403 posts categorized "Data Breaches" Feed

New York State Strengthens Its Data Breach Laws

To help its residents, the State of New York has improved its existing data breach law. Governor Andrew Cuomo signed two bills on July 25th:

"The Governor signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system."

The Governor's announcement emphasized the importance of the state's laws keeping pace with rapid advances in technology. To address new technologies, the SHIELD Act will provide stronger protections by:

"1) Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers; 2) Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; 3) Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State; 4) Expanding the definition of a data breach to include unauthorized access to private information; and 5) Creating reasonable data security requirements tailored to the size of a business."

The full text of the SHIELD Act legislation is available here. The SHIELD Act will go into effect on March 21, 2020. The announcement also mentioned Equifax:

"In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers... the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach..."

So, it seems that Equifax's breach and data security failures factored into the new legislation. The announcement also explained the new Identity Theft Prevention and Mitigation Services (A.2374/S.3582) legislation:

This legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency. It requires credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services, and if applicable, identity theft mitigation services to affected customers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost. The bill... applies to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act."

The A.2374/S.3582 bill will go into effect on September 23, 2019. The retroactive coverage of three years is good as it ensures credit reporting agencies with recent data breaches cannot escape responsibility.

Consumer reporting agencies enjoy a unique position as consumers cannot opt out of having their credit reports covered by Experian, Equifax, and TransUnion. Some people would call that corporate welfare. It would be great if consumers had the right to remove their credit reports from credit reporting agencies that practice poor data security with repeated data breaches. Consumers have that right with retail stores -- you can stop shopping at stores with poor data security and multiple data breaches.

In related news, JD Supra reported about proposed legislation:

"... New York City lawmakers have proposed a bill that would make it unlawful for a mobile app developer or telecommunications carrier to share a customer’s location data without an authorized purpose if the data was collected from the customer’s device within the city. The bill broadly defines the term “share” as making “location data available to another person, whether for a fee or otherwise,” suggesting that selling information is unlawful without an authorized purpose such as customer consent. The bill allows for a private right of action, including penalties for violations of $1,000 per violation, with a maximum penalty of $10,000 per day per person whose location data was unlawfully shared, as well as attorney’s fees."

To learn more, read about new data breach legislation in other states this year.


FTC Levies $5 Billion Fine, 'New Restrictions, And Modified Corporate Structure' To Hold Facebook Accountable. Will These Actions Prevent Future Privacy Abuses?

The U.S. Federal Trade Commission (FTC) announced on July 24th a record-breaking fine against Facebook, Inc., plus new limitations on the social networking service. The FTC announcement stated:

"Facebook, Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information... The settlement order announced [on July 24th] also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance..."

During 2018, Facebook generated after-tax profits of $22.1 billion on sales of $55.84 billion. While a $5 billion fine is a lot of money, the company can easily afford the record-breaking fine. The fine equals about one month's revenues, or a little over 4 percent of its $117 billion in assets.

U.S. Federal Trade Commission. New compliance system for Facebook. Click to view larger version The FTC announcement explained several "unprecedented" restrictions in the settlement order. First, the restrictions are designed to:

"... prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making... It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors."

Facebook logo Second, the restrictions mandated compliance officers:

"Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties."

Third, the new order strengthens oversight:

"... The order enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order."

Fourth, the order included six new privacy requirements:

"i) Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; ii) Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising; iii) Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users; iv) Facebook must establish, implement, and maintain a comprehensive data security program; v) Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and vi) Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services."

Wow! Lots of consequences when a manager builds a corporation with a, "move fast and break things" culture, values, and ethics. Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division said:

"The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information... This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness."

There is disagreement among the five FTC commissioners about the settlement, as the vote for the order was 3 - 2. FTC Commissioner Rebecca Kelly Slaughter stated in her dissent:

"My principal objections are: (1) The negotiated civil penalty is insufficient under the applicable statutory factors we are charged with weighing for order violators: injury to the public, ability to pay, eliminating the benefits derived from the violation, and vindicating the authority of the FTC; (2) While the order includes some encouraging injunctive relief, I am skeptical that its terms will have a meaningful disciplining effect on how Facebook treats data and privacy. Specifically, I cannot view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance; (3) Finally, my deepest concern with this order is that its release of Facebook and its officers from legal liability is far too broad..."

