National Consumers League

Pages tagged "privacy"

The #DataInsecurity Digest | Issue 89

As Feds pursue Facebook, Schiff warns of cyber vulnerabilities in 2020

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Despite the more than two years the country has had to beef up its cybersecurity in the wake of the 2016 elections, House Intelligence Chairman Adam Schiff warned that we are "enormously vulnerable" to hacking in the next election.

Meanwhile, Americans appear to be growing fed up with the constant state of data insecurity, as a surprising number (more than a third) feel that executives of breached entities should face prison time when a breach occurs under their watch. Despite the growing disdain for corporate America’s failure to prevent breaches, a new study found that a breached organization's CEO is actually likely to see a pay increase in the wake of a breach.

And now, on to the clips!

-----------------

Chairman of U.S. House Intelligence Committee: 2020 election is ‘enormously vulnerable’ to hacking, foreign influence. Congressman Adam Schiff (D-CA) further said, “the potential for mischief now is extreme,” and he “is concerned about efforts to undermine U.S. democracy.” (Source: Reuters) 

Federal prosecutors conduct criminal investigation into Facebook’s data deals. The investigation was launched after more than 150 companies, including Amazon, Apple, Microsoft, and Sony, “entered into partnerships with Facebook, gaining broad access to the personal information of hundreds of millions of its users,” without their consent. (Source: New York Times) 

Suggested reading: Have you ever wondered what it would be like to be responsible for a 230M-person data breach? Steve Hardigree’s small company Exactis achieved undesired fame after they stored the personal information of 230 million Americans on an unsecured server. Hardigree told @a_greenberg that the “stress over the situation was so severe that he broke out in hives and had to go to the hospital for treatment. …" The ordeal has been a grueling lesson for Hardigree, who says that he's learned the hard way how much even a tiny firm like his must prioritize security. “Be careful with your data and be careful with the people who manage your data. I hired some guys that were careless. But at the end of the day it’s the CEO who’s responsible. I take responsibility.” (Source: Wired)  

Future cyber threats keep DHS Secretary Nielson up at night. In a speech on her future security priorities, Kirstjen Nielsen said that she is not worried about what “threat actors have done, but what they have the capability to do — surveilling sensitive secrets and deceiving us about our own data, distracting us during a crisis, launching physical attacks on infrastructure with a few keystrokes, or planting false flags to embroil us in conflicts with other nations." (Source: Politico)  

Quick hit: 38 percent of consumers believe that C-level executives who fail to protect their data should face prison time or a fine. The survey also found that 20 percent of Americans don’t trust anyone with their data. (Source: HelpNetSecurity)  

Data breaches lead to pay raises for CEOs. A new report found that, despite the financial loss a breach inflicts upon a company, organizations actually tend to increase their CEO’s pay in the wake of a breach. Researchers attributed the pay raise to the “idea that the average response [to a breach] is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered.” (Source: PYMTS)  

Beto O’Rourke’s record suggests privacy convictions. After O’Rourke announced his run for president, @timstarks looked into the former House Homeland Security Committee member and found that “he took a few stances on cyber and surveillance issues that put him in company with privacy-oriented Democrats: a vote against a cyber threat information sharing bill, and co-sponsoring legislation meant to curb electronic surveillance. He also co-sponsored an amendment last year to reverse the Trump administration's elimination of the White House cyber coordinator, which House Republicans blocked.” (Source: Politico) 

Senators Wyden and Cotton request congressional breach notification rules. Despite the Senate being a major target for hackers, there is currently very little transparency when a breach occurs. As @alfredwkng reports, "Congress has no legal obligation to disclose breaches, meaning that the public has no idea when elected officials are hit by cyberattacks. ..." Now, Senators Ron Wyden (D-OR) and Tom Cotton (R-AR) are requesting that the Senate Sergeant at Arms help provide more transparency. The Senators have requested the Sergeant at Arms to “provide an annual report on the number of times Senate computers have been hacked, and incidents where hackers were able to access sensitive Senate data,” and “inform the Senate rules committee within 5 days of a breach occurring.” (Source: CNet)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 21, 2019


The #DataInsecurity Digest | Issue 88

Regulators in Europe, Members of Congress, consumer advocates taking a critical eye at misuse of consumer data 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: While EU regulators take aim at social media giants like Facebook, the new leadership in the House of Representatives pledged to protect consumer data. The newly invigorated Democratic Congress has its work cut out for it, though, as more research came out to prove just how vulnerable our entire system is to hacking and how one well-planned attack could collapse our entire financial system.

And now, on to the clips!

-----------------

EU Regulators: First of seven investigations into Facebook to be completed by summer. Ireland’s Data Protection Commissioner commented that he anticipated that the remaining six investigations into the company’s use of personal data should be completed by the end of the year. @conorhumphries reports that in addition to probing Facebook’s data practices, “the commissioner is also probing Facebook subsidiaries WhatsApp and Instagram as well as Twitter, LinkedIn and Apple in relation to their processing of personal data and the transparency of their data processes.” (Source: Reuters) 

Democrats hold first major tech policy hearing since taking over the House. @TonyRomm reports that “party lawmakers charged that long-standing inaction on Capitol Hill had left consumers unprotected in the digital age.” Chairman Frank Pallone said, “It’s time that we move past the old model that protects the companies using our data and not the people.” (Source: Washington Post) 

Banks, securities firms, financial market infrastructures, and hospitals found to be at the highest risk of a devastating cyber-attack. @MoodysInvSvc’s report found that these industry sectors hold around $11.7 trillion of the world’s debt and that an “attack in one of those sectors would also have broad ripple effects.” The report said such an attack could result in “far-reaching impact on other sectors,” and that a single successful attack on a large bank, for example, could “pose a systemwide risk” that affects the entire financial sector. (Source: Washington Post)

North Korea launches cyberattacks against U.S. banks and business while meeting with Trump in Hanoi. While the attacks had been going on for months, thanks to the help of “an unnamed foreign law enforcement agency,” researchers were able to access “one of the main computer servers used by the North Korean hackers to stage their attacks [and watch] in real time, as the North Koreans attacked the computer networks of more than a hundred companies in the United States and around the globe.” (Source: New York Times)

Equifax's CEO admits that compromising Social Security numbers causes harm while simultaneously arguing in court that it does not. When asked to share his Social Security number by Rep. Katie Porter (D-CA) in a committee hearing, Equifax CEO Mark Begor declined, citing fears over identity theft. A valid concern, but it is also noteworthy that Equifax has been desperately trying to "beat back a class-action lawsuit by arguing that the plaintiffs' claims of breach-related harm are merely theoretical. In asking a judge to dismiss the case, Equifax said last July that the ‘alleged injuries are the very definition of speculative and conjectural.’" (Source: Politico)

In wake of DNA test kit data misuse, consumer advocates call for HIPAA protections for patient info. After news reports disclosed that FamilyTreeDNA.com was giving the FBI access to its DNA database, an act it said it would not do without a customer’s permission, NCL’s @sallygreenberg called on Congress to take action. “We need some rules of the road. ... Right now it puts consumers at great risk of having their very private information shared, sold and misused in ways they didn’t sign up for. ... We need a strengthened HIPAA for DNA testing companies.” (Source: Washington Post)

Breach du jour: Dow Jones watchlist of 2.4 million ‘high risk’ individuals. The sensitive data "can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs.” The watchlist includes “current and former politicians, individuals or companies under sanctions or convicted of high-profile financial crimes such as fraud, or anyone with links to terrorism.” This trove of sensitive data was exposed “after a company with access to the database left it on a server without a password.” (Source: TechCrunch)

Technology used by law enforcement to hack mobile devices for sale on eBay for $100. The devices, manufactured by a company known as Cellebrite, are “used by police around the world to break open iPhones, Androids and other modern mobiles to extract data. ...” With an unknown number of Cellebrite devices being sold second-hand by law enforcement agents on the Internet, “cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result.” (Source: Forbes)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 7, 2019


The #DataInsecurity Digest | Issue 87

Facebook reportedly nears hefty FTC settlement; national cybersecurity at risk from external hackers and internal ineptitude

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: As Facebook and the Federal Trade Commission (FTC) reportedly near a record-setting privacy settlement, Chinese and Iranian hackers are beefing up their efforts to steal military and trade secrets from the United States. Meanwhile, both the Census Bureau and Federal Housing Finance Agency received bad publicity for failing basic cybersecurity best practices. Amid this storm of bad data security news, the Senate Homeland Security Chairman finds himself on the receiving end of condemnation from both sides of the aisle for blocking key cyber bills during his tenure as chairman of the Senate Homeland Security Committee.

And now, on to the clips!

-----------------

Chinese and Iranian hackers take aim at U.S. companies and military. @nicoleperlroth reports that the “Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Dozens of corporations and multiple United States agencies have been hit. ...” Meanwhile, cyber watchers have observed a “renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies.” (Source: New York Times)

Chairman Johnson stalls efforts to enact cybersecurity legislation. @timstarks and @ericgeller report that, while cyber threats have grown, Senate Homeland Security Committee Chairman Sen. Ron Johnson (R-WI) has “derailed many of the most significant cybersecurity-related bills in the past four years, including legislation to secure elections, study whether the growing use of encrypted apps hampers law enforcement and hold companies accountable for the proliferation of insecure connected devices.” @MiekeEoyang commented that @RonJohnsonWI’s committee “is the place where legislation goes to die on cybersecurity.” Former Chairman Michael McCaul (R-TX) also publicly lamented Johnson’s leadership, stating that "[t]he record speaks for itself." (Source: Politico)

Facebook reportedly negotiating multi-billion fine with FTC for privacy violations. @tonyromm reports that, while a deal has not yet been reached, the fine “would be the largest the agency has ever imposed on a technology company. ... If talks break down, the FTC could take the matter to court in what would likely be a bruising legal fight.” (Source: Washington Post)

Census Bureau finds data collected in the 2010 Census to be vulnerable. While a breach is not thought to have occurred, the age, gender, location, race, and ethnicity data collected from millions of Americans was found to be improperly secured. “The Census Bureau is now scrapping its old data shielding technique for a state-of-the-art method that [Census Bureau Chief Scientist John] Abowd claimed is far better than Google's or Apple's.” (Source: New York Times)

Quick hit: Patient healthcare data breaches nearly triple. The Protenus 2019 Breach Barometer found that patient record data breaches surged from 5 million records in 2017 to 15 million in 2018. (Source: Health IT Security)

Breach du jour: Dating app notifies users of Valentine’s Day breach. The breach at “Coffee Meets Bagel” is believed to have compromised a partial list of user details, including names and email addresses. Thankfully, users' financial information and passwords do not seem to be at risk in this breach. However, the breach is still troubling as “dating apps run a risk of leaving users' most intimate communications vulnerable.” (Source: Axios)

Stolen Equifax data has yet to surface. Seventeen months after the historic breach, the records of 143 million Americans "never appeared on any [of the] hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.” The lack of movement of the valuable data has led many researchers to suspect that the Equifax breach was the work of an international spy agency. (Source: CNBC)

One in three FHFA employees fail phishing test. An audit found that one-third of tested employees at the Federal Housing Finance Agency (which oversees Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System) failed to properly handle suspicious emails. (Source: FCW)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published February 21, 2019



What broadband privacy?

When you ask consumers about the kind of information that they'd like to keep private, location data is usually near the top of the list. That’s why Motherboard’s recent investigation into cell phone companies’ location data sharing services is so troubling.


Rubio’s bill is an empty promise

Last month, Sen. Marco Rubio (R-FL) joined the growing list of Members of Congress, advocacy groups, and industry players who have released privacy bills. Rubio’s bill, the American Data Dissemination Act (ADD Act), exists primarily to relieve Congress of the January 20, 2020 deadline when the California Consumer Privacy Act (CCPA) takes effect. Absent action by Congress, the CCPA, the subject of a furious lobbying campaign to weaken it, will become the strongest consumer privacy law in the United States less than a year from now.


The #DataInsecurity Digest | Issue 86

Post-shutdown cyber agenda: mitigate government brain drain, investigate Equifax

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: While the longest government shutdown in history has ended, the consequences are still being realized. Chairmen in both chambers of Congress are working to understand how the shutdown affected crucial cybersecurity programs and stem a feared exodus of government cyber talent to the private sector. And with another shutdown potentially looming, the damage of the first 35-day shutdown could be exacerbated.

Despite having fewer data breaches than 2017, breaches in 2018 compromised twice as many records. Sadly, 2019 does not appear to offer any relief, as 773 million email addresses, passwords, and potentially other personal data such as Social Security numbers have been posted on the Dark Web. With the constant onslaught of data breaches, it is perhaps not surprising that Americans, by a factor of more than two to one, are more concerned about data security than border security.

And now, on to the clips!

-----------------

House Homeland Security Chairman fears cyber vulnerabilities caused by shutdowns. Chairman Bennie Thompson (D-MS) stated that another shutdown would “absolutely” serve as an open invitation for foreign hackers to attack federal systems. "Our concern is that so many of those persons we relied on, they weren't there. ... We could respond to [the Iranian activity] but we couldn't be proactive in looking for bad actors because of the shutdown. And that was a problem because you have to have a system that's both defensive and offensive. But if you're only defensive, you're limited in what you can identify.” (Source: The Hill) 

Breach du jour: Half of the world’s email addresses and passwords. Hackers have dumped a cache of more than 773 million email addresses and passwords on the Dark Web. "The records do not come from a single breach but are a compilation of tens and possibly hundreds of data leaks that have happened over the years,” noted @panda_security. To make matters worse, researchers are currently analyzing four more just-released caches that could include "the social security numbers of almost every US citizen and permanent resident in the US.” (Source: Panda Security)

While data breach frequency was down in 2018, the number of compromised records has more than doubled. Research from @ITRCSD and @CyberScout found that in 2018, “there were 1,244 reported data breaches, down from an all-time high of 1,632 the previous year.” However, "the number of exposed records more than doubled from 197.6 million in 2017 to 446.5 million last year.” @ITRCCEO notes that “[t]he increased exposure of sensitive consumer data is serious. ... Never has there been more information out there putting consumers in harm’s way.” (Source: Fortune)

Global authorities crack down on Denial of Service attacks. “The takedown by law enforcement in April 2018 of the illegal marketplace webstresser.org... has given authorities all over Europe and beyond a trove of information about the website’s 151 000 registered users.” The newly available data has allowed law enforcement agencies to “track down the users of these Distributed Denials of Service (DDoS) attacks.” (Source: EUROPOL)

Chairwoman Waters to call on credit reporting companies to testify. @Zachary reports that Rep. Maxine Waters, Chairwoman of the House Financial Services Committee, is expected to invite senior executives from TransUnion and Experian to a mid-February hearing. Waters is an outspoken critic of the credit reporting industry, and the hearing will put a spotlight on legislation she drafted to revamp its practices. Expect the hearing to serve as an “outlet for bipartisan outrage lingering from the historic Equifax data breach that was revealed in 2017.” (Source: Politico)

Quick hit: Americans are more worried about cybersecurity than border security. The survey, conducted by Verge Analytics, found that “some 63% of those surveyed said that ‘making sure our computers are protected and privacy respected’ is the most urgent security issue compared to 29% who think that physical border security is the most important.” (Source: Dark Reading)

Sen. Johnson’s focus is to retain top cyber talent in the government. Senator Ron Johnson (R-WI) told @Joseph_Marks_ that his number one goal “is to make it more attractive for cybersecurity workers to stay in government jobs rather than flee to the private sector.” Johnson acknowledged that this task may be more difficult in the wake of the government shutdown, which "furloughed about half the Homeland Security Department’s main cyber agency and required the other half to work without pay.” (Source: Washington Post)

Facebook caught (again) paying users to download an app so that it can spy on them. This time around, the app was called “Facebook Research” and paid teens and young adults up to $20 to download the app. "Seven hours after TechCrunch’s original story published, Facebook told TechCrunch it would shut down the iOS version of its Research app.” Last week, an Apple spokesperson “confirmed that Facebook violated its policies, and it had blocked Facebook’s Research app on Tuesday before the social network seemingly pulled it voluntarily (without mentioning it was forced to do so).” (Source: TechCrunch)

NCL’s Top Ten Scams report warns about breach-fueled phishing and spoofing scams. Information scammers glean from data breaches can be put to many different uses, including making phishing emails seem more convincing. That’s one potential reason that complaints about phishing and spoofing scams continue to rise, according to NCL’s Fraud.org campaign's annual Top Ten Scams report. (Source: National Consumers League)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published February 7, 2019


The #DataInsecurity Digest | Issue 85

Shutdown puts data security at risk while Big Tech's 'grand bargain' lands with a thud

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: As the longest shutdown in U.S. history continues, cyber experts are beginning to sound the alarm that our nation’s data security is needlessly being put at risk. The shutdown wasn’t bad news for everyone, as the lapse in federal funding provided some relief for FCC Chairman Ajit Pai, who used the shutdown as an excuse to avoid appearing before Congress to explain his agency’s inaction on telecom companies selling users’ location data. Also in the news, Big Tech’s “grand bargain” on privacy seems to have landed with a resounding thud on the Hill.

And now, on to the clips!

-----------------

Government cyber workers warn that shutdown is making government and personal data more vulnerable to hackers. @Joseph_Marks_ reports that the government's cybersecurity professionals are growing concerned that “hackers will take advantage of the partial shutdown to tamper with sensitive government data or steal citizens' information -- and that the bare-bones staff won't be able to fend them off... .” (Source: Washington Post) 

Senator Wyden asks IRS how it plans to combat taxpayer identity theft during shutdown. @RonWyden tweets: "If IRS is working with a skeleton staff as a result of the shutdown, is there an elevated risk that cybercriminals filing fraudulent returns with stolen taxpayer identities will be able to steal taxpayers' refunds?" (Source: Twitter)

Chairman Pallone requests emergency hearing to discuss why FCC did not stop carriers from selling user location data. In the wake of revelations that every major carrier was violating consumer privacy, the Energy and Commerce Chair wrote, “The FCC once again appears to have dragged its feet in protecting consumers...,” in his request that FCC Chairman Ajit Pai appear before the committee. (Source: CNET)

Quick hit: FCC Chairman Pai to Chairman Pallone’s invite to testify: Thanks, but no thanks... (Source: The Hill)

FTC considers record-setting fine against Facebook for violating consent order. While not confirmed, @TonyRomm and @lizzadwoskin report that “U.S. regulators have met to discuss imposing a record-setting fine against Facebook for violating a legally binding agreement with the government to protect the privacy of its users' personal data, according to three people familiar with the deliberations but not authorized to speak on the record.” (Source: Washington Post)

Breach du jour: 26+ million text messages with reset links and passwords. When you use two-factor authentication, or are texted a password from a company, you probably assume that the text message is secure. However, “a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more,” was found “easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves,” on an unsecured server. (Source: TechCrunch)

Big Tech proposes ‘grand bargain’ privacy law. The “grand bargain” would preempt states and eliminate previously won protections like HIPAA and COPPA. Senator Blumenthal (D-CT) commented: “If Big Tech thinks this is a reasonable framework for privacy legislation, they should be embarrassed... . This proposal would protect no one – it is only a grand bargain for the companies who regularly exploit consumer data for private gain and seek to evade transparency and accountability.” (Source: The Verge)

Events

January 28, 2019: National Cyber Security Alliance’s Data Privacy Day – San Francisco, CA and online 
Each year on January 28, the National Cyber Security Alliance convenes privacy leaders from the private, government, and non-profit sectors to discuss opportunities and challenges for the road ahead. (Source: National Cyber Security Alliance) 

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published January 24, 2019


The #DataInsecurity Digest | Issue 84

As government shutdown continues, data insecurity only grows

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Welcome back to The #DataInsecurity Digest, and happy New Year! As the partial government shutdown drags into its third week, cybersecurity is suffering. The Department of Homeland Security (DHS) has sent nearly half of its workforce home, causing it to “cease a variety of critical cybersecurity” functions. Likewise, both the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have shuttered their offices and stopped offering support to victims of identity theft and investigations into companies like Facebook, which may have violated its obligations to protect consumers’ data.

In the absence of federal government oversight, there was no shortage of companies mismanaging their users’ data. The Weather Channel was found to be collecting and profiting off its users’ personal data, and the Marriott breach was found to have exposed more data than originally thought.  

And now, on to the clips!

-----------------

Government shutdown forces DHS to furlough 45 percent of its personnel. @timstarks reports that DHS has “ceased a variety of critical cybersecurity” functions while it has "maintained baseline operational capabilities." (Source: Morning Cybersecurity)

Quick hit: FCC, FTC closed. Both agencies ran out of funds last week and will only reopen once funding is restored. (Source: Gizmodo) 

Weather Channel app sued for profiting off consumers’ personal data. The city of Los Angeles is suing The Weather Company, the creator of the popular Weather Channel app, for manipulating “users into turning on location tracking by implying that the information would be used only to localize weather reports. Yet the company, which is owned by IBM, also used the data for unrelated commercial purposes, like targeted marketing and analysis for hedge funds, according to the lawsuit.” (Source: Los Angeles Times)

Google takes three years to patch security vulnerability. The security flaw, which was originally reported to Google in May 2015, “leaked information about smartphones' hardware model, firmware version, and indirectly the device's security patch level.” @campuscodi observed that in the wrong hands, the data is “indeed, dangerous, as it could have been used for exploit targeting and user fingerprinting.” (Source: ZD Net) 

Marriott breach is both smaller and more extensive than originally thought. While Marriott believes that the overall number of affected customers is smaller than originally thought, the data that was compromised is believed to be more damaging. The breach now includes an additional 5.25 million unencrypted passport numbers, in addition to the 20.3 million encrypted passport numbers that were previously announced. “Unencrypted passport numbers are valuable to state intelligence agencies because they can be used to compile detailed dossiers on people and their international movements.” The FBI believes China is behind the breach, which “would allow that country's security ministry to add to databases of aggregated information on valued individuals. Those data points include information on people's health, finances and travel.” (Source: WSFA News) 

Chart du jour: Democrats and Republicans agree that data security worsened in 2018. Of the 10 subject areas Morning Consult polled, data security was one of only two issue areas that Republicans and Democrats agreed was getting worse. The other issue Democrats and Republicans agreed upon was that the divide between the two parties was getting wider. (Source: Morning Consult)

Facial recognition found to be insecure. Dutch researchers found that “holding up a photo of the phone's owner is enough to unlock 42 of the [110] tested smartphone [models].” @campuscodi reported that “using a printed photo of the owner's face is the first test that regular users, pen-testers, and attackers alike would use to break into a facial ID-protected smartphone before they move to try more complex attacks that involve creating masks or 3D printed heads of the phone's owner. Any facial recognition system that fails the photo test is usually considered useless.” (Source: ZDNet)

Events

January 28, 2019: National Cyber Security Alliance’s Data Privacy Day – San Francisco, CA and online 
Each year on January 28, the National Cyber Security Alliance convenes privacy leaders from the private, government, and non-profit sectors to discuss opportunities and challenges for the road ahead. (Source: National Cyber Security Alliance) 

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published January 10, 2019


The #DataInsecurity Digest | Issue 83

Marriott closes out the year with another mega-breach while Congressional bipartisanship on data security fades

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Marriott’s record-setting breach, the second largest in history, was the big headline this week. Although Quora and the National Republican Campaign Committee also disclosed breaches last week, Marriott seems likely to attract a great deal of scrutiny amongst policymakers and class-action lawyers. Unfortunately, bipartisanship on cybersecurity seems to be waning, as evidenced by dueling reports on the Equifax breach by Democrats and Republicans on the House Oversight Committee.

Programming note: Due to the upcoming holidays, we will be taking a break from our usual schedule. This will be the last issue of The #DataInsecurity Digest published in 2018. We’ll resume publication on January 10, 2019. Thanks for sticking with us through 2018, and best wishes for health, happiness, and improved data security in 2019!

And now, on to the clips!

-----------------

500 million Marriott and Starwood property accounts breached. In the second largest breach in history, 500 million accounts were breached over a period of several years. “For about 327 million customers, the hackers may have gained access to passport numbers, travel details and, in some cases, credit-card information, as well as names and addresses.” (Source: Wall Street Journal)

Swift fallout for Marriott. In the aftermath of the breach, “lawyers quickly filed a class-action lawsuit in Maryland… . In New York, Attorney General Barbara Underwood launched an investigation, and other states are doing the same, with a multistate team-up possible.” (Source: Politico Morning Cybersecurity)

Quick hit: China emerges as likely suspect in Marriott data breach. Although China has not been officially blamed, private investigators “have found hacking tools, techniques, and procedures previously used in attacks attributed to Chinese hackers.” (Source: Reuters) 

House Oversight Committee: Equifax breach ‘entirely preventable.’ On Monday, the House Oversight Committee released its long-awaited report regarding Equifax’s historic breach, which harmed 148 million American consumers. The report found that had Equifax “taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented." However, the report only called for additional cooperation between the public and private sectors to prevent future breaches. (Source: House Oversight and Government Reform Committee [Majority])

A few hours later, Democrats release competing Equifax oversight report. The Democratic report “called for new laws that would raise financial penalties for data breaches, simplify how consumers are notified about breaches and boost federal regulators’ cybersecurity efforts.” @Joseph_Marks_ comments how the dueling reports “highlight how cybersecurity, which was once considered a largely bipartisan topic, has been infected by partisan conflict... . The fact that the parties can’t even agree on how to properly condemn Equifax makes it seem even less likely that they will be united on how to tackle more complex challenges that have serious political implications, such as election security or protecting the power grid.” (Source: Washington Post)

House Republican campaign committee hacked during the midterm election. Although details regarding the full extent of the breach have not yet been released, it is believed that “thousands of sensitive emails” were exposed to an outside intruder and that “the email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months.” (Source: Politico)

AOL pays nearly $5 million for illegally tracking children and auctioning off their data to the highest bidder. Last week, AOL’s parent company Verizon paid $4.95 million to settle charges that AOL violated the 1998 Children’s Online Privacy Protection Act (COPPA) after “the company had knowingly been disclosing data collected on children under 13 to third parties in violation of the law.” (Source: The Hill)

Quora breach compromises 100 million user accounts. The breach is believed to have compromised “users' names, email addresses, and encrypted passwords as well as data from social networks like Facebook and Twitter." (Source: CNN)

Your phone’s apps could be spying on you. Most of us know that many of our mobile apps track our locations. But the New York Times has uncovered that this data could easily be used to “identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.” Similarly, the Times uncovered other unsettling applications for location tracking, such as how one company, “Tell All Digital, a Long Island advertising firm, says it runs ad campaigns for personal injury lawyers targeting people anonymously in emergency rooms.” (Source: New York Times)
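The two re-identification moves the Times describes (find the phone that sleeps at a known address; or start from an anonymous dot, find where it sleeps, and look the address up in public records) take only a few lines of code once you have the pings. The example below is added here to show that; it is not code from the Times, from Tell All Digital, or from any location-data broker. All device IDs, coordinates, timestamps and the "public records" lookup table are constructed for the example, and the ~100 m grid cell and the midnight-to-6 a.m. "night" window are assumptions, not figures from the article.

```python
"""Re-identifying 'anonymous' location pings by where a device spends its nights.

Added illustration for the location-tracking item above; not the Times' or any
broker's code. Every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed pings: (anonymous device id, local ISO timestamp, latitude, longitude).
PINGS = [
    ("dev-a1", "2018-12-03T01:12:00", 40.7129, -74.0061),  # night, cell A
    ("dev-a1", "2018-12-03T13:40:00", 40.7484, -73.9857),  # daytime, ignored
    ("dev-a1", "2018-12-04T02:05:00", 40.7131, -74.0058),  # night, cell A again
    ("dev-a1", "2018-12-05T23:30:00", 40.7130, -74.0060),  # 23:30 is outside the window
    ("dev-b2", "2018-12-03T00:45:00", 40.7580, -73.9857),  # night, cell B
    ("dev-b2", "2018-12-04T03:10:00", 40.7582, -73.9861),  # night, cell B
    ("dev-b2", "2018-12-05T04:20:00", 40.7579, -73.9858),  # night, cell B
    ("dev-b2", "2018-12-06T01:00:00", 40.6892, -74.0446),  # one night away from home
    ("dev-c3", "2018-12-03T02:30:00", 40.7306, -73.9352),  # seen on a single night only
]

# Constructed stand-in for public records (property or voter rolls): home cell -> resident.
PUBLIC_RECORDS = {
    (40.713, -74.006): "Resident of 10 Example St (constructed)",
    (40.758, -73.986): "Resident of 200 Sample Ave (constructed)",
}

NIGHT_HOURS = range(0, 6)  # assumed "asleep at home" window: 00:00-05:59 local


def grid_cell(lat, lon, decimals=3):
    """Snap a coordinate to a ~100 m cell (3 decimal places) so nearby pings collapse."""
    return (round(lat, decimals), round(lon, decimals))


def infer_home_cell(pings, min_nights=2):
    """Return {device_id: cell} for devices seen in one cell on >= min_nights distinct nights.

    The cell a device occupies most nights is taken as its home. A device seen on
    too few nights is left out rather than guessed at.
    """
    nights = defaultdict(lambda: defaultdict(set))  # device -> cell -> {dates}
    for dev, ts, lat, lon in pings:
        t = datetime.fromisoformat(ts)
        if t.hour not in NIGHT_HOURS:
            continue
        nights[dev][grid_cell(lat, lon)].add(t.date())

    homes = {}
    for dev, cells in nights.items():
        cell, dates = max(cells.items(), key=lambda kv: len(kv[1]))
        if len(dates) >= min_nights:
            homes[dev] = cell
    return homes


def name_devices(homes, records):
    """Anonymous dot -> name: join each device's home cell against public records."""
    return {dev: records[cell] for dev, cell in homes.items() if cell in records}


def devices_at_address(homes, address_cell):
    """Known address -> phone: which anonymous devices sleep at this cell?"""
    return sorted(dev for dev, cell in homes.items() if cell == address_cell)


if __name__ == "__main__":
    homes = infer_home_cell(PINGS)
    print("inferred homes:", homes)
    print("named devices:", name_devices(homes, PUBLIC_RECORDS))
    print("devices at 10 Example St:", devices_at_address(homes, grid_cell(40.7129, -74.0061)))
```

Note what the check does not need: no name, phone number or account ever appears in the ping data. A stable device identifier plus a handful of overnight fixes is enough, which is why "we only collect anonymous location data" is not a privacy guarantee.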

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon - Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published December 13, 2018

