The #DataInsecurity Digest | Issue 28

Issue 28 | September 14, 2016

#DataInsecurity Digest: Russians hack WADA, ransomware on tap at the FTC and our interview with AG Madigan

By John Breyault (@jammingecono),
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: We are excited for our second installment of our #DataInsecurity Thought Leaders series featuring Illinois Attorney General and 2016 Trumpeter Award Recipient Lisa Madigan! Excerpts from our chat are below, and the full interview is available online.

The same Russian outfit that hacked the DNC is making news again, this time for a hack of the World Anti-Doping Agency, which has been at the center of a report alleging massive cheating by Russian athletes. At an FTC forum on ransomware, Chairwoman Ramirez recently stated that ransomware is the “new business model” for scammers. The FTC’s focus is unsurprising, given new estimates that it’s costing businesses $75 billion per year. A new House Oversight Committee report on the OPM breach, which ranks among the most serious in recent memory, is blistering, pointing the finger at a failure of leadership at the agency. The Department of Education could be in Oversight Chairman Rep. Jason Chaffetz’s sights next, as he again warned that a breach there could be even more damaging than the one at OPM. It was another big week for breaches, with Kimpton Hotels and adult website Brazzers being hit, potentially exposing 800,000+ users. Not to be forgotten, Russia again made cyber news this week as federal investigators announced an investigation into Russia’s possible intent to use cyber attacks at the DNC to undermine American confidence in the election process.


Thought Leaders interview with Attorney General Lisa Madigan

Illinois Attorney General Lisa Madigan sat down to answer questions for us about the role her office is playing in keeping Illinois consumers safer from data breaches and identity fraud. Excerpts from our interview are below. You can read the full interview at our site.

NCL: Illinois is considered by many to have some of the strongest data breach notification and data security laws in the country. How would you describe the state of data security in Illinois? How have Illinois’ actions on data security affected the debate about data security nationally?

AG Madigan: Data security is one of the biggest challenges we face as a nation and Illinois is no exception. It’s an ongoing struggle for all Americans and the companies, non-profits, and government agencies that hold our personal information. … At this point, Americans realize it’s not a matter of if, but when, they will be a victim of some form of identity theft. In this environment, Americans need and expect more transparency of data breaches. Not less.

NCL: Many data breach notification and data security laws were introduced in Washington, DC during the 114th Congress, but none of them were enacted into law. In the next Congress, what steps should policymakers at the federal level take to reduce incidences of data breaches and help consumers avoid the fallout?

AG Madigan: I’ve testified in support of federal data security legislation in both the U.S. House and Senate and to share the concerns of Illinois consumers. They have told me they are concerned by the increasing number of breaches. They demand notification when their information is stolen. They want to know what they can do to protect themselves from identity theft. And they want to know whether companies are doing enough to prevent breaches and protect their information.

So a weak, national law that restricts what most state laws have long provided will not meet consumers’ increasing expectation that they be told when their information has been stolen. Instead, Congress should seek to pass legislation that ensures notification of breaches of information that can harm Americans. Therefore, the definition of “protected personal information” should be broad and include the growing amount of sensitive information that companies are collecting from consumers. I also think it’s vital that federal law not preempt state data breach laws.

NCL: Illinois has one of the nation’s strongest privacy laws in the country regarding biometric data — the Biometric Information Privacy Act. That law has been under scrutiny by the legislature and the courts this year. From your point of view, what is the benefit of this law to consumers, and what do you think the future holds for biometric privacy laws in Illinois and beyond?

AG Madigan: The Illinois Biometric Information Privacy Act (BIPA) offers enormous protections to consumers over biometric information and significantly reduces the risk of identity theft. At its core, BIPA requires companies to provide notice to and consent by consumers to use their biometric data, limits the scope of how the data can be used, requires companies to use reasonable security measures to protect the data and requires permanent destruction of biometric data within a set period of time. Importantly, BIPA prohibits the sale, lease or trade of biometric data.