FTC Commissioners Noah Joshua Phillips and Christine S. Wilson stated on July 24th in an 8-page joint statement (Adobe PDF) with Chairman Joseph J. Simons of the U.S. District Court for the District of Columbia:

"In 2012, Facebook entered into a consent order with the FTC, resolving allegations that the company misrepresented to consumers the extent of data sharing with third-party applications and the control consumers had over that sharing. The 2012 order barred such misrepresentations... Our complaint announced today alleges that Facebook failed to live up to its commitments under that order. Facebook subsequently made similar misrepresentations about sharing consumer data with third-party apps and giving users control over that sharing, and misrepresented steps certain consumers needed to take to control [over] facial recognition technology. Facebook also allowed financial considerations to affect decisions about how it would enforce its platform policies against third-party users of data, in violation of its obligation under the 2012 order... The $5 billion penalty serves as an important deterrent to future order violations... For purposes of comparison, the EU’s General Data Protection Regulation (GDPR) is touted as the high-water mark for comprehensive privacy legislation, and the penalty the FTC has negotiated is over 20 times greater than the largest GDPR fine to date... IV. The Settlement Far Exceeds What Could be Achieved in Litigation and Gives Consumers Meaningful Protections Now... Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit. Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations... V. Mark Zuckerberg is Being Held Accountable and the Order Cabins His Authority Our dissenting colleagues argue that the Commission should not have settled because the Commission’s investigation provides an inadequate basis for the decision not to name Mark Zuckerberg personally as a defendant... The provisions of this Order extinguish the ability of Mr. Zuckerberg to make privacy decisions unilaterally by also vesting responsibility and accountability for those decisions within business units, DCOs, and the privacy committee... the Order significantly diminishes Mr. Zuckerberg’s power — something no government agency, anywhere in the world, has thus far accomplished. The Order requires multiple information flows and imposes a robust system of checks and balances..."

Time will tell how effective the order's restrictions and $5 billion are. That Facebook can easily afford the penalty suggests the amount is a weak deterrence. If all or part of the penalty is tax-deductible (yes, tax-deductible fines have happened before to directly reduce a company's taxes), then that would weaken the deterrence effectiveness. And, if all or part of the fine is tax-deductible, then we taxpayers just paid for part of Facebook's alleged wrongdoing. I'll bet most taxpayers wouldn't want that.

Facebook stated in a July 24th news release that its second-quarter 2019 earnings included:

"... an additional $2.0 billion legal expense related to the U.S. Federal Trade Commission (FTC) settlement and a $1.1 billion income tax expense due to the developments in Altera Corp. v. Commissioner, as discussed below. As the FTC expense is not expected to be tax-deductible, it had no effect on our provision for income taxes... In July 2019, we entered into a settlement and modified consent order to resolve the inquiry of the FTC into our platform and user data practices. Among other matters, our settlement with the FTC requires us to pay a penalty of $5.0 billion and to significantly enhance our practices and processes for privacy compliance and oversight. In particular, we have agreed to implement a comprehensive expansion of our privacy program, including substantial management and board of directors oversight, stringent operational requirements and reporting obligations, and a process to regularly certify our compliance with the privacy program to the FTC. In the second quarter of 2019, we recorded an additional $2.0 billion accrual in connection with our settlement with the FTC, which is included in accrued expenses and other current liabilities on our condensed consolidated balance sheet."

"Not expected to be" is not the same as definitely not. And, business expenses reduce a company's taxable net income.

A copy of the FTC settlement order with Facebook is also available here (Adobe PDF format; 920K bytes). Plus, there is more:

"... the FTC also announced today separate law enforcement actions against data analytics company Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users. Kogan and Nix have agreed to a settlement with the FTC that will restrict how they conduct any business in the future."

Cambridge Analytica was involved in the massive Facebook data breach in 2018 when persons allegedly posed as academic researchers in order to download Facebook users' profile information they really weren't authorized to access.

