National Consumers League

Pages tagged "privacy"

The #DataInsecurity Digest | Issue 101

Google warns of new iPhone hacking scheme while Texas towns continue to struggle with ransomware attack

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: As Texas continues to reel from its ransomware attack, Google researchers discovered a massive attempt to hack into consumers’ iPhones via booby-trapped websites. Google admitted its own security problems, too, with a vulnerability in its calendar app potentially affecting 1.5 billion users. In other news, Facebook received additional negative headlines after word spread that hundreds of millions of users’ phone numbers were compromised by being stored on an unsecured server.

And now, on to the clips! 

-----------------

Hackers attempt mass iPhone hack. Google security researchers "discovered a small collection of hacked websites that exploited vulnerabilities in Apple's smartphone software. ... Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant." Google estimates that these hacked websites received thousands of visitors each week. @Iyengarish reports that, “the implant was capable of giving hackers access to iPhone users' contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts.” (Source: CNN)

Texas ransomware update: Half of affected agencies are still not back up and running. Texas authorities have admitted that at least 10 of the 20+ local agencies have still not recovered from the ransomware attack, which took place on August 16. (Source: Associated Press) 

Google confirms vulnerability of calendar app to phishing attacks. After a spate of news stories noting that a security vulnerability could impact the 1.5 billion users of its calendar app, Google confirmed it. “When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it,” writes @happygeek. “Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.” (Source: Forbes) 

Bolton's departure leaves murky cyber legacy for Trump Administration. Earlier this week, John Bolton made a dramatic exit from the Trump Administration. Bolton's cyber legacy as the national security advisor will likely be mixed; on one hand Bolton was something of a cyber hawk, repeatedly warning "U.S. adversaries that the Trump administration would use its cyber warriors to punish them for jeopardizing American interests." And yet, on the other hand, he undermined U.S. ability to respond to cyber threats by "eliminating the White House cybersecurity coordinator position and downgrading the rank of the homeland security adviser, who supervised the coordinator and oversaw all cyber policy matters." (Source: Morning Cybersecurity)

Breach du jour: Hundreds of millions of phone numbers linked to Facebook accounts. @zachwhittaker reports that "the exposed server contained more than 419 million records. ... But, because the server wasn’t protected with a password, anyone could find and access the database. Each record contained a user’s unique Facebook ID and the phone number listed on the account.” Facebook’s latest cyber incident places its users at risk of spam calls and SIM-swapping attacks. (Source: Tech Crunch)

Perspective: Why is Mitch McConnell blocking all election security bills? One former Obama official speculated to @Joseph_Marks_ that Leader McConnell could be “concerned about the political fallout for Republican senators, several of whom have supported and even co-sponsored election security bills in the past. ‘It would put Republican senators in an awkward spot of having to vote against election security or vote for it and potentially anger Trump or anger some of his base if he were to tweet how bad the bill is.’” (Source: Washington Post)

Google agrees to pay $170 million to settle allegations that it illegally collected children’s data. The settlement comes after Google “bragged to toy makers such as Mattel and Hasbro about its popularity among children. In one boast cited by regulators, YouTube claimed to be watched by 93 percent of tweens.” @washingtonpost reports that the fine amounts “to less than two days’ worth of profits for the tech giant.” (Source: Washington Post)

REMINDER: Multi-factor authentication still blocks 99.9 percent of all automated attacks. (Source: ZD Net) 

IRS identity theft enforcement actions plummet by more than 75 percent. A new audit from the Treasury Inspector General for Tax Administration found that the IRS opened a mere 75 identity theft cases in 2017 compared with 263 in 2013. @DerekDoesTech reports that “the Criminal Investigations Division has been squeezed over the past decade, losing more than 380 special agents (15% of the division's total workforce)[.]” (Source: FCW)

Your state’s DMV could be selling your personal information to private investigators. @josephfcox found that departments of motor vehicles in states across the country are selling the personal data of their customers to private investigation firms, sometimes for as little as one cent per record. Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, commented that “[t]he selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking... For survivors, their safety may depend on their ability to keep this type of information private." (Source: Motherboard)

National Consumers League
Published September 12, 2019


Developing a pro-consumer approach towards effective notice of data practices, part 3

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

This blog post is the third of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September Request For Comments (RFC), a key part of the process that informs the government’s approach towards consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreement lie on key issues among major consumer and industry players.


