating apps run a risk of leaving users' most intimate communications vulnerable.” (Source: Axios)

Stolen Equifax data has yet to surface. Seventeen months after the historic breach, the records of 143 million Americans "never appeared on any [of the] hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.” The lack of movement of the valuable data has led many researchers to suspect that the Equifax breach was the work of an international spy agency. (Source: CNBC)

One in three FHFA employees fail phishing test. An audit found that one-third of tested employees at the Federal Housing Finance Agency (which oversees Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System) failed to properly handle suspicious emails. (Source: FCW)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published February 21, 2019



What broadband privacy?

When you ask consumers about the kind of information that they'd like to keep private, location data is usually near the top of the list. That’s why Motherboard’s recent investigation into cell phone companies’ location data sharing services is so troubling.


Rubio’s bill is an empty promise

Last month, Sen. Marco Rubio (R-FL) joined the growing list of Members of Congress, advocacy groups, and industry players who have released privacy bills. Rubio’s bill, the American Data Dissemination Act (ADD Act), exists primarily to relieve Congress of the January 20, 2020 deadline when the California Consumer Privacy Act (CCPA) takes effect. Absent action by Congress, the CCPA, the subject of a furious lobbying campaign to weaken it, will become the strongest consumer privacy law in the United States less than a year from now.
