15 posts from August 2014
Media Shift reported recently:
"... Internet.org announced free, limited mobile broadband in Zambia, with plans to expand to more developing countries. But there are some downsides: New users must create Facebook accounts that act as portals to the web. If users want to venture beyond the Zuckerberg-free zone and into the whole of the internet, you’ve got to pay. This makes Facebook a broker between the developing world and the open Internet, one that can set prices for visiting certain sites or could undermine privacy, according to GigaOm’s David Meyer. Similarly, Google has plans to connect some of the two-thirds of the world’s population who remain offline, spending more than $1 billion on low-orbiting satellites, and a balloon-based delivery system called Project Loon."
Opinions about these efforts?
This morning, several news sources reported that Burger King, the fast-food chain, and Tim Hortons restaurants have agreed to merge. Tim Hortons is based in Canada. The merger allows Burger King to benefit from a tax inversion, where:
"The combined Canadian coffee chain and U.S. burger chain will have its global headquarters in Canada... In a tax inversion, two international companies merge and move their tax domicile to the lower tax country."
Last month, Bloomberg BusinessWeek published an interesting and informative analysis of the company, its young management, corporate history, and current marketplace challenges. You'll probably want to read the BusinessWeek report titled, "Burger King Is Run By Children."
Professor and former U.S. Labor Secretary Robert Reich posted on Facebook the following about the merger (links added):
"BK’s profits have been flat, mainly because its mostly lower-income customers don’t have enough money to boost sales. So the pending deal is welcome news to investors, who today sent its stock up nearly 20 percent. But it’s a lousy deal for you and me and other Americans because we’ll have to make up for the taxes Burger King stops paying. We’re already subsidizing Burger King because it refuses to raise the pay of its frontline workers, who are now at or near the minimum wage. So we're paying for the food stamps, Medicaid, and wage subsidies its workers need in order to stay out of poverty. That means when BK deserts America to cut its tax bill, we’ll be paying twice. That's a whopper of a slap at America."
A whopper of a slap, indeed. Mr. Reich posted in an update (link added):
"It’s one thing when a company like Pfizer flirts with corporation desertion (technically, a tax “inversion”) to become a foreign company and lower its tax bill. But Burger King, like Walgreen, is highly visible to consumers. Walgreen dropped its plan to desert the United States after a customer backlash and bad publicity. So a boycott of Burger King, accompanied by letters to the local press, picketing for the broadcast media, and a general ruckus, should be helpful."
The phrase "tax inversion" sounds clinical and almost meaningless. I like and prefer the phrase, "corporate desertion" since it better describes what is really happening. And, a boycott seems the appropriate consequence for the burger chain's actions.
What are your opinions of Burger King's tax inversion? Of the "corporate desertion" phrase? Of a boycott?
If you have followed the net neutrality issue, then you know that the first deadline has passed for consumers to submit comments to the Federal Communications Commission (FCC). The FCC received more than 1.1 million comments.
If you are wondering how many of your neighbors submitted comments, then you'll want to visit The Verge website. It features an interesting, interactive tool for consumers to view the number of comments by location. You can view the Zip Codes that submitted the most comments, and look up the Zip Code where you live, work, or attend school.
The U.S. Federal Trade Commission (FTC) announced that the U.S. District Court in Southern New York had ordered fraudsters to pay $5.1 million. The court:
"... issued default judgments against fourteen corporate defendants and fourteen individual defendants that allegedly operated the tech support scams. The operations were mostly based in India and targeted English-speaking consumers in the United States and several other countries... The judgments also ban them from continuing their deceptive tactics and from disclosing, selling or failing to dispose of information they obtained from victims."
The defendants are permanently banned from marketing technical support services. The firms the FTC had filed lawsuits against:
- FTC v. Pecon Software Ltd. et al.;
- FTC v. Marczak et al.;
- FTC v. PCCare247 Inc. et al.;
- FTC v. Finmaestros, LLC et al.;
- FTC v. Lakshmi Infosoul Services Pvt. Ltd. et al.; and
- FTC v. Zeal IT Solutions Pvt. Ltd. et al.
Two defendants in the PCCare247 case settled with the FTC in November 2013. Two defendants in the Marczak case settled with the FTC in April 2013. The latest court action applied to all remaining defendants.
The FTC had charged the defendants with violating the FTC Act, which prohibits deceptive marketing tactics. The agency had also charged the defendants with violating the Telemarketing Sales Rule, as they had allegedly made illegal calls to phone numbers on the Do Not Call Registry.
The FTC's complaints described the fraudsters' deceptive marketing tactics:
"... the defendants claimed they were affiliated with legitimate companies, including Dell, Microsoft, McAfee, and Norton, and told consumers they had detected malware that posed an imminent threat to their computers. The defendants then charged these consumers hundreds of dollars to remotely access and “fix” the computers."
This sounds very similar to a tech support phone call I received in February, 2012.
I congratulate the FTC and the Court on this enforcement.
Last week, the Huffington Post and U.S. Senator Elizabeth Warren (D-Massachusetts) posted an interesting infographic about the vast sums banks have paid in settlements for alleged wrongdoing. If you haven't seen the infographic, it is definitely worth a view.
"Since 2009, big banks in the U.S. and Europe have paid at least $128 billion to regulators, according to data compiled by the Wall Street Journal, Reuters, and The Huffington Post, for issues tied to the housing collapse and other financial misdeeds, including aiding and abetting money laundering and tax evasion."
Some statistics from the infographic:
- Bank of America: $61.1 billion
- JPMorgan: $31.4 billion
- Citigroup: $10 billion
- Wells Fargo: $5.8 billion
View the infographic to see more. This suggests an industry in crisis and out of control. Consider a 2013 ethics survey which found that young bankers view wrongdoing as a necessary evil and fear reporting misconduct. Sadly, some of these settlements have been tax deductible, but often such details aren't disclosed. When settlements are tax deductible, that means taxpayers -- you and I -- who did nothing wrong, are really paying part of these fines. Do you want to pay part of these fines and settlements? I don't, and I doubt that you do either.
"... the fact that a portion of settlements can be tax-deductible sends the wrong message to the public.... every dollar in tax write-offs for the companies has to be made up for by the government in higher tax rates, cuts to programs or more national debt... The really pernicious thing here is both the (government) agencies and the banks have an incentive to tout larger but illusory pretax numbers. The agency looks good because they get to hold up a bigger number. The company gets a better bottom line because it can get a big write-off... The only one who loses is the public."
On August 12, U.S. Senator Elizabeth Warren posted on Facebook:
"Since 2009, the big banks and financial institutions have paid at least $128 billion to regulators for the tricks and traps that brought down our economy. But they are happy to pay the fines – in fact, JP Morgan gave its CEO Jamie Dimon a 74% raise for negotiating its settlement. If these settlements are so weak that Wall Street is celebrating, it's not a good deal for the American people. That's why I introduced the Truth in Settlements Act to require accessible, detailed disclosures about settlement agreements. Just a couple weeks ago, the bill made it through the Senate Homeland Security & Governmental Affairs Committee and can now receive a full Senate vote. We're one step closer to stronger transparency and accountability."
Executives often use settlements as a way to avoid admitting any wrongdoing (and to avoid jail time). Some highlights from the Truth in Settlements Act (Adobe PDF):
"If enforcement agencies are confident that settlements are a good deal for the people they represent, they should be willing to publicly disclose the key terms of those agreements. The Truth in Settlements Act demands specificity and transparency in all federal agency settlements that include over $1 million in payments. The Act ensures that relevant details and terms of non-confidential settlements are publicized truthfully, and that the process by which settlements are deemed confidential is assessed and monitored..."
Specific provisions in the legislation require federal agencies to:
- Explain in written public documents what and which portions of the settlement are tax deductible, and any applicable tax "credits" included
- Explain how the settlement payments are classified (e.g., restitution, compensation, penalties, etc.) and the tax implications
- Post online at their websites basic information about settlements over $1 million, with copies of the settlement agreements and details
- Explain why they agreed to a settlement with confidential or secret portions
- Report each year to Congress the statistics about both any settlements over $1 million and any settlements with confidential portions
- The General Accounting Office (GAO) to study and analyze the confidentiality issues, plus make, "legislative and administrative recommendations for reform"
The Act also requires companies that settle with federal enforcement agencies to publish in their SEC filings whether they have deducted any settlement payments from their taxes. You can easily track online the progress of S 1898 (The Truth in Settlements Act).
The Act sounds like an excellent deal for consumers and taxpayers. You want to know what your government is doing so you can hold it accountable. Contact your elected officials and demand that they support the Truth in Settlements Act (S 1898).
What are your opinions of the huge banking settlements? About the tax deductions in many settlements? Of the Truth In Settlements Act?
Community Health Systems, Inc. (CHS) announced a data breach that affected 4.5 million patients nationwide. Breach victims are patients who have done business with any CHS hospitals, or whose physicians are associated with CHS hospitals. CHS said on its website that it includes 206 affiliated hospitals in 29 states, with 135,000 employees and 22,000 physicians.
CHS believes the attack, by hackers from China, occurred between April and June of 2014. Sensitive personal data elements stolen included patient names, addresses, birth dates, telephone numbers and social security numbers. This means that breach victims are vulnerable to identity theft and fraud, since the data elements stolen are sufficient for thieves to apply for and/or open fraudulent credit accounts and loans. The only good news was that the breach did not include patients' medical records and payment information (e.g., credit/debit cards).
CHS has notified federal law enforcement agencies and (links added):
"... engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data."
CHS is notifying breach victims, and will offer identity theft protection services. The announcement did not specify which, if any, data elements were encrypted. Usually, breach announcements state which items were encrypted. Hopefully, future announcements will provide the necessary details.
I browsed the CHS site Monday afternoon expecting to see a notice on the site about the breach. I didn't see one. Maybe it is there and hidden. For context: after its massive breach, Target provided a notice and link on its home page for affected breach victims to easily access important information. CHS needs to do the same.
What's even more troubling is that the Social Security numbers weren't encrypted by CHS. How do I know this? The HIPAA Breach Notification Rule governs when hospitals must disclose data breaches. It says in part (links and bold text added):
"Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance... The guidance... specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information."
In other words, if CHS had encrypted the information stolen, it probably would not have had to issue a breach notification (and incur the related costs). Since it did issue a breach notification, I conclude the data elements stolen -- especially Social Security numbers -- were not encrypted. Even though credit card data wasn't stolen in the breach, this makes one wonder if this payment information is encrypted. Hopefully, CHS will say more soon about what data is encrypted; and why or why not.
While browsing its website, I learned that CHS confirmed in an August 4 press release that it had:
"... resolved the investigation by the U.S. Department of Justice into short stay admissions through emergency departments at certain affiliated hospitals. The parties have entered into a settlement agreement, which concludes the government’s review into whether these 119 hospitals billed Medicare, Medicaid and TRICARE for certain inpatient admissions from January 2005 to December 2010 that the government believed should have been billed as outpatient or observation cases... Under the terms of the agreement, there is no finding of improper conduct by Community Health Systems or its affiliated hospitals, and the Company has denied any wrongdoing. The Company has agreed to pay $88,257,500 in resolution of all federal government claims, including Medicare, TRICARE and the federal share of the Medicaid claims, and an additional $892,500 to the states for their portions of the Medicaid claims."
To see if your hospital was affected, browse the list of CHS locations by state. Have you received a breach notice from CHS? What are your opinions of the notice? Of the identity theft protection services offered?
Earlier this month, the Federal Deposit Insurance Corporation (FDIC) announced a pilot program to encourage school-aged youth to save money. The goals of the program are to collect and share best practices by participating banks.
The pilot program includes two phases:
"... the first covers programs that will be in place during the 2014-2015 school year. Through August 22, 2014, the FDIC is soliciting interest from institutions that will have a youth savings program underway during the 2014-2015 school year. For the second phase, the FDIC will begin soliciting interest in April of 2015 for institutions that will begin new savings programs with schools in the 2015-2016 school year..."
After the "great depression," the U.S. Congress established the FDIC in 1933 to restore public confidence in the nation's banking system. The FDIC insures deposits at the nation's 6,730 banks and savings associations. The agency promotes the safety and soundness of banks by identifying, monitoring and addressing risks.
According to a December 2012 report by the FDIC (Adobe PDF):
"A majority of banks (87 percent) offered at least one of the following specialty savings products: Individual Development Accounts (IDAs), specialized savings clubs, workplace-based savings, or youth (minor) savings accounts. Youth accounts dominated, with 82 percent of financial institutions offering this savings product. Forty-one percent of banks offered specialized savings clubs..."
That same report also concluded about all consumers, not only youth, without bank accounts:
"Community outreach through collaborations with community groups was identified as the most effective strategy for developing relationships with these populations. Despite this recognition, only about half of all banks reported using partnerships with organizations to promote opening checking or savings accounts."
A 2011 study by researchers at the University of Kansas concluded:
"... that when savings accounts are started for children of low-income families and financial education is included, not only are the families more likely to save, but students can be more likely to attend college and graduate... when money is set aside for college, families save more, find creative ways to save even when money is tight and view attending college as a more realistic possibility."
During its pilot program in 2014-15, the FDIC will document innovative practices and assess the success of participating banks. Participating banks must send in December 2014 a summary of the youth savings programs they implemented during the Fall. The FDIC will collect a variety of data about the pilot program, including:
".... the number of accounts opened, the average saved in the accounts, indications on whether the youth accounts helped the institution establish account relationships with the parents, the on-boarding process for the accounts, the financial education strategy used and its reception, the longevity of account relationships, whether banks felt satisfied with their work with the school, and whether the bank’s expectations were met."
What are your opinions of this pilot program? Do youth need to save more?
Here in Massachusetts, the local news media has reported extensively about the confrontations at Market Basket, a regional, low-price supermarket chain. Perhaps, you have heard about it.
The first confrontation was between family members for control of the company. The company's board of directors fired Arthur T. Demoulas in June 2013 and replaced him with two new managers. After that event, workers and managers at the stores banded together to demand Arthur T's return. That led to the current work stoppage and boycott by many customers. Store sales have declined and shelves in most stores are largely empty. During the last few days, hours for many on-the-job workers have been cut.
Former Labor Secretary Robert Reich explained how Arthur T. Demoulas managed Market Basket:
"... his business model. He kept prices lower than his competitors, paid his employees more and gave them and his managers more authority. Late last year he offered customers an additional four percent discount, arguing they could use the money more than the shareholders. In other words, Arthur T. viewed the company as a joint enterprise from which everyone should benefit, not just shareholders. Which is why the board fired him."
In his article, Mr. Reich concluded, perhaps most importantly:
"... interestingly, we’re beginning to see the Arthur T. business model pop up all over the place."
Mr. Reich explained Arthur T's managerial approach was similar to the "B Corporations" (a/k/a "B Corps"):
"That’s a for-profit company whose articles of incorporation require it to take into account the interests of workers, the community and the environment, as well as shareholders. The performance of B-corporations according to this measure is regularly reviewed and certified by a nonprofit entity called B Lab. To date, over 500 companies in sixty industries have been certified as B-corporations... 27 states have passed laws allowing companies to incorporate as “benefit corporations.” This gives directors legal protection to consider the interests of all stakeholders rather than just the shareholders who elected them."
Take a moment for that to sink in.
Benefit corporations intentionally structured themselves to provide benefits for several groups: workers, the community, the environment, and shareholders. That means other types of corporations focus only on benefits for shareholders. They may provide benefits for groups besides shareholders, but they don't have to. In fact, the dominant, traditional business structure provides incentives to benefit primarily shareholders. Mr. Reich explained how this dominant corporate structure happened:
"In the 1980s, corporate raiders began mounting unfriendly takeovers of companies that could deliver higher returns to their shareholders – if they abandoned their other stakeholders. The raiders figured profits would be higher if the companies fought unions, cut workers’ pay or fired them, automated as many jobs as possible or moved jobs abroad, shuttered factories, abandoned their communities and squeezed their customers. Although the law didn’t require companies to maximize shareholder value, shareholders had the legal right to replace directors. The raiders pushed them to vote out directors who wouldn’t make these changes..."
You're probably wondering if any brands or companies you know are B Corps. Maybe you are curious, or maybe you want to shop only at businesses that are B Corps. Maybe you want to invest in B Corps, or socially responsible corporations.
The folks at B Labs developed a nifty mechanism to search their database. You can search by name, industry, city, state, and/or country. I ran several searches and found:
- Amazon: no
- Ben & Jerry's: yes
- Breckinridge Capital Advisors: yes
- Etsy: yes
- Hobby Lobby: no
- King Arthur Flour Company: yes
- McDonald's: no
- Tech Networks of Boston: yes
- Trillium Asset Management: yes
- Whole Foods: no
After searching, you can click through to a detailed report about each company and how it performs against B Corps criteria; often for both the current and prior years. The B Labs site explained it:
"B Corp is to business what Fair Trade certification is to coffee or USDA Organic certification is to milk. B Corps are certified by the nonprofit B Lab to meet rigorous standards of social and environmental performance, accountability, and transparency. Today, there is a growing community of more than 1,000 Certified B Corps from 33 countries and over 60 industries..."
This search tool allows consumers to learn whether their favorite brand walks the talk, or not. Any corporation can hire an advertising agency to develop ads, taglines, slogans, websites, and/or apps that say their company provides benefits to groups beyond shareholders. But do they really? Are they structured to do so? How have they performed? You can use the B Labs site to start answering these questions. You can find corporations that are walking the talk.
It is important to remember that there is a difference between "B Corps" and "Benefits corporations." The Cullinane Law Group emphasized the difference:
"B Corps and Benefit Corporations are distinct terms that are often used interchangeably, but there are clear differences. In short,
- B Corp: a certification or “stamp of approval” by a third-party certifying company.
- Benefit Corporation: is a specific legal corporate structure within a state."
The states that provide the "Benefit Corporation" structure:
"... Arizona (effective December 31, 2014), Arkansas (effective August 2013), California, Colorado (effective April 1, 2014), Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Nevada (effective January 1, 2014), New Jersey, New York, Oregon (effective January 1, 2014), Pennsylvania, South Carolina, Vermont, Virginia, and Washington D.C."
Will Market Basket workers or its board prevail? That remains to be seen. Will Market Basket restructure as a Benefit Corporation? That, too, remains to be seen. Perhaps, if it did the company could have avoided the pain it is now experiencing.
What are your opinions of B Corporations? Of the B Labs search tool? Should more states enact legislation for benefits corporations?
U.S. Senator Charles Schumer (D-New York) described the privacy threat to consumers from fitness apps that collect and share consumers' sensitive fitness and health data with third parties -- without notice or consent. In an August 10th news conference and press release, the Senator expressed his privacy concerns:
"... personal health and fitness data – so rich that an individual can be identified by their gait – is being gathered and stored by fitness bracelets like ‘FitBit’ and others like it, and can potentially be sold to third parties, like employers, insurance providers and other companies, without the users’ knowledge or consent. Schumer said that this creates a privacy nightmare, given that these fitness trackers gather highly personal information on steps per day, sleep patterns, calories burned, and GPS locations. Users often input private health information like blood pressure, weight and more...."
While the Senator believes that fitness apps are an effective and helpful technology for better health, the privacy concerns are compounded by the fact that:
"There are currently no federal protections to prevent those developers from then selling that data to a third party without the wearer’s consent. Schumer therefore urged the Federal Trade Commission (FTC) to push for fitness device and app companies to provide a clear and obvious opportunity to “opt-out” before any personal health data is provided to third parties, who could discriminate against the user based on that sensitive and private health information."
A March 3, 2014 blog post explored the massive data collection by Facebook via several fitness apps. The Senator's privacy concerns are valid since we already know that at least one credit reporting agency wants access to consumers' data collected by Facebook and other social networking services. News organizations have widely reported about several problems in the credit reporting industry: failures to fix errors in the reports they sell, data breaches, and settlement agreements about alleged improper list sales.
"What Data May be Shared With Third Parties?
First and foremost: We don’t sell any data that could identify you. We only share data about you when it is necessary to provide our services, when the data is de-identified and aggregated, or when you direct us to share it."
Ways your sensitive data with Fitbit might be shared:
"Other Ways You Might Share Your Data
Default Visibility Settings -- The privacy settings on new Fitbit accounts are set to reveal minimal data about you with the purpose of getting you active and involved with Fitbit...
Fitbit Social Tools -- Fitbit provides many ways for you to share data with other Fitbit users, such as with the 7-day Leaderboard, Challenges, or by posting comments to the Fitbit community message boards. When you interact with others in these ways, you will be displaying your data based upon the visibility settings in your User Account privacy settings...
Community Posts -- To post to Fitbit community message boards, you’ll be asked to create a community username that’s separate from your Fitbit username. This community username will be posted next to any comments you publish on community message boards. Other information, like a profile photo that you’ve added to your Fitbit account may also be visible on message boards, depending on your Fitbit account settings."
Second, Fitbit does not honor Do Not Track browser settings:
"Although we would like to honor the browsers set with a “Do Not Track” signal, we are currently unable to honor those signals. We believe that consumers should exercise choice regarding the collection of this type of data, which is why we disclose the cookies used and provide links to opt-out of those collection practices below."
So, the burden is on the consumer to pay close attention. This brings us to my third observation: the policy does not offer a global opt-out of all data sharing, which Senator Schumer called for. A global opt-out mechanism would make it easy for consumers to ensure that no sensitive health and fitness data is shared with third parties. Instead, the burden is on users to wade through every program, site feature, and mobile app feature and its corresponding rules or policies.
Fourth, the Fitbit policy doesn't indicate what is stored in cloud services, that is, on computers hosted by third-party companies. My March 3, 2014 blog post explored the privacy policies of other fitness apps, and some of them mention cloud services. To be informed shoppers, consumers must think about this in the context of the specific mobile platform (e.g., Apple iOS, Android, etc.). Whatever is transmitted through your mobile device potentially could be shared with the manufacturers of that device, its operating system, and the telephone company.
What are your opinions about the privacy of fitness apps?
Last week, Target announced the impact upon second-quarter expenses related to its December 2013 data breach. The retailer announced in an August 5 news release:
"... second quarter financial results are expected to include gross expenses of $148 million, partially offset by a $38 million insurance receivable, related to the December 2013 data breach. These expenses include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks. In addition, the Company provided an estimate of costs related to its recently-completed early debt retirement and updated expectations for second-quarter Adjusted and GAAP earnings per share..."
The announcement also stated:
"Expenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, the Company’s estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims. These estimates may change as new information becomes available and, although the Company does not believe it is probable, it is reasonably possible that the Company may incur a material loss in excess of the amount accrued. The Company is unable to estimate the amount of such reasonably possible excess loss exposure at this time. The accrual does not reflect future breach-related legal, consulting or administrative fees, which are expensed as incurred and not expected to be material in any individual period..."
The retailer's stock closed at about $60.70 on August 4. On August 5, the stock opened at about $58.09, and dipped to $57.40 on August 7. The share price closed at $58.56 on Friday, August 8. Prior prices were $63.27 on December 31, 2013 and $71.13 on August 13, 2013. Data and the chart below are from Google Finance.
It has been an interesting week for Hold Security, LLC, an information security, risk management, and incident response company. In an August 5 news release with the sensational headline, "You Have Been Hacked," the company announced:
"... Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date... After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data... over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites..."
Hold Security named the gang of Russian hackers "CyberVors." The company's news release also described how the hack happened:
"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited..."
Reportedly, the total hack was 4.5 billion username/e-mail and password pairs... a stunning total. The haul included some duplicates and passwords no longer used:
"If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple password corresponding to a single e-mail address. Not all of them are valid or current. Some people use fake e-mail addresses, in other cases the CyberVor gang might have stolen credentials that belonged to an e-mail address that you no longer have... or a password that you haven’t used for over a decade, or even a default password automatically assigned to you by a website."
News about the hacking was widely reported by news organizations, including the New York Times on August 5:
"Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."
Also on August 5, Forbes magazine reported:
"The story provides few details beyond hyperbolic numbers: 1.2 billion username and password combinations... No specifics about the state of those passwords: whether they’re in clear-text — the worst case scenario — or in encrypted form.... "
Users in multiple countries were affected, and Hold Security did not provide a list of countries. The Forbes article described Hold Security's announcement of its subscription service including continuous monitoring for firms and consumers:
"You can pay “as low as $120” to Hold Security monthly to find out if your site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up... Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a “coming soon” message. Holden says by email that the service will actually be $10/month and $120/year."
The Forbes article was critical of both Hold Security and the New York Times:
"Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it."
I agree with that criticism of Hold Security. The same Hold Security news release also appeared to be a product announcement:
"Companies -- check if your website is susceptible to a SQL injection... Hold Security is proud to announce our new Breach Notification Service (BNS). After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches..."
"Individuals -- the ultimate victims of the CyberVor gang are the end-users. Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days. Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable..."
I would have liked the New York Times reporters to have used more skepticism. The Guardian UK reported on August 6:
"Security researchers from Kaspersky, Symantec and University College London have questioned the news reported on Tuesday that private security firm Hold Security had identified a Russian cybercriminal gang called CyberVor, which had amassed a database of more than 4.5bn stolen records... Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users."
The Guardian UK article concluded with this advice for consumers:
"Security experts are advising that users keep aware of developments with the CyberVor breach, but that immediately changing all their passwords is not yet the appropriate action."
Experts also advised consumers not to use the same password in multiple sites (e.g., bank accounts, social networking sites, e-mail services, etc.). When you do, it makes it easy for criminals to hack into your accounts and steal money.
"If CyberVor were shopping for the Fortune 500 data instead of cracking systems, on the other hand, the group would have had plenty of options. The data could have come from Target, LinkedIn, or an upstream breach like the Global Payments hack in 2012. All that data is still kicking around the darker corners of the web, available to anyone willing to pay for it. The usernames get cheaper as they get older, so in the case of a two-year-old hack like Global Payments, counting to a billion wouldn't even be that expensive. The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money... If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming..."
You can read about the Target and Global Payments breaches in this blog. After reading about the CyberVors hack, I had two reactions:
1. Something doesn't seem quite right.
During the past seven years I've written this blog, I have learned that companies experiencing data breaches usually hire a security firm to assist with the breach investigation and post-breach incident management. Companies usually notify users and customers affected by the data breach. That notice often includes some period (e.g., one or two years) of free credit monitoring services. The security firm rarely, if ever, marketed any subscription monitoring services directly to consumers without a client company.
So, what Hold Security has done seems to have skipped a couple of steps... important steps. It's critical for the affected companies to do their own breach investigations and notify their affected users and/or customers. The breach notification laws in many states require such notice.
2. There may be an unreported story that needs to be told.
The New York Times article reported this about its conversations with Alex Holden, the founder and chief information officer at Hold Security:
"“They audited the Internet,” Mr. Holden said."
Assuming that the "they" refers to the CyberVors hacking gang, it suggested that the gang may have capabilities to analyze e-mail and password combinations. Do hackers employ state-of-the-art data mining or "big data" analysis techniques? If so, that is a scary thought with consequences.
Such analyses could make it easier to guess passwords. If a database of stolen e-mail and password pairs includes the history of a user's passwords, it could make it easier to predict a current password. Here's a simple example (using an extremely poorly constructed password). A consumer used the "123password" password in 2013, then changed it to "234password" in 2014. It doesn't take a genius to guess that the user's probable next password would be "345password". If criminals are analyzing the databases they've compiled of stolen e-mail/password pairs, we need to know. I would expect security companies and news organizations to investigate, confirm, and alert consumers.
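A website can catch the "123password" to "234password" habit at the moment a user changes a password, because the change form has both the current and the new password in hand. The Python check below is an added example, not code from Hold Security or any site named in this post; the function names and the thresholds `max_step` and `min_edits` are assumptions chosen for illustration.

```python
import re

DIGITS = re.compile(r"\d+")


def split_password(pw):
    """Return (skeleton, digit_runs): lowercased text with each digit run replaced by '#'."""
    return DIGITS.sub("#", pw).lower(), DIGITS.findall(pw)


def digit_shift(old_run, new_run):
    """Return k if every digit moved by the same amount k (mod 10), else None."""
    if len(old_run) != len(new_run):
        return None
    shifts = {(int(n) - int(o)) % 10 for o, n in zip(old_run, new_run)}
    return shifts.pop() if len(shifts) == 1 else None


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_password_change(old, new, max_step=10, min_edits=4):
    """Return the reasons to reject `new`; an empty list means no pattern was found.

    Assumes the current password is available in plaintext only because the
    user just typed it into the change form; nothing here needs a stored history.
    """
    reasons = []
    old_skel, old_runs = split_password(old)
    new_skel, new_runs = split_password(new)
    if old.lower() == new.lower():
        reasons.append("same password apart from letter case")
    elif old_skel == new_skel and old_runs:
        # Same words and symbols in the same places; only the numbers moved.
        reasons.append("only the digits changed")
        for o, n in zip(old_runs, new_runs):
            k = digit_shift(o, n)
            if k:
                reasons.append(f"every digit in {o} shifted by {k}")
            elif 0 < abs(int(n) - int(o)) <= max_step:
                reasons.append(f"counter {o} stepped to {n}")
    if not reasons and edit_distance(old.lower(), new.lower()) < min_edits:
        reasons.append(f"fewer than {min_edits} character edits from the old password")
    return reasons


if __name__ == "__main__":
    # Constructed sample pairs; the first is the example from this post.
    for old, new in [("123password", "234password"), ("Summer2013!", "Summer2014!"),
                     ("123password", "correct horse battery staple")]:
        print(old, "->", new, ":", review_password_change(old, new) or "no pattern found")
```

A check like this only covers the step from the current password to the next one; it does not replace screening new passwords against lists of already-breached passwords.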
What are your opinions of the CyberVors hacking? Of Hold Security's subscription services?
The Office of the Attorney General (AG) for the state of Oregon has filed a lawsuit against the manufacturer of 5-Hour Energy drink. Oregon AG Ellen Rosenblum filed the suit on July 17, 2014 against Living Essentials and Innovation Ventures. The suit alleged the defendants:
"... used print, television, Internet and radio advertising to claim that 5-hour ENERGY® contains a unique blend of ingredients that provide consumers with energy, alertness and focus, when in reality the only ingredient that provides any effect is the concentrated dose of caffeine.... The lawsuit, which was filed in Multnomah Circuit Court, also targets allegedly misleading claims that the product will not cause consumers to experience a ‘crash’. The suit also focuses on claims that the product has been recommended by doctors in a way that it has not..."
Dating Service Admitted Performing Online Experiments Using Its Customers Without Notice And Consent
In a wide-ranging and arrogant blog post to promote his new book, Christian Rudder, the co-founder of the OKCupid dating website, described several experiments the site performed on its customers:
"... chose to celebrate the app’s release by removing all the pictures from OkCupid on launch day. “Love Is Blind Day” on OkCupid—January 15, 2013... But by comparing Love Is Blind Day to a normal Tuesday, we learned some very interesting things. In those 7 hours without photos: people responded to first messages 44% more often; conversations went deeper; contact details were exchanged more quickly; in short, OKCupid worked better..."
In another experiment, the OKCupid site changed its display parameters, telling some users with poor matches that the matches were excellent and the reverse:
"... the “match percentage” we calculate for users is very good at predicting relationships. It correlates with message success, conversation length, whether people actually exchange contact information, and so on... To test this, we took pairs of bad matches (actual 30% match) and told them they were exceptionally good for each other (displaying a 90% match.)† Not surprisingly, the users sent more first messages when we said they were compatible..."
"Because of a diagnostic test, your match percentage with XXX was misstated as 31%. It is really 91%. We wanted to let you know."
Diagnostic test? That explanation doesn't sound entirely accurate. It sounds like some type of error-checking routine, and not a true admission or notification of an intentional marketing test. Were customers offered refunds for "misstated" compatibility matches? If I were an OKCupid customer, I'd demand a refund as the service didn't seem to deliver what was promised.
Rudder's blog post provides plenty of statistics about what the company learned from its live tests with customers. Rudder's blog post gave the impression that the ends justify the means -- that the wealth of data the company collected justified the test approach. Rudder also defended Facebook, after that social networking site had been criticized for performing experiments on its members without notice or explicit consent:
"We noticed recently that people didn’t like it when Facebook “experimented” with their news feed. Even the FTC is getting involved. But guess what, everybody: if you use the Internet, you’re the subject of hundreds of experiments at any given time, on every site. That’s how websites work."
All websites? For sure, at least Facebook and OKCupid.
I am no prude. I fully expect websites to explore and implement new services, content, and functionality. How one does it matters. The ends do not justify the means.
During the last 20 years, as a usability professional I have built dozens of websites in a variety of industries: telecommunications, petroleum, travel, banking, insurance, higher education, food, consumer packaged goods, and more. In all instances, we used a variety of standard, proven test methods to collect users' opinions and reactions to proposed website features and functionality. Usually, we started by asking users -- customers and prospective customers -- what they wanted in the site that they couldn't get today. Many users will tell you. Many users are happy to tell you.
Frankly, it makes sense -- time wise and financially -- to build features that users want. No matter how curious OKCupid executives may be, I highly doubt that the site's users wanted the service to lie to them about compatibility matches.
After compiling a list of requested features (e.g., content and/or functionality), we tested implementation approaches... not on the live site, but in usability sessions with mockups or with prototypes. That approach builds users' trust. Many users appreciated the opportunity to view and comment on new features before those features are added to the live site.
In other cases, we used focus group sessions to uncover users' needs and to explore their reactions and attitudes. We often used rigorous questionnaires (sometimes in combination with other test methods), so that we could analyze the results later. In some instances, we included survey forms with the live site.
My point: we never adjusted the live site's core functions and contents without notice. We didn't add new features to live sites until after all testing was finished, the new features were built, and all "bugs" or code glitches were fixed. Anyone experienced with website development knows that it takes time to get the bugs out. When you add new features, they often affect, or break, something else -- unintended consequences.
Users' trust and reliability are critical. Frankly, we trusted users enough to ask them what they wanted. We trusted users enough to inform them of tests. We respected users enough to compensate test participants for their time. We respected users enough to acknowledge that some have a right to not participate in tests.
After reading Mr. Rudder's blog post, I began to wonder how trustworthy the OKCupid site really is. The good: OKCupid executives are curious, want to continually improve their site, and act quickly. The not-so-good: curiosity and acting quickly aren't enough. Users rely on the live site to operate as advertised and promised. Deviations from that, with unannounced tests that users can't opt out of, erode users' confidence and trust.
All of the tests Rudder described could have been performed with standard testing methods, some of which I have described above, without directly changing the live site. Maybe the OKCupid executives aren't aware of, or wanted to skip the costs and time of, traditional testing methods. Maybe speed is their primary goal. In their rush to improve things, Mr. Rudder and his executive team seem comfortable to unnecessarily risk consumers' trust and respect.
If this is the current state of social networking sites, then the industry has fallen. It has moved beyond simply collecting, archiving, and analyzing massive amounts of consumers' personal information for advertising revenues. It also operates arrogantly: making any changes they please to live sites, while ignoring users' trust and respect. That's not something I look for in a site. Nor will I buy Mr. Rudder's book.
What are your opinions of OKCupid's tests?
Everyone uses USB flash drives (a/k/a thumb drives) to store and share information. Consumers rely upon anti-virus software to scan and detect any computer viruses infecting USB drives. According to a Wired report, researchers have created a proof-of-concept demonstrating the difficulty -- or impossibility -- of detecting and removing malware from USB devices:
"... researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken... Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it... The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic..."
A wide variety of devices employ USB technology: mice, keyboards, desktop computers, laptops, smartphones, tablets, and more. Experts advise consumers to:
- Purchase USB sticks and devices only from reputable, trusted retailers,
- View any USB sticks or devices you receive from untrusted sources, or people, as infected, and
- Don't insert USB sticks and devices into untrusted computers or devices.
What are your opinions of USB sticks? USB security?