The #DataInsecurity Digest | Issue 18

Issue 18 | April 11, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The valuable data held by law firms is increasingly being targeted by hackers. The #PanamaPapers breach news is putting a spotlight on the data security vulnerability of law firms like never before. As more revelations roll in, expect law firms around the globe and those who oversee them to focus on what errors Mossack Fonseca made that allowed the data to leak out.

The FCC’s newly released proposed rules for broadband privacy and security may be causing some heartburn for ISPs, but they represent a significant shift in a privacy and security debate in Washington that seems to be going nowhere in Congress. Public interest and privacy advocates are lining up to support the new rules while the ISPs are, unsurprisingly, taking a dim view of Chairman Wheeler’s actions. Grab your popcorn, folks!

Yet another Flash zero-day has Adobe scrambling to roll out a patch. Our advice? Just disable Flash (you won’t miss it). WhatsApp’s rollout of end-to-end encryption is a step forward for consumer data protection, but it isn’t the foolproof way to protect yourself that some are suggesting. Finally, we take a look at some surprising numbers coming out on data breach litigation and provide an update on two massive breaches of government databases in Turkey and the Philippines.

And now, on to the clips!

—————– 

#PanamaPapers are a lesson for law firms on the need for better data security. Repercussions of the massive leak of sensitive data from Panamanian law firm Mossack Fonseca continue to reverberate around the globe. However, the #PanamaPapers leak is just the latest in a string of law firm breaches, notes @euroinfosec: “Ask hackers why they attack law firms, and their reply – to riff on bank robber Willie Sutton’s famous quip – would no doubt be: ‘Because that’s where the secrets are.’ … Law firms are a prime hacker target because they handle secret details of intellectual property, mergers and acquisitions, and other potentially valuable information.” (Source: Data Breach Today)

More #PanamaPapers fallout: One-quarter of law firms have experienced data breaches. The #PanamaPapers saga is also making HR pros take a closer look at data security, writes @1SHRMScribe: “Experts worldwide are calling the data breach surrounding the so-called Panama Papers—more than 11.5 million documents detailing how hundreds of wealthy people hid money in offshore banks and investments to avoid paying taxes—the biggest data breach in history. … Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach.” (Source: SHRM)

FCC Broadband Privacy NPRM includes security, breach notification standards for ISPs. While the privacy requirements in the FCC’s proposed rules for ISPs have gotten most of the press, the Commission is also proposing important new data security regulations for broadband providers. The rules would require ISPs to, among other things, appoint a CISO, strengthen customer authentication technology (read: multi-factor authentication), take responsibility for the data security practices of third parties with which subscriber data is shared, and notify customers and law enforcement of breaches. (Source: FCC)

Advocates: ISP rules could be a big win for consumer privacy. Public interest advocates, for the most part, welcomed the FCC’s proposal with open arms as a way to strengthen privacy and security protections in a key part of the Internet ecosystem. @M_F_Rose of Public Knowledge reflected the thoughts of many advocates, writing, “Broadband service providers occupy a unique position in the Internet ecosystem. As gatekeepers to the Internet, they have, by their very nature, access to every bit of data that their customers send and receive online. And, as they move aggressively into advertising markets, they have every incentive to exploit their access to this data and remove all consumer agency in determining where and for what purpose their personal data is used. … This NPRM represents a step forward to protecting consumers’ economic and dignitary rights in their own data.” (Source: Public Knowledge)

But not everyone’s happy with the new rules. The industry reaction to the new rules has been, to say the least, less than welcoming. Jim Halpert of @DLA_Piper reflected the views of many in his analysis of the rules for IAPP: “Unless narrowed in the final rule, the FCC’s proposed rules would create major challenges for privacy professionals with responsibilities for broadband Internet access provider customer data. They would also generate considerable consumer confusion about use of consumer data collected online.” (Source: IAPP)

Adobe rushes to patch Flash vulnerability powering ransomware attacks. If you’re one of the 1 billion users who have Flash installed on your computer, the latest zero-day vulnerability could lead to a big headache. Adobe rushed out a patch this week, but experts are already seeing hackers exploiting the bug. Writes @jim-finkle: “The software maker urged the more than 1 billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible after security researchers said the bug was being exploited in ‘drive-by’ attacks that infect computers with ransomware when tainted websites are visited.” (Source: Reuters)

Our advice: just disable Flash. Fewer and fewer websites are using it, and chances are you won’t miss it. Here’s a step-by-step guide for disabling Flash on all the major browsers.