What are your opinions? Hopefully, some tax experts will weigh in about the fine.


Equifax To Pay $575 Million To Settle Charges By U.S. Regulators About Massive 2017 Data Breach

U.S. Federal Trade Commission logo Yesterday, the U.S. Federal Trade Commission (FTC) announced a proposed settlement agreement with Equifax, a national credit reporting agency, which has agreed to pay $575 million to resolve charges about its massive data breach in 2017. That breach exposed the sensitive personal and financial information of about half of all citizens in the United States. The announcement stated:

"In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud..."

U.S. Consumer Financial Protection Bureau The global, proposed settlement agreement included the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The FTC announcement described Equifax's data security failures (emphasis added):

"The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out... Equifax did not discover that its ACIS database was unpatched until July 2017... A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information... The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures... the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text."

A truly staggering amount. The most sensitive personal and financial information, indeed. Terms of the proposed settlement:

"... Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide."

The settlement also requires Equifax implement a "comprehensive information security plan," and to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. The comprehensive information security plan will: a) designate an employee to oversee the program; b) include annual assessment of security risks and safeguards; c) obtain "annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order;" d) monitor the effectiveness of security safeguards implemented; e) ensure service providers that access personal information stored by Equifax also implement adequate safeguards; and f) obtain third-party assessments every two years.

The CFPB also announced the proposed settlement on its website. CFPB Director Kathleen L. Kraninger said:

"Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority."

Kraninger also encouraged consumers affected by the breach to submit their claims to receive free credit monitoring or cash reimbursements. Equifax Chief Executive Officer Mark W. Begor said:

"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company. The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data... We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program..."

Also, Equifax has set up a website about the settlement: www.equifaxbreachsettlement.com. However, the site says it won't be fully functional until after it receives the approved court order. So, it seems best for affected consumers to deal directly with the FTC.

And, several questions remain. The Identity Theft Resource Center (ITRC) discussed the proposed settlement:

"What victims will qualify for reimbursement? How will victims provide accurate evidence of their efforts and misfortunes? Is this fund only for victims who purchased identity theft services? What is the option for victims who did not have the resources then or now to purchase paid services or avail themselves of free services like those ITRC provides? If all victims filed claims and funds were distributed equally to all 148 million people, each would receive fewer than $3.00 in funds or cost of assistance. This does not accurately reflect the true value of the data that was compromised..."

Yep. More payments by Equifax may be required.

And, the ITRC article includes an important reminder. While the Equifax offer includes a long period of free credit monitoring services -- up to 10 versus the usual 2 years -- the risk to affected consumers never goes away:

"... identity theft has no expiration date. The threat of identity theft does not decrease as more time passes from the date of the breach."

This is why it is critical for companies to deploy the strongest data security measures possible. After data breaches, consumers bear the long-term risks.

Last, the FTC encourages Equifax employees who believe the company fails to comply with the settlement to contact the FTC at equifax@ftc.gov. Affected consumers should contact the FTC directly at the website below:

F.T.C. instructions for consumers affected by Equifax breach


2 Healthcare Software Providers Agree To Settlement With 16 States' Attorneys General To Resolve Charges About 2015 Data Breach

The Attorney General's Office for the State of Arizona announced last month a major settlement agreement with two healthcare software providers: Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard, LLC (hereafter, referred to jointly as "MIE") following a massive data breach at MIE in 2015.  The press release by AG Mike Brnovich stated:

"The settlement resolves a bipartisan lawsuit filed by Arizona and 15 other states against MIE relating to a 2015 data breach, which was the first such multistate lawsuit involving claims under the federal Health Insurance Portability and Accountability Act ("HIPAA"). As a result of the settlement, MIE will pay $900,000 to the states, and it has agreed to a comprehensive injunction requiring the implementation of significant data-security improvements."

Medical Informatics Engineering logo The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. States involved in the joint lawsuit and settlement included Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The data breach occurred between May 7, 2015, and May 26, 2015, when hackers broke into WebChart, a web application by MIE and stole:

"... the electronic Protected Health Information ("ePHI") of more than 3.9 million individuals, including roughly 26,000 Arizonans. Stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics."

