Facebook data leak prompts renewed calls for privacy legislation

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Facebook’s data leak (let’s not call it a “breach”) is top of mind this week, with data on at least 50 million users being misused by Cambridge Analytica, reportedly to the benefit of the 2016 Trump presidential campaign. The leak is prompting renewed calls from advocates and Congress to enact more regulation on digital media platforms like Facebook. The Equifax saga continues, with a senior company executive indicted on insider trading charges for dumping his stock shortly before the breach’s news hit the papers. Finally, those who argue you should never pay a ransomware scammer were supported this week by findings that less than half of those who do pay are able to actually recover their data. Remember to back up early, and back up often, folks!

And now, on to the clips!

—————–

Private Facebook data leaked, reportedly benefiting Trump’s 2016 campaign. Cambridge Analytica, a conservative voter profiling firm “harvested private information from the Facebook profiles of more than 50 million users without their permission,” through an app created by a Russian-American academic. The leak is the largest in the social network’s history, allowing the company “to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.” (Source: New York Times)

NCL’s Greenberg: Facebook leak “a wake-up call.” The leak of data on millions of Facebook users to political data analytics firm Cambridge Analytica is generating significant concern from privacy advocates, including NCL. “This is a wake-up call,” said Sally Greenberg, NCL’s executive director. “‘The number of apps who want to use your Facebook log-in is endless. We all run into it.’” (Source: San Francisco Chronicle)

Congress takes aim at Facebook. Outrage from Facebook’s massive leak came from both sides of the aisle. On Monday, Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA), members of the Senate Judiciary Committee, wrote to chairman Chuck Grassley (R-IA) requesting a hearing with social media companies’ CEOs, including Facebook’s Mark Zuckerberg. Sen. Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee warned “These tech platforms …. need to be more forthcoming or Washington is going to start imposing rules and regulations that may not fit.” (Source: ABC News)

Former Equifax executive charged with insider trading. Jun Ying, former chief information officer of a U.S. business unit of Equifax, was charged last week with insider trading. Ying sold his stock prior to the public disclosure of the company’s massive breach, saving himself from an estimated $117,000 in losses. Richard Best, director of the SEC’s Atlanta regional office, said, “Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public.” (Source: Washington Post)

Tillerson’s departure could be a good thing for cyber at State Department. Former Secretary of State Rex Tillerson’s firing last week could be a positive in at least one area: cybersecurity. According to Christopher Painter, former State Department cybersecurity coordinator, the arrival of CIA Director Mike Pompeo at State could lead to a greater focus on cyber threats. “I don’t think the cyber issue was ever a passion for Tillerson; I don’t think this was ever a personal priority for him,” Painter said. “My sense – and all of this is speculative because it’s hard to predict – my sense is that Pompeo because of his background in the CIA and others will have a better appreciation of the security parts of the portfolio.” (Source: POLITICO)

Pennsylvania AG sues Uber for failing to notify consumers of its data breach. Pennsylvania Attorney General Josh Shapiro has filed a lawsuit against Uber after it took more than 12 months to notify PA residents of the data breach. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet.” @alfredwkng notes that “[u]nder Pennsylvania law, Shapiro can sue for $1,000 for each violation. That means the attorney general’s office could seek $13.5 million from Uber.” (Source: CNet)

Quick hit: Yahoo data breach victims allowed access to the courts. Last week, a court rejected Verizon’s bid to have many of Yahoo’s data breach victims’ claims dismissed. (Source: Reuters)

Despite SEC Guidance to report data breaches, few companies do so. In 2017, there were nearly 5,000 cyber attacks on American businesses. Yet, only 24 companies reported a breach to the SEC. While the SEC has investigated late data breach disclosures, it “has yet to bring an enforcement action against a company that failed to disclose an incident.” @craignewman notes that at least part of the hesitation to report a breach could be explained by wanting to avoid undermining an ongoing investigation. (Source: New York Times)

Less than half of ransomware victims who pay get data back. A new study from security firm CyberEdge underscores why it is so critical to maintain up-to-date, offline backups. The firm found that less than half (49.4 percent) of ransomware victims who paid a ransom were able to recover their data. “It’s like flipping a coin twice consecutively – once to determine if your organization will be victimized by ransomware, and then, if you decide to pay the ransom, flip it again to determine if you’ll get your data back.” (Source: The Register)

Dessert: Girl Scouts can now earn a cybersecurity badge. Want some Samoas with your two-factor authentication? Girl Scouts can now earn a cybersecurity badge while they learn the basics of computer networks, cyber attacks, and online safety. (Source: NBC News)

Events

March 27-28 – IAPP Global Privacy Summit, Washington, DC
Starting this weekend, privacy experts and regulators will gather at the IAPP’s Global privacy summit in Washington to discuss and learn about the most pressing issues of the day.