Developing a pro-consumer approach towards privacy risks and harms, part 2

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

This blog post is the second of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

This commentary is the product of a deep dive into the National Telecommunication and Information Administration’s (NTIA) September request for comments (RFC), a key part of the process that informs the government’s approach to consumer privacy. Stakeholder responses to the RFC provide a glimpse into where consensus and disagreements lie on key issues among major consumer and industry players.


Developing a pro-consumer approach towards consumer privacy and data security, part 1

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

This blog post is the first of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

For more than 20 years, Congressional inaction on privacy and data security has coincided with increased data breaches impacting millions of consumers. In the absence of Congressional action, states and the executive branch have increasingly stepped in. A key part of the White House’s response is the National Telecommunication and Information Administration (NTIA) September Request for Comment (RFC). 


The #DataInsecurity Digest | Issue 100

Massive biometric data breach raises concerns for long-term data security

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Researchers have discovered fingerprints, facial recognition data and passwords were inadvertently leaked by a British security firm, compromising some of the most sensitive data for more than a million consumers.

In other news: at least 20 Texas municipalities are battling a ransomware attack; the porn accounts of 1.2 million users have been compromised; and around 10 million dating app users’ geolocation data have been leaked.

Finally, a big “huzzah” to the entire #DataInsecurity Digest team for our 100th issue! Special kudos to NCL staffers Carol McKay, Taun Sterling, and Brian Young for making yours truly look good every other week! And, of course, thanks to all of our loyal readers for making the Digest a success! If you like this email, share it widely and encourage your friends and colleagues to subscribe!

And now, on to the clips! 

-----------------

Millions of pieces of biometric data leaked. This massive breach includes the “fingerprints of over 1 million individuals, face recognition information, unencrypted names and passwords, and other personal info.” @techreview comments that the data leak “strikes at the heart of one of the big fears and criticisms about the increasing use of biometrics: You can change your username and password with a couple of clicks. Your face is forever.” (Source: MIT Technology Review)

At least 20 municipalities in Texas suffered a ransomware attack. Government officials would not release the names of the entities affected by the breach “for security reasons.” (Source: The Hill)  

Breach du jour: 1.2 million pornography accounts. The adult content sharing site Luscious exposed the personal information of nearly 1.2 million of its users. Of the breach victims, “many users joined Luscious using their government email addresses,” which inflicts “a great deal of additional vulnerability” on those victims. (Source: IT Pro)

Breach du jour part deux: Tens of thousands of MoviePass customer credit cards. “Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.” (Source: Tech Crunch)   

Smart ovens are turning themselves on. While the smart oven company, June, blames this fire hazard on “user error,” the company “is planning an update that’ll hopefully remedy the situation and prevent it from happening again, but that change isn’t coming until next month.” (Source: The Verge)

Suggested reading: How much damage could a hacker do with just a victim's phone number? (Source: New York Times)

Cyber threats against financial institutions increased by 56 percent in the last 12 months. Researchers “found more than 8.9 million security events in a 12-month period. Brand abuse and manipulation was the most common threat, with more than 250,000 events. Ninety percent of these were name impersonations, often not easily detected due to disguising tactics.” (Source: Dark Reading)

Grindr, Romeo, Recon, and 3fun expose users’ exact location. Together, the four dating apps boast around 10 million users. The breach of location data has the potential to increase discrimination. @alexlomas comments that, “aside from exposing yourself to stalkers, exes and crime, de-anonymizing individuals can lead to serious ramifications. ... In the UK, members of the BDSM community have lost their jobs if they happen to work in ‘sensitive’ professions like being doctors, teachers, or social workers. Being outed as a member of the LGBT+ community could also lead to you losing your job in one of many states in the USA that have no employment protection for employees’ sexuality.” (Source: Threat Post)