The consent order and judgment is available here. Indiana’s share was $174,745.29. Indiana AG Curtis Hill said:

"Hoosier consumers trust us to look out for their interests... Once again, we have acted on their behalf to pursue the appropriate penalties and remedies available under the law. We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest possible ethics and the utmost diligence in making sure their systems are safe and secure."


Google Home Devices Recorded Users' Conversations. Legal Questions Result. Google Says It Is Investigating

Many consumers love the hands-free convenience of smart speakers. However, there are risks with the technology. BBC News reported on Thursday:

"Belgian broadcaster VRT exposed the recordings made by Google Home devices in Belgium and the Netherlands... VRT said the majority of the recordings it reviewed were short clips logged by the Google Home devices as owners used them. However, it said, 153 were "conversations that should never have been recorded" because the wake phrase of "OK Google" was not given. These unintentionally recorded exchanges included: a) blazing rows; b) bedroom chatter; c) parents talking to their children; d) phone calls exposing confidential information. It said it believed the devices logged these conversations because users said a word or phrase that sounded similar to "OK Google" that triggered the device..."

So, conversations that shouldn't have been recorded were recorded by Google Home devices. Consumers use the devices to perform and control a variety of tasks, such as entertainment (e.g., music, movies, games), internet searches (e.g., cooking recipes), security systems and cameras, thermostats, window blinds and shades, appliances (e.g., coffee makers), online shopping, internet searches, and more.

The device software doesn't seem accurate, since it mistook similar phrases as wake phrases. Google calls these errors "false accepts." Google replied in a blog post:

"We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards... We apply a wide range of safeguards to protect user privacy throughout the entire review process. Language experts only review around 0.2 percent of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google."

"The Google Assistant only sends audio to Google after your device detects that you’re interacting with the Assistant—for example, by saying “Hey Google” or by physically triggering the Google Assistant... Rarely, devices that have the Google Assistant built in may experience what we call a “false accept.” This means that there was some noise or words in the background that our software interpreted to be the hotword (like “Ok Google”). We have a number of protections in place to prevent false accepts from occurring in your home... We also provide you with tools to manage and control the data stored in your account. You can turn off storing audio data to your Google account completely, or choose to auto-delete data after every 3 months or 18 months..."

To be fair, Google is not alone. Amazon Alexa devices also record and archive users' conversations. Would you want your bedroom chatter recorded (and stored indefinitely)? Or your conversations with your children? Many persons work remotely from home, so would you want business conversations with coworkers recorded? I think not. Very troubling news.

And, there is more.

This data security incident confirms that human workers listen to recordings by Google Assistant devices. Those workers can be employees or outsourced contractors. Who are these contractors, by name? What methods does Google employ to confirm privacy compliance by contractors? So many unanswered questions.

Also, according to U.S. News & World Report:

"Google's recording feature can be turned off, but doing so means Assistant loses some of its personalized touch. People who turn off the recording feature lose the ability for the Assistant to recognize individual voices and learn your voice pattern. Assistant recording is actually turned off by default — but the technology prompts users to turn on recording and other tools in order to get personalized features."

So, to get the full value of the technology, users must enable recordings. That sounds a lot like surveillance by design. Not good. You'd think that Google software developers would have developed a standard vocabulary, or dictionary, in several languages (by beta test participants) to test the accuracy of Assistant software; rather than review users' actual conversations. I guess they viewed it easier, faster, and cheaper to snoop on users.

Since Google already scans the contents of Gmail users' email messages, maybe this is simply technology creep and Google assumed nobody would mind human reviews of Assistant recordings.

About the review of recordings by human workers, the M.I.T. Technology Review said:

"Legally questionable: Because Google doesn’t inform users that humans review recordings in this way, and thus doesn’t seek their explicit consent for the practice, it’s quite possible that it could be breaking EU data protection regulations. We have asked Google for a response and will update if we hear back."

So, it will be interesting to see what European Union regulators have to say about the recordings and human reviews.