National Consumers League
Published March 22, 2018

FTC calls for reforms to smartphone security update policies; White House AWOL on addressing Russian hacking

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The FTC was extra busy making news in the data security front last week. First, the agency released new data that shows that consumers lost more money this year than last year to scams. Most notably, the FTC flagged identity theft as the second most prominent type of scam. Research from NCL has shown that being affected by data breaches correlates to increased risk of identity fraud. The FTC also called for phone manufacturers to be more transparent by clearly disclosing the minimum guaranteed support period for their devices so as to minimize the number of consumers using phones that are no longer receiving security updates. Finally, outgoing Acting Chairman Ohlhausen, in remarks delivered at PrivacyCon, quantified injury from breaches and other privacy violations.

In non-FTC news, new reports found that Russia hacked into seven state’s election systems prior to the 2016 election. Russia also garnered headlines for getting caught hacking the Olympics. In spite of this drumbeat of Russian-related hacking news, NSA Director Mike Rogers admitted in a Senate hearing that he has not yet been ordered by President Trump to stop Russia from interfering in the next election. There was a bit of good news, as well, with Visa reporting that the transition to chip-based debit and credit cards has led to a precipitous drop in payment card fraud.

And now, on to the clips!

—————–

FTC: Consumer fraud losses increased $63 million in 2017. Last week, the FTC released its annual Consumer Sentinel Data Book. The report analyzes millions of consumer complaints submitted to the FTC and other organizations and is considered a leading indicator of the state of fraud. Identity theft was the second biggest category, making up nearly 14 percent of all consumer complaints. Credit card fraud was the most common type of identity theft reported by consumers. Tax fraud was the second most common type of identity, despite falling by 46 percent from 2016. All three types of fraud often rely on consumer info gleaned from data breaches. (Source: Federal Trade Commission)

FTC mobile security report cites steps needed to protect cell phones from hacking. Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl commented “that more needs to be done to make it easier for consumers to ensure their devices are secure.” Among the recommendations, the FTC advised manufacturers to “consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.” (Source: Federal Trade Commission)

FTC’s Ohlhausen addresses data breach injury at PrivacyCon. Outgoing FTC Acting Chairman Maureen Ohlhausen devoted a big chunk of her remarks at last week’s PrivacyCon conference to a perennial issue in addressing data breaches: how to define injury. “The takeaway is clear: consumers can suffer injury from privacy and data security incidents and that injury isn’t limited to loss of money,” said Ohlhausen.”[N]ot everything that can be measured matters, and not everything that matters can be measured. But we ought to measure the things we can and think hard about how to objectively and consistently evaluate the things we cannot. After all, if we cannot measure – or even estimate – the injury we are trying to address, how can we tell if we are directing government action effectively?” (Source: Federal Trade Commission)

2.4 million additional Americans affected by Equifax breach. The new breach victims only had their “names and a partial driver’s license number stolen by the attackers, unlike the original 145.5 million Americans who had their Social Security numbers impacted.” Equifax’s latest revelation brings its total number of victims up to 147.9 million. (Source: Associated Press)

Point-of-sale fraud drops 70 percent for retailers that use chip readers. While only “59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade[.]” (Source: Ars Technica)

Despite ongoing efforts by Russia to interfere in upcoming election, Trump has not ordered NSA to stop Russia. In last week’s Senate Armed Services Committee hearing, NSA Director Mike Rogers said that “[n]obody’s … directly asked me,” when questioned on whether the agency has been directed to address the threat of Russian hackers targeting the U.S. election system. He elaborated by stating: “I’ve certainly provided my opinion in ongoing discussions.” @martinmatishak reports that Mike Rogers’ “comments echoed ones he, and the other intelligence leaders, made earlier this month to the Senate Intelligence Committee.” (Source: Politico)

