The #DataInsecurity Digest | Issue 43

Issue 43 | April 12, 2017

#DataInsecurity Digest: Q&A with Koskinen, Trump rolls back broadband privacy protections, more woes for Arby’s

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: With Tax Day right around the corner, we are excited to bring you a timely interview with IRS Commissioner John Koskinen as part of our #DataInsecurity Thought Leaders series. Cmmr. Koskinen answered a range of questions about the agency’s success at reducing tax identity fraud rates and dealing with fraudsters using stolen data. Excerpts from our chat are below and the full interview is available here.

Bucking sweeping public opinion, President Trump signed a repeal of the FCC’s broadband privacy rule last week. As a result, ISPs will be able to collect and sell user’s browsing history and precise location without first obtaining consent. The repeal also exempts ISPs from the Rule’s proposed data security and breach notification requirements. While the ISPs say this will allow for a level playing field and less confusion for consumers, advocates were outraged at the move and are vowing to continue the fight. Don’t look for help from Congress any time soon, however, as the Administration says not to expect movement on comprehensive privacy legislation for the foreseeable future. Meanwhile, eight different banks and credit unions are suing Arby’s as a result of its February data breach. In addition, Scottrade customers became the latest data breach victims, when their Social Security numbers were left in the cloud unsecured. Finally, data security was the cover story this month in The Economist, which said that greater government involvement to prod companies to better protect data security could be beneficial.


Preview of #DataInsecurity Thought Leaders interview with IRS Commissioner John Koskinen

We are pleased that IRS Commissioner John Koskinen was kind enough to take a break at the height of tax season to answer a series of questions about tax identity fraud and the link between data breaches of tax information and scams. Here’s an excerpt; read the full interview here.

NCL: Tax identity fraud remains a top concern for many consumers. For example, employment or tax-related identity fraud remains the top type of ID theft complaint filed with the FTC. For its part, the IRS has shown significant progress in reducing rates of tax identity fraud in recent years. To what do you credit this success and what remains to be done?

Commr. Koskinen: We made tremendous progress in stopping fraudulent returns. Because we did a better job keeping bad returns from ever entering our systems, we saw a 30 percent drop in the number of confirmed identity theft returns caught by our filters. We saw a 50 percent decrease in the number of questionable refunds being issued and stopped by banks. And, most importantly, we saw a 46 percent decline in the number of taxpayers reporting to us that they were victims of tax-related identity theft.

The amount of progress we made is tremendous, but we are not declaring victory. There is still much work to be done. We enacted even more “trusted customer” features for the 2017 tax season and, though we have limited data, we believe we are on the right path and are continuing our progress. Congress also gave us a tremendous tool. They passed legislation requiring Form W-2s to be filed with the IRS in January instead of March. This helps us match the income information, which is very helpful to stopping identity theft and fraud.

Read our full interview with IRS Commissioner John Koskinen.


This edition’s clips

Economist cover: ‘How to manage the computer-security threat.’ The Economist magazine devoted its lead this week to the need for governments to take a stronger role in prodding industry to take data security seriously. “Firms should recognise that, if the courts do not force the liability issue, public opinion will. Many computer-security experts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. … [I]magine the clamour for legislation after the first child fatality involving self-driving cars.” (Source: The Economist)

Trump signs repeal of FCC’s broadband privacy rules. After partisan votes in both the House and Senate advanced a Congressional Review Act resolution to repeal the FCC’s broadband privacy rules, President Trump signed the repeal into law last week. @davidshepardson reports that the rules “would have required internet providers to obtain consumer consent before using precise geolocation, financial information, health information, children’s information and web browsing history for advertising and marketing.” The CRA prevents the FCC from ever reintroducing similar rules without direct Congressional approval. (Source: Reuters)

Quick Hit: Nearly 75 percent of Republicans and Democrats wanted Trump to veto the repeal of the broadband privacy rule. A Huffington Post/YouGov poll found that just 8 percent of Republicans, Democrats, and Independents wanted Internet providers to share their personal information; 83 percent% did not want their data collected. (Source: Huffington Post)

White House lowers expectations for privacy protections. Proponents of repealing the FCC’s privacy protections argued that the rules were unfairly stricter than protections in place for websites. Privacy advocates now have to hope that the rule’s repeal will push Congress to move toward providing comprehensive privacy protections for both ISP users and website visitors. @TonyRomm reports, however, that the White House is signalling that a comprehensive new rule will be unlikely in the short term as “the Trump administration’s chief legislative aide cast doubt on the idea, stating that ‘we were content right now on pulling back’ on the previous FCC’s privacy rules.” (Source: Recode)

Eight data breach lawsuits filed against Arby’s. Banks, credit unions, and customers have filed lawsuits against Arby’s claiming damages from the fast food chain’s February data breach. One of the credit unions suing Arby’s–North Alabama Educators Credit Union–stated in its lawsuit that “hundreds of thousands, if not millions, of credit and debit cards… were compromised due to Arby’s severely inadequate security practices… Arby’s actions and omissions left highly sensitive Payment Card Data of the Plaintiff’s customers exposed and accessible for hackers to steal for nearly three months.” (Source: Associated Press)

Breach du Jour: 20,000 Scottrade accounts. The stock trading company Scottrade accidentally left sensitive information unprotected in the cloud. The information included Social Security numbers, plain text passwords, and employee credentials used to obtain credit reports. Scottrade Bank stated that “it believes contact information was the primary goal of those responsible for compromising the database where the data was stored.” (Source: CSO)

GameStop investigates possible data breach. @briankrebs is reporting that retailer GameStop is investigating a possible credit card hack after credit cards used on its website were found for sale on the Dark Web. The alleged breach occurred between September 2016 and February 2017 and is believed to have compromised “customer card numbers, expiration dates, names, address and card verification values (CVV2), usually a 3-digit security code printed on the backs of credit cards.” (Source: Krebs on Security)

95,000 Canadian McDonald’s job applications stolen. Job applications submitted by anyone who applied for a job at a Canadian McDonald’s between March 2014 and March of 2017 have been stolen by hackers. @neuwaves reports that “McDonald’s seems to be a bit of a target for hackers lately, since its corporate Twitter account was allegedly compromised earlier in March.” (Source: Motherboard)

Are software developers responsible when their products are misused? The FBI recently arrested Taylor Huddleston for aiding hackers after the software he created — “Net Seal” — was used by hackers for fraudulent purposes. It seems that while Huddleston designed his software to remove fraudulently purchased programs from computers, hackers used the remote access feature of the software as a way to breach computers. Huddleson made a point of preventing his software from being used improperly. “Whenever he saw evidence that a particular buyer was using the product to hack, he’d log in to Net Seal and disable that user’s copy, cutting the hacker off from his infected slaves.” In spite of this, Huddleson faces jail time should the FBI succeed with its prosecution. (Source: The Daily Beast)


Upcoming events

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17)  San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published April 12, 2017