The #DataInsecurity Digest | Issue 82

Facebook’s past and present handling of Cambridge Analytica scandal continues to draw criticism

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Politicians in both the U.K. and the United States remain outraged with Facebook’s continued mismanagement of the Cambridge Analytica scandal. After Facebook’s Mark Zuckerberg repeatedly refused to answer questions from the U.K. Parliament, parliamentary leaders took the rare step of confiscating internal Facebook documents, including confidential emails between senior executives. Meanwhile, new data breaches continued to garner headlines as both Amazon and the Postal Service experienced breaches just before the Black Friday/Cyber Monday rush.

And now, on to the clips!

—————–

Congress outraged in aftermath of Facebook’s questionable damage control tactics. After a New York Times report revealed that Facebook attempted to paint any criticism of its brand in the wake of the 2016 election as a plot by George Soros, members of Congress expressed outrage. Senator Mark Warner (D-VA): “It’s important for Facebook to recognize that this isn’t a public relations problem – it’s a fundamental challenge for the platform and their business model… . I think it took them too long to realize that. It’s clear that Congress can’t simply trust [Facebook] to address these issues on their own.” (Source: Washington Post)  

U.K. Parliament seizes internal Facebook documents after Zuckerberg repeatedly refuses to answer questions. “The cache of documents is alleged to contain significant revelations about Facebook decisions on data and privacy controls that led to the Cambridge Analytica scandal. It is claimed they include confidential emails between senior executives, and correspondence with Zuckerberg.” (Source: The Guardian)

More than half a million Google Play users installed malware posing as gaming apps. @LukasStefanko, a security researcher at ESET, found that 13 apps, two of which were trending on the Google Play store, were loaded with malware. “Combined, the apps surpassed 580,000 installs before Google pulled the plug.” (Source: TechCrunch)

Amazon compromised user emails and then provided few details and potentially bad cyber advice to breach victims. @TonyRomm reports that the retailer “informed some customers on Wednesday that their names and email addresses had been ‘inadvertently disclosed’ as a result of a ‘technical error,’ but declined to provide more details about the security incident.” Many cyber watchers further questioned Amazon after it told its “users there’s ‘no need for you to change your password or take any other action,’ even though hackers ‘still might try to use their names and email addresses for nefarious purposes, including phishing scams.’” (Source: Washington Post)

Japanese cybersecurity minister admits to having never used a computer. Before Parliament, Yoshitaka Sakurada admitted that he has no need for computers, stating that “‘I have been independently running my own business since I was 25 years old.’ When computer use is necessary, ‘I order my employees or secretaries’ to do it. … ‘I don’t type on a computer.’” “Asked by a lawmaker if nuclear power plants allowed the use of USB drives, a common technology widely considered to be a security risk, Mr. Sakurada did not seem to understand what they were.” (Source: New York Times)

Your VPN could be spying on you. A new report found that “60 percent of the top free mobile VPN apps returned by Google Play Store and Apple Play Store searches are from developers based in China or with Chinese ownership, raising serious concerns about data privacy. … The same report also found that 86 percent of the apps analyzed had ‘unacceptable privacy policies.’ For example, some apps didn’t say if they logged traffic, some apps appeared to use generic privacy policies that didn’t even mention the term VPN, while some apps didn’t feature a privacy policy at all. On top of this, other apps admitted in their policies to sharing data with third-parties, tracking users, and sending and sharing data with Chinese third-parties.” (Source: ZDNet)

Breach du jour: 60 million USPS customers. The security vulnerability existed for about a year and “allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.” (Source: Krebs on Security)

Two hospitals hit with ransomware attack. The two hospitals, one located in Wheeling, WV and the other in Martins Ferry, OH, “became unable to accept patients from emergency service transports following an attempted ransomware attack…. Officials said the hospitals had since begun using a paper charting system to ensure protection of data, and the hospitals were still accepting walk-in patients.” (Source: WV News)

Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington DC
Each year, the FTC convenes a group of privacy experts, academics, policy makers and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published November 29, 2018