  

National Consumers League
Published August 29, 2019


The #DataInsecurity Digest | Issue 99

Millions of Intel processors, Boeing 787 planes, and WhatsApp all found to have major cyber vulnerabilities

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Cyber researchers were busy this week as new vulnerabilities were found in WhatsApp, Boeing 787s and millions of newer Intel processors. In other news, after the Federal Trade Commission (FTC) announced their settlement with Equifax, they are weathering a publicity fiasco after an ‘unexpected’ number of breach victims began filing for compensation and worries grew that the fund was not large enough to pay out to everyone at the promised amount.

And now, on to the clips! 

-----------------

Millions of newer Intel microprocessors vulnerable to hackers. @zpring reports that Intel microprocessors manufactured after 2012 “are vulnerable to a new type of side-channel attack dubbed SWAPGS.” SWAPGS is like the previously announced Spectre and Meltdown vulnerabilities and “could allow a hacker to gain access to sensitive data such as passwords and encryption keys on consumer and enterprise PCs.” This newly discovered vulnerability “bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown.” (Source: Threat Post)  

Cybersecurity vulnerability discovered in Boeing 787. The vulnerability could allow "a multistage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.” While Boeing flatly denies the existence of the vulnerability, researchers say the “flaws uncovered in the 787's code" represent a “troubling lack of attention to cybersecurity...” (Source: Wired)

Vulnerability in WhatsApp allows hackers to edit messages. Researchers have “discovered ways in which a malicious actor could alter messages in WhatsApp,” “essentially putting words in [someone’s] mouth.” The vulnerability also “allows [hackers to] change the identity of the sender of content in a group chat.” Security researcher @Od3dV commented that “a malicious actor would not have to crack Facebook’s end-to-end encryption in order to do this... the process was ‘not so complex to perform.’” The security vulnerability has not been fixed and remains an issue. (Source: Financial Times)

‘Historic’ Equifax settlement may provide less relief than promised. Initially, victims were given the choice of free credit monitoring or a $125 settlement check. But, due to the limited funds Equifax agreed to provide the fund and the “unexpected” demand on the settlement check option, the FTC is now cautioning “that if everyone eligible requests the money over the monitoring, your benefit will be nowhere near $125." (Source: CNET)

Facebook fails to stop class-action lawsuit over biometric data collection practices. Class members alleged that the social media giant “secretly amassed the world’s largest privately held database of consumer biometric data,” without their knowledge or consent. Facebook argues that victims were free to opt-out at any time. (Source: Bloomberg)

In wake of Capital One breach, congressional scrutiny focuses on Amazon. In a letter to Amazon, the company that managed the cloud service responsible for the Capital One breach, Senator Ron Wyden (D-OR) argued that, “[w]hen a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices… However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.” (Source: Wall Street Journal)

Suggested reading: The Capital One breach autopsy

Breach du jour: Stock X. The online clothing marketplace appears to be the latest retailer to suffer a data breach. @zackwhittaker reports that “customer names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information such as shoe size and trading currency,” were compromised. (Source: TechCrunch)

National Consumers League
Published August 15, 2019


The #DataInsecurity Digest | Issue 98

Settlement with Equifax, Capital One hack put spotlight back on financial breaches 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: This week Capital One announced a massive breach affecting 100 million accounts. The full details of the breach are not yet known, but we know that at least 140,000 Social Security numbers and 80,000 bank account numbers have been compromised. Meanwhile, regulators continued to strike back against the seemingly endless string of data breaches when they announced a settlement for the Equifax breach, which will provide consumers with either free credit monitoring or access to a settlement fund.

And now, on to the clips! 

