National Consumers League

The #DataInsecurity Digest | Issue 83

Marriott closes out the year with another mega-breach while Congressional bipartisanship on data security fades

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Marriott’s record-setting breach, the second largest in history, was the big headline this week. Although Quora and the National Republican Campaign Committee also disclosed breaches last week, Marriott seems likely to attract a great deal of scrutiny amongst policymakers and class-action lawyers. Unfortunately, bipartisanship on cybersecurity seems to be waning, as evidenced by dueling reports on the Equifax breach by Democrats and Republicans on the House Oversight committee.

Programming note: Due to the upcoming holidays, we will be taking a break from our usual schedule. This will be the last issue of The #DataInsecurity Digest published in 2018. We’ll resume publication on January 10, 2019. Thanks for sticking with us through 2018, and best wishes for health, happiness, and improved data security in 2019!

And now, on to the clips!

-----------------

500 million Marriott and Starwood property accounts breached. In the second largest breach in history, 500 million accounts were breached over a period of several years. “For about 327 million customers, the hackers may have gained access to passport numbers, travel details and, in some cases, credit-card information, as well as names and addresses.” (Source: Wall Street Journal)

Swift fallout for Marriott. In the aftermath of the breach, “lawyers quickly filed a class-action lawsuit in Maryland… . In New York, Attorney General Barbara Underwood launched an investigation, and other states are doing the same, with a multistate team-up possible.” (Source: Politico Morning Cybersecurity)

Quick hit: China emerges as likely suspect in Marriott data breach. Although China has not been officially blamed, private investigators “have found hacking tools, techniques, and procedures previously used in attacks attributed to Chinese hackers.” (Source: Reuters) 

House Oversight Committee: Equifax breach ‘entirely preventable.’ On Monday, the House Oversight Committee released its long-awaited report regarding Equifax’s historic breach, which harmed 148 million American consumers. The report found that had Equifax “taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.” However, the report only called for additional cooperation between the public and private sectors to prevent future breaches. (Source: House Oversight and Government Reform Committee [Majority])

A few hours later, Democrats release competing Equifax oversight report. The Democratic report “called for new laws that would raise financial penalties for data breaches, simplify how consumers are notified about breaches and boost federal regulators’ cybersecurity efforts.” @Joseph_Marks_ comments that the dueling reports “highlight how cybersecurity, which was once considered a largely bipartisan topic, has been infected by partisan conflict… . The fact that the parties can’t even agree on how to properly condemn Equifax makes it seem even less likely that they will be united on how to tackle more complex challenges that have serious political implications, such as election security or protecting the power grid.” (Source: Washington Post)

House Republican campaign committee hacked during the midterm election. Although details regarding the full extent of the breach have not yet been released, it is believed that “thousands of sensitive emails” were exposed to an outside intruder and that “the email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months.” (Source: Politico)

AOL pays nearly $5 million for illegally tracking children and auctioning off their data to the highest bidder. Last week, AOL’s parent company Verizon paid $4.95 million to settle charges that AOL violated the 1998 Children’s Online Privacy Protection Act (COPPA) after “the company had knowingly been disclosing data collected on children under 13 to third parties in violation of the law.” (Source: The Hill)

Quora breach compromises 100 million user accounts. The breach is believed to have compromised “users’ names, email addresses, and encrypted passwords as well as data from social networks like Facebook and Twitter.” (Source: CNN)

Your phone’s apps could be spying on you. Most of us know that many of our mobile apps track our locations. But the New York Times has uncovered that this data could easily be used to “identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.” Similarly, the Times uncovered other unsettling applications for location tracking, such as how one company, “Tell All Digital, a Long Island advertising firm, says it runs ad campaigns for personal injury lawyers targeting people anonymously in emergency rooms.” (Source: New York Times)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published December 13, 2018


The #DataInsecurity Digest | Issue 82

Facebook’s past and present handling of Cambridge Analytica scandal continues to draw criticism

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Politicians in both the U.K. and the United States remain outraged with Facebook’s continued mismanagement of the Cambridge Analytica scandal. After Facebook’s Mark Zuckerberg repeatedly refused to answer questions from the U.K. Parliament, parliamentary leaders took the rare step of confiscating internal Facebook documents, including confidential emails between senior executives. Meanwhile, new data breaches continued to garner headlines as both Amazon and the Postal Service experienced breaches just before the Black Friday/Cyber Monday rush.

