National Consumers League

Pages tagged "privacy"

Lessons from pandemic life: we all need the option of paper notice

Jim Haigh leads education and development efforts at Keep Me Posted North America, an advocacy organization focused on the mission of consumer choice in essential communications.

It was only last year that a whopping 86 percent of U.S. consumers said they want a choice in how they receive important information from the companies they do business with. For critical correspondence such as bills and statements, the overwhelming majority want the option of paper or electronic delivery, and the ability to control their preferences.


Enough is enough! It’s time for the FTC to protect consumers from deceptive automatic renewal clauses

Brian Young

If you're like most Americans, you have probably had a bad experience with an automatic renewal or, as it is sometimes called, a negative option clause. Regardless of the name, these clauses cause contracts and subscriptions (ranging from equipment leases to gym memberships) to renew automatically unless the consumer cancels. Unfortunately for consumers, these clauses are increasingly slipped into the fine print of contracts or misleadingly disclosed during the checkout process.


How consumers must respond to the security threat inside nearly every computer

Nearly two years ago, researchers revealed flaws in the processors of virtually every computer made since the mid-1990s. The flaws, found primarily in Intel's chips, can be exploited to give attackers unauthorized access to privileged information.


The #DataInsecurity Digest | Issue 105

Equifax breach still generating headlines; Congress urging Barr to end attacks on encryption

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: More than two years after it was initially disclosed, the Equifax breach continues to generate headlines. Consumers, unsurprisingly, overwhelmingly opted for the breach’s cash settlement offer in lieu of free credit monitoring. This almost certainly guarantees that consumers will be harmed by the breach a second time when they receive a smaller-than-expected settlement check. If Equifax is not careful, it may have another data breach on its hands, as news has come to light that it is using woefully insecure usernames and passwords.

In other news, lawmakers are urging the Trump Administration not to sabotage the nation’s cybersecurity by undermining encryption. Finally, a third-party DNA service may have inadvertently compromised the DNA of one million consumers. 

And now, on to the clips! 

-----------------

Lawmakers urge Barr to stop attacking encryption. In a letter to Attorney General William Barr, Senator Ron Wyden (D-OR) and Congresswoman Anna Eshoo (D-CA) wrote, “[w]e urge you to stop demanding that private companies purposefully weaken their encryption for the false pretense of protecting children[.]” The letter went on to say that Barr’s effort to limit encryption is "not just hypocritical, but it has been repeatedly criticized by cryptographers and other leading cybersecurity experts." (Source: The Hill)

Equifax accused of woefully bad cyber practices in class-action lawsuit. The lawsuit claims that “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes[.]” @ewolffmann reports that “the lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.” (Source: Yahoo! Finance)

Tweet du jour: Congress reacts to latest Equifax revelation. @repkattieporter tweets: “These data security practices are beyond sloppy; honestly, my 11-year-old son would do a better job. Equifax ought to come explain itself to Congress.” (Source: Twitter)

Only 2 percent of Equifax breach victims have opted for free credit monitoring. The vast majority of consumers appear to have opted for the cash payment in the Equifax settlement. A recent court filing “indicates the bucket of money for the cash compensation, capped at $31 million, will be used up. There’s a separate bucket of money — $69 million — that will be used to compensate victims’ lost time. So far, victims have filed claims for cash and lost time totaling more than $60 million[.]” (Source: MarketWatch)

1 million+ DNA records uploaded to GEDmatch, made vulnerable to breach. Researchers found that “it’s possible to extract genetic details of any individual in the database, leaving their data vulnerable to leaks or hacks. ... In the wrong hands, a person’s genetic data can be used for discrimination or extortion, and the implications are even greater if entire databases are leaked.” (Source: Medium)

As ransomware attacks grow, the world continues to wait for Congress to act. @MattLaslo reports that “[w]hile Congress still lacks a tangible plan to help mitigate the impact, some members at least seem to be increasingly aware of the issue.” Senator Richard Blumenthal (D-CT) recently said that “[r]ansomware is one of the growing threats to cybersecurity, and the federal government ought to be doing everything possible to assist towns and cities ... There’s an urgency and an immediacy.” (Source: Wired)

Breach du jour: American Cancer Society. Last week, the American Cancer Society’s online store was found to be the latest victim of credit card skimming malware. “The malware was buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden and Newegg.” (Source: TechCrunch)

Malicious app downloaded by 40 million Google Play store users. The app, Ai-Type, billed itself as a “free emoji keyboard.” But in reality, @guykak comments, the rogue Android app was “one of the many bots of the network controlled by fraudsters to commit ad fraud.” (Source: Forbes)

National Consumers League
Published November 7, 2019


The #DataInsecurity Digest | Issue 104

Senator Wyden introduces bill empowering consumers to control their data, hold companies responsible for breaches

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Senator Wyden (D-OR) made headlines last week when he introduced the cheekily-named “Mind Your Own Business Act.” The bill would increase the financial penalties companies face for compromising consumers’ data and force executives to face prison time if they lie about misusing consumers’ data. 