Russia compromised seven state election systems prior to the 2016 election. Systems in Alaska, Arizona, California, Florida, Illinois, Texas, and Wisconsin were compromised by Russian-backed covert operatives prior to the 2016 election. While no votes were altered, “[t]he officials say systems in the seven states were compromised in a variety of ways, with some breaches more serious than others, from entry into state websites to penetration of actual voter registration databases.” (Source: NBC News)

SEC: Selling shares before a breach is disclosed is a no-no. New guidance from the Securities and Exchange Commission will prohibit directors and officers from selling company shares after a breach is discovered, but before it has been disclosed to the public. The guidance also reinforces prior guidance by stating “that all companies must inform investors in a timely fashion of all material cybersecurity risks.” (Source: Bank Info Security)

Russia hacked the Olympics. U.S. intelligence officials have confirmed that “Russian spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea …They did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a ‘false-flag’ operation.” (Source: Washington Post)

Events

March 25-26 – IAPP Global Privacy Summit, Washington, DC
Later this month, privacy experts and regulators will gather at the IAPP’s Global privacy summit in Washington to discuss and learn about the most pressing issues of the day.

National Consumers League
Published March 8, 2018

2017 found to be worst year ever for data breaches

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Just because cybersecurity did not receive a mention in President Trump’s State of the Union, did not mean that data breaches were not garnering headlines in recent weeks. 2017 was found to be the worst year for data breaches ever by the Online Trust Alliance. Nearly half of American organizations were breached in the past 12 months, up from 24 percent in 2016, according to Thales. Other big news this week comes from our colleagues at Consumer Reports, who published the first reviews of smart TVs using the organization’s new Digital Standard for privacy and security. CR’s tests found that leading smart TVs have significant security vulnerabilities that could allow hackers to change channels, raise volumes, or play disturbing YouTube content.

All this comes with fallout from the Meltdown and Spectre vulnerabilities continuing to brew, with many key cybersecurity vacancies remaining in the Trump Administration, and with reports of the new CFPB director abandoning the agency’s investigation of the Equifax mega-breach.

And now, on to the clips!

—————–

2017 declared the worst year for data breaches ever. The Online Trust Alliance released its annual report, finding that ransomware incidents doubled from 2016 to 2017 and cost consumers and businesses $5 billion. “Surprising no one, 2017 marked another ‘worst year ever’ in personal data breaches and cyber incidents around the world.” The report also found that 93 percent of data breaches could have been avoided. (Source: Online Trust Alliance)

Number of breached organizations nearly doubled in 12 months. A survey conducted by Thales found that, in the last 12 months, 46 percent of U.S. organizations experienced a breach. This is a significant increase from the 24 percent of organizations that were breached in 2016. (Source: Thales)

Lawmakers take aim at Uber. On Tuesday, “Democrats and Republicans alike needled the ride-hailing company for withholding information even as it faced a federal investigation for its privacy and security practices.” Ranking Member Bill Nelson (D-FL) cautioned against current legislative efforts to weaken data security: “better for Congress to pass no bill than to pass a bill that provides less protections to consumers compared to the status quo.” (Source: The Hill)

Smart TVs vulnerable to hacking. In the first use of its new Digital Standard for privacy and security, our colleagues at Consumer Reports have published the findings of their tests on leading “smart” TVs. The results weren’t pretty, particularly for TVs using the Roku platform: “Roku devices have a totally unsecured remote control API enabled by default,” said Eason Goodale, [CR partner] Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.” (Source: Consumer Reports)

Consumers Union: Report underscores need for Congress to act on data security. Consumers Union, the advocacy arm of Consumer Reports, used the findings of the magazine’s connected TV report to press for Congressional action on data security standards. “Congress needs to pass data security standards for connected products, and federal regulators need to step up and hold companies accountable for the privacy, security and safety of these products,” said CU’s @JustinBrookman. “For years, consumers have had their behavior tracked when they’re online or using their smartphones. But I don’t think a lot of people expect their television to be watching what they do.” (Source: Consumers Union)

More than $1 million stolen from U.S. ATMs. “Jackpotting”–the hijacking of ATMs by hackers to spit out cash much like a slot machine–has long been a problem for European banks. Last week however, the problem arrived in the United States with a half-dozen incidents. “The spate of attacks represented the first widespread jackpotting activity in the United States,” said Matthew O‘Neill, a special agent for the Secret Service. “Previous campaigns have been spotted in parts of Europe and Latin America in recent years. It was just a matter of time until it hit our shores.” (Source: Reuters)

