The #DataInsecurity Digest | Issue 12

Issue 12 | Jan. 20, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: This morning, NCL joined with more than 50 public interest, consumer, and privacy organizations to call on the FCC to propose rules on broadband privacy and data security. Such rules, the groups argue, would allow the FCC to be a “brawnier cop on the beat,” to police the privacy and data security practices of the nation’s ISPs. In other news, data breach bills currently pending in Congress could move “later this spring,” according to Rep. Neugebauer (R-TX). Most consumer and public interest organizations (including NCL) have come out in opposition to Neugebauer’s bill. The LabMD data security case is not only proving to be an ongoing headache for the FTC, but also turning the former head of the company into a permanent thorn in the agency’s side (with an assist from the Koch network). National security pros seem to be a popular target for hacking lately, with news that Director of National Intelligence James Clapper has joined CIA Director John Brennan as intelligence head honchos who have had their email accounts compromised. One wonders whether these guys had two-factor authentication turned on? The breach news keeps coming with updates on old hacks (Hyatt hotels) and new ones (TaxAct, Time Warner Cable, and Nexus Mods). Finally, surveys of DC data security and privacy pros put some unsurprising topics at the tops of their to-do lists: EU Safe Harbor, EU Data Protection Regulation, encryption, breach legislation, and FCC/FTC jurisdictional fights, to name a few.

And now, on to the clips!

—————–

BREAKING: Public interest coalition calls on Wheeler to begin broadband privacy rulemaking. More than 50 consumer, privacy, and public interest orgs this morning sent a letter calling on the FCC to take action on broadband privacy and data security in the wake of the Commission’s Title II reclassification order last year. The groups urge Chairman Wheeler to propose “strong rules to protect consumers from having their personal data collected and shared by their broadband provider without affirmative consent, or for purposes other than providing broadband Internet access service.” They also call for rules that “provide for notice of data breaches, and hold broadband providers accountable for any failure to take suitable precautions to protect personal data collected from users.” (Source: NCL)
Hill update: Competing breach bills could move forward “later this spring.” @KatieBoWill sets up the next few months of Congressional action on the data breach front. “Rep. Randy Neugebauer (R-Texas) on Wednesday said he will look to push forward a combination of data breach bills later this spring. ‘It’s definitely on the radar scope. We have to sit down and determine whether we’re going to try to make them two bills or one bill.’ … Neugebauer said Wednesday the staffs of both committees have been in discussions over the future of the two bills, with an eye toward combining them into a single bill supported by both committees. There have been no member-to-member meetings since the holidays, according to Neugebauer, but he intends to push forward with the discussions this spring.” (Source: The Hill)

The price of inaction: Chaffetz says DOE breach would be “largest data breach we’ve ever seen.” Security deficiencies at the Department of Education could put data on more than half of all Americans at risk of a breach, says Rep. Jason Chaffetz (R-UT). The department recently earned “F” grades on four major security tests in an Inspector General report. “Almost half of America’s records are sitting at the Department of Education,” Chaffetz said. “I think ultimately that’s going to be the largest data breach that we’ve ever seen in the history of our nation.” (Source: WND)

ICYMI: CRS report helps you get smart quick on current state of play in data breach legislation. While you were burning off those Christmas cookie calories, the Congressional Research Service released a great report looking at the current crop of data security bills pending in Congress, the impact of federal preemption on existing state laws, and the authority of the FTC and FCC in this space. Check out @molliesiebee’s snapshot on FierceGovernmentIT. (Source: CRS)