And now, on to the clips!

-----------------

Congress outraged in aftermath of Facebook’s questionable damage control tactics. After a New York Times report revealed that Facebook attempted to paint any criticism of its brand in the wake of the 2016 election as a plot by George Soros, members of Congress expressed outrage. Senator Mark Warner (D-VA): “It’s important for Facebook to recognize that this isn’t a public relations problem – it’s a fundamental challenge for the platform and their business model… . I think it took them too long to realize that. It’s clear that Congress can’t simply trust [Facebook] to address these issues on their own.” (Source: Washington Post)

U.K. Parliament seizes internal Facebook documents after Zuckerberg repeatedly refuses to answer questions. “The cache of documents is alleged to contain significant revelations about Facebook decisions on data and privacy controls that led to the Cambridge Analytica scandal. It is claimed they include confidential emails between senior executives, and correspondence with Zuckerberg.” (Source: The Guardian)

More than half a million Google Play users installed malware posing as gaming apps. @LukasStefanko, a security researcher at ESET, found that 13 apps, two of which were trending on the Google Play store, were loaded with malware. “Combined, the apps surpassed 580,000 installs before Google pulled the plug.” (Source: TechCrunch)

Amazon compromised user emails and then provided few details and potentially bad cyber advice to breach victims. @TonyRomm reports that the retailer “informed some customers on Wednesday that their names and email addresses had been ‘inadvertently disclosed’ as a result of a ‘technical error,’ but declined to provide more details about the security incident.” Many cyber watchers further questioned Amazon after it told its “users there’s ‘no need for you to change your password or take any other action,’ even though hackers ‘still might try to use their names and email addresses for nefarious purposes, including phishing scams.’” (Source: Washington Post)

Japanese cybersecurity minister admits to having never used a computer. Before Parliament, Yoshitaka Sakurada admitted that he has no need for computers, stating: “‘I have been independently running my own business since I was 25 years old.’ When computer use is necessary, ‘I order my employees or secretaries’ to do it. … ‘I don’t type on a computer.’ Asked by a lawmaker if nuclear power plants allowed the use of USB drives, a common technology widely considered to be a security risk, Mr. Sakurada did not seem to understand what they were.” (Source: New York Times)

Your VPN could be spying on you. A new report found that “60 percent of the top free mobile VPN apps returned by Google Play Store and Apple Play Store searches are from developers based in China or with Chinese ownership, raising serious concerns about data privacy. … The same report also found that 86 percent of the apps analyzed had ‘unacceptable privacy policies.’ For example, some apps didn't say if they logged traffic, some apps appeared to use generic privacy policies that didn't even mention the term VPN, while some apps didn't feature a privacy policy at all. On top of this, other apps admitted in their policies to sharing data with third-parties, tracking users, and sending and sharing data with Chinese third-parties.” (Source: ZDNet)

Breach du jour: 60 million USPS customers. The security vulnerability existed for about a year and “allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.” (Source: Krebs on Security)

Two hospitals hit with ransomware attack. The two hospitals, one located in Wheeling, WV and the other in Martins Ferry, OH, “became unable to accept patients from emergency service transports following an attempted ransomware attack…. Officials said the hospitals had since begun using a paper charting system to ensure protection of data, and the hospitals were still accepting walk-in patients.” (Source: WV News)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published November 29, 2018


The #DataInsecurity Digest | Issue 81

Mid-terms apparently free of hacking incidents; Dem control of House adds momentum to privacy, data security push

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: In last week’s elections, there were no major reports of election tampering by hackers. However, now that the election has passed, there have been several reports of sloppy security, such as a voting machine vendor that encouraged its clients to use extremely poor cyber hygiene. Despite no major election-related hacking incident, DHS Secretary Kirstjen Nielsen’s departure appears imminent, and could have impacts on the department’s ongoing cybersecurity protection efforts. All of this will likely be grist for the mill in Congress, as incoming House Commerce Committee chair Rep. Frank Pallone (D-NJ) has indicated that privacy legislation will be a priority for the committee under his leadership.