WhatsApp hops on the end-to-end encryption train… Messaging service WhatsApp is the latest tech company to embrace end-to-end encryption as a way to better protect users’ data. WhatsApp CEO Jan Koum explains the move: “The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.” (Source: WhatsApp)

…but it’s not all puppies and rainbows, yet. Writing for TechDirt, @glynmoody says WhatsApp’s end-to-end encryption is a good thing, but may not be the privacy and security panacea you might think it is. “[E]nd-to-end encryption is only available if all the participants in a conversation are using the latest version of the software. If one of them isn’t, group chats will be unencrypted. … even with strong, end-to-end encryption in place, the accompanying metadata is still leaking important information about who you are communicating with, and when. … end-to-end encryption does not protect you from malware that is capturing your keystrokes and sending them over the Internet, or from slips like accidentally storing a screenshot of sensitive chats.” (Source: TechDirt)

OECD: Consumer protection laws need updating to improve trust in e-commerce. The OECD is out with new guidance to member countries on improving consumer confidence in e-commerce. “While consumers are increasingly drawn to the convenience and choice of online commerce, concerns about privacy, payment security or legal recourse in case of a problem mean that many others remain wary,” noted the agency. While the OECD recommendations are non-binding, they “[put] peer pressure on countries to take action – says businesses should not misrepresent or hide terms and conditions likely to affect a decision to buy or try to conceal their identity or location.” (Source: OECD)

Krebs: Trump Hotels potentially facing another HUUUUGE breach. For the second time in less than a year, the Trump Hotel Collection chain of hotels appears to have a payment system breach on its hands. @BrianKrebs breaks the story: “KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties. … The hospitality industry has been hit hard by card breaches over the past two years. In April 2014, hotel franchising firm White Lodging confirmed its second card breach in a year. Card thieves also have hit Hilton, Hyatt, and Starwood properties.” (Source: KrebsOnSecurity)

Krebs (part deux): CEO phishing scams net $2.3 billion since 2013. @BrianKrebs also points us to a new fraud alert from the FBI about a dramatic spike in so-called “CEO phishing” scams that are costing businesses big-time. Writes Krebs: “Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans. … But CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping some very basic security precautions.” (Source: KrebsOnSecurity)

Breach litigation cases down 25 percent. Law firm @BryanCaveLLP is out with its annual Data Breach Litigation Report, which examines data breach cases filed in U.S. District courts. Its findings are surprising. Notably, the number of data breach litigation cases filed in the last 15 months is down 25 percent. Only 21 unique defendants were named in those cases, and only 5 percent of publicly reported breaches led to class action litigation, despite a huge amount of media attention to the breach issue. (Source: Bryan Cave)

Is increased breach vulnerability being overlooked in the M&A boom? @steve_schick takes a look at one facet of the $4.3 trillion mergers and acquisitions boom of 2015: data security. “One overlooked area for the IT integration of merged or acquired companies is the blind spot that exists in not knowing whether one firm may be connecting to another where a network intruder may have been long hidden, giving an attacker easy access. … Less than 1% of enterprises today have the capability of finding an active attacker that is at work exploring their network and expanding their sphere of control in order to get to valuable assets. This means that the acquirer may be just as in the dark as the acquiree about whether or not intruders are currently in their networks.” (Source: LightCyber)

Not just a U.S. problem: COMELEC breach leaks data on 55 million Filipino voters. A breach of voter registration data in the Philippines is being blamed for leaking voter registration information on tens of millions of Filipino voters. Writes @MikeBueza and @wdmauel: “Information security experts fear that what can be considered as the biggest leak of personal data in Philippine history could result in massive identity theft by preying criminals.” (Source: Rappler)

Turkey, too! 49 million records leaked from citizenship database. @alexhern is covering the story of how hackers leaked records on nearly half of Turkey’s citizens. “A database posted online allegedly contains the personal information of 49 million people on the Turkish citizenship database, potentially making more than half of the population of the country vulnerable to identity theft and massive privacy violations. … On top of the risks of having ID numbers made public, Turks on the database also face the prospect of identity theft purely using the personal information contained within the database.” (Source: The Guardian)

Upcoming events

June 15 – FTC Start With Security – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

National Consumers League
Published April 11, 2016