Issue 47 | June 7, 2017
#DataInsecurity Digest: Credit unions pushing for retailer standard; Kmart and OneLogin breaches
By John Breyault (@jammingecono, firstname.lastname@example.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: Credit unions, which incurred an average of $226,000 each in costs responding to data breaches in 2014, are ramping up pressure on Congress to pass a data security standard for retailers, as new breaches were announced at Kmart and OneLogin. Consumers themselves got a bit of a break recently, as Target agreed pay out a record-breaking $28.5 million settlement with numerous state attorney generals, stemming from its massive 2013 breach. Meanwhile, the FDIC was once again put on notice by the Government Accountability Office for not using strong enough encryption methods. Finally, a group of Democratic senators is calling on the FBI to investigate a DDoS attack on the FCC’s electronic filing system, which may have prevented consumers from filing comments in the agency’s ongoing net neutrality proceeding.
And now, on to the clips!
Credit unions: Time for a retailer data security standard. The fact that banks must abide by the Gramm-Leach-Bliley Act’s strict data security standard while retailers (whose point of sale systems are a key target for criminal hacking) are exempt has long rankled the banking industry. That’s one reason why the National Association of Federally-insured Credit Unions (NAFCU) is ramping up the pressure on Congress to pass a retailer data security standard law. NAFCU head @BDanBerger writes that “[e]very time there is a retailer data-security breach, credit unions step forward to make their members whole. A NAFCU survey found that its member credit unions paid an average of $226,000 each in costs associated with retailer data breaches in 2014.” (Source: Credit Union Journal)
Data breaches will cost business $8 trillion in the next five years. @JuniperNetworks’s new report also forecasted that “the number of personal data records stolen by cybercriminals will reach 2.8 billion in 2017, almost doubling to 5 billion in 2020, despite new and innovative cybersecurity solutions emerging.” (Source: Juniper)
Breach du jour: Kmart. @briankrebs is reporting that Kmart suffered from its second point-of-sale data breach in three years. Kmart’s parent company, Sears, would not comment “on how many of Kmart’s 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.” (Source: Krebs on Security)
Target pays out $18.5 million to settle 2013 data breach investigations. Target’s 2013 breach “affected more than 41 million customer payment-card accounts and exposed contact information of more than 60 million customers.” The settlement represents the largest multi-state accord ever reached over a data breach. The $18.5 million settlement is in addition to the $10 million Target has already paid out to harmed consumers in 2015. (Source: Bloomberg)
GAO puts FDIC on notice regarding cybersecurity. The agency charged with insuring our bank deposits was found to have “significantly deficient” cybersecurity by the Government Accountability Office. Among other things, the GAO faulted the Federal Deposit Insurance corporation for “not using strong encryption when users connect to certain sensitive systems.” (Source: Next Gov)
Democratic senators request FBI investigation into FCC DDoS attack. On May 8, the FCC claimed that the crash of its electronic filing system, which prevented consumers from filing comments on net neutrality, was the result of a distributed denial of service (DDoS) attack. Last week, Democratic Senators Brian Schatz (D-HI), Al Franken (D-MN), Patrick Leahy (D-VT), Ed Markey (D-MA), and Ron Wyden (D-OR) sent a letter to acting FBI Director Andrew McCabe requesting an investigation, stating that “[a]ny cyberattack on a federal network is very serious.” (Source: The Hill)
Quick hit: Ransomware insurance claims more than double. A year ago, ransomware insurance claims were “just over a tenth of cyber insurance claims, but that figure is now almost a quarter, according to data from insurer CFC Underwriting.” (Source: Financial Times)
Breach du Jour part deux: OneLogin. The identity management firm that “secures connections across all users, all devices, and every application” announced that a “threat actor” had accessed database tables including “information about users, apps, and various types of keys,” which may have allowed them to decrypt customers’ encrypted information. This marks the second breach OneLogin has suffered in the last year. (Source: Ars Technica)
National Consumers League
Published June 7, 2017