-----------------

Breach du jour: 100 million Capital One accounts and credit applications. Investigators believe that the breach has compromised “140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information[.]” (Source: CNN)  

Hackers take aim at schools. Data rich, yet financially strapped, educational institutions make for a tempting target for hackers. Unfortunately, “it may be a while before schools’ defenses are able to catch up with the abilities of the hackers who target them,” commented George Washington University’s Eva Vincze. “Most school systems, especially in small communities, do not have the resources to keep up with each generation of threats that bad actors come up with[.]” (Source: New York Times)  

String of laboratory data breaches grows to 22+ million accounts. Clinical Pathology Laboratories joins the list of laboratories affected by a breach at payment processor American Medical Collection Agency. “LabCorp was first hit with 7.7 million patients affected, then 11.9 million Quest Diagnostics patients were next. BioReference Laboratories pushed the breach over the 20 million mark.” (Source: TechCrunch)

Equifax reaches $575-$700 million settlement with FTC. Last week, in addition to agreeing to reimburse victims for time and expenses incurred because of the breach, Equifax also agreed to provide four years of credit monitoring and identity protection from the three major credit bureaus. “After those four years, Equifax is offering six extra years of credit monitoring. If consumers in the class action already have credit monitoring, they can be paid $125.” (Source: Market Watch)  

Quick reminder: ‘Deidentified data’ can easily be reidentified. (Source: New York Times)

Facebook’s record-breaking $5 billion fine: FTC wanted more. @tonyromm reports that the Federal Trade Commission attempted to fine “Facebook not just $5 billion, but tens of billions of dollars, and imposing more direct liability for the company’s chief executive, Mark Zuckerberg. Facebook, however, fiercely resisted...” and with a revenue of $55 billion, which amounts to “200 times the budget afforded to the federal regulators, [the FTC] settled for less.” (Source: Washington Post)

Suggested reading: One data breach forced a victim to change their name and move their family to a new home. (Source: ZD Net)

As demand for cyber insurance increases, insurance agencies getting cold feet. @jeffstone500 reports that “despite all the demand... insurers are now re-thinking whether it’s in their best interest to keep offering the plans that help clients recover from devastating cyberattacks... it’s just difficult to gather the information necessary to build the mathematical models that determine how to assign risk.” (Source: Cyber Scoop)  

National Consumers League
Published August 1, 2019


The #DataInsecurity Digest | Issue 97

Regulators strike back as new data puts cost of breaches at $45 billion annually

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Corporations were put on notice this week as both EU and U.S. regulators imposed record-setting fines. While UK regulators assessed fines against both British Airways and Marriott, the Federal Trade Commission (FTC) reportedly voted to levy a massive $5 billion fine against Facebook. Only time will tell if the regulators’ actions will spur companies to take meaningful steps to curtail data breaches, which the Internet Society estimated inflicted over $45 billion in losses in 2018 alone.

And now, on to the clips! 

-----------------

FTC reportedly approves massive $5 billion fine against Facebook. The fine is not only the largest ever levied “against a tech company that broke a past promise to the government to improve its privacy practices” but it is "more than 200 times greater than the previous largest fine.” (Source: Washington Post)

ICE officials search state driver's license databases without citizens’ knowledge or consent. In at least three states, Immigration and Customs Enforcement (ICE) officials have “requested to comb through state repositories of license photos,” using facial recognition. At least two states, Utah and Vermont, complied. (Source: New York Times)

House Energy and Commerce Committee looks toward Fall 2019 for release of privacy bill. Aides for the committee identified two major sticking points for the bill. The first being state preemption and the second "lies in whether or not the bill should give consumers the right to sue companies for data breaches. ..." “One of the aides said that although his office expects the language [a private right of action] to be included in the bill, it could upset moderate Democrats involved in the discussions.” (Source: Morning Consult)

UK regulators propose fining British Airways $230 million. The fine comes in response to the airline's 2018 data breach, which compromised about a half-million passenger records. The fine “represents the latest and by far biggest penalty initiated by national-privacy regulators across the European Union since the enactment last year of [GDPR].” (Source: Wall Street Journal)

UK regulators fine Marriott $123 million. Marriott’s costly fine was in response to a data breach the company suffered last year affecting around 383 million guests, 30 million of whom resided in the EU. “The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott ‘failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.’” (Source: Tech Crunch)

