National Consumers League

Pages tagged "privacy"

The #DataInsecurity Digest | Issue 105

Equifax breach still generating headlines; Congress urging Barr to end attacks on encryption 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: More than two years after it was initially disclosed, the Equifax breach continues to generate headlines. Consumers, unsurprisingly, overwhelmingly opted for the breach’s cash settlement offer in lieu of free credit monitoring. Because the cash fund is capped, that almost certainly guarantees consumers will be harmed by the breach again when they receive a smaller-than-expected settlement check. If Equifax is not careful, it may have another data breach on its hands: a class-action lawsuit alleges that it protected a credit-dispute portal with the username “admin” and the password “admin.”

In other news, lawmakers are urging the Trump Administration not to sabotage the nation’s cybersecurity by undermining encryption. Finally, a third-party DNA service may have inadvertently compromised the DNA of one million consumers. 

And now, on to the clips! 

-----------------

Lawmakers urge Barr to stop attacking encryption. In a letter to Attorney General William Barr, Senator Ron Wyden (D-OR) and Representative Anna Eshoo (D-CA) wrote, “[w]e urge you to stop demanding that private companies purposefully weaken their encryption for the false pretense of protecting children[.]” The letter continued by stating that Barr’s efforts to limit encryption are "not just hypocritical, but it has been repeatedly criticized by cryptographers and other leading cybersecurity experts." (Source: The Hill)

Equifax accused of woefully bad cyber practices in class-action lawsuit. The lawsuit claims that “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes[.]” @ewolffmann reports that “the lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.” (Source: Yahoo! Finance)

Tweet du jour: Congress reacts to latest Equifax revelation. @RepKatiePorter tweets: “These data security practices are beyond sloppy; honestly, my 11-year-old son would do a better job. Equifax ought to come explain itself to Congress.” (Source: Twitter)

Only 2 percent of Equifax breach victims have opted for free credit monitoring. The vast majority of consumers appear to have opted for a cash settlement in the Equifax breach settlement. A recent court filing “indicates the bucket of money for the cash compensation, capped at $31 million, will be used up. There’s a separate bucket of money — $69 million — that will be used to compensate victims’ lost time. So far, victims have filed claims for cash and lost time totaling more than $60 million[.]” (Source: MarketWatch)

1 million+ DNA records uploaded to GEDmatch, made vulnerable to breach. Researchers found that “it’s possible to extract genetic details of any individual in the database, leaving their data vulnerable to leaks or hacks. ... In the wrong hands, a person’s genetic data can be used for discrimination or extortion, and the implications are even greater if entire databases are leaked.” (Source: Medium)

As ransomware attacks grow, the world continues to wait for Congress to act. @MattLaslo reports that “[w]hile Congress still lacks a tangible plan to help mitigate the impact, some members at least seem to be increasingly aware of the issue.” Senator Richard Blumenthal (D-CT) recently said that “[r]ansomware is one of the growing threats to cybersecurity, and the federal government ought to be doing everything possible to assist towns and cities ... There’s an urgency and an immediacy.” (Source: Wired)

Breach du jour: American Cancer Society. Last week, it was discovered that the American Cancer Society’s online store had become the latest victim of credit card number stealing malware. “The malware was buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden and Newegg.” (Source: TechCrunch)
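A worked example of the standard browser-side defense against a tampered third-party script, added by the editor; it is not code from the digest or from any of the retailers named above. A checkout page that loads its analytics snippet with a Subresource Integrity (SRI) attribute tells the browser to hash the fetched bytes and refuse to execute the file if the hash no longer matches, which is exactly what happens when a skimmer is appended to a vendor’s script. The code implements the integrity-metadata check from the W3C SRI specification, including its two less obvious rules: only the strongest listed algorithm is consulted, and an attribute with no recognizable token does not constrain the resource at all. The script bodies and the CDN URL are constructed for the demonstration.

```python
"""Subresource Integrity check for third-party checkout scripts.

Added example; not code from the digest or from any retailer named in it.
Implements the integrity-metadata check from the W3C SRI specification:
a <script> tag pinned with integrity="sha384-..." only executes if the
fetched bytes hash to that value, so a skimmer appended to a vendor's
analytics file is rejected by the browser. The script bodies below are
constructed samples.
"""
import base64
import hashlib
import hmac

# Algorithms the spec recognises, ordered by strength.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample: what the vendor's analytics snippet looked like when
# the integrity value was computed, and a copy with one appended line.
ORIGINAL = b"window.track = function (e) { navigator.sendBeacon('/collect', e); };\n"
TAMPERED = ORIGINAL + b"/* any appended line, however innocuous, changes the hash */\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return '<algo>-<base64 digest>' as it appears in an integrity attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes) -> str:
    """Emit a pinned tag; crossorigin is required for cross-origin SRI checks."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(content: bytes, integrity: str) -> bool:
    """Browser-side decision: may `content` run under this integrity attribute?

    Per spec, tokens with unknown algorithms are ignored, only the strongest
    listed algorithm is consulted, and an attribute with no usable token does
    not constrain the resource at all (the check silently passes).
    """
    parsed = []
    for token in integrity.split():
        algo, sep, value = token.partition("-")
        algo = algo.lower()
        if sep and algo in _STRENGTH and value:
            parsed.append((algo, value.split("?", 1)[0]))  # drop '?options'
    if not parsed:
        return True
    strongest = max(_STRENGTH[a] for a, _ in parsed)
    for algo, value in parsed:
        if _STRENGTH[algo] != strongest:
            continue
        expected = sri_hash(content, algo).split("-", 1)[1]
        if hmac.compare_digest(expected.encode(), value.encode()):
            return True
    return False


if __name__ == "__main__":
    # Hypothetical CDN URL, used only to show the resulting tag.
    print(script_tag("https://cdn.example.net/analytics.js", ORIGINAL))
    print("original accepted:", integrity_matches(ORIGINAL, sri_hash(ORIGINAL)))
    print("tampered accepted:", integrity_matches(TAMPERED, sri_hash(ORIGINAL)))
```

Two caveats a practitioner should keep in mind. SRI pins a file the page loads by URL, so it does nothing against a skimmer injected into the site’s own first-party bundle by whoever compromised the server; pair it with a Content Security Policy whose connect-src and form-action directives stop card data from being posted to an unexpected host. And because an empty or malformed integrity attribute silently passes, a deployment check should fail the build when a pinned tag carries no recognizable hash.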

Malicious app downloaded by 40 million Google Play store users. The app, Ai-Type, billed itself as a “free emoji keyboard.” In reality, @guykak reports, the “rogue Google Android app” was “one of the many bots of the network controlled by fraudsters to commit ad fraud.” (Source: Forbes)

National Consumers League
Published November 7, 2019


The #DataInsecurity Digest | Issue 104

Senator Wyden introduces bill empowering consumers to control their data, hold companies responsible for breaches

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Senator Wyden (D-OR) made headlines last week when he introduced the cheekily named “Mind Your Own Business Act.” The bill would increase the financial penalties companies face for compromising consumers’ data and force executives to face prison time if they lie about misusing consumers’ data.

In other news, today the National Consumers League released a major report that documents the fallout and limited options consumers have to secure their data in the aftermath of the Spectre/Meltdown security vulnerabilities, which weakened the security of nearly every computer on the planet. You can read the full report here. 

And now, on to the clips! 

-----------------

Senator Wyden introduces new privacy legislation. The “Mind Your Own Business Act” would provide “consumers the ability to opt-out of data collection and sale with a single click. It also demands that corporations be transparent as to how consumer data is collected, used, and who it’s sold to, while imposing harsh fines and prison sentences upon corporations and executives that misuse consumer data and lie about it.” (Source: Vice)

NCL releases new report: 'Data insecurity: How one of the worst computer bugs ever sacrificed security for speed.' The report outlines how a hardware issue has compromised nearly every computer on the planet, and what consumers can do about it. You can find the full paper here. 

Amazon-owned Zappos offers meek restitution to 24 million customers affected by leaked data. “In January 2012, the Amazon-owned online retailer Zappos suffered a major data breach that exposed personal information of about 24 million of the site’s customers, including names, addresses, passwords, and the last four digits of their credit card numbers.” Today, nearly eight years later, the online retailer is offering victims “a 10-percent-off code for one Zappos order. ... The deal has already received preliminary approval and is likely to be finalized in the coming weeks.” (Source: Slate)

Nearly 3,000 potentially compromised surveillance cameras still used by U.S. military and government. Last year, after fears grew that the Chinese government may have the ability to compromise certain Chinese-made surveillance systems used by the U.S. government, Congress “passed legislation that prohibits federal agencies from buying equipment made by several Chinese firms.” While the legislation doesn’t “require removal of already installed cameras ... experts suggest that was the spirit of the legislation.” (Source: Wall Street Journal)

Suggested reading: @a_greenberg provides a riveting play-by-play of the 2018 Olympic cyberattack and what it means for the future of cybersecurity. (Source: Wired)

26 million stolen payment card numbers leaked after massive fraud bazaar hack. @dangoodin001 notes that “[f]ortunately for the card owners, the database is now in the hands of affected financial institutions, who can invalidate and replace the cards.” (Source: Ars Technica)

Breach du jour: Consumer Product Safety Commission (CPSC) breach compromises information of 30,000 consumers. The breach, which was disclosed in a new report issued by the Senate Commerce Committee, compromised the “data of around 30,000 consumers, including street addresses, age and gender, along with information on 10,900 manufacturers.” (Source: The Hill)

Video du jour: Watch what happens when @donie asks a hacker to use social engineering to steal his identity. (Source: CNN)

National Consumers League
Published October 24, 2019


The #DataInsecurity Digest | Issue 103

As fears over foreign election interference grow, Washington remains idle  

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Ransomware continues to impact basic services at dozens of local agencies, including hospitals, while Congress appears to be largely sitting on its hands. Microsoft announced that Iranian hackers attempted to hack a major U.S. presidential campaign the same week researchers found U.S. voting machines “incredibly insecure.” In other news, nearly 5 million DoorDash customers, employees, and merchants had sensitive data stolen by hackers.

And now, on to the clips! 

-----------------

Microsoft: Iranians attempted to hack U.S. presidential campaign. Security researchers at Microsoft found that a hacking group, which “originates from Iran and is linked to the Iranian government," attempted to breach a presidential campaign and “tried to break into the accounts of current and former U.S. government officials, journalists covering politics and prominent Iranians living outside Iran.” (Source: NPR)

U.S. 2020 voting machines 'incredibly insecure.' Security researchers that “tested an array of voting machines and election systems that states plan to use in the next election... were able to crack into every machine they got their hands on. ... All it took was a few days of tinkering on machines[.]” (Source: Washington Post)

DHS: No one can prevent another ‘WannaCry-style attack.’ Speaking at a recent event, Jeanette Manfra, assistant director for cybersecurity at DHS’ Cybersecurity and Infrastructure Security Agency (CISA), commented, referring to another WannaCry-style attack: “I don’t know that we could ever prevent something like that.” (Source: TechCrunch)

Breach du jour: 4.9 million DoorDash customers, merchants, workers. One year after the food delivery service’s previous breach, DoorDash has found its data compromised by another one. The latest breach allowed hackers to steal users’ “name, email and delivery addresses, order history, phone numbers and hashed and salted passwords[.]” The breach also compromised driver’s license information on “[a]round 100,000 delivery workers[.]” (Source: Tech Crunch)

Data breach used to file bogus anti-net neutrality comments. In the summer of 2017, millions of fake anti-net neutrality comments were filed in the run-up to the FCC’s rollback of its 2015 net neutrality rules. News has now come to light that many of these fake comments were made possible by a data breach. “In one particular group of 1.9 million comments, according to BuzzFeed News’ analysis, 94% of the email addresses belonged to people who had fallen victim to a hack known as the Modern Business Solutions data breach, in which millions of people's personal information, including full names, birthdates, home addresses, and email addresses, had been stolen.” (Source: BuzzFeed)

Breach du jour part deux: 218 million Words With Friends users. The hackers, who gained access to a trove of user data in September, were able to scoop up users’ “email addresses, login IDs, hashed (scrambled) passwords, Zynga account IDs, and in some cases, phone numbers and Facebook IDs.” (Source: Consumer Reports)
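Both the DoorDash and the Words With Friends clips above note that the stolen passwords were “hashed and salted” or “hashed (scrambled).” The following example, added by the editor and not code from the digest, DoorDash or Zynga, shows what that claim is worth once the table is in an attacker’s hands. Each password is stored under a random per-user salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library; scrypt or Argon2 are the usual modern choices), and the cracking effort is contrasted with a bare, unsalted MD5 table. The user names, passwords, word list and the iteration counts are constructed for the demonstration.

```python
"""What 'hashed and salted' buys you when a password table leaks.

Added example; not code from the digest, DoorDash or Zynga. It stores each
password under a random per-user salt with a deliberately slow key-derivation
function (PBKDF2-HMAC-SHA256 from the standard library; scrypt or Argon2 are
the usual modern choices) and contrasts the cracking effort against a bare,
unsalted MD5 table. The user names, passwords, word list and the iteration
count are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor: an assumed default; production values are tuned to the
# hardware so that one derivation costs on the order of 100 ms.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh per user; identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """How not to store passwords: fast, unsalted, one lookup table fits all users."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One hash per candidate word recovers every user who chose that word."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Per-user salts force a fresh slow derivation per user per candidate."""
    found: Dict[str, str] = {}
    for user, stored in leaked.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    words = ["123456", "password1", "letmein"]          # constructed word list
    weak = {"alice": unsalted_md5("password1"), "bob": unsalted_md5("password1")}
    print("unsalted MD5 cracked:", crack_unsalted(weak, words))
    # Low iteration count so the demonstration finishes instantly.
    strong = {u: hash_password("password1", iterations=1_000) for u in ("alice", "bob")}
    print("same password, different records:", strong["alice"] != strong["bob"])
    print("salted PBKDF2 cracked:", crack_salted(strong, words))
```

The point of the last line is the caveat: salting and a slow hash do not make a weak password safe. They remove shared work (no precomputed tables, no cracking two users with one guess) and multiply the cost of every guess, which buys time to force a reset; users who chose a dictionary word are still recovered quickly. A breach notice that says “hashed and salted” should therefore be read as “please rotate the password anyway.”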

Quick hit: Three hospitals close due to ransomware attack. The hospitals are located in Alabama and have asked ambulances to take patients elsewhere whenever possible. (Source: BBC)

As ransomware continues to ravage cities, Washington remains idle. @timstarks observes that while “lawmakers have offered few ideas on how to respond to the wave of ransom-seeking cyberattacks that have struck at least 80 state and local government agencies ... Members of Congress have introduced only four pieces of legislation since January that even mention the word ransomware. None would begin to address the full scope of the attacks that experts say will become only more numerous and severe.” (Source: Politico)

National Consumers League
Published October 10, 2019


Developing a pro-consumer approach towards privacy and data security—context of the transaction

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

This blog post is the sixth, and final, in a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September Request For Comments (RFC), a key part of the process that informs the government’s approach towards consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreement lies on key issues among major consumer and industry players.


Developing a pro-consumer approach towards privacy and data security—user expectations

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

This blog post is the fifth of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September Request For Comments (RFC), a key part of the process that informs the government’s approach towards consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreement lies on key issues among major consumer and industry players.


The #DataInsecurity Digest | Issue 102

Ecuador leaks personal data for its entire population 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Anger over FTC missteps in the Equifax settlement is growing, with more than 200,000 consumers signing a petition urging the courts to reject the record settlement. As ransomware attacks continue to bedevil companies and governments around the world, many are questioning whether the availability of cyber insurance (which can be used to pay ransoms) may be contributing to the uptick in attacks. In breach news, 20.8 million records from the country of Ecuador, which detailed the entire population’s most sensitive data, have been compromised. Back in the United States, FEMA accidentally shared the personal information of 2.5 million disaster survivors, and 5 million medical records were left easily accessible on the web.

And now, on to the clips! 

-----------------

FEMA accidentally shared personal information of 2.5 million disaster survivors. FEMA admitted that “it unintentionally shared home addresses and banking information with a third-party contractor.” @RaquelMartinTV reports that FEMA is not “sure if anyone’s data has already been compromised.” (Source: NBC4)

Breach du jour: Personal information for the entire country of Ecuador. Records of 20.8 million people were found on an unsecured server in Miami, apparently including the personal data of every citizen of Ecuador. The breach compromised individuals’ names, dates and places of birth, addresses, marital statuses, educational information, employment statuses and locations, tax information, and bank account data such as users’ balance, financing, and credit information. (Source: Forbes)

Breach du jour part deux: 5 million medical records. “Medical images and health data belonging to millions of Americans, including X-rays, MRIs and CT scans, are sitting unprotected on the internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the U.S. and millions more around the world.” (Source: ProPublica)  

Yahoo! offers breach victims the choice of cash or credit monitoring. Victims who choose the cash option can claim up to $100. “However, actual payouts for all claims could be much lower if the total amount claimed exceeds what's available from the $117.5 million settlement. The settlement class potentially includes up to 194 million people, so these amounts would be paid in full only if the vast majority of eligible people don't ask for money.” (Source: Ars Technica)

Quick hit: Congress to advance legislation designed to help cash-strapped state and local governments beef up cybersecurity. (Source: State Scoop)  

Cyber insurance blamed for spike in ransomware attacks and payment demands. @katiefoody reports that “some cybersecurity professionals are concerned that insurance policies designed to limit the damage of ransomware attacks might be encouraging hackers, who see insurers covering increasingly large ransoms and choose to target the type of institutions likely to have coverage... . This year alone, the average ransom payment climbed from $12,762 at the end of March to $36,295 by the end of June — a 184% jump.” (Source: Washington Post)  

Petition against Equifax breach settlement gains 200k+ signatures. Anger over what many view as a weak FTC settlement with Equifax appears to be growing. “The petition argues that the terms of the deal as presented to the public are misleading and most of the customers affected won’t see any recompense over the breach. With only $31 million actually allocated to fund this portion of the settlement, less than ONE PERCENT (roughly 248 thousand out of over 148 million) could receive this money.” (Source: ThreatPost)  

National Consumers League
Published September 26, 2019


Protecting information privacy: challenges and opportunities in federal legislation

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

On September 11, 2019, policymakers, industry stakeholders, and consumer advocates gathered at The Brookings Institution to discuss the pressing question of how to protect information privacy through federal legislation. Representing the National Consumers League was Executive Director, Sally Greenberg.


Developing a pro-consumer approach towards offering defaults and controls to consumers

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

This blog post is the fourth of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September Request For Comments (RFC), a key part of the process that informs the government’s approach towards consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreement lies on key issues among major consumer and industry players.


As phone scams rise, so does the need for action

Brian Young

American consumers receive 200 million robocalls per day, and that number appears to be growing. As the number of illegal robocalls increases, so do the odds for a scammer to find a victim to cheat out of their savings. In 2019, Americans were 70 percent more likely to fall victim to a phone scam than they were in 2018. For the first time ever, phone scammers were able to steal more than $10 billion in a single year from their victims.


The #DataInsecurity Digest | Issue 101

Google warns of new iPhone hacking scheme while Texas towns continue to struggle with ransomware attack

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: As Texas continues to reel from its ransomware attack, Google researchers discovered a massive attempt to hack into consumers’ iPhones via booby-trapped websites. Google admitted its own security problems, too, with a vulnerability in its calendar app potentially affecting 1.5 billion users. In other news, Facebook received additional negative headlines after word spread that hundreds of millions of users’ phone numbers were compromised by being stored on an unsecured server.

And now, on to the clips! 

-----------------

Hackers attempt mass iPhone hack. Google security researchers "discovered a small collection of hacked websites that exploited vulnerabilities in Apple's smartphone software. ... Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant." Google estimates that these hacked websites received thousands of visitors each week. @Iyengarish reports that, “the implant was capable of giving hackers access to iPhone users' contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts.” (Source: CNN)

Texas ransomware update: Half of affected agencies are still not back up and running. Texas authorities have admitted that at least 10 of the 20+ local agencies have still not recovered from the ransomware attack, which took place on August 16. (Source: Associated Press) 

Google confirms vulnerability of calendar app to phishing attacks. After a spate of news stories noting that a security vulnerability could impact the 1.5 billion users of its calendar app, Google confirmed it. “When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it,” writes @happygeek. “Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.” (Source: Forbes) 

Bolton's departure leaves murky cyber legacy for Trump Administration. Earlier this week, John Bolton made a dramatic exit from the Trump Administration. Bolton's cyber legacy as the national security advisor will likely be mixed; on one hand Bolton was something of a cyber hawk, repeatedly warning "U.S. adversaries that the Trump administration would use its cyber warriors to punish them for jeopardizing American interests." And yet, on the other hand, he undermined U.S. ability to respond to cyber threats by "eliminating the White House cybersecurity coordinator position and downgrading the rank of the homeland security adviser, who supervised the coordinator and oversaw all cyber policy matters." (Source: Morning Cybersecurity)

Breach du jour: Hundreds of millions of phone numbers linked to Facebook accounts. @zachwhittaker reports that "the exposed server contained more than 419 million records. ... But, because the server wasn’t protected with a password, anyone could find and access the database. Each record contained a user’s unique Facebook ID and the phone number listed on the account.” Facebook’s latest cyber incident places its users at risk of spam calls and SIM-swapping attacks. (Source: TechCrunch)

Perspective: Why is Mitch McConnell blocking all election security bills? One former Obama official speculated to @Joseph_Marks_ that Leader McConnell could be “concerned about the political fallout for Republican senators, several of whom have supported and even co-sponsored election security bills in the past. ‘It would put Republican senators in an awkward spot of having to vote against election security or vote for it and potentially anger Trump or anger some of his base if he were to tweet how bad the bill is.’” (Source: Washington Post)

Google agrees to pay $170 million to settle allegations that it illegally collected children’s data. The settlement comes after Google “bragged to toy makers such as Mattel and Hasbro about its popularity among children. In one boast cited by regulators, YouTube claimed to be watched by 93 percent of tweens.” @washingtonpost reports that the fine amounts “to less than two days’ worth of profits for the tech giant.” (Source: Washington Post)

REMINDER: Multi-factor authentication still blocks 99.9 percent of all automated attacks. (Source: ZDNet)
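For readers who want to see what the second factor in that statistic actually computes, here is an example added by the editor; it is not code from the digest or from ZDNet. It implements HOTP (RFC 4226) and time-based TOTP (RFC 6238), the algorithms behind most authenticator apps, using only the Python standard library, and adds a server-side verifier that tolerates one 30-second step of clock drift while comparing codes in constant time. The key is the published RFC 6238 test key, not a real secret, and the account and issuer names are placeholders.

```python
"""What an authenticator app computes for the second factor.

Added example; not code from the digest or from ZDNet. Implements HOTP
(RFC 4226) and TOTP (RFC 6238) with the standard library, plus a server-side
verifier that tolerates one 30-second step of clock drift and compares codes
in constant time. The key below is the published RFC 6238 test key, not a
real secret; the account and issuer names are placeholders.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_KEY = b"12345678901234567890"  # RFC 6238 Appendix B, SHA-1 vectors


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, int(at // step), digits, algo)


def verify_totp(key: bytes, code: str, at: float, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock drift.

    Every candidate is compared in constant time and no early return is taken,
    so response timing does not reveal which step (if any) matched.
    """
    current = int(at // step)
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(key, current + delta, digits, algo)
        matched |= hmac.compare_digest(expected.encode(), code.encode())
    return matched


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI for enrolling an authenticator app (secret is base32)."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_KEY, now)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_KEY, code, now))
    # Placeholder account and issuer; real deployments generate a random key per user.
    print(provisioning_uri(RFC_TEST_KEY, "alice@example.com", "ExampleCorp"))
```

A production verifier needs two more things the block leaves out: it must remember the last time step at which each user succeeded and reject a second use of the same code inside the window (a TOTP code is otherwise replayable for up to 90 seconds with window=1), and it must rate-limit attempts, since a six-digit code falls to brute force in a million guesses. The 99.9 percent figure refers to automated credential-stuffing and password-spray attacks; a code like this one can still be relayed in real time by a phishing proxy, which is the gap that phishing-resistant factors such as FIDO2/WebAuthn security keys close.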

IRS identity theft enforcement actions plummet by more than 70 percent. A new audit from the Treasury Inspector General for Tax Administration found that the IRS opened a mere 75 identity theft cases in 2017 compared with 263 in 2013. @DerekDoesTech reports that “the Criminal Investigations Division has been squeezed over the past decade, losing more than 380 special agents (15% of the division's total workforce)[.]” (Source: FCW)

Your state’s DMV could be selling your personal information to private investigators. @josephfcox found that departments of motor vehicles in states across the country are selling the personal data of their customers to private investigation firms, sometimes for as little as one cent per record. Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, commented that “[t]he selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking... For survivors, their safety may depend on their ability to keep this type of information private." (Source: Motherboard)

National Consumers League
Published September 12, 2019