And now, on to the clips!

-----------------

Voting machine vendor instructs poll workers to use abysmally weak passwords. @kimzetter reports that the vendor manual “for voting machines used in about ten states shows the vendor instructed customers to use trivial, easy to crack passwords and to re-use the passwords when changing log-in credentials.” Such a widespread security lapse could have allowed someone to “coordinate an attack across jurisdictions.” (Source: Motherboard)

Democratic control of the House increases the likelihood of privacy legislation. Rep. Frank Pallone (D-NJ), the anticipated new chairman of the Energy and Commerce Committee “identified privacy and data security protection as priorities” for the committee in the next Congress. However, even if the House is able to pass a pro-consumer privacy bill, “the bill would also have to pass through the Senate and the White House.” @alfredwkng advises that privacy watchers should “expect the details of any proposed data privacy legislation to be highly contested between a Democratic-controlled House and the Republican-controlled Senate.” (Source: CNET)

With midterm elections behind him, Trump moves to oust Homeland Security Secretary Kirstjen Nielsen. President Trump has reportedly been upset with Nielsen’s immigration enforcement measures despite her readiness to break up Hispanic families at the border and is “looking for a replacement who will implement his policy ideas with more alacrity.” While Nielsen has been reluctant to leave, “Trump has berated her during Cabinet meetings, belittled her to other White House staff, and tagged her months ago as a ‘Bushie,’ a reference to her previous service under President George W. Bush and meant to cast suspicion on her loyalty… .” In a separate Washington Post article, @Cat_Zakrzewski observed that “Nielsen's ouster would also affect the federal government's cybersecurity policies since DHS oversees election security initiatives, critical infrastructure protection, and other cybersecurity efforts.” (Source: Washington Post)

Breach du jour: 75,000 Healthcare.gov records. The Centers for Medicare and Medicaid Services (CMS) has acknowledged that the personal information of many of its users was inappropriately accessed. While no diagnostic or treatment information was accessed, it is believed that other sensitive data “including partial Social Security numbers, immigration status, and some tax information — may have been taken.” (Source: Tech Crunch)

Identity thieves use the Post Office to commit identity theft. The Post Office’s product, “informed delivery,” a service that allows customers to view scanned images of incoming mail online, is being used by fraudsters to intercept mail according to the Secret Service. Apparently, fraudsters are “stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.” (Source: Krebs on Security)

Breach du jour part deux: HSBC Bank. HSBC bank has announced that attackers compromised the “account numbers and balances, statement and transaction histories and payee details, as well as users' names, addresses, and dates of birth,” for around 1 percent of its U.S. customers. Initial reports suggest the attackers used “credential stuffing,” a tactic “in which personal details harvested from elsewhere had been used to gain unauthorized access to the accounts.” (Source: BBC)

Quick hit: Consumers believe that data privacy is the #1 issue companies should address. The survey also found that only 16 percent of consumers believe companies were “making a very positive impact” in the data privacy area. (Source: Harris Insights)

In the wake of a data breach, 36 percent of consumers would stop engaging with a breached company. The survey also found that 47 percent of respondents “have made changes to the way they secure their personal data as a result of recent breaches and over half (54 percent) are more concerned with protecting their personal information today than they were a year ago.” (Source: Beta News)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published November 15, 2018


The #DataInsecurity Digest | Issue 80

Facebook breach is first test of GDPR data security penalties; midterm election integrity worries could depress voter turnout

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: As more data trickles out from Facebook’s 30 million account data breach, eyes turn to Europe to observe how the first big test of the new GDPR protections will be applied. Back in the United States, Yahoo attempts to settle a suit for $50 million stemming from its massive data breach, and the Pentagon raises eyebrows after it compromises 30,000 military and civilian travel records. Finally, new data from Unisys suggests that worries about election integrity could depress voter turnout in the midterm elections next week.