Lake City, FL hit with ransomware attack. The city’s misfortune is another in a growing trend of ransomware attacks on local governments. "Experts on cybersecurity say the growing number of attacks and escalating ransom demands suggest that cyberattacks have found a ripe target: small governments with weak computer protections and strong insurance policies. The [ransom] payments keep coming even as the F.B.I. says they might be incentivizing more attacks.” In the case of Lake City, Florida, many of its files remain locked even after paying the hefty ransom. (Source: New York Times)

Google admits to listening to smart device recordings. An investigative report found “many recordings that had been captured inadvertently, without users activating their devices.” Google “emphasized that ... audio recordings are not tagged to users’ accounts in Google’s review system.” However, despite Google’s claim, journalists were “able to link some audio snippets to the users who were captured on the recordings because they included sensitive, identifiable information.” (Source: The Hill)

In 2018, there were more than 2 million cyber incidents. The report put out by the Internet Society’s Online Trust Alliance also estimated that the incidents inflicted at least $45 billion in losses. The organization predicted that its numbers were on the low side because “it is still the case that most incidents go unreported.” (Source: The Internet Society)

National Consumers League
Published July 18, 2019


The #DataInsecurity Digest | Issue 96

Despite saber-rattling, U.S. woefully unprepared for cyber war with Iran

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: As the United States launches cyberattacks against Iran, the Department of Homeland Security (DHS) is warning that defenses against possible retaliation appear to be lacking. A bi-partisan Senate committee found that several high-profile agencies left Americans’ sensitive data vulnerable to hackers. Sen. Warner is one of several Senators asking for answers about the recent spate of healthcare data breaches. And Sen. Hassan could find herself in hot water if it’s found that she failed to notify constituents affected by a data breach in her office.             

And now, on to the clips! 

-----------------

U.S. military launches cyber strike against Iran. The cyberattacks were approved by President Trump and “specifically targeted Iran’s Islamic Revolutionary Guard Corps computer system.” The attacks “disabled Iranian computer systems that controlled its rocket and missile launchers. ...” (Source: The Associated Press)

DHS warns businesses that they will be targeted by Iranian hackers. In the wake of the U.S. cyberattacks, Chris Krebs, director of the Homeland Security Department’s cybersecurity division, warned that Iranian hackers have already begun “targeting U.S. companies with specialized malicious software designed to wipe the contents of their computer networks rather than to simply steal their data.” (Source: Washington Post)

Quick hit: DHS announces that it is unlikely to meet its cybersecurity goals. (Source: Department of Homeland Security)

Healthcare data breaches under new Congressional scrutiny. High-profile breaches at medical bill collectors and diagnostics companies that compromised 20 million consumer records are attracting attention from Congress. “I am concerned about your supply chain management, and your third-party selection and monitoring process,” wrote Sen. John Warner (D-VA) in a letter to Quest Diagnostics, one of the breached entities. (Source: Bloomberg)

Did Sen. Hassan violate breach notification laws? Right-wing media is abuzz over the sentencing of a former staffer for Sen. Maggie Hassan (D-NH) who engineered a massive breach of the Senator’s IT systems, compromising significant amounts of sensitive constituent data. Now questions are being raised about whether Hassan complied with relevant data breach notification laws related to the incident. “Hassan’s office provided no evidence to the Daily Caller News Foundation (DCNF) that it had disclosed its own breach, and several New Hampshire residents who had communicated with Hassan’s office told the DCNF they had not received any notification that their information could be in the hands of bad actors,” wrote @lukerosiak. (Source: Daily Caller)

EFF: Federal privacy bill should include a data security standard. The Electronic Frontier Foundation (EFF), a leading digital civil liberties group, is calling for stronger data security protections as part of its recommendations for comprehensive privacy legislation. “Also, where a company fails to meet this duty, it should be easier for people harmed by data breaches—including those suffering non-financial harms—to take those companies to court.” (Source: Electronic Frontier Foundation)

Bi-partisan Senate committee found that U.S. agencies left sensitive data vulnerable to breaches for decades. The Committee found that the Departments of State, Homeland Security, Health and Human Services, Transportation, Education, Agriculture, Housing and Urban Development, and the Social Security Administration left “Americans' personal information open and vulnerable to theft.” (Source: The Hill)