To summarize: consumers have willingly installed perpetual surveillance devices in their homes. What are your views of this data security incident? Do you enable recordings on your smart speakers? Should human workers have access to archives of your recorded conversations?


Evite Admitted Data Breach. Doesn't Disclose The Number Of Users Affected

Evite logo Evite, the online social and invitations site, disclosed last month a data breach affecting some of its users:

"We became aware of a data security incident involving potential unauthorized access to our systems in April 2019. We engaged one of the leading data security firms and launched a thorough investigation. The investigation potentially traced the incident to malicious activity starting on February 22, 2019. On May 14, 2019, we concluded that an unauthorized party had acquired an inactive data storage file associated with our user accounts... Upon discovering the incident, we took steps to understand the nature and scope of the issue, and brought in external forensic consultants that specialize in cyber-attacks. We coordinated with law enforcement regarding the incident, and are working with leading security experts to address any vulnerabilities..."

Evite was founded in 1998, so there could be plenty of users affected. The breach announcement did not disclose the number of users affected.

The Evite breach announcement also said, "No user information more recent than 2013 was contained in the file" which was accessed/stolen by unauthorized persons. Evite said it has notified affected users, and has reset the passwords of affected users. The Evite system will prompt affected users to create new passwords when signing into the service.

The announcement listed the data elements accessed/stolen: names, usernames, email addresses, and passwords. If users also entered their birth dates, phone numbers, and mailing addresses then those data elements were also access/stolen. Social Security numbers were not affected since Evite doesn't collect this data. Evite said payment information (e.g., credit cards, debit cards, bank accounts, etc.) was not affected because:

"We do not store financial or payment information. If you opted to store your payment card in your account, your payment information is maintained by and stored on the internal systems of our third-party vendor."

Thank goodness for small wonders. The Evite disclosure did not explain why passwords were not encrypted, nor if that or other data elements would be encrypted in the future. As with any data breach, context matters. ZD Net reported:

"... a hacker named Gnosticplayers put up for sale the customer data of six companies, including Evite. The hacker claimed to be selling ten million Evite user records that included full names, email addresses, IP addresses, and cleartext passwords. ZDNet reached out to notify Evite of the hack and that its data was being sold on the dark web on April 15; however, the company never returned our request for comment... Back in April, the data of 10 million Evite users was put up for sale on a dark web marketplace for ฿0.2419 (~$1,900). The same hacker has breached, stolen, and put up for sale the details of over one billion users from many other companies, including other major online services, such as Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, and others."

The incident is another reminder of the high value of consumers' personal data, and that hackers take action quickly to use or sell stolen data.


Medical Collections Vendor Files For Bankruptcy Protection

Things have become complicated regarding American Medical Collection Agency (AMCA), a collections firm used by several medical testing firms. After breach announcements by Quest Diagnostics and LabCorp earlier this month, more healthcare firms announced breach notices.

So, more than 20 million persons have been affected. ZD Net reported the patient totals by healthcare firm:

"Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients)."

Now, we learn that AMCA has filed for bankruptcy protection:

"According to the Chapter 11 declaration (.PDF), filed with the court for the Southern District of New York, AMCA first became aware of a potential security incident when a disproportionate number of credit cards that interacted with the company's web portal were linked to fraudulent transactions... Cybersecurity forensics bills of roughly $400,000, IT support costs, severe restrictions that were put in place to protect AMCA's network from further intrusion, looming court cases, and the loss of valuable business partners have all taken their toll."

A "Chapter 11" bankruptcy means a reorganization, compared to a total liquidation under "Chapter 7." So, AMCA executives expect their company to survive.

ZD Net also reported that AMCA has paid more than:

"... $3.8 million to inform over seven million people who have potentially been impacted via mail. This figure alone is more than the company had to hand, forcing AMCA to take out a loan from the CEO and founder, Russell Fuchs, just to meet this expense. By filing for bankruptcy protection, the business will continue on as usual as AMCA seeks to pay off its creditors."

The costs highlight the consequences when companies fail to protect consumers' sensitive personal and payment data. The bankruptcy filing begs the next question: continue operating how effectively? Reportedly, AMCA has already cut its workforce from 155 to 25 employees. Usually under bankruptcy protection, a court decides which creditors get paid and whether they are paid in full -- including employees.