And now, on to the clips!

-----------------

Facebook believes 30 million account breach was perpetrated by hackers, not state actors. Sources close to the investigation told @bobmcmillan and @deetharaman that “internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team.” (Source: Wall Street Journal)

Facebook breach setting up the first test of GDPR protections. With somewhere around 3 million European Facebook users affected, “under GDPR, companies handling the personal data of Europeans must adhere to strict requirements for holding and securing that information and must report breaches to authorities within 72 hours. Under the regulation, companies can face fines of up to 4 percent of their annual global revenue. For Facebook, which made more than $40.65 billion in revenue in 2017, that fine could be as much as $1.63 billion.” (Source: CNBC)

Quick hit: Yahoo agrees to pay $50 million and provide two years of free credit monitoring to victims of the largest breach in history. The settlement still needs to be approved by the court. (Source: Associated Press)

Breach du jour: 9.4 million Cathay Pacific airline passengers. Last week, the Hong Kong carrier admitted that in March, “the personal details of 9.4 million passengers were inappropriately accessed, including passport information and credit card numbers.” Fast Passenger reports that, “in addition to passports and credit card info, personal data including names, nationalities, birth dates, phone numbers, email addresses, physical addresses, identity card numbers, frequent flyer program membership numbers, customer service remarks, and historical travel information were all accessed.” (Source: Fast Passenger)

Pentagon breach exposes personal travel data of 30,000 military and civilian personnel. @pkothari comments that “[the] Pentagon data breach could potentially be ‘part of a much larger campaign by several well-known nation-states to build out a comprehensive database on our civilian and military population, our businesses and all of their activity from one end of the supply chain to the other… . They are possibly collecting databases and information and building cross-indexes to utilize all of this data… .’” (Source: TechTarget)

Hackers are selling 35 million voting records. Criminal hackers are selling the voter data of at least 19 states with prices ranging from $150 to $12,500, depending on the state. “To our knowledge, this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history. With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large-scale identity theft.” (Source: Anomal)

In related news: Election integrity concerns likely to depress voter turnout. New data finds that nearly one in five Americans “will not vote” or are “highly unlikely to vote” in the midterm elections due to concerns around the election’s integrity. The 2018 Unisys Security Index also found that 86 percent of respondents “express concerns over the prospect of U.S. election voting systems being compromised by outsiders… .” (Source: Unisys)

Dating app for Trump supporters exposes entire user base’s personal information on the day of launch. All those Trump supporters who looked to the Donald Daters site as a place to meet people who share their worldviews should brace themselves for a potential onslaught of scammers after the website exposed “users’ names, profile pictures, device type, their private messages — and access tokens, which can be used to take over accounts.” (Source: Tech Crunch)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published November 1, 2018


The #DataInsecurity Digest | Issue 79

Google+ user data compromised, GAO reports on weapon vulnerability, CA legislating stronger passwords

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Big Tech again found itself in the headlines after Google revealed that hundreds of thousands of Google+ users may have had their personal data compromised. Even more disturbingly, a GAO report rocked Washington when it found that many (if not all) of our recently manufactured weapons are vulnerable to hacking. California provided a little solace to its hacker-plagued residents when it passed a law requiring stronger default passwords for connected devices.

And now, on to the clips!

-----------------

Breach du jour: Hundreds of thousands of Google+ users. @dmac1 and @bobmcmillan report that a “software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue.” The software giant then “opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage,” and that disclosure would “trigger immediate regulatory interest.” (Source: Wall Street Journal)

Google faces Congressional scrutiny. In the aftermath of Google’s breach, Senator Richard Blumenthal (D-CT) said that Google, which is currently operating under an FTC consent decree, “must explain its unwillingness to disclose this breach and the FTC must conduct a fulsome investigation. But to truly end this cycle of broken promises, we need a national privacy framework that protects consumers and empowers the FTC to hold companies accountable.” (Source: Washington Post)