Former LabMD head becoming a thorn in FTC’s side with an assist from the Koch network. @BrendanSasso brings us the story of how Michael Daugherty, former head of now-bankrupt LabMD, has used his ongoing fight with the FTC (supported by the Koch-connected Cause of Action) to reinvent himself as a conservative activist. “Two and a half years after the FTC first sued Lab­MD, the leg­al battle is still ra­ging, with neither side plan­ning to back down any­time soon. And the stakes have only got­ten high­er. If Daugh­erty wins, the case could sig­ni­fic­antly curb the FTC’s au­thor­ity to sue com­pan­ies for sloppy data se­cur­ity. ‘They had no idea who they were screw­ing with … I’m speak­ing all over the place on this. I’ve been sent to Aus­tralia to speak on this. I’m go­ing to Lon­don … It’s mak­ing lem­on­ade out of lem­ons. … The fun has just be­gun,’ Daugh­erty said.” (Source: National Journal)

Cyber’s #SOTU mention streak ends at four. @Cory_Bennett notes cyber issues were conspicuously absent from President Obama’s State of the Union last week. Thus ends a four-year SOTU streak in which the President repeatedly reaffirmed his Administration’s commitment to tackling the issue. (Source: The Hill)

It’s never too late for those 2016 data security policy predictions! @kirkjnahrawork of law firm Wiley Rein has a look at what will shape the data security and privacy debate in Washington and beyond. Tops on his list? EU Safe Harbor and EU Data Protection Regulation, though cybersecurity, data breach legislation, wearables/HIPAA, and FTC enforcement authority also make the cut. (Source: Bloomberg BNA)

Encryption, FCC privacy, FTC data security enforcement top 2016 priority list. @BloombergBNA’s Alexei Alexis brings us a snapshot of where DC’s data security and privacy pros see policy action this year. Spoiler alert: The election means Congressional action is unlikely, but we’ll see plenty of fireworks over encryption backdoors, the FCC’s forthcoming broadband privacy rulemaking, and the FTC’s data security role after the LabMD ALJ decision. (Source: BloombergBNA)

Trend Micro takes a deep dive into Privacy Rights Clearinghouse breach data. PRC’s data breach database is a treasure trove of information for the data security advocacy community. Security firm Trend Micro seems to think so as well, and its new report draws out some interesting conclusions from PRC’s data: “Hacking or malware were behind 25% of the data breach incidents from 2005 to April 2015 … Apart from the usual credit card, bank account, and PII dumps—whose prices in the underground have plateaued—there was a prominence of ads selling Uber, PayPal, and poker accounts.” (Source: Trend Micro)

Major BitCoin heist tied to disgraced Secret Service agent. A 2014 theft of $5 million worth of BitCoins and other virtual currencies from crypto-currency exchange Cryptsy is only now coming to light, due in part to the role that former Secret Service agent Shaun Bridges played in bringing down the Silk Road online black market. @euroinfosec has the full story at the link. (Source: ISMG)

DNI Clapper reportedly pWnEd by same group that hacked Brennan. The same hackers who broke into CIA Director John Brennan’s AOL email account last year have reportedly done the same to Director of National Intelligence James Clapper. @lorenzoofb follows the story for Motherboard: “One of the group’s hackers … contacted me on Monday, claiming to have broken into a series of accounts connected to Clapper, including his home telephone and internet, his personal email, and his wife’s Yahoo email. While in control of Clapper’s Verizon FiOS account, Cracka claimed to have changed the settings so that every call to his house number would get forwarded to the Free Palestine Movement.” (Source: Motherboard)

Are breach notifications worth their salt? Olivia Eckerson brings us her personal breach story and explains her frustrated failure to get useful information out of the breached health care provider. In addition, she highlights the difficulty too many consumers face with the risk of identity fraud stemming from data breaches. “Even though I received a data breach notification letter with plenty of numbers to call and companies to contact and a free credit report, I don’t know any more than I did before I was notified, and my occupation as a security reporter didn’t help me get any answers or clarity on the situation. In addition to the lack of information, the so-called ‘protection’ offered to me was laughable.” (Source: TechTarget)

