The #DataInsecurity Digest | Issue 72

Data broker leaves 340M consumers’ most personal data unsecured

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As the cyber community assesses President Trump’s Supreme Court nominee’s views on privacy and the 4th Amendment, data breaches continue to plague businesses and make headlines. Last week, a data broker left the intimate details of 340 million consumers unsecured online. Likewise, Ticketmaster found itself in the midst of a massive data breach whose scope is not yet fully known. With the midterm elections looming in less than four months, Congress is letting the administration know of its displeasure with the lack of cyber leadership from the White House.

And now, on to the clips!

—————–

Data broker Exactis left nearly 340 million consumer profiles unprotected and easily discoverable. While the records did not contain Social Security Numbers, they did include “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. …” The data trove also includes information on individuals’ children and other details, including “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.” (Source: Wired)

Senate Commerce Committee convenes hearing on Spectre and Meltdown vulnerabilities. In the hearing, Sen. Bill Nelson (D-FL) complained that “seven months [was] too long for the companies to wait before disclosing major vulnerabilities.” In response, the companies testifying pointed out that they were mainly focused on informing the affected companies first. However, @alfredwkng reports that some senators rebutted this, pointing out that “companies notified Chinese companies about Spectre and Meltdown before the US government.” (Source: CNET)

SCOTUS nominee Brett Kavanaugh has a track record of opposing net neutrality and privacy. @alfredwkng reports that Kavanaugh believes that the “NSA’s surveillance program was consistent with the Fourth Amendment, even without a warrant, citing that ‘In my view, that critical national security need outweighs the impact on privacy occasioned by this program.’” The justice also “sided against net neutrality in a 2017 dissent, arguing that it was ‘one of the most consequential regulations ever issued by any executive or independent agency in the history of the United States.’” (Source: CNET)

Lawmakers aim to force Trump to act on cybersecurity. The Senate Armed Services Committee added language to the must-pass defense reauthorization bill that would require the administration to develop a cyberwar doctrine. @D_Hawk reports that “[t]he move highlights mounting frustration with what lawmakers see as a woefully insufficient strategy for responding to cyberattacks, and shows they’re serious about holding officials to their tough rhetoric.” As Sen. Ben Sasse (R-NE) recently said, “Let’s not sugarcoat it: Washington is dangerously unserious about cybersecurity. … We’re decades into the era of cyberwar and we’re still playing catch-up.” (Source: Washington Post)

Cyber lamentations: The cost of doing nothing. In a July 4 piece, New York Times opinion columnist @NickKristof provided a sobering look at the path ahead if nothing is done to improve America’s cybersecurity. Kristof recounts that when Gen. Paul Nakasone, head of the U.S. Cyber Command, was asked in his 2018 confirmation hearings what he thought would happen if our enemies attacked us in cyberspace, Nakasone replied, “They do not think much will happen. They don’t fear us.” (Source: New York Times)

Ticketmaster breach grows to affect U.S. website and possibly 800 additional e-commerce sites. Security researchers at @RiskIQ believe that the “Ticketmaster breach was far bigger than first thought, after several of its global sites — including its US site, which had initially ruled out being affected — were running code from another third-party company that had also been compromised.” (Source: ZDNet)

Equifax agrees to a consent decree, avoiding financial penalty with eight states. However, Equifax must perform a detailed assessment of cyber threats, boost board oversight of cybersecurity, and improve processes for patching known security vulnerabilities, according to the terms of the agreement. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas. (Source: Reuters)

Facebook’s new privacy settings may not be that consumer-friendly. Consumer Reports found that “the design and language used in Facebook’s privacy controls nudge people toward sharing the maximum amount of data with the company.” The report also found that “users can’t make changes to default settings before completing the sign-up process. Facebook also directs new users through a confusing dashboard of policies to learn how to change settings, and in some instances users need to perform a dozen or more clicks and swipes to find and adjust the appropriate settings.” (Source: Consumer Reports)

Upcoming Events

August 9-12, 2018 – DEF CON 26 – Las Vegas, NV
DEF CON is the world’s longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published July 12, 2018