Facebook says its largest security lapse to date was smaller than originally thought. Originally, Facebook estimated that 50 million users had their personal data compromised between July 2017 and September 2018. It now believes the number to be closer to 30 million. @KirstenGrind reports that, “of the 30 million impacted, Facebook said 14 million were the most affected. They had their names and contact details--including phone numbers and email addresses--accessed, along with such data as their gender or relationship status, as well as the last 10 places they checked into or 15 most recent searches. Fifteen million others had their names and contacts accessed.” (Source: Wall Street Journal)

All of the United States military weapons made in the last five years are susceptible to hacking. A bombshell GAO report found that “from 2012 to 2017, (Department of Defense) testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.” @rabrowne75 reports that “one of the reasons that the weapons systems are so vulnerable to cyber-attack is their connectivity to other systems, something long seen by the Pentagon as an advantage.” (Source: CNN)

California bans weak default passwords. Starting in 2020, every connected device made or sold in California must have a unique default password. Previously, “easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.” The law will require strong passwords and “allows customers who suffer harm when a company ignores the law to sue for damages.” (Source: BBC)

Quick hit: Government website administrators to begin using two-factor authentication. “Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains.” (Source: Washington Post)

Op-ed watch: Data security is about to get much worse. @schneierblog argues that security risks “are about to get worse because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve.” @schneierblog further argues that data security is a market failure that requires good government regulations, as “buyers can't differentiate between secure and insecure products, so sellers prefer to spend their money on features that buyers can see.” (Source: New York Times)

Kanye reveals his woefully poor cyber hygiene. In a meeting with President Trump, the rapper received wide criticism after a clip of him “mashing the ‘0’ button as he unlocked his iPhone to show Trump a picture of a hydrogen-powered airplane he said could replace Air Force One went viral…”, inadvertently revealing his six-digit security key of “000000” to the world. (Source: Washington Post)

Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published October 18, 2018


The #DataInsecurity Digest | Issue 73

Cyber threats are ‘blinking red’ as U.S. readiness struggles continue

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: While Director of National Intelligence Dan Coats was raising the alarm over the U.S. lack of cybersecurity readiness to lawmakers last week, cybersecurity issues continued to plague American businesses, which is especially concerning given new research that data breaches are more financially devastating to U.S. companies than to any others around the globe. In further bad news for businesses, researchers have found a site on the dark web that is selling backdoors to computers (including three at a single international airport) for a mere $10. Finally, Russian state-sponsored hacking has compromised “hundreds” of American electrical utilities, potentially giving adversaries the power to literally turn out the lights on millions of U.S. consumers.

And now, on to the clips!

-----------------

Director of National Intelligence Dan Coats: Cyber threat warnings are ‘blinking red.’ The top intelligence official compared America’s current cyber threat with pre-9/11 characterizations of our preparedness for terror attacks. “‘Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,’ Coats said.” (Source: Washington Post)

Russians ‘could have thrown switches’ at utilities. State-sponsored Russian hackers have compromised “hundreds” of supposedly secure American electric utilities and possess the ability to cause blackouts, said Department of Homeland Security officials this week. “‘They got to the point where they could have thrown switches’ and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS.” (Source: Wall Street Journal)

The government continues to struggle with sharing cyber threat intelligence. Last week, at a Washington Post Live event, current and former policymakers lamented that “the U.S. government needs [to] do a better job sharing cyber threat information with the private sector if it’s going to defeat increasingly complex cyberattacks from nation states. …” During the event, government officials acknowledged they “have been too focused on trying to get companies to share information with them -- and less on sharing with private companies who want threat intelligence the government detects.” (Source: Washington Post)

Data breaches cost U.S. companies more in 2018 than foreign counterparts. A new report from Statistica shows that American companies “paid significantly more on average for every data breach in 2018 than [did] companies in any other country — a little over $3 million more than companies in runner-up Canada, and more than twice [as much] as everyone other than Canada, Germany, and France.” (Source: Business Insider)

