The #DataInsecurity Digest | Issue 27

Issue 27 | August 31, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Wow, we take a few weeks off for R&R and data security news lights up. Fortunately, we’re back from our summer break, so it’s time to catch you up on what you may have missed.

The epic hacking—if true—of the National Security Agency (NSA) has reportedly exposed many of its trade secrets. In addition, Wikileaks’ reputation took a hit when it distributed apparently hacked (or leaked) data that contained sensitive information about private citizens, including their Social Security numbers and sexual orientations. In somewhat more commonplace data security news, Eddie Bauer joined the ranks of retailers suffering point-of-sale (POS) breaches when it discovered that all 350 of its North American stores were infected with malware. This will no doubt put a dent in its sales; KPMG found that 19 percent of consumers will stop shopping at a retailer altogether in the wake of a data breach. However, news of a potential hack at Oracle—a major vendor of POS software systems—could point the finger at someone besides the retailers for this latest spate of attacks.

And now, on to the clips!

—————–

Breach du jour: Eddie Bauer store POS systems breached. News broke that malware infected point-of-sale systems at more than 350 Eddie Bauer stores in North America during the first six months of 2016. The malware is said to have been scooping up the credit and debit card numbers of shoppers at the chain’s retail locations. Security researcher @briankrebs, who originally alerted the retailer to a potential breach six weeks before it was announced, used the news as a teachable moment for the industry, calling on all breached entities to “offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used. That way, other companies could use the information to find out if they are similarly victimized and to stop the bleeding of customer card data as quickly as possible.” (Source: KrebsOnSecurity.com)

Is a breach at Oracle the source of the retail and hotel breaches? Regular readers of the #DataInsecurity Digest will know that we haven’t been shy about covering the recent spate of breaches at restaurant, retail, and hotel chains. If @briankrebs is to be believed, a breach at Oracle—specifically at its MICROS point-of-sale division—could be the common thread. Writes Krebs, “MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide … the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels. … Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer — and, more importantly, to upload card-stealing malware to — some customer point-of-sale systems.” (Source: KrebsOnSecurity.com)

More evidence that data breaches lead to lost customers. KPMG’s 2016 Consumer Loss Barometer found that consumers will readily cease doing business with a company in the wake of a data breach. Among the 448 consumers who were surveyed, “19 percent said they would stop shopping at a retailer that had been a victim of a cybersecurity hack, even if the company took the necessary steps to remedy the issue. In addition to those who would abandon the retailer entirely, 33 percent of the consumers indicated that fears of further exposure of their personal information would prevent them from shopping at a breached retailer for at least three months.” (Source: KPMG and PRNewswire)

Trump campaign hacked. Reuters reports, “At least one Trump staff member’s email account was infected with malware in 2015 and sent malicious emails to colleagues, according to one insider for the Republican candidate’s campaign and an outside security expert.” Two sources told Reuters that “The tools and techniques used to hack Republican targets resemble those employed in attacks on Democratic Party organizations, including the DNC and Clinton’s campaign organization… That has led U.S. officials to reach a preliminary assessment that Russia’s military and civilian intelligence agencies or their proxies have targeted both political parties.” (Source: Reuters)

ICYMI: The NSA was hacked earlier this month. A hacking group calling itself the Shadow Brokers is auctioning off what it says are NSA cyber weapons, reportedly taken from the agency’s elite hacking outfit, the “Equation Group.” Such a breach raises serious concerns, both because of the amount of personal data the NSA collects and because of what could happen if these hacking tools ended up in the wrong hands. In the wake of the breach, investigators have been scrambling to work out what went wrong. As @PaulSzoldra reports, “There are now two prevailing theories as to how the Shadow Brokers obtained the files: Either they hacked a server used by NSA hackers to stage attacks that had the files mistakenly left there by an operator, or an agency insider downloaded the data and later leaked it online.” (Source: Business Insider)

The (other) downside to Wikileaks. When Wikileaks first came onto the international stage, the controversial transparency organization received some support for its efforts to add sunlight to the political process. Now many of the site’s original supporters, such as Edward Snowden, are beginning to distance themselves from it as the organization continues to be plagued by allegations of inadequate document vetting that has resulted in ordinary people getting hurt. The Associated Press reports that the site named teenage rape victims, published Social Security numbers of private citizens, and even “published the name of a Saudi citizen arrested for being gay, an extraordinary move given that homosexuality is punishable by death in the ultraconservative Muslim kingdom.” (Source: Associated Press)

32 percent of hospitals are not encrypting patient data in transit. @lucasmearian reports on a new Healthcare Information and Management Systems Society (HIMSS) survey which found that “about 32 percent of hospitals and 52 percent of non-acute providers—such as outpatient clinics, rehabilitation facilities and physicians’ offices—are not encrypting data in transit, according to a new survey. Additionally, only 61 percent of acute providers and 48 percent of non-acute providers are encrypting data at rest.” Beyond the risk that this sensitive data could be exposed in a breach, the study warned that the lack of encryption “leaves the door wide open to potential tampering and corruption of the data.” (Source: ITWorld)

Canada and Australia find that Ashley Madison violated privacy laws. The controversial dating site with the slogan “Life is short, have an affair,” which suffered a major breach last year, has been found to have violated Australian and Canadian privacy laws. Reuters reports, “The probe found the Toronto-based company had inadequate safeguards in place, including poor password management and a fabricated security trustmark on the website’s home page.” The website’s parent company is also currently under investigation by the Federal Trade Commission. (Source: Reuters)

Country not found: Official Ukrainian Twitter accounts hacked. As Ukraine celebrated the 25th anniversary of its independence from the Soviet Union, (presumably) Russian hackers sought to spoil the day by hijacking the Twitter accounts of Ukraine’s National Guard and Armed Forces and posting tweets in Russian declaring “Ukraine is no more” and “Country not found.” (Source: Newsweek)

Agenda for FTC’s ransomware workshop announced. The FTC will once again convene a who’s who of data security experts for its ransomware workshop on Wednesday, September 7. Because we endeavor to save you precious billable hours, here’s a Twitter list you can follow to stay up to date on all the side conversations from the event. See below for more information on the workshop.

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

National Consumers League
Published August 31, 2016