This scenario makes one wonder if AMCA can afford the ongoing expenses and resources necessary to harden its computer systems against intrusions, pay its employees, fully support data breach victims, and pay any post-breach fines. If AMCA can't pay its employees, it is probably already dead.


CBP Breach Disclosed Images Of Travelers' Faces And Vehicle License Plates. Many Unanswered Questions

United States Customs and Border Patrol logo A security breach at a vendor used by U.S. Customs & Border Patrol (CBP) has disclosed the images of both travelers and vehicles license plates. The Washington Post reported:

"Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor. CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States. Fewer than 100,000 people were impacted, said CBP... Officials said the stolen information did not include other identifying information, and no passport or other travel document photos were compromised..."

Reportedly, CBP learned about the breach on May 31. The newspaper also reported:

"CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said."

A reporter posted on Twitter the brief statement by CBP, which was sent to selected news organizations:

"On May 31, 2009, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

Initial information indicates that the subcontractor violated mandatory security and privacy controls outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response. CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the contractor..."

Well, that brief statement is a start... a small start. This security breach is very troubling for several reasons.

First, it seems that CBP was unaware of the contractual violation (e.g., downloaded images) until it was informed of the data breach. That suggests an inadequate contractual agreement between the vendor and CBP; or failures by CBP to monitor and enforce its contracts. That also raises more questions:

  • When and which executives at the vendor will be reprimanded for this violation?
  • Why did CBP fail to identify the download violation?
  • What changes are underway to prevent future violations?
  • Why is CBP continuing to use a vendor known to have severely violated its contractual agreement?
  • What other vendors have violated CBP contracts?

Second, CBP refused to disclose the name of the vendor. Why? What would this accomplish? Its statement described the breach as a "malicious cyberattack." That seems to warrant disclosure. Were CBP executives caught unprepared?

Thankfully, reporters at the Washington Post continued investigating:

"... a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.” Perceptics representatives did not immediately respond to requests for comment... reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web."

So, we don't know for sure if Perceptics was the CBP vendor. However, the May 23rd article in The Register indicates that Perceptics executives were already aware of the breach. CBP executives should have known about the breach on May 23, too, since the article mentioned both entities. Then, why did the CBP statement say it learned of the breach on May 31st? Something here smells -- arrogance, incompetence, or both.

Third, a check at press time of the CBP website and newsroom failed to find any mentions of the security breach. CBP executives have had since May 31st (or since May 23rd), so why send a statement only to select news organizations? Why not publish that statement on its website, too? Were CBP executives caught unprepared and then rushed a haphazard response? When will the breach investigation report be released?

This is troubling. It suggests either arrogance or unpreparedness. As a taxpayer, my money funds CBP activities. I want to know that my money is being spent effectively.

Fourth, the lack of a detailed breach announcement means many related questions remain unanswered:

  • When will CBP notify affected persons? If the vendor will notify affected persons, then CBP must disclose the vendor's name in advance.
  • What assistance (e.g., free credit monitoring) will CBP provide affected persons?
  • What is the status of the post-breach investigation? It helps to know how attackers broke in so effective fixes can be implemented.
  • What other data elements were accessed/stolen? Metadata (e.g., image date and timestamp, border crossing GPS location, entering or exiting USA, vehicle brand and model, number and ages of any passengers in vehicles, etc.) attached to the images can be just as damaging.
  • Were any data elements encrypted? If not, why not?
  • Can facial images be matched to vehicle plate images, and/or to other data elements? If so, this creates more problems for impacted persons.
  • When will fixes be implemented so this doesn't happen again?
  • Exactly how many persons were affected, and in what states? Local states' breach notification laws may apply.
  • How many of the affected persons are U.S. citizens? If the 100,000 estimate applies to only affected U.S. citizens, then we need to know the true total number of persons impacted by the breach.
  • Does the 100,000 estimate refer to facial images only? If so, then exactly how many vehicle license plate images were disclosed?