Backdoors into your computer could be for sale on the dark web for $10. A dark web store is advertising backdoors into computer systems and offering tips on how to use the logins without being caught. In one frightening case, cybersecurity researchers examined the IP address of compromised machines advertised on the store’s site “to discover that three belonged to a single international airport. ‘This is definitely not something you want to discover on a Russian underground RDP shop,’ said John Fokker, head of cyber investigations for McAfee Advanced Threat Research.” (Source: ZDNet)

2018 has not been a good year for cybersecurity. With a little more than half of 2018 behind us, we have a pretty good idea of what is going well and what isn’t in the cybersecurity space. @lilyhnewman reports that, while “there haven't been as many government leaks and global ransomware attacks as there were by this time last year... that's pretty much where the good news ends. Corporate security isn't getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.” (Source: Wired)

Quick hit: None of Google’s 85,000 employees has been a victim of a phishing attack since the company began requiring the use of physical security keys to log into their workspaces in early 2017. (Source: Krebs on Security)

Advocates raise concern over CFPB nominee Kraninger’s questionable data security track record. While working at DHS, Kathy Kraninger advocated for a biometric data collection program that would later be criticized by the GAO for “significant information security control weaknesses.” (Source: Allied Progress)

SEC opens probe against Facebook. The SEC has now acknowledged that it is investigating whether Facebook “adequately warned investors that developers and other third parties may have obtained users’ data without their permission or in violation of Facebook policies.” (Source: Wall Street Journal)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published July 26, 2018


The #DataInsecurity Digest | Issue 72

Data broker leaves 340M consumers’ most personal data unsecured

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As the cyber community assesses President Trump’s Supreme Court nominee’s views on privacy and the 4th Amendment, data breaches continue to plague businesses and make headlines. Last week, a data broker left the intimate details of 340 million consumers unsecured online. Likewise, Ticketmaster found itself in the midst of a massive data breach whose scope is not yet fully known. With the midterm elections looming in less than four months, Congress is letting the administration know of its displeasure with the lack of cyber leadership from the White House.

And now, on to the clips!

-----------------

Data broker Exactis left nearly 340 million consumer profiles unprotected and easily discoverable. While the records did not contain Social Security Numbers, they did include “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. …” The data trove also includes information on individuals’ children and other details, including “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.” (Source: Wired)

Senate Commerce Committee convenes hearing on Spectre and Meltdown vulnerabilities. In the hearing, Sen. Bill Nelson (D-FL) complained that “seven months [was] too long for the companies to wait before disclosing major vulnerabilities.” In response, the companies testifying pointed out that they were mainly focused on informing the affected companies first. However, @alfredwkng reports that some senators rebutted this, pointing out that “companies notified Chinese companies about Spectre and Meltdown before the US government." (Source: CNET)

SCOTUS nominee Brett Kavanaugh has a track record of opposing net neutrality and privacy. @alfredwkng reports that Kavanaugh believes that the “NSA's surveillance program was consistent with the Fourth Amendment, even without a warrant, citing that ‘In my view, that critical national security need outweighs the impact on privacy occasioned by this program.’” The justice also “sided against net neutrality in a 2017 dissent, arguing that it was ‘one of the most consequential regulations ever issued by any executive or independent agency in the history of the United States.’" (Source: CNET)

Lawmakers aim to force Trump to act on cybersecurity. The Senate Armed Services Committee added language to the must-pass defense reauthorization bill that would require the administration to develop a cyberwar doctrine. @D_Hawk reports that “[t]he move highlights mounting frustration with what lawmakers see as a woefully insufficient strategy for responding to cyberattacks, and shows they’re serious about holding officials to their tough rhetoric.” As Sen. Ben Sasse (R-NE) recently said, “Let's not sugarcoat it: Washington is dangerously unserious about cybersecurity. … We're decades into the era of cyberwar and we're still playing catch-up.” (Source: Washington Post)

Cyber lamentations: The cost of doing nothing. In a July 4 piece, New York Times opinion columnist @NickKristof provided a sobering look at the path ahead if nothing is done to improve America’s cybersecurity. Kristof recounts that when Gen. Paul Nakasone, head of the U.S. Cyber Command, was asked in his 2018 confirmation hearings what he thought would happen if our enemies attack us in cyberspace, Nakasone replied, “They do not think much will happen. They don’t fear us.” (Source: New York Times)