Researchers have found 139 different types of malware designed to exploit Meltdown and Spectre. This is a significant increase from reports in January, when researchers found 77 malware samples. @EduardKovacs reports that, “while a majority of the samples appear to be in the testing phase, we could soon start seeing attacks.” (Source: Security Week)

Quick hit: Intel working “around the clock” to solve Spectre and Meltdown security flaws. Intel informed investors in a quarterly earnings call that it plans to “release updated chips later this year to provide a long-term solution.” (Source: Washington Post)

Acting CFPB director believed to be canceling Equifax investigation. @PatrickMRucker is reporting that acting director Mick Mulvaney is pulling back an investigation into Equifax’s behavior, which led to 143 million Americans having their most personal data compromised. Mulvaney “has not ordered subpoenas against Equifax or sought sworn testimony from executives, routine steps when launching a full-scale probe. Meanwhile the CFPB has shelved plans for on-the-ground tests of how Equifax protects data, an idea backed by Cordray.” (Source: Reuters)

Fitness trackers give away locations of secret U.S. military bases. It was recently revealed that, back in November, a social network for athletes called Strava released a heat map showing every run ever uploaded to its network. The map was “detailed enough that it potentially gives away extremely sensitive information… . In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly.” (Source: The Guardian)

After one year in office, many key cybersecurity posts remain unfilled by Trump. “About one-third of agency chief information security officers hold their jobs on an acting basis. The same is true for the federal chief information officer, the federal chief information security officer and the two top posts in the Homeland Security Department’s cybersecurity and infrastructure protection division, which is substantially responsible for the civilian government’s cybersecurity.” According to former officials, the vacancies are damaging “efforts to upgrade the government’s aging IT infrastructure and could endanger national security.” (Source: NextGov)

Japan grapples with fallout from a $534 million cyberheist. Authorities in Japan are investigating the cryptocurrency trading company Coincheck after “hackers stole 58 billion yen ($534 million) of NEM coins, among the most popular digital currencies in the world.” (Source: Reuters)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published February 8, 2018

Issue 59 | January 11, 2018

#DataInsecurity Digest: Discovery of major vulnerabilities ushers in 2018

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Happy New Year and welcome to the first #DataInsecurity Digest of 2018! The year started off with a bang as news of critical vulnerabilities in nearly every electronic device shook the data security world. The vulnerabilities, known as Spectre and Meltdown, have no easy repair/patch available, though no attacks exploiting the vulnerabilities have yet been reported. Nonetheless, we expect the news to serve as a catalyst for litigation in the coming months. As if this were not enough, compromised personal data of Florida Medicaid recipients and DHS employees also made headlines, along with the revelation that Romanian hackers were able to disable Washington, DC security cameras for days prior to the inauguration of President Trump in January 2017.

And now, on to the clips!

—————–

Spectre/Meltdown: Majority of world’s computers may be compromised. Security researchers have discovered two massive security flaws in Intel, AMD, and ARM-based processors called Meltdown and Spectre. The security vulnerabilities “could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks…There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent.” Paul Kocher, a key researcher who helped discover the vulnerabilities, commented that “we’ve really screwed up… There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.” (Source: New York Times)

The flaw will affect almost a decade worth of Intel computer chips. @HowellONeill reports that “the fix requires a fundamental redesign of the operating system kernel, the software that manages a machine’s resources. It’s meant to be nearly all-powerful and all-secure. This flaw renders it plainly vulnerable across platforms.” (Source: Cyber Scoop)

Apple users are victims too. Apple informed users that while “there are no known exploits impacting customers at this time,” all iPhones, iPads, and Mac computers are affected by the recently disclosed processor flaws. (Source: CNN)

At least three class action lawsuits have been filed against Intel. Class action suits in California, Oregon, and Indiana are expected to be followed by others in the coming days. “All three cite the security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June. … The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns…” (Source: The Guardian)

Intel CEO sold off most of his stock after learning of massive security flaw. Intel CEO Brian Krzanich, “sold the majority of his company stock in November, several months after the company was alerted to the flaws…” but before the failure was made public. “Krzanich sold off all but 250,000 of his Intel shares—the minimum number he’s required to hold per his employee agreement.” (Source: Quartz)