Read full interview here.

This edition’s #DataInsecurity Clips

Gold medal for hacking: Russians breach World Anti-Doping Agency. The same outfit thought to be responsible for breaches at the Democratic National Committee is responsible for hacking into athletes’ medical records in advance of the Rio Olympics. Writes @publicbill: “Some of the data listed athletes’ therapeutic use exemptions, which allow banned substances to be taken if they’re deemed to be necessary for an athlete to cope with an illness or medical condition. … The breach is believed to be a case of ‘spear phishing of email accounts[.]’” (Source: NPR)

Ramirez: Ransomware the most profitable malware in history. The FTC kicked off its Fall Technology Series last week with a thorough discussion on ransomware. @Slabodkin reports that Chairwoman Ramirez set the tone by declaring that “ransomware is ‘among the most troubling cyber threats’ confronting the United States that is ‘becoming increasingly more pernicious’ and is ‘escalating at an alarming rate.’ Citing statistics…that the U.S. averages 4,000 incidents per day.” (Source: Information Magnet)

Ransomware costs businesses an estimated $75 billion a year. Longtime readers of The #DataInsecurity Digest will recall the FBI’s recent announcement that ransomware attacks cost victims a total of $209 million in the first three months of 2016. @datto, a cybersecurity company, now claims a higher estimate of $75 billion a year, factoring in lost productivity, the ransomware payment itself, and the finding that “less than 1 in 4 ransomware incidents are reported to the authorities.” (Source: The Atlantic)

OPM breach a “failure of culture and leadership, not technology.” The House Oversight Committee released its long-awaited 241-page report on the unprecedented 2014 breach at the Office of Personnel Management (OPM) that compromised the background records of millions of Americans. In addition to finding that the government has never been more vulnerable to cyber attacks, it found: “the long-standing failure of OPM’s leadership to implement basic cyber hygiene…despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology.” (Source: Fed Scoop, Full report)

Chaffetz: Breach at DOE could be worse than OPM. Following up on his committee’s report on OPM, Rep. Chaffetz bestowed the title of “the biggest vulnerability that I see out there right now” on the Department of Education (DOE). @Nextgov reports that Chaffetz lamented woeful security at the agency, which holds 130 million Social Security numbers in its databases: “despite housing tens of millions of people’s sensitive information and 180-plus databases, the agency doesn’t ‘even have the most basic of tools’ to protect them against breaches.” (Source: Nextgov)

Breach du jour: Kimpton Hotels. Kimpton Hotels, a subsidiary of Intercontinental Hotels Group, is the latest hotel chain to be breached, with a POS system malware attack on 62 properties and restaurants. @stevenmusil reports, “Cards used at certain restaurants and hotel front desks between February 16 and July 7 may be affected. The chain has published a list of properties where customers’ cards may be affected, along with specific at-risk time frames, and said it will be contacting customers who may have had data exposed.” (Source: CNET)

Breach du Jour part II: Nearly 800,000 Brazzers accounts compromised. The adult website Brazzers suffered a massive breach that revealed the email addresses, usernames, and plaintext passwords of nearly 800,000 of its users. Troy Hunt, creator of Have I Been Pwned, which helped validate the authenticity of the breach, noted, “We also know that forum breaches frequently include not just user credentials, but private messages as well, and those can be particularly revealing.” (Source: Motherboard)

Russian hacking plan to undermine confidence in U.S. electoral process under investigation. As leaders in Washington plan their response to Russia’s alleged hack of the DNC and the Arizona and Illinois voter registration databases, @danapriest reports that the Director of National Intelligence James Clapper Jr. has been chosen to lead the investigation aimed at discerning “the [attack’s] scope and intent.” The investigation follows Putin’s recent comment, “It doesn’t really matter who hacked this data from Mrs. Clinton’s campaign headquarters. …The important thing is the content was given to the public.” (Source: Washington Post)

Upcoming event

January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

National Consumers League
Published September 14, 2016