The #DataInsecurity Digest | Issue 6

Issue 6 | Oct. 20, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As Congress returns from its Columbus Day recess, there are rumblings that the Senate is expected to take up the long-delayed Cybersecurity Information Sharing Act of 2015 (CISA). The case for data security reform (though not necessarily CISA itself) was highlighted last week when NCL, along with 24 other consumer privacy organizations, called on the CFPB and FTC to investigate the breach at Experian that led to the exposure of 15 million T-Mobile customer records. CISA also made waves on the presidential campaign trail when Democratic candidate Sen. Bernie Sanders announced his opposition to the bill. Finally, if you haven’t already done so, mark your calendars for the FTC’s second “Start with Security” event in Austin on Nov. 5. We will be following the event with interest, particularly to see what Commissioner McSweeny has to say about data security and the startup economy.

—————–

Bloomberg: Dow Jones breach potentially involved market-moving info. @MichaelRileyDC has the story on the latest hack of potential market-moving information: “The breach is described by the people as far more serious than a lower-grade intrusion disclosed a week ago by Dow Jones, a unit of Rupert Murdoch’s News Corp. … Information embargoed by companies and the government for release at a later time could be valuable to traders looking to gain an edge over other market participants, as could stories being prepared on topics like mergers and acquisitions that move stock prices.” (Source: Bloomberg)

Groups urge FTC & CFPB to investigate Experian/T-Mobile breach. More than two dozen consumer and privacy organizations (including NCL) are calling on the FTC and CFPB to investigate security lapses at Experian and T-Mobile that could have contributed to the breach of 15 million T-Mobile customers’ and applicants’ personal information. The letter, via @USPIRG: “We believe this breach, occurring at one of the nationwide CRAs, takes this problem to a whole new and dangerous level given the extraordinarily large amounts of critical financial information they hold.” (Source: USPIRG)

More Experian/T-Mobile fallout: Senator wants answers. Sen. Sherrod Brown is using his perch as ranking member on the Senate Banking, Housing and Urban Affairs Committee to demand answers from Experian and push for free credit freezes and an end to forced arbitration (h/t @KatieBoWill). (Source: Office of U.S. Senator Sherrod Brown)

Krebs: Talent exodus at Experian could have contributed to T-Mobile breach. @briankrebs talks to a number of ex-Experian security staff to get the inside scoop on factors that could have allowed the T-Mobile breach to occur: “Over the past week, KrebsOnSecurity has interviewed a half-dozen security experts who said they recently left Experian to find more rewarding and less frustrating work at other corporations. Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability.” (Source: KrebsOnSecurity)

Bernie comes out against CISA. No candidates on the Democratic side of the ledger had taken positions on the Cybersecurity Information Sharing Act until Bernie Sanders made his opposition clear last week. @ericgeller for @DailyDot: “Sanders’ stance … aligns him with privacy advocates and makes him the only Democratic presidential candidate to stake out that position … Sanders has not decided whether or not to join a potential filibuster. His office told the Daily Dot that he is waiting to see which of the 22 proposed amendments get votes on the Senate floor.” (Source: The Daily Dot)

Study: 87% of Android devices are vulnerable. @RonAmadeo covers disturbing new information on the vulnerability of the world’s most popular mobile OS for @ArsTechnica: “…a recent study … finds that ‘on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.’ … As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that ‘the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.’” (Source: Ars Technica)

EU moves toward comprehensive data breach notification. @markscott82, who handles EU tech reporting for @NYTimes, takes a look at the coming EU breach notification regs: “Under the proposals, any company — even one based outside Europe — that collects and manages data about the region’s more than 500 million residents would need to inform a national privacy watchdog within 72 hours of discovering a data breach. … The rules, which are still being negotiated, are expected to be completed by early next year and take effect as early as 2018.” (Source: New York Times)

Think Millennials don’t care about privacy & security? Think again! UK-based cybersecurity firm @IntercedeMyID is out with a new survey of Millennials’ attitudes towards privacy and security online. Significant findings: “New survey reveals fewer than 5% of UK and US Millennials believe their digital identity is completely protected by effective safeguards; 70% believe risk to their online privacy will increase as we become more digitally connected; 54% claim failure of businesses to implement better online security will result in public distrust of goods and services.” (Source: Intercede)

California Gov. signs expanded breach notification bill. @natllawreview covers the impact of the changes Gov. Jerry Brown has made to California’s data breach notification law, considered the gold standard for breach notification laws by some. Among the changes: a strengthened definition of “encryption,” standardized breach notice verbiage, and an expanded definition of “personally identifiable information” that now covers data captured by automated license plate recognition (ALPR) systems. (Source: National Law Review)

Stat du Jour: Medical ID theft to affect 25M patients over next 5 years. New research from @Accenture puts the tab for cyber attacks on health systems at $305 billion in lost lifetime patient revenue over the next five years, with one in 13 patients having their medical and/or personal information compromised. (Source: Accenture)

Breach du Jour: America’s Thrift Stores. The for-profit chain of thrift stores that supports Christian charities last week announced that its point-of-sale system was compromised last month, affecting credit and debit card transactions made Sept. 1-27. Point-of-sale systems have been a frequent target for hackers, as the stolen card data can be quickly sold on dark-market sites to carding rings that use the hacked cards to purchase high-dollar merchandise for resale. (Source: Krebs on Security)

ICYMI: New ITRC app puts ID theft counselors in your pocket. The San Diego-based Identity Theft Resource Center (@ITRCSD) recently released a helpful app for ID theft victims. The new app “offers resources for victims including direct links to victim advisors, all free of charge to consumers. The app also offers educational tools for consumers wanting to protect themselves against identity theft.” Check it out! (Source: ITRC)

Upcoming Events

National Cybersecurity Awareness Month – National
October 2015

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

Nov. 5 – Start with Security – Austin, TX
This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published October 20, 2015