Hackers: IoT security is “deplorable.” Deutsche Welle’s wide-ranging interview with Chaos Computer Club’s Frank Rieger is worth a read in its entirety, but Rieger’s take on the state of IoT security is what caught our eye. “The biggest problem we face right now is the Internet of Things—that is a network of all kinds of physical objects, and adding sensors to all aspects of life on the foundation of deplorable IT security. There is poor software everywhere, not enough content is encrypted, and we often lack an online security culture. Companies prefer to quickly put a product on the market and only check out safety afterwards.” (Source: Deutsche Welle)

Hyatt breach lasted months, number of impacted cards still unknown. The massive data breach at hotel chain Hyatt affected 250 locations in 50 countries and lasted from August-December 2015, according to the company. The breach is the fourth major one at a hotel chain since last October. What remains unknown is how many credit and debit cards were affected. (Source: Reuters)

Krebs: Hyatt breach highlights frustration as U.S. payment industry reform slows. @briankrebs took to his blog last week to lambast the slow pace of payment security reform. “Instead of just mandating that banks and retailers shift in lockstep on a to handling chip cards, U.S. lawmakers and regulators have for years delegated (abdicated?) accountability for credit card security to a booming industry of auditors and assessors who’ve been trying to secure a technology (magnetic stripe-based cards) that is 60 years old and is about as secure as mailing your credit card number on a postcard.” (Source: KrebsonSecurity)

Fanboy alert: More Krebs. Brian Krebs is one of the best, if not the best reporters covering data security these days (full disclosure: NCL hosted a book party to for his book Spam Nation, so we’re biased). That said, he’s been on fire since the new year, bringing us must-read articles on cybercriminal call centers, “warranty fraud,” and Russian dating scams. All are well worth your time.

Breach du jour: TaxAct. Tax prep firm TaxAct has disclosed that it suffered a breach from November to December last year in which an undisclosed number of consumers’ personal tax information was compromised. Reporting on the breach, @jeffwriter notes that TaxAct relied on the extremely vulnerable email address/password combination to authenticate users. With tax identity fraud so prevalent, this begs the question of why TaxAct was not requiring two-factor authentication for its users? (Source: eSecurity Planet)

Breach du jour (part deux): Time Warner Cable. Email address and password information on as many as 320,000 Time Warner Cable subscribers may have been compromised, reports Forbes’ @abigailtracy. While the source of the breach remains unclear, the company says it suspects malware on consumers’ computers or a breach at a company maintaining TWC data. (Source: Forbes

Breach du jour (part trois): Nexus Mods. @campuscodi brings us news that Nexus Mods, reportedly the biggest repository of gaming mods on the Internet, has confirmed that hackers compromised nearly 6 millions user accounts. The hack, which apparently occurred in 2013 and is only now coming to light, involved users who registered with the site before July 22, 2013. The hacked database contains “only user IDs, usernames, email addresses, password hashes and salts. No cleartext passwords.” Such personally identifiable information is typically used to power phishing attacks and account takeover fraud. (Source: Softpedia)

Security fears after Malheur data breach leads to employee relocation. Militants occupying the Malheur National Wildlife Refuge in Oregon inappropriately accessed government computers at the refuge. Since personal information about employees was stored on the computers, the U.S. Fish and Wildlife Service has recommended that refuge employees relocate from their homes “out of an abundance of caution.” (Source: KOIN

Upcoming Events 

Jan. 24-30 – Tax Identity Theft Awareness Week – Online
Tax identity theft is the fastest-growing form of identity fraud reported to the FTC, which will join forces with AARP, the Department of Treasury, IRS, Department of Veterans Affairs, and the Identity Theft Resource Center to host a series of webinars and Twitter chats at the end of January to mark Tax Identity Theft Awareness Week. Check out the FTC’s events calendar for more information.

Jan. 28 – Data Privacy Day – National
Our friends at the National Cyber Security Alliance are once again coordinating a full slate of activities to mark Data Privacy Day 2016. Privacy tips, Twitter chats, and more information is available at NCSA’s Stop. Think. Connect DPD page.

Feb. 9 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.