Ticketmaster breach grows to affect U.S. website and possibly 800 additional e-commerce sites. Security researchers @RiskIQ believe that the “Ticketmaster breach was far bigger than first thought, after several of its global sites -- including its US site, which had initially ruled out being affected -- was running code from another third-party company that had also been compromised.” (Source: ZDNet)

Equifax agrees to a consent decree, avoiding financial penalty with eight states. However, Equifax must perform a detailed assessment of cyber threats, boost board oversight of cybersecurity, and improve processes for patching known security vulnerabilities, according to the terms of the agreement. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas. (Source: Reuters)

Facebook’s new privacy settings may not be that consumer-friendly. Consumer Reports found that “the design and language used in Facebook's privacy controls nudge people toward sharing the maximum amount of data with the company.” The report also found that “users can’t make changes to default settings before completing the sign-up process. Facebook also directs new users through a confusing dashboard of policies to learn how to change settings, and in some instances users need to perform a dozen or more clicks and swipes to find and adjust the appropriate settings.” (Source: Consumer Reports)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published July 12, 2018


Carpenter v. United States: Impacts on privacy legislation

The U.S. Supreme Court decision last week in Carpenter v. United States will shape the relationship consumers have with their wireless devices and the services they use every day for years to come. In a 5-4 decision, the Court held that by obtaining cell-site records, the U.S. government performed a search. By doing so without a warrant, this search was judged unconstitutional, violating petitioner Timothy Carpenter’s Fourth Amendment rights and reversing two previous decisions.


The #DataInsecurity Digest | Issue 71

New fraud related to OPM hack underscores growing threat of data breach fallout

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The fallout from the OPM breach continues as media outlets have learned that criminals are using the data to take out fake loans. Demonstrating harm in data breach cases is often difficult for the individuals affected, but the OPM case gives a peek into how fraud can flow from breaches. Unfortunately, several new studies are suggesting that 2018 is not on track to provide any data breach relief for consumers. The Ponemon Institute estimates that 38 percent of public sector entities will suffer an attack, and two-thirds of small businesses don’t work to improve their cybersecurity in the aftermath of a breach, which sets them up for yet another breach. Good news, however, is that some victims of the Equifax breach are receiving a bit of relief in small claims court.

And now, on to the clips!

-----------------

Despite warnings of Russian interference in the midterm elections from top intelligence officials, White House remains silent. To fill the leadership void, members of Congress are stepping up by convening a summit next month to determine just how severe the threat is. “We’re getting so many mixed signals, depending on what the agency is,” said Senate Intelligence Chairman Richard Burr (R-NC). “It compels us to bring everybody together in the same room and try to figure out whether or not there’s some stovepipe issues.” (Source: Politico)

Four years after the OPM breach, we now know what criminals are using the data for. The Washington Post reports that “two people have admitted in Newport News federal court they used the stolen identities to take out fake loans through a federal credit union.” Left unexplained is how the individuals obtained the OPM information, as the hack was traced back to China and the criminals “were not accused of any hacking-related crimes.” (Source: Washington Post)

Quick hit: In 2017, the average data breach cost companies $3.6 million. The report also found the average cost per lost or stolen record was $141. (Source: Ponemon Institute)

Data breach victims are taking Equifax to small claims court and winning. While this may be good news, as one plaintiff, a small-business owner in San Francisco, put it, “I’m happy to get the money, but it’s not really over because I know my information has been leaked and you can never put it back.” (Source: New York Times)

Ponemon Institute estimates that 38 percent of public sector entities will suffer a ransomware attack this year alone. @jon_kamp and @scottmcalvert observe that “[p]ublic-sector attacks appear to be rising faster than those in the private sector.” However, @nppd_krebs notes that hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” says DHS’s Christopher Krebs. (Source: Wall Street Journal)

Employee negligence is perceived to be the main cause of data breaches by employers. A report by Shred-it found that “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.” (Source: CNBC)