The statement of "fewer than 100,000 persons impacted" seems vague. A breach investigation should determine two fairly precise items: the number of facial images accessed/stolen, and the number of license plate images accessed/stolen.

Plus, it seems wise to assume more data was stolen during the breach. Why? Consider this report by The Atlantic:

"I would be cautious about assuming this data breach contains only photo data," said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. "If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data..."

If social media passwords were stolen, then affected persons need to know so they can change online passwords. And, elected officials are also asking questions. The Hill reported:

"House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP... Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that "the agency is ill-equipped to handle emerging cyberthreats"... Representative Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps... Senator Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General."

Good suggestion by Senator Schatz. Clearly, there's plenty more news to come. Plenty.


Two Data Breaches At Collections Vendor Used By Healthcare Testing Firms Affect About 19 Million Persons

Two healthcare data breaches have affected about 19 million persons, so far.

First, a data breach at a third-party collections firm has affected about 11.9 million patients at Quest Diagnostics, a medical testing firm. Quest announced in a June 3rd news release that American Medical Collection Agency (AMCA) notified it of data breach affecting Quest patients:

"... an unauthorized user had access to AMCA’s system...AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter. AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results."

Quest said that AMCA hasn't yet provided it with details about the data breach. The news release did not state when AMCA or Quest would directly notify affected patients. Hopefully, future news releases will provide dates when the breach occurred, how the attackers broke in, and the fixes underway so this doesn't happen again.

Second, a data breach at the same third-party collections firm has also affected about 7.7 million customers of LabCorp, another medical testing firm. LabCorp disclosed in a filing with the U.S. Securities and Exchange Commission that AMCA notified it of data breach which occurred between August 1, 2018 and March 30, 2019. The filing did not state the date when AMCA notified LabCorp. The filing did state:

"AMCA is an external collection agency used by LabCorp and other healthcare companies. LabCorp has referred approximately 7.7 million consumers to AMCA... AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA... AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers."

LabCorp said in the filing that it didn't provide patients' ordered tests, laboratory results, or diagnostic information to AMCA. AMCA is currently notifying about 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. Also:

"AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them. AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months."

Given the ongoing investigation and breach notification, more news seems likely. Both breaches suggest other AMCA clients may have been affected. A check of the AMCA website at press time failed to find any news releases or mentions of both data breaches. C/Net reported:

"LabCorp also said that as a result of the breach, it's stopped sending new collection requests to the AMCA and suspended the AMCA's work on any pending requests related to LabCorp customers... LabCorp declined to comment beyond its SEC filing. AMCA said it conducted an internal audit after being notified of the breach by an outside security compliance firm and took down its web payments page. The company has also hired a third-party forensics firm to investigate the breach and has notified law enforcement."

The Krebs On Security blog reported:

"... AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed. A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years. Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system.

Both data breaches reminder patients that when companies outsource collections activities, patients' sensitive healthcare and payment information are often shared with outsource vendors. The lack of breach details makes one wonder if AMCA executives were caught unprepared with both inadequate data security on its payments website, and post-breach responses. Hopefully, future news reports will clarify things.


Marriott Lowered The Number Of Guests Affected By Its Data Breach. Class Action Lawsuits Filed

Marriott International logo Important updates about the gigantic Marriott-Starwood data breach. The incident received more attention after security experts said that China's intelligence agencies may have been behind the cyberattack, which also targeted healthcare insurance companies.

Earlier this month, Marriott announced a lower number of guests affected:

"Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure... Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated [in November, 2018]. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved...

The announcement also said that fewer than 383 million different persons were affected because its database contained multiple records for the same guests. The announcement also stated that about:

"... 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers... Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018..."

This is mixed news. Fewer breach victims is good news. The bad news: multiple database records for the same guests, and unencrypted passport numbers. Better, stronger data security always includes encrypting sensitive information. The announcement did not explain why some data was encrypted and some wasn't.

The hotel chain said that it will terminate its Starwood reservations database at the end of the year, and continue its post-breach investigation:

"While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests."

Also, the hotel chain admitted during its January 4th announcement that it still wasn't fully ready to help affected guests:

"Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) when it has this capability in place."

In related news, about 150 former guests have