National Consumers League


The #DataInsecurity Digest | Issue 97

Regulators strike back as new data puts cost of breaches at $45 billion annually

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Corporations were put on notice this week as both EU and U.S. regulators imposed record-setting fines. While UK regulators assessed fines against both British Airways and Marriott, the Federal Trade Commission (FTC) reportedly voted to levy a massive $5 billion fine against Facebook. Only time will tell if the regulators’ actions will spur companies to take meaningful steps to curtail data breaches, which the Internet Society estimated inflicted over $45 billion in losses in 2018 alone.

And now, on to the clips! 

-----------------

FTC reportedly approves massive $5 billion fine against Facebook. The fine is not only the largest ever levied “against a tech company that broke a past promise to the government to improve its privacy practices” but it is “more than 200 times greater than the previous largest fine.” (Source: Washington Post)

ICE officials search state driver's license databases without citizens’ knowledge or consent. In at least three states, Immigration and Customs Enforcement (ICE) officials have “requested to comb through state repositories of license photos,” using facial recognition. At least two states, Utah and Vermont, complied. (Source: New York Times)

House Energy and Commerce Committee looks toward Fall 2019 for release of privacy bill. Aides for the committee identified two major sticking points for the bill. The first is state preemption; the second “lies in whether or not the bill should give consumers the right to sue companies for data breaches. ... One of the aides said that although his office expects the language [a private right of action] to be included in the bill, it could upset moderate Democrats involved in the discussions.” (Source: Morning Consult)

UK regulators propose fining British Airways $230 million. The fine comes in response to the airline's 2018 data breach, which compromised about a half-million passenger records. The fine “represents the latest and by far biggest penalty initiated by national-privacy regulators across the European Union since the enactment last year of [GDPR].” (Source: Wall Street Journal)

UK regulators fine Marriott $123 million. Marriott’s costly fine was in response to a data breach the company suffered last year affecting around 383 million guests, 30 million of whom resided in the EU. “The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott ‘failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.’” (Source: Tech Crunch)

Lake City, FL hit with ransomware attack. The city’s misfortune is another in a growing trend of ransomware attacks on local governments. "Experts on cybersecurity say the growing number of attacks and escalating ransom demands suggest that cyberattacks have found a ripe target: small governments with weak computer protections and strong insurance policies. The [ransom] payments keep coming even as the F.B.I. says they might be incentivizing more attacks.” In the case of Lake City, Florida, many of its files remain locked even after paying the hefty ransom. (Source: New York Times)

Google admits to listening to smart device recordings. An investigative report found “many recordings that had been captured inadvertently, without users activating their devices.” Google “emphasized that ... audio recordings are not tagged to users’ accounts in Google’s review system.” However, despite Google’s claim, journalists were “able to link some audio snippets to the users who were captured on the recordings because they included sensitive, identifiable information.” (Source: The Hill)

In 2018, there were more than 2 million cyber incidents. The report put out by the Internet Society’s Online Trust Alliance also estimated that the incidents inflicted at least $45 billion in losses. The organization predicted that its numbers were on the low side because “it is still the case that most incidents go unreported.” (Source: The Internet Society)

National Consumers League
Published July 18, 2019


The #DataInsecurity Digest | Issue 96

Despite saber-rattling, U.S. woefully unprepared for cyber war with Iran

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: As the United States launches cyberattacks against Iran, the Department of Homeland Security (DHS) is warning that defenses against possible retaliation appear to be lacking. A bipartisan Senate committee found that several high-profile agencies left Americans’ sensitive data vulnerable to hackers. Sen. Warner is one of several Senators asking for answers about the recent spate of healthcare data breaches. And Sen. Hassan could find herself in hot water if it’s found that she failed to notify constituents affected by a data breach in her office.

And now, on to the clips! 

-----------------

U.S. military launches cyber strike against Iran. The cyberattacks were approved by President Trump and “specifically targeted Iran’s Islamic Revolutionary Guard Corps computer system.” The attacks “disabled Iranian computer systems that controlled its rocket and missile launchers. ...” (Source: The Associated Press)

DHS warns businesses that they will be targeted by Iranian hackers. In the wake of the U.S. cyberattacks, Chris Krebs, director of the Homeland Security Department’s cybersecurity division, warned that Iranian hackers have already begun “targeting U.S. companies with specialized malicious software designed to wipe the contents of their computer networks rather than to simply steal their data.” (Source: Washington Post)

Quick hit: DHS announces that it is unlikely to meet its cybersecurity goals. (Source: Department of Homeland Security)

Healthcare data breaches under new Congressional scrutiny. High-profile breaches at medical bill collectors and diagnostics companies that compromised 20 million consumer records are attracting attention from Congress. “I am concerned about your supply chain management, and your third-party selection and monitoring process,” wrote Sen. Mark Warner (D-VA) in a letter to Quest Diagnostics, one of the breached entities. (Source: Bloomberg)

Did Sen. Hassan violate breach notification laws? Right-wing media is abuzz over the sentencing of a former staffer for Sen. Maggie Hassan (D-NH) who engineered a massive breach of the Senator’s IT systems, compromising significant amounts of sensitive constituent data. Now questions are being raised about whether Hassan complied with relevant data breach notification laws related to the incident. “Hassan’s office provided no evidence to the Daily Caller News Foundation (DCNF) that it had disclosed its own breach, and several New Hampshire residents who had communicated with Hassan’s office told the DCNF they had not received any notification that their information could be in the hands of bad actors,” wrote @lukerosiak. (Source: Daily Caller)

EFF: Federal privacy bill should include a data security standard. The Electronic Frontier Foundation (EFF), a leading digital civil liberties group, is calling for stronger data security protections as part of its recommendations for comprehensive privacy legislation. “Also, where a company fails to meet this duty, it should be easier for people harmed by data breaches—including those suffering non-financial harms—to take those companies to court.” (Source: Electronic Frontier Foundation)

Bipartisan Senate committee found that U.S. agencies left sensitive data vulnerable to breaches for decades. The Committee found that the Departments of State, Homeland Security, Health and Human Services, Transportation, Education, Agriculture, Housing and Urban Development, and the Social Security Administration left “Americans' personal information open and vulnerable to theft.” (Source: The Hill)

City of Baltimore approves additional $10 million in cyberattack relief. As the city moves into its 9th week since a ransomware attack, its water billing system remains offline. (Source: ABC News)

Lawsuit against Facebook for compromising 29 million accounts allowed to move forward. A federal appeals court in San Francisco rejected Facebook’s attempt to block the lawsuit and allowed “claims against Facebook [to] proceed for negligence and for failing to secure users’ data as promised.” (Source: Bloomberg)

Stat du jour: 50 percent of manufacturers experienced a breach in the last 12 months. Of the breached entities surveyed, @sikichllp found that 11 percent suffered a “major” breach. (Source: Industry Week)

National Consumers League
Published July 3, 2019


The #DataInsecurity Digest | Issue 95

Federal contractors look to weaken Android cybersecurity as Trump Administration makes plans to beef up offensive cyber operations

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: The U.S. is ramping up its offensive cyber operations abroad. However, cyber anxieties steadily grow at home as Baltimore city government continues to grapple with the aftermath of its devastating ransomware attack.

Good news on the cyber front was in short supply this week. Senate Majority Leader Mitch McConnell (R-KY) is reportedly telling colleagues that he plans on blocking all election security legislation regardless of party sponsorship–despite Russia’s continued efforts to hack election systems. Senator Merkley (D-OR), for one, isn’t sitting still. He’s pressing U.S. auto manufacturers for information on their data collection and data security practices.

And now, on to the clips!

-----------------

Bolton: U.S. to expand offensive cyber operations. Previously, the United States “had been primarily focused on stopping election interference.” Now, White House national security adviser John Bolton, “intends to expand offensive operations in cyberspace to counter digital economic espionage and other commercial hacks...” (Source: Wall Street Journal)

Federal contractor known for breaking into iPhones turns attention toward Android. Grayshift, a startup that rose to fame by helping agencies like U.S. Immigration and Customs Enforcement (ICE) break into iPhones, is now turning to defeating the security protections of Android phones as well. Grayshift CEO David Miles recently revealed that, “the most logical next step would be [to hack] some of the more modern Android devices, from Samsung and Google...” (Source: Forbes)

Mitch McConnell blocks election security legislation. In the wake of Russia’s interference in the 2016 presidential election, many Republicans and Democrats have worked together to beef up election security. However, Senate Majority Leader Mitch McConnell (R-KY) has reportedly told his colleagues that “he will not allow the Senate to vote on election security legislation this session.” (Source: Sludge)

Breach Du Jour: Evite. The social planning and e-invitation website has suffered a breach that compromised around 10 million users’ accounts. A hacker on the dark web is now “selling ten million Evite user records that include full names, email addresses, IP addresses, and cleartext passwords.” (Source: ZDNet)

One-third of data breaches could have been easily prevented with DNS firewalls. @GlobalCyberAlln found that the installation of domain name system (DNS) firewalls that “prevent users from visiting malicious sites,” could have stopped “between $150-200 billion in cybercrime losses annually.” (Source: Global Cyber Alliance)
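The clip above describes what a DNS firewall does but not how the matching works, which is where deployments go wrong. The following is an added example, not code from the Global Cyber Alliance or from any real product: a minimal resolver-side policy (in the spirit of an RPZ blocklist) that decides per query whether to answer normally or hand back a sinkhole address. The class names, blocklist entries, query names and upstream answers are all constructed for illustration. The point it demonstrates is that an entry such as `evil.example` must cover `login.evil.example` but not `notevil.example`, so matching has to happen on label boundaries rather than as a plain string suffix.

```python
"""Minimal DNS-firewall (RPZ-style) policy check.

Added illustration, not from the Global Cyber Alliance report or any vendor.
Blocklist entries, query names and upstream answers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: lower-case, drop the trailing dot, split into labels."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


@dataclass(frozen=True)
class Verdict:
    action: str              # "allow" or "block"
    matched: Optional[str]   # blocklist zone that fired, if any


class DnsFirewall:
    """Suffix match on labels: 'evil.example' covers itself and every subdomain,
    but not 'notevil.example' (label boundary, not character-string suffix)."""

    def __init__(self, blocked_zones: List[str], sinkhole: str = "0.0.0.0") -> None:
        # Keep zones as label tuples so comparison is per label, not per character.
        self._zones = {tuple(_labels(zone)) for zone in blocked_zones}
        self.sinkhole = sinkhole

    def check(self, qname: str) -> Verdict:
        labels: Tuple[str, ...] = tuple(_labels(qname))
        # Walk from the full name up towards the TLD, testing each suffix.
        for i in range(len(labels)):
            suffix = labels[i:]
            if suffix in self._zones:
                return Verdict("block", ".".join(suffix))
        return Verdict("allow", None)

    def answer(self, qname: str, upstream: Dict[str, str]) -> Optional[str]:
        """A record to return to the client: the sinkhole address for blocked
        names, the upstream answer otherwise (None if upstream has no record)."""
        if self.check(qname).action == "block":
            return self.sinkhole
        return upstream.get(".".join(_labels(qname)))


# Constructed sample data; these are not real indicators.
BLOCKLIST = ["evil.example", "c2.badactor.test"]
UPSTREAM = {"www.example.com": "93.184.216.34", "notevil.example": "192.0.2.10"}
FW = DnsFirewall(BLOCKLIST)

if __name__ == "__main__":
    for q in ["www.example.com", "EVIL.example.", "login.evil.example",
              "notevil.example", "c2.badactor.test"]:
        print(f"{q:22} {FW.check(q)}  ->  {FW.answer(q, UPSTREAM)}")
```

Returning `0.0.0.0` (or a logging sinkhole you control) rather than NXDOMAIN is a deployment choice; the sinkhole variant gives the SOC a record of which internal hosts tried to reach the blocked name.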

Quick hit: More than one in five Americans has considered canceling their plans to attend an event due to cyber or physical security concerns. (Source: Unisys Security Index)

Baltimore update: City of Baltimore still unable to send out water bills. Residents will again not receive water bills this month as the city struggles to return to normal operations in the wake of a ransomware attack on May 7, 2019. In total, the attack is now estimated to have "cost the city more than $18 million.” (Source: The Baltimore Sun)

Senator Merkley investigates car manufacturers’ data collection practices. After a study discovered that cars can collect 25 GB of data per hour, Senator Merkley (D-OR) wrote a letter to leading car manufacturers to discover “whether or not their cars collect personal data from drivers, what data they collect, who owns that data, and whether data collected is securely stored to protect consumers’ privacy.” (Source: Office of Senator Jeff Merkley)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the Federal Trade Commission (FTC) convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

National Consumers League
Published June 20, 2019


The #DataInsecurity Digest | Issue 93

With Baltimore being held hostage, ransomware fears growing once again 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Fears of another outbreak like 2017’s WannaCry ransomware prompted Microsoft to take the unusual step of providing security updates for otherwise unsupported operating systems. The patch was of little solace to the city of Baltimore, which suffered an unrelated ransomware attack that shut down its email system, among other critical functions. Baltimore’s cyber woes are not unheard of, however, as one study found that ransomware attacks on state and local governments are on the rise despite the fact that many state and local governments are refusing to pay the ransom. One reason for this concerning trend could be that two prominent data recovery firms, whose clients included local municipalities, secretly paid off Iranian hackers, fueling fears that the firms are incentivizing hackers to go after city governments.

And now, on to the clips!

-----------------

City of Baltimore hit with crippling ransomware attack. @magmill95 reports that the attack “took down several of the city’s services last week, including some of the capabilities of the Baltimore City Department of Transportation, the Department of Public Works, and the Department of Finance.” At the time of the drafting of this publication, “the city was still unable to send or receive email.” Officials “could not give an exact time for when the systems would all be fully operational.” (Source: The Hill)

Firms promised to free data from ransomware attacks with technology. In reality, they were secretly paying Iranian hackers. In the wake of the SamSam ransomware attacks, tech firms promised to use their “own data recovery methods but instead paid ransoms, sometimes without informing victims such as local law enforcement agencies. ...” In addition to misleading their clients, the firms “charg[ed] victims substantial fees on top of the ransom amounts.” (Source: ProPublica)

Report watch: Ransomware attacks on state and local governments are on the rise. @uuallan found that “while 2018 saw a small resurgence in overall ransomware attacks, there was a sharp jump in ransomware attacks against state and local governments, and that surge seems to be continuing into 2019.” (Source: Recorded Future)

ICE pays contractors $1.2 million to hack into Americans’ iPhones. The expenditure reveals the high priority that U.S. Immigration and Customs Enforcement has placed on undermining “passcodes and other security features Americans use to keep their information private.” (Source: Washington Post)

Microsoft scrambles to stop WannaCry 2.0 before it happens. Last week, Microsoft took the “unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a ‘wormable’ flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.” (Source: Krebs on Security)

Russia hacked two Florida election systems during the 2016 election. Florida Gov. Ron DeSantis acknowledged that the breach occurred but stressed that “[n]othing that affected the vote count," took place. Followers of election security will recall that “[l]ast year, former Florida Sen. Bill Nelson warned that Russia had ‘penetrated’ Florida's voter registration systems, but election officials denied that vehemently at the time. Then-Gov. Rick Scott, who defeated Nelson in the Senate race, decried Nelson's claims and said they ‘only serve to erode public trust in our elections at a critical time.’" (Source: NPR)

Rhode Island launches first statewide cybercrime hotline. In Rhode Island, cyber victims need to only dial 211 to “be connected with an operator who is trained to connect the victim with the proper organization to help. These include government organizations, local nonprofits, and local, state and federal agencies and resources to help protect them from further attacks and recover any money that may have been lost.” (Source: Patch)

Ajit Pai’s FCC is keeping commissioners in the dark about phone location data investigation. After news broke that AT&T, Sprint, Verizon, and T-Mobile were selling their customers' real-time cell phone location data without their consent, the FCC vowed to look into the matter. Months later, the public still does not know what happened, and FCC Commissioners are complaining about being kept in the dark by their own agency. Commissioner Jessica Rosenworcel publicly complained that “[s]o far it appears that the FCC is more interested in protecting the privacy of its investigation than the privacy of wireless consumers across the country." (Source: Vice)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

National Consumers League
Published May 23, 2019


The #DataInsecurity Digest | Issue 92

Facebook nears settlement with FTC while hackers attack U.S. electric grid

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Facebook is reportedly nearing a final settlement with the Federal Trade Commission (FTC). Once the settlement is complete, however, law enforcement's work may just be getting started. Last week, the Department of Energy acknowledged that a western U.S. power utility was forced to battle a prolonged distributed denial-of-service (DDoS) attack, and the FBI found that the cost of Internet-enabled crime grew to $2.7 billion in 2018. Meanwhile, a data breach exposed the sensitive data of 13.7 million job seekers.

And now, on to the clips!

-----------------

Facebook nears $5 billion settlement with FTC. As part of its rumored settlement, @ceciliakang reports that Facebook will pay a fine of as much as $5 billion and will also “create a privacy committee to protect its users’ data, as well as an external assessor who would be appointed by the company and F.T.C. The social network will also appoint a head compliance officer — who could be its chief executive, Mark Zuckerberg.” (Source: New York Times)

DDoS attack launched against power grid in western U.S. The Department of Energy has confirmed that an attack "knocked [an] energy company’s systems offline by overloading them with traffic.” Although the attack lasted nearly 10 hours, it did not cause any customer outages. "The name of the energy company wasn’t named, but it provides power and energy to customers across Los Angeles in California, Salt Lake County in Utah, and Converse County in Wyoming." (Source: Tech Crunch) 

FBI: Internet-enabled crime losses grow to $2.7 billion in 2018. The total losses mark a 90 percent increase from 2017. In 2018, the FBI’s Internet Crime Complaint Center received 900 complaints a day from Internet fraud victims. (Source: Internet Security Alliance)  

‘Blockchain bandit’ steals more than $50 million by guessing weak private keys. The cryptocurrency industry has long been plagued by theft, but one researcher has found that a cryptocurrency bandit was able to siphon “off a fortune of 45,000 ether” by scanning the Ethereum blockchain for funds held at addresses derived from weak, guessable private keys and sweeping them out as soon as they were funded. (Source: Wired)

Suggested reading: The SIM-swap fix that countries across Africa are using and U.S. telecoms won’t. After one Mozambique bank witnessed SIM swap scams at a rate of 17 frauds per month, it knew it needed to act. The solution was quite straightforward: since “SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim's banking credentials... the carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked.” As a result of this new system, the bank’s SIM swap scam rate dropped to nearly zero overnight. (Source: Wired)  
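The control described in the clip above is simple enough to write down, and the failure modes are where it earns its keep. The following is an added example, not the bank's or the carrier's code: the carrier's "recent SIM swap" query is stood in for by an in-memory table of SIM-change timestamps (a hypothetical interface with constructed phone numbers and dates), and the transfer policy blocks a transfer when the number tied to the account changed SIM inside a lookback window. It also covers the two edge cases the article does not spell out: a carrier lookup that fails (routed to manual review rather than silently allowed) and a swap timestamp in the future (clock skew, treated as recent rather than as ancient).

```python
"""Pre-transfer SIM-swap check, in the spirit of the Mozambique bank's control.

Added illustration, not the bank's or carrier's code. The registry class is a
hypothetical stand-in for the carrier's query API; numbers and timestamps are
constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


class CarrierSimRegistry:
    """Hypothetical carrier lookup: msisdn -> timestamps of SIM changes (UTC)."""

    def __init__(self, swaps: Dict[str, List[datetime]]) -> None:
        self._swaps = swaps

    def last_swap(self, msisdn: str) -> Optional[datetime]:
        events = self._swaps.get(msisdn, [])
        return max(events) if events else None


class FailingRegistry(CarrierSimRegistry):
    """Simulates the carrier link being down."""

    def last_swap(self, msisdn: str) -> Optional[datetime]:
        raise ConnectionError("carrier SIM-swap service unreachable")


def transfer_decision(
    msisdn: str,
    registry: CarrierSimRegistry,
    now: datetime,
    window: timedelta = timedelta(days=3),
) -> str:
    """Return 'allow', 'block' or 'review' for a money transfer.

    - no SIM change on record            -> allow
    - SIM changed within `window`        -> block (an SMS one-time password
                                            to this number cannot be trusted)
    - carrier lookup unavailable         -> review (fail closed to a manual
                                            channel instead of allowing)
    """
    try:
        last = registry.last_swap(msisdn)
    except Exception:
        return "review"
    if last is None:
        return "allow"
    age = now - last
    # A swap "in the future" means clock skew or bad data; treat it as recent.
    if age < timedelta(0) or age <= window:
        return "block"
    return "allow"


# Constructed sample data (+258 is Mozambique's country code; numbers are fake).
NOW = datetime(2019, 5, 9, 12, 0, tzinfo=timezone.utc)
REGISTRY = CarrierSimRegistry({
    "+258840000001": [NOW - timedelta(hours=6)],                               # swapped today
    "+258840000002": [NOW - timedelta(days=30), NOW - timedelta(days=2)],      # re-issued recently
    "+258840000003": [NOW - timedelta(days=45)],                               # old, legitimate
})

if __name__ == "__main__":
    for number in ["+258840000001", "+258840000002", "+258840000003", "+258840000009"]:
        print(number, transfer_decision(number, REGISTRY, NOW))
    print("carrier down:", transfer_decision("+258840000001", FailingRegistry({}), NOW))
```

The window is a tuning knob: the article's two-to-three days catches the common case where the attacker moves money immediately after the swap, while a longer window trades more customer friction for cover against a patient attacker. Note that this check only protects the SMS one-time-password step; it does nothing about the stolen banking credentials themselves.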

Breach du jour: 13.7 million job recruitment accounts. Ladders, a popular high-end job recruitment platform exposed the data of its users after it stored a database in the cloud without a password. "Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in US dollars.” In addition, some records included data similar to a user’s résumé, along with other “sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their IP address.” (Source: Tech Crunch)

Quick hit: Dems pledge to not reference stolen or hacked documents on campaign trail; Trump campaign refuses to make the commitment. (Source: Washington Post)   

Study watch: Financial firms spend $2,300 per employee to protect their data. The new survey outlined how companies invest in cybersecurity at "a range of around 0.2 percent to 0.9 percent of company revenue, with an average of about 0.3 percent.” (Source: Deloitte)  

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

National Consumers League
Published May 9, 2019


The #DataInsecurity Digest | Issue 91

Nielsen’s departure from DHS deepens cyber anxiety, cyber insurance loopholes, and a worsening breach at Facebook

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Secretary Kirstjen Nielsen’s exit from DHS signals further uncertainty for U.S. cybersecurity strategy. As the Trump Administration continues to lack a coherent strategy, hackers demonstrated the force they can bring to bear when they interrupted the Weather Channel’s live broadcast. Likewise, in an unrelated incident, the state of Ecuador suffered 40 million cyberattacks last week in retaliation for revoking the asylum of WikiLeaks founder Julian Assange.

In other news, Facebook chose to announce that its Instagram password exposure affected millions of accounts, not the tens of thousands of accounts it had previously reported, on the same morning that the findings of the Mueller investigation became public. Many privacy advocates were skeptical of the choice of timing.

Finally, companies relying on cyber insurance policies to protect them in the event of an attack are increasingly finding that they may not be covered from a state-sponsored hack like 2017’s NotPetya attack. 

And now, on to the clips!

-----------------

Experts: Nielsen exit from DHS will harm cybersecurity. A majority of experts surveyed by the Washington Post are concerned that former DHS Secretary Kirstjen Nielsen’s exit will further hamper America’s cybersecurity. “Cybersecurity talent at Kirstjen's level is unique, and someone with government policy experience is even more scarce,” commented Mark Weatherford, a former DHS cybersecurity official who is now global information security strategist at Booking Holdings. “This is another huge blow to our nation's momentum in the cybersecurity arena and the effects will be felt even more broadly on the international stage.” (Source: Washington Post)

Cyber insurance providers relying on cyberwar declarations to avoid paying. As cyber threats have escalated, companies relying on cyber insurance policies to protect them are increasingly finding that state-sponsored attacks provide a loophole for their claims to be denied. @satariano and @nicoleperlroth write that “[w]hen the United States government assigned responsibility for NotPetya to Russia in 2018, insurers were provided with a justification for refusing to cover the damage. Just as they wouldn’t be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network. … The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.” (Source: New York Times) 

Instagram password breach much larger than originally reported. Last month Facebook announced “that it had stored hundreds of millions of user passwords unencrypted on its servers, a massive security problem. At the time, it said that ‘tens of thousands’ of Instagram passwords were also stored in this way.” Last Thursday, Facebook admitted the breach actually included millions of Instagram users, not “tens of thousands.” (Source: Recode)

Hackers take Weather Channel off the air for 90 minutes.  Last week, hackers attacked the Weather Channel’s live broadcast early in the morning. During the attack, the network was able to play “canned content, before broadcasting from backup services.” (Source: WinBuzzer) 

Presidential candidate John Delaney proposes Department of Cybersecurity. Delaney’s proposal marks the first major cybersecurity push of the 2020 cycle. @kellymakena reports that “the proposed Department of Cybersecurity would be led by a cabinet-level secretary who would be in charge of implementing the United States’ cybersecurity strategy.” (Source: The Verge)

Cost of data breaches grows to $3.86 million per breach. The Ponemon Institute’s 2018 Cost of Data Breach Study found that the total cost of a breach grew by 6 percent last year. Each compromised record now costs companies an average of $148. (Source: NBC News) 

Personal Hotmail, MSN, and Outlook emails have been compromised. As a result of the breach, hackers were “able to access email content from a large number of Outlook, MSN, and Hotmail email accounts.” The breach did not affect corporate accounts. (Source: Motherboard)   

DHS and FBI: Election systems in all 50 states were targeted by Russia. The Joint Intelligence Bulletin (JIB) expanded by stating, "the FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections." One DHS spokesman said: "We assume the Russian government researched and in some cases targeted election infrastructure in all 50 states in an attempt to sow discord and influence the 2016 election." (Source: Ars Technica) 

In wake of Assange arrest, Ecuador was hit with 40 million cyberattacks. After removing Wikileaks founder Julian Assange’s political asylum status, “Javier Jara, undersecretary of the electronic government department of the telecommunications ministry, said the country had suffered ‘volumetric attacks’ that blocked access to the internet following ‘threats from those groups linked to Julian Assange. ...’ Hardest-hit were the foreign ministry, the central bank, the president's office, the internal revenue service, and several ministries and universities.” (Source: AFP) 

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published April 25, 2019


The #DataInsecurity Digest | Issue 90

FEMA leaks data on 2.5 million disaster victims, while President Trump’s budget slashes spending on cybersecurity readiness

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Victims of flooding, hurricanes, and wildfires are facing new concerns as a data leak at the Federal Emergency Management Agency (FEMA) compromised the sensitive data of 2.5 million disaster survivors. The private sector was also not immune to breaches, as we learned that Facebook stored millions of its users’ passwords in plaintext; restaurant chain Buca di Beppo compromised 2 million payment cards; and Toyota announced its second breach in five weeks. Despite these warning signs, President Trump caused a stir among cybersecurity advocates by proposing to slash funding for long-term cybersecurity readiness.

Programming note: The #DataInsecurity Digest is heading out for spring break! We will not be publishing on April 18 and will resume publication on April 25. 

And now, on to the clips!

-----------------

FEMA compromises banking information and addresses of 2.5 million disaster survivors. The Department of Homeland Security’s Office of the Inspector General found that FEMA “overshared” victims' personal information “while transferring disaster survivor information to a contractor.” Many of the victims of the California wildfires in 2017 and Hurricanes Harvey, Irma, and Maria are believed to have been affected. (Source: Washington Post) 

Facebook stored millions of Facebook, Instagram, and Facebook Lite passwords in plaintext. The passwords were accessible by any one of Facebook’s thousands of employees. In the coming days, Facebook plans to “notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users that their passwords may have been exposed.” (Source: Wired) 
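This clip and the Instagram follow-up in Issue 91 both describe the same underlying defect: passwords written down in a form anyone with read access can recover. The following is an added example, not Facebook's code, showing the defective pattern beside the hardened one. `InsecureStore` keeps the password as-is, so a database dump, a log line or a curious employee yields the password itself; `HashedStore` keeps only a per-user salted PBKDF2-HMAC-SHA256 digest and compares in constant time, so the same dump yields nothing reusable. User names, passwords and the record format are constructed for illustration; the iteration count follows OWASP's published floor for PBKDF2-HMAC-SHA256.

```python
"""Password storage: the plaintext pattern beside a hardened one.

Added illustration, not Facebook's code. Record format, user names and
passwords are constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256


class InsecureStore:
    """What not to do: the password is stored and compared as plaintext."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._users[user] = password             # readable by any DB reader or log scraper

    def verify(self, user: str, password: str) -> bool:
        return self._users.get(user) == password  # plus a timing side channel

    def dump(self) -> Dict[str, str]:
        return dict(self._users)                  # a dump is every password


class HashedStore:
    """Per-user random salt, slow KDF, constant-time comparison."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self._users: Dict[str, str] = {}
        self._iterations = iterations

    @staticmethod
    def _kdf(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = self._kdf(password, salt, self._iterations)
        # Self-describing record: algorithm, cost, salt, digest (hex). Storing the
        # cost lets you raise it later and re-hash users on their next login.
        self._users[user] = f"pbkdf2_sha256${self._iterations}${salt.hex()}${digest.hex()}"

    def verify(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            # Burn the same work for unknown users so response time does not
            # reveal whether an account exists.
            self._kdf(password, b"\x00" * 16, self._iterations)
            return False
        _, iters, salt_hex, digest_hex = record.split("$")
        candidate = self._kdf(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def dump(self) -> Dict[str, str]:
        return dict(self._users)                  # no recoverable passwords here


if __name__ == "__main__":
    bad, good = InsecureStore(), HashedStore()
    for store in (bad, good):
        store.register("alice", "correct horse battery staple")
        print(type(store).__name__, store.verify("alice", "correct horse battery staple"),
              store.dump()["alice"][:40])
```

Hashing at rest is necessary but not sufficient for the incident described here: the Facebook passwords were exposed through internal logging, so the same discipline has to apply to request logs and crash dumps, which should never receive the raw credential in the first place.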

Breach du jour: Buca di Beppo, Earl of Sandwich, and Planet Hollywood. The parent company of the popular restaurants finally acknowledged the chains were the subject of a breach after @briankrebs “contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved [in] a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.” The breach is believed to have compromised 2 million of their customers’ credit and debit card numbers over a 10-month period. (Source: Krebs on Security)

Breach du jour part deux: Toyota announces second data breach in five weeks. In Toyota’s latest breach, “hackers gained unauthorized access to data for several of its sales subsidiaries based in Tokyo. The servers that hackers accessed stored sales information on up to 3.1 million customers that included names, dates of birth and employment information.” (Source: Bank Info Security)

Trump budget provides short-term cyber fixes while hampering America's long-term cybersecurity strategy. The proposed budget provides generous increases to military cybersecurity but cuts spending for “most government offices that tackle emerging challenges in cybersecurity. The biggest cut ... is to the Homeland Security Department’s science and technology wing, which does much of the long-range research aimed at making technology fundamentally more secure.” If approved, Trump’s budget would cut the division to “slightly less than two-thirds of its 2019 funding.” (Source: Washington Post)

Investigator: Saudis hacked Amazon head Jeff Bezos in retaliation for media coverage. The investigator hired by Bezos alleged that the “Saudis obtained racy text messages between the married Bezos and his girlfriend Lauren Sanchez. The material was leaked to the National Enquirer, which published a story revealing Bezos' affair.” Investigator @GDBAProtects “thinks the Saudis may have been motivated by the Bezos-owned Washington Post's dogged coverage of last October's murder of Washington Post journalist Jamal Khashoggi.” (Source: Ars Technica)

City of Albany, NY struck with ransomware attack. On Saturday, the city was struck with a crippling ransomware attack that forced city employees to fall back on paper records. As of Tuesday, the city was still “directing people to the state Office of Records in Menands for birth, death and marriage certificates.” (Source: WNYT)

Suggested listening: An insider’s view of the Equifax breach. @redtapechron sat down with the GAO’s Equifax investigator to talk about the infamous breach. Listeners learn that “it took Equifax 76 days to notice the attack” and that “the attack itself was ‘not sophisticated.’ In fact, Equifax made things easy. Once inside, criminals found a text file with usernames and passwords for 51 other databases.” (Source: Bobsullivan.net)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published April 4, 2019


The #DataInsecurity Digest | Issue 89

As Feds pursue Facebook, Schiff warns of cyber vulnerabilities in 2020

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Despite having more than two years to beef up our cybersecurity in the wake of the 2016 elections, House Intelligence Chairman Adam Schiff warned that we are "enormously vulnerable" to hacking in the next election.

Meanwhile, Americans appear to be growing fed up with the constant state of data insecurity, as a surprising number (more than a third) feel that executives of breached entities should face prison time or fines when a breach occurs on their watch. Despite the growing public disdain for corporate America’s failure to prevent breaches, a new study found that a breached organization's CEO is actually likely to see a pay increase in the wake of a breach.

And now, on to the clips!

-----------------

Chairman of U.S. House Intelligence Committee: 2020 election is ‘enormously vulnerable’ to hacking, foreign influence. Congressman Adam Schiff (D-CA) further said, “the potential for mischief now is extreme,” and he “is concerned about efforts to undermine U.S. democracy.” (Source: Reuters) 

Federal prosecutors conduct criminal investigation into Facebook’s data deals. The investigation was launched after more than 150 companies, including Amazon, Apple, Microsoft, and Sony, “entered into partnerships with Facebook, gaining broad access to the personal information of hundreds of millions of its users,” without their consent. (Source: New York Times) 

Suggested reading: Have you ever wondered what it would be like to be responsible for a 230M-person data breach? Steve Hardigree’s small company Exactis achieved undesired fame after they stored the personal information of 230 million Americans on an unsecured server. Hardigree told @a_greenberg that the “stress over the situation was so severe that he broke out in hives and had to go to the hospital for treatment. …" The ordeal has been a grueling lesson for Hardigree, who says that he's learned the hard way how much even a tiny firm like his must prioritize security. “Be careful with your data and be careful with the people who manage your data. I hired some guys that were careless. But at the end of the day it’s the CEO who’s responsible. I take responsibility.” (Source: Wired)  

Future cyber threats keep DHS Secretary Nielsen up at night. In a speech on her future security priorities, Kirstjen Nielsen said that she is not worried about what “threat actors have done, but what they have the capability to do — surveilling sensitive secrets and deceiving us about our own data, distracting us during a crisis, launching physical attacks on infrastructure with a few keystrokes, or planting false flags to embroil us in conflicts with other nations." (Source: Politico)

Quick hit: 38 percent of consumers believe that C-level executives who fail to protect their data should face prison time or a fine. The survey also found that 20 percent of Americans don’t trust anyone with their data. (Source: HelpNetSecurity)  

Data breaches lead to pay raises for CEOs. A new report found that, despite the financial loss a breach inflicts upon a company, organizations actually tend to increase their CEO’s pay in the wake of a breach. Researchers attributed the pay raise to the “idea that the average response [to a breach] is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered.” (Source: PYMNTS)

Beto O’Rourke’s record suggests privacy convictions. After O’Rourke announced his run for president, @timstarks looked into the former House Homeland Security Committee member and found that “he took a few stances on cyber and surveillance issues that put him in company with privacy-oriented Democrats: a vote against a cyber threat information sharing bill, and co-sponsoring legislation meant to curb electronic surveillance. He also co-sponsored an amendment last year to reverse the Trump administration's elimination of the White House cyber coordinator, which House Republicans blocked.” (Source: Politico) 

Senators Wyden and Cotton request congressional breach notification rules. Despite the Senate being a major target for hackers, there is currently very little transparency when a breach occurs. As @alfredwkng reports, "Congress has no legal obligation to disclose breaches, meaning that the public has no idea when elected officials are hit by cyberattacks. ..." Now, Senators Ron Wyden (D-OR) and Tom Cotton (R-AR) are requesting that the Senate Sergeant at Arms help provide more transparency. The Senators have requested the Sergeant at Arms to “provide an annual report on the number of times Senate computers have been hacked, and incidents where hackers were able to access sensitive Senate data,” and “inform the Senate rules committee within 5 days of a breach occurring.” (Source: CNet)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 21, 2019


The #DataInsecurity Digest | Issue 88

Regulators in Europe, Members of Congress, consumer advocates taking a critical eye at misuse of consumer data 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: While EU regulators take aim at social media giants like Facebook, the new leadership in the House of Representatives pledged to protect consumer data. The newly invigorated Democratic Congress has its work cut out for it, though, as more research came out showing just how vulnerable our financial system is to hacking and how a single well-planned attack on a large bank could pose a systemwide risk to the entire financial sector.

And now, on to the clips!

-----------------

EU Regulators: First of seven investigations into Facebook to be completed by summer. Ireland’s Data Protection Commissioner commented that he anticipated that the remaining six investigations into the company’s use of personal data should be completed by the end of the year. @conorhumphries reports that in addition to probing Facebook’s data practices, “the commissioner is also probing Facebook subsidiaries WhatsApp and Instagram as well as Twitter, LinkedIn and Apple in relation to their processing of personal data and the transparency of their data processes.” (Source: Reuters) 

Democrats hold first major tech policy hearing since taking over the House. @TonyRomm reports that “party lawmakers charged that long-standing inaction on Capitol Hill had left consumers unprotected in the digital age.” Chairman Frank Pallone said, “It’s time that we move past the old model that protects the companies using our data and not the people.” (Source: Washington Post) 

Banks, securities firms, financial market infrastructures, and hospitals found to be at the highest risk of a devastating cyber-attack. @MoodysInvSvc’s report found that these industry sectors hold around $11.7 trillion of the world’s debt and that an “attack in one of those sectors would also have broad ripple effects.” The report said such an attack could result in “far-reaching impact on other sectors,” and that a single successful attack on a large bank, for example, could “pose a systemwide risk” that affects the entire financial sector. (Source: Washington Post)

North Korea launches cyberattacks against U.S. banks and businesses while meeting with Trump in Hanoi. While the attacks had been going on for months, thanks to the help of “an unnamed foreign law enforcement agency,” researchers were able to access “one of the main computer servers used by the North Korean hackers to stage their attacks [and watch] in real time, as the North Koreans attacked the computer networks of more than a hundred companies in the United States and around the globe.” (Source: New York Times)

Equifax's CEO admits that compromising Social Security numbers causes harm while simultaneously arguing in court that it does not. When asked to share his Social Security number by Rep. Katie Porter (D-CA) in a committee hearing, Equifax CEO Mark Begor declined, citing fears over identity theft. A valid concern, but also noteworthy given that Equifax has been desperately trying to "beat back a class-action lawsuit by arguing that the plaintiffs' claims of breach-related harm are merely theoretical. In asking a judge to dismiss the case, Equifax said last July that the ‘alleged injuries are the very definition of speculative and conjectural.’" (Source: Politico)

In wake of DNA test kit data misuse, consumer advocates call for HIPAA protections for patient info. After news reports disclosed that FamilyTreeDNA.com was giving the FBI access to its DNA database, an act it said it would not do without a customer’s permission, NCL’s @sallygreenberg called on Congress to take action. “We need some rules of the road. ... Right now it puts consumers at great risk of having their very private information shared, sold and misused in ways they didn’t sign up for. ... We need a strengthened HIPAA for DNA testing companies.” (Source: Washington Post)

Breach du jour: Dow Jones watchlist of 2.4 million 'high risk' individuals. The sensitive data "can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs.” The watchlist includes “current and former politicians, individuals or companies under sanctions or convicted of high-profile financial crimes such as fraud, or anyone with links to terrorism.” This trove of sensitive data was exposed “after a company with access to the database left it on a server without a password.” (Source: TechCrunch)

Technology used by law enforcement to hack mobile devices for sale on eBay for $100. The devices, manufactured by a company known as Cellebrite, are “used by police around the world to break open iPhones, Androids and other modern mobiles to extract data. ...” With an unknown number of Cellebrite devices being sold second-hand by law enforcement agents on the Internet, “cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result.” (Source: Forbes)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 7, 2019


The #DataInsecurity Digest | Issue 87

Facebook reportedly nears hefty FTC settlement; national cybersecurity at risk from external hackers and internal ineptitude

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: As Facebook and the Federal Trade Commission (FTC) reportedly near a record-setting privacy settlement, Chinese and Iranian hackers are beefing up their efforts to steal military and trade secrets from the United States. Meanwhile, both the Census Bureau and Federal Housing Finance Agency received bad publicity for failing basic cybersecurity best practices. Amid this storm of bad data security news, the Senate Homeland Security Chairman finds himself on the receiving end of condemnation from both sides of the aisle for blocking key cyber bills during his tenure as chairman of the Senate Homeland Security Committee.

And now, on to the clips!

-----------------

Chinese and Iranian hackers take aim at U.S. companies and military. @nicoleperlroth reports that the “Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Dozens of corporations and multiple United States agencies have been hit. ...” Meanwhile, cyber watchers have observed a “renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies.” (Source: New York Times)

Chairman Johnson stalls efforts to enact cybersecurity legislation. @timstarks and @ericgeller report that, while cyber threats have grown, Senate Homeland Security Committee Chairman Sen. Ron Johnson (R-WI) has “derailed many of the most significant cybersecurity-related bills in the past four years, including legislation to secure elections, study whether the growing use of encrypted apps hampers law enforcement and hold companies accountable for the proliferation of insecure connected devices.” @MiekeEoyang commented that @RonJohnsonWI’s committee “is the place where legislation goes to die on cybersecurity.” Former Chairman Michael McCaul (R-TX) also publicly lamented Johnson’s leadership, stating that "[t]he record speaks for itself." (Source: Politico)

Facebook reportedly negotiating multi-billion fine with FTC for privacy violations. @tonyromm reports that, while a deal has not yet been reached, the fine “would be the largest the agency has ever imposed on a technology company. ... If talks break down, the FTC could take the matter to court in what would likely be a bruising legal fight.” (Source: Washington Post)

Census Bureau finds data collected in the 2010 Census to be vulnerable. While a breach is not thought to have occurred, the age, gender, location, race, and ethnicity data collected from millions of Americans was found to be improperly secured. “The Census Bureau is now scrapping its old data shielding technique for a state-of-the-art method that [Census Bureau Chief Scientist John] Abowd claimed is far better than Google's or Apple's.” (Source: New York Times)

Quick hit: Patient healthcare data breaches nearly triple. The Protenus 2019 Breach Barometer found that patient record data breaches surged from 5 million records in 2017 to 15 million in 2018. (Source: Health IT Security)

Breach du jour: Dating app notifies users of Valentine’s Day breach. The breach at “Coffee Meets Bagel” is believed to have compromised a partial list of user details, including names and email addresses. Thankfully, users' financial information and passwords do not seem to be at risk in this breach. However, the breach is still troubling as “dating apps run a risk of leaving users' most intimate communications vulnerable.” (Source: Axios)

Stolen Equifax data has yet to surface. Seventeen months after the historic breach, the records of 143 million Americans "never appeared on any [of the] hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.” The lack of movement of the valuable data has led many researchers to suspect that the Equifax breach was the work of an international spy agency. (Source: CNBC)

One in three FHFA employees fail phishing test. An audit found that one-third of tested employees at the Federal Housing Finance Agency (which oversees Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System) failed to properly handle suspicious emails. (Source: FCW)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published February 21, 2019