Hackers took over DC surveillance cameras prior to inauguration. A recently unsealed criminal complaint revealed that, just prior to President Trump’s inauguration, Romanian hackers took over two-thirds of the District of Columbia’s outdoor surveillance cameras. The attack “affected 123 of the DC police department’s 187 outdoor surveillance cameras, leaving them unable to record for several days.” (Source: Washington Post)

Breach du jour: 30,000 Florida Medicaid records. The breach came about due to a malicious phishing email attack. As a result of the breach, “hackers may have partly or fully accessed the enrollees’ full names, Medicaid ID numbers, birthdates, addresses, diagnoses, medical conditions and Social Security numbers.” (Source: Associated Press)

Breach du jour part deux: 247,000 Homeland Security Department employees and non-employees. Last week, authorities confirmed previous reports that DHS suffered a data breach in 2014. They did not detail what personal information was compromised in the breach but revealed that the “personal information on 247,167 Homeland Security employees as well as…” an undisclosed number of “…non-employees who were subjects, witnesses or complainants in inspector general investigations between 2002 and 2014,” had been compromised as well. (Source: Next Gov)

Opinion: The end of Net Neutrality could worsen data security. @TonyAtESET contemplates how the end of net neutrality “could put many devices and their users’ critical data at risk.” (Source: We Live Security)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published January 11, 2018

Welcome to the Q4 issue of the Health Advisory Council Newsletter. This quarter, NCL and Council Members have been active on many fronts. Please see our policy updates, new Q&A’s with Pfizer and the American Society of Health-System Pharmacists, Member updates, and more.

Let’s keep the conversation going in 2018!
We hope you will renew your Health Advisory Council membership for 2018 as NCL continues to convene diverse members of the healthcare community to share perspectives and insights, identify common interests, and support NCL’s work in health-related consumer education and advocacy. Thanks to your support in 2017, we were able to work and advocate on a variety of important health issues. We look forward to continuing the conversation with you and others in 2018! 

 ICYMI: Meeting with special guest FDA Commissioner Scott Gottlieb

On December 6, 2017 NCL hosted its end-of-year Health Advisory Council meeting and holiday reception featuring a fireside chat with NCL Executive Director Sally Greenberg and FDA Commissioner Scott Gottlieb. Topics of discussion included making the FDA product review cycle more efficient; preserving the balance between innovation and competition struck by the Hatch-Waxman Act; FDA’s actions to combat counterfeit drugs; steps FDA can take to encourage the development of drugs for Alzheimer’s and other diseases that currently have no treatments; and how Commissioner Gottlieb’s experience as a cancer patient influenced him as a policymaker and a physician. In addition to the discussion with the Commissioner, the meeting also included a report on NCL’s health programs and activities, as well as the opportunity for Members to network with each other and share updates on their initiatives and priorities.

Minutes are available here.

 NCL health policy at work 

Counterfeit drugs 

NCL is pleased to announce our Counterfeit Drugs Consumer Education Project that we plan to launch in 2018. Working together, NCL’s Health and Fraud teams will develop consumer education content to be housed at NCL’s Fraud.org. The content will focus on the following elements:

1. Examining the threat and sharing real life situations related to the online purchase of unsafe counterfeit medications;
2. Redirecting consumers to safe purchasing websites;
3. Educating consumers on smart purchasing practices and highlighting opportunities for cost savings, including practical tools, tips, and websites; and
4. Providing a channel for consumers to access enforcement bodies such as the FDA, MedWatch, and other appropriate resources, in order for them to report their personal medication concern to the proper authorities.

NCL expresses its appreciation to Eli Lilly for its initial grant as the first founding member in support of this project, and is looking for additional partners. Please contact NCL’s Senior Director of Development Lee Granados at leeg@nclnet.org about how your organization can join this resource-rich platform to educate consumers on making smart decisions. 

Click here for more NCL health policy updates.  

 Member spotlight

Get to know Health Advisory Council Members – Pfizer and American Society of Health-System Pharmacists – with new Q&A’s.  

 Updates on Member programs

Get the latest updates on programs, policy, and initiatives from our Members, including Astellas, Duke University, USP, and many more. 

 We want to hear from you!

If you have time-sensitive information and updates you’d like to share with the Health Advisory Council in between NCL’s quarterly newsletters, please contact Karin Bolte (karinb@nclnet.org) or Janay Johnson (janayj@nclnet.org), and we will be happy to forward your materials to the Council membership. We also encourage you to contact us with your ideas and suggestions for Council activities.

_______________

National Consumers League
Published December 19, 2017