In other news, today the National Consumers League released a major report that documents the fallout and limited options consumers have to secure their data in the aftermath of the Spectre/Meltdown security vulnerabilities, which weakened the security of nearly every computer on the planet. You can read the full report here. 

And now, on to the clips! 

-----------------

Senator Wyden introduces new privacy legislation. The “Mind Your Own Business Act” would provide “consumers the ability to opt-out of data collection and sale with a single click. It also demands that corporations be transparent as to how consumer data is collected, used, and who it’s sold to, while imposing harsh fines and prison sentences upon corporations and executives that misuse consumer data and lie about it.” (Source: Vice)

NCL releases new report: 'Data insecurity: How one of the worst computer bugs ever sacrificed security for speed.' The report outlines how a hardware issue has compromised nearly every computer on the planet, and what consumers can do about it. You can find the full paper here. 

Amazon-owned Zappos offers meek restitution to 24 million customers affected by leaked data. “In January 2012, the Amazon-owned online retailer Zappos suffered a major data breach that exposed personal information of about 24 million of the site’s customers, including names, addresses, passwords, and the last four digits of their credit card numbers.” Today, nearly 7 years later, the online retailer is offering victims “a 10-percent-off code for one Zappos order. ... The deal has already received preliminary approval and is likely to be finalized in the coming weeks.” (Source: Slate)

Nearly 3,000 potentially compromised surveillance cameras still used by U.S. military and government. Last year, after fears grew that the Chinese government may have the ability to compromise certain Chinese-made surveillance systems used by the U.S. government, Congress “passed legislation that prohibits federal agencies from buying equipment made by several Chinese firms.” While the legislation doesn’t “require removal of already installed cameras ... experts suggest that was the spirit of the legislation.” (Source: Wall Street Journal)

Suggested reading: @a_greenberg provides a riveting play-by-play of the 2018 Olympic cyberattack and what it means for the future of cybersecurity. (Source: Wired)

26 million stolen payment card numbers leaked after massive fraud bazaar hack. @dangoodin001 notes that “[f]ortunately for the card owners, the database is now in the hands of affected financial institutions, who can invalidate and replace the cards.” (Source: Ars Technica)

Breach du jour: Consumer Product Safety Commission (CPSC) breach compromises information of 30,000 consumers. The breach, which was disclosed in a new report issued by the Senate Commerce Committee, compromised the “data of around 30,000 consumers, including street addresses, age and gender, along with information on 10,900 manufacturers.” (Source: The Hill)

Video du jour: Watch what happens when @donie asks a hacker to use social engineering to steal his identity. (Source: CNN)

National Consumers League
Published October 24, 2019


The #DataInsecurity Digest | Issue 103

As fears over foreign election interference grow, Washington remains idle

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Ransomware continues to impact basic services at dozens of local agencies, including hospitals, while Congress appears to be largely sitting on its hands. Microsoft announced that Iranian hackers attempted to hack a major U.S. presidential campaign the same week researchers found U.S. voting machines “incredibly insecure.” In other news, nearly 5 million DoorDash customers, employees, and merchants had sensitive data stolen by hackers.

And now, on to the clips! 

-----------------

Microsoft: Iranians attempted to hack U.S. presidential campaign. Security researchers at Microsoft found that a hacking group, which “originates from Iran and is linked to the Iranian government," attempted to breach a presidential campaign and “tried to break into the accounts of current and former U.S. government officials, journalists covering politics and prominent Iranians living outside Iran.” (Source: NPR)

U.S. 2020 voting machines 'incredibly insecure.' Security researchers that “tested an array of voting machines and election systems that states plan to use in the next election... were able to crack into every machine they got their hands on. ... All it took was a few days of tinkering on machines[.]” (Source: Washington Post)

DHS: No one can prevent another ‘WannaCry-style attack.’ Asked at a recent event about the prospect of another WannaCry-style attack, Jeanette Manfra, assistant director for cybersecurity at DHS’ Cybersecurity and Infrastructure Security Agency (CISA), commented: “I don’t know that we could ever prevent something like that.” (Source: TechCrunch)

Breach du jour: 4.9 million DoorDash customers, merchants, workers. One year after the food delivery service’s previous breach, DoorDash has found its data compromised by another one. The latest breach allowed hackers to steal users’ “name, email and delivery addresses, order history, phone numbers and hashed and salted passwords[.]” The breach also compromised driver’s license information on “[a]round 100,000 delivery workers[.]” (Source: TechCrunch)

Data breach used to file bogus anti-net neutrality comments. In the summer of 2017, millions of fake anti-net neutrality comments were filed in the run-up to the FCC’s rollback of its 2015 net neutrality rules. News has now come to light that many of these fake comments were made possible by a data breach. “In one particular group of 1.9 million comments, according to BuzzFeed News’ analysis, 94% of the email addresses belonged to people who had fallen victim to a hack known as the Modern Business Solutions data breach, in which millions of people's personal information, including full names, birthdates, home addresses, and email addresses, had been stolen.” (Source: BuzzFeed)