New report: Two-thirds of small businesses do not improve their data security after a hack. Perhaps unsurprisingly, the same report, a survey by insurer Hiscox, also found that 44 percent of small businesses suffered multiple attacks last year. (Source: Associated Press)

FBI to World Cup fans: Leave your devices at home. The FBI is advising Americans to not take electronic devices with them “because they are likely to be hacked by criminals or the Russian government.” William Evanina, director of the U.S. National Counterintelligence and Security Center, warned travelers that “[i]f you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you—make no mistake—any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cybercriminals.” (Source: Reuters)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published June 28, 2018


The #DataInsecurity Digest | Issue 70

The FCC 'hack' that never was; U.S. thought to be nation most vulnerable to hacking

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Concern over John Bolton’s decision to eliminate the White House’s cyber coordinator position continued to grow this week, with more experts speaking out that the move could leave the United States more vulnerable to hacks. The FCC continues to face questions over the alleged hack of its complaint database after internal emails revealed that Commission staff purposely misled the media into thinking that the database was hacked (rather than reveal it had simply crashed from the overwhelming number of net neutrality comments submitted by the public).

Facebook remained in hot water after news came to light that it potentially violated its FTC consent decree by sharing users’ personal data with device manufacturers, even after users opted out of having their data shared.

And now, on to the clips!

-----------------

Cyber experts and lawmakers worry that Bolton’s decision to fire cyber coordinator will hurt U.S. cyber efforts. @ericgeller reports that “Both Republicans and Democrats are expressing concern that the White House is rudderless on cybersecurity at a time when hostile nations’ hackers are moving aggressively, inspiring fears about disruptive attacks on local governments, power plants, hospitals and other critical systems.” The consensus among lawmakers, former officials from the White House, the intelligence community, and the departments of Justice, Homeland Security, Defense and State “is that Bolton’s moves are a major step backward for the increasingly critical and still-evolving world of cyber policy.” (Source: Politico)

The FCC 'hack' that never was. In May of 2017, when the FCC was accepting comments on its plan to roll back net neutrality protections, Americans responded by flooding the FCC with comments in support of net neutrality. The deluge of comments was so large that the FCC’s comment collection system crashed. In the days that followed, the FCC would blame its inability to accept comments on hackers. @dellcam has now learned from internal FCC emails that senior FCC officials “purposely misled several news organizations, choosing to feed journalists false information, while at the same time discouraging them from challenging the agency’s official story...the agency conducted a quiet campaign to bolster its cyberattack story with the aid of friendly and easily duped reporters, chiefly by spreading word of an earlier cyberattack that its own security staff say never happened.” @dellcam reports that to sell their story, agency staff even spread misinformation about former Chairman Wheeler stating that he supposedly covered up a similar breach back in 2014. (Source: Gizmodo)

Facebook shares personal data with at least 60 device makers. “Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data.” In addition, @nytimes found that “Facebook allows the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.” This revelation raises “concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission.” (Source: New York Times)

United States is the nation most vulnerable to a massive cyberattack. The report, conducted by Rapid7, concluded that "The United States leads all other countries in the 2018 exposure rankings, scoring the highest in nearly every exposure metric we measure.” (Source: Rapid 7)

Only 23 percent of people understand that wearable devices and connected toys for children need to have security protection. This is problematic as the “data collected by cybercriminals paints a picture of the children’s lives, making them vulnerable to all kinds of cybercrime and potential attacks.” (Source: Forbes)

Breach du jour: 26 million Ticketfly users. The online ticket marketplace has been taken down by hackers, and 26 million Ticketfly users have had their email addresses, home addresses, and phone numbers compromised. (Source: Motherboard)

Trump/Kim summit tests journalists’ cybersecurity IQ. Every journalist that was covering the historic summit received a goodie bag that included “a blue, innocent-looking mini USB fan. ... Not so hot about it was the information security community,” which warned that “the device could be a covert method of installing malware onto the computers of journalists covering the summit.” (Source: Mashable)

Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published June 14, 2018