City of Baltimore approves additional $10 million in cyberattack relief. As the city moves into its 9th week since a ransomware attack, its water billing system remains offline. (Source: ABC News)

Lawsuit against Facebook for compromising 29 million accounts allowed to move forward. A federal appeals court in San Francisco rejected Facebook’s attempt to block the lawsuit and allowed “claims against Facebook [to] proceed for negligence and for failing to secure users’ data as promised.” (Source: Bloomberg)

Stat du jour: 50 percent of manufacturers experienced a breach in the last 12 months. Of the breached entities surveyed, @sikichllp found that 11 percent suffered a “major” breach. (Source: Industry Week)

National Consumers League
Published July 3, 2019


The #DataInsecurity Digest | Issue 95

Federal contractors look to weaken Android cybersecurity as Trump Administration makes plans to beef up offensive cyber operations

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note:

The U.S. is ramping up its offensive cyber operations abroad. However, cyber anxieties steadily grow at home as Baltimore city government continues to grapple with the aftermath of their devastating ransomware attack.

Good news on the cyber front was in short supply this week. Senate Majority Leader Mitch McConnell (R-KY) is reportedly telling colleagues that he plans on blocking all election security legislation regardless of party sponsorship–despite Russia’s continued efforts to hack election systems. Senator Merkley (D-OR), for one, isn’t sitting still. He’s pressing U.S. auto manufacturers for information on their data collection and data security practices.

And now, on to the clips!

-----------------

Bolton: U.S. to expand offensive cyber operations. Previously, the United States “had been primarily focused on stopping election interference.” Now, White House national security adviser John Bolton, “intends to expand offensive operations in cyberspace to counter digital economic espionage and other commercial hacks...” (Source: Wall Street Journal)

Federal contractor known for breaking into iPhones turns attention toward Android. A startup that reached fame for helping agencies like U.S. Immigration and Customs Enforcement (ICE) break into iPhones, Grayshift, will now also work to thwart the cybersecurity of Android phones. Grayshift CEO David Miles recently revealed that, “the most logical next step would be [to hack] some of the more modern Android devices, from Samsung and Google...” (Source: Forbes)

Mitch McConnell blocks election security legislation. In the wake of Russia’s interference in the 2016 presidential election, many Republicans and Democrats have worked together to beef up election security. However, Senate Majority Leader Mitch McConnell (R-KY) has reportedly told his colleagues that “he will not allow the Senate to vote on election security legislation this session.” (Source: Sludge)

Breach Du Jour: Evite. The social planning and e-invitation website has suffered a breach that compromised around 10 million users’ accounts. A hacker on the dark web is now “selling ten million Evite user records that include full names, email addresses, IP addresses, and cleartext passwords.” (Source: ZDNet)

One-third of data breaches could have been easily prevented with DNS firewalls. @GlobalCyberAlln found that the installation of domain name system (DNS) firewalls that “prevent users from visiting malicious sites,” could have stopped “between $150-200 billion in cybercrime losses annually.” (Source: Global Cyber Alliance)

Quick hit: More than one in five Americans has considered canceling their plans to attend an event due to cyber or physical security concerns. (Source: Unisys Security Index)

Baltimore update: City of Baltimore still unable to send out water bills. Residents will again not receive water bills this month as the city struggles to return to normal operations in the wake of a ransomware attack on May 7, 2019. In total, the attack is now estimated to have "cost the city more than $18 million.” (Source: The Baltimore Sun)

Senator Merkley investigates car manufacturers’ data collection practices. After a study discovered that cars can collect 25 GB of data per hour, Senator Merkley (D-OR) wrote a letter to leading car manufacturers to discover “whether or not their cars collect personal data from drivers, what data they collect, who owns that data, and whether data collected is securely stored to protect consumers’ privacy.” (Source: Office of Senator Jeff Merkley)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the Federal Trade Commission (FTC) convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

National Consumers League
Published June 20, 2019