Breach du jour part deux: 218 million Words With Friends users. The hackers, who gained access to a trove of user data in September, were able to scoop up users’ “email addresses, login IDs, hashed (scrambled) passwords, Zynga account IDs, and in some cases, phone numbers and Facebook IDs.” (Source: Consumer Reports)

Quick hit: Three hospitals close due to ransomware attack. The hospitals are located in Alabama and have asked ambulances to take patients elsewhere whenever possible. (Source: BBC)

As ransomware continues to ravage cities, Washington remains idle. @timstarks observes that while “lawmakers have offered few ideas on how to respond to the wave of ransom-seeking cyberattacks that have struck at least 80 state and local government agencies ... Members of Congress have introduced only four pieces of legislation since January that even mention the word ransomware. None would begin to address the full scope of the attacks that experts say will become only more numerous and severe.” (Source: Politico)

National Consumers League
Published October 10, 2019


Developing a pro-consumer approach towards privacy and data security—context of the transaction

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Sanderson

This blog post is the sixth, and final, in a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September Request For Comments (RFC), a key part of the process that informs the government’s approach towards consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreement lies on key issues among major consumer and industry players.


Developing a pro-consumer approach towards privacy and data security—user expectations

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Sanderson

This blog post is the fifth of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September Request For Comments (RFC), a key part of the process that informs the government’s approach towards consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreement lies on key issues among major consumer and industry players.


The #DataInsecurity Digest | Issue 102

Ecuador leaks personal data for its entire population

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Anger over FTC missteps in the Equifax settlement is growing, with more than 200,000 consumers signing a petition urging the courts to reject the record settlement. As ransomware attacks continue to bedevil companies and governments around the world, many are questioning whether the availability of cyber insurance (which can be used to pay ransoms) may be contributing to the uptick in attacks. In breach news, 20.8 million records from the country of Ecuador, detailing the entire population's most sensitive data, have been compromised. Back in the United States, FEMA accidentally shared the personal information of 2.5 million disaster survivors, and 5 million medical records were left easily accessible on the web.

And now, on to the clips! 

-----------------

FEMA accidentally shared personal information of 2.5 million disaster survivors. FEMA admitted that “it unintentionally shared home addresses and banking information with a third-party contractor.” @RaquelMartinTV reports that FEMA is not “sure if anyone’s data has already been compromised.” (Source: NBC4)

Breach du jour: Personal information for the entire country of Ecuador. Records of 20.8 million people were found on an unsecured server in Miami, apparently including the personal data of every citizen of Ecuador. The breach exposed names, dates and places of birth, addresses, marital status, educational information, employment status and location, tax information, and bank account data such as balances, financing, and credit information. (Source: Forbes)

Breach du jour part deux: 5 million medical records. “Medical images and health data belonging to millions of Americans, including X-rays, MRIs and CT scans, are sitting unprotected on the internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the U.S. and millions more around the world.” (Source: ProPublica)  

Yahoo! offers breach victims the choice of cash or credit monitoring. Victims who choose the cash option can claim up to $100. “However, actual payouts for all claims could be much lower if the total amount claimed exceeds what's available from the $117.5 million settlement. The settlement class potentially includes up to 194 million people, so these amounts would be paid in full only if the vast majority of eligible people don't ask for money.” (Source: Ars Technica)

Quick hit: Congress to advance legislation designed to help cash-strapped state and local governments beef up cybersecurity. (Source: State Scoop)  

Cyber insurance blamed for spike in ransomware attacks and payment demands. @katiefoody reports that “some cybersecurity professionals are concerned that insurance policies designed to limit the damage of ransomware attacks might be encouraging hackers, who see insurers covering increasingly large ransoms and choose to target the type of institutions likely to have coverage. ... This year alone, the average ransom payment climbed from $12,762 at the end of March to $36,295 by the end of June — a 184% jump.” (Source: Washington Post)

Petition against Equifax breach settlement gains 200k+ signatures. Anger over what many view as a weak FTC settlement with Equifax appears to be growing. “The petition argues that the terms of the deal as presented to the public are misleading and most of the customers affected won’t see any recompense over the breach. With only $31 million actually allocated to fund this portion of the settlement, less than ONE PERCENT (roughly 248 thousand out of over 148 million) could receive this money.” (Source: ThreatPost)

National Consumers League
Published September 26, 2019


Protecting information privacy: challenges and opportunities in federal legislation

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

On September 11, 2019, policymakers, industry stakeholders, and consumer advocates gathered at The Brookings Institution to discuss the pressing question of how to protect information privacy through federal legislation. Representing the National Consumers League was Executive Director, Sally Greenberg.

