The #DataInsecurity Digest | Issue 88

Regulators in Europe, Members of Congress, consumer advocates taking a critical eye at misuse of consumer data 

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: While EU regulators take aim at social media giants like Facebook, the new leadership in the House of Representatives pledged to protect consumer data. The newly invigorated Democratic Congress has its work cut out for it, though, as more research came out to prove just how vulnerable our entire system is to hacking and how one wellplanned attack could collapse our entire financial system.

And now, on to the clips!


EU Regulators: First of seven investigations into Facebook to be completed by summer. Ireland’s Data Protection Commissioner commented that he anticipated that the remaining six investigations into the company’s use of personal data should be completed by the end of the year. @conorhumphries reports that in addition to probing Facebook’s data practices, “the commissioner is also probing Facebook subsidiaries WhatsApp and Instagram as well as Twitter, LinkedIn and Apple in relation to their processing of personal data and the transparency of their data processes.” (Source: Reuters) 

Democrats hold first major tech policy hearing since taking over the House. @TonyRomm reports that “party lawmakers charged that long-standing inaction on Capitol Hill had left consumers unprotected in the digital age.” Chairman Frank Pallone said, “It’s time that we move past the old model that protects the companies using our data and not the people.” (Source: Washington Post) 

Banks, securities firms, financial market infrastructures, and hospitals found to be at the highest risk of a devastating cyber-attack. @MoodysInvSvc’s report found that these industry sectors hold around $11.7 trillion of the world’s debt and that an “attack in one of those sectors would also have broad ripple effects.” The report said such an attack could result in “far-reaching impact on other sectors,” and that a single successful attack on a large bank, for example, could “pose a systemwide risk” that affects the entire financial sector. (Source: Washington Post 

North Korea launches cyberattacks against U.S. banks and business while meeting with Trump in Hanoi. While the attacks had been going on for months, thanks to the help of “an unnamed foreign law enforcement agency,” researchers were able to access “one of the main computer servers used by the North Korean hackers to stage their attacks [and watch] in real time, as the North Koreans attacked the computer networks of more than a hundred companies in the United States and around the globe. (Source: New York Times 

Equifax’s CEO admits that compromising Social Security numbers causes harm while simultaneously arguing in court that it does not. When asked to share his Social Security number by Rep. Katie Porter (D-CA) in a committee hearing, Equifax CEO Mark Begor declined, citing fears over identity theft. valid concern, but also noteworthy ithat Equifax has been desperately trying to “beat back a class-action lawsuit by arguing that the plaintiffs’ claims of breach-related harm are merely theoretical. In asking a judge to dismiss the case, Equifax said last July that the ‘alleged injuries are the very definition of speculative and conjectural.’” (Source: Politico 

In wake of DNA test kit data misuse, consumer advocates call for HIPAA protections for patient info. After news reports disclosed that was giving the FBI access to its DNA database, an act it said it would not do without a customer’s permission, NCL’s @sallygreenberg called on Congress to take action. “We need some rules of the road. ... Right now it puts consumers at great risk of having their very private information shared, sold and misused in ways they didn’t sign up for. ... We need a strengthened HIPAA for DNA testing companies.” (Source: Washington Post 

Breach du jour: Dow Jones watchlist of 2.4 million high risk individuals. The sensitive data “can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs.” The watchlist includes “current and former politicians, individuals or companies under sanctions or convicted of high-profile financial crimes such as fraud, or anyone with links to terrorism.” This trove of sensitive data was exposed “after a company with access to the database left it on a server without a password.” (Source TechCrunch) 

Technology used by law enforcement to hack mobile devices for sale on eBay for $100. The devices, manufactured by a company known as Cellebrite, are “used by police around the world to break open iPhones, Androids and other modern mobiles to extract data. ...” With an unknown amount of Cellebrite devices being sold second-hand by law enforcement agents on the Internet, “cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result.” (Source: Forbes)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. Researchers are encouraged to apply to present at the conference by March 15, 2019. (Source: Federal Trade Commission)

National Consumers League
Published March 7, 2019