The #DataInsecurity Digest | Issue 44

Issue 44 | April 26, 2017

#DataInsecurity Digest: White House still has no cyber plans; Shoney’s, Intercontinental Hotels breaches roll in

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s Note: Saturday marks President Trump’s 100th day in office. Data security watchers can only hope that the Administration’s cyber order’s release is just around the corner and that Trump puts his team in place to create a 90-day cyber plan, even though we are well past its promised delivery date.

As the White House grapples with creating its promised cybersecurity plans, data breaches rage on. Intercontinental Hotel Group’s “small” breach is now believed to have compromised more than 1,000 hotels. Shoney’s Restaurant is now also investigating a breach of its own, and hundreds of YouTube channels were hacked. With numerous data breaches, and the lack of executive action to create a data security standard, it is perhaps little wonder that consumers are forming a class action against Bose for collecting and selling their data without their consent.

And now to the clips!

—————–

Trump falls short in creating a 90-day cyber plan. Back in January, President Trump promised to “appoint a team to give me a plan within ninety days of taking office” that would stop hackers and provide data security. @IsaacDovere reports that last Thursday, “Trump hit his ninety-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what.” (Source: Politico)

The wait continues for the White House’s cyber order. Nearly three months after the expected release of its cyber order, the White House has yet to release one. @frankentele reports that a former White House staffer didn’t “think the delay is due to any real substantive revisions going on at this point.” In this official’s view, “the delay is more a matter of the White House continuing to confront staffing issues and other more pressing political and policy challenges. The former official said the last leaked draft looked close to a finished document that had buy-in from many in industry.” (Source: FCW)

Intercontinental payment breach grows to at least 1,175 hotels. Back in February, Intercontinental Hotel Group (IHG) announced it had suffered a payment systems breach at a dozen of its hotels. Now the hotel chain is stating that at least 1,175 of its 5,000 U.S. hotels have been compromised. @ChristianSonne is reporting that the breach affected several of the IHG brand names, including Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), and Holiday Inn Resort (3). (Source: Krebs on Security)

Class action filed against Bose Headphones for spying on users without their consent. The Illinois lawsuit was filed after the plaintiff learned that Bose sent “all available media information” collected from the Bose app and headphones to third parties. In addition to financial compensation, the plaintiff is seeking an end to Bose’s data collection practices. (Source: Reuters)

Was Shoney’s Restaurant breached? @briankrebs is reporting that the restaurant chain may be the latest subject of a data breach. Details are not yet clear on how many of the chain’s 140 stores were affected, but “sources in the financial industry say they’ve received confidential alerts from the credit card associations about suspected breaches at dozens of locations, although it remains unclear whether the problem is limited to those locations or if it extends company-wide.” (Source: Krebs on Security)

Breach du jour: Hundreds of YouTube accounts. A group of hackers who call themselves “Our Mine” struck again. This time, instead of targeting the social media accounts of public figures such as Facebook CEO Mark Zuckerberg or hacking Sony’s Twitter feed to spread fake news that Britney Spears had died, the hackers targeted hundreds of large and small YouTube accounts. “The compromised channels were of different sizes, and some of them were big guns as well. Most notable of them was Studio 71, which was a niche of a wide network of websites. RomanAtwoodVlogs, JustKiddingNews and Wranglerstar and several other channels were hacked for a short period.” (Source: Hack Read)

Cyber thieves steal $14.2 million from Hong Kong stock exchange. In the past 18 months, the Hong Kong stock exchange suffered 20 cyber attacks netting cyber thieves $14.2 million. In response, regulators are requiring “all [brokers] to invest more to enhance the cybersecurity of their computer systems after customers lost up to HK$110 million from hacker attacks.” (Source: Cyber Scope)

—————–

Upcoming events

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17) – San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro ’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in “which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro ’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published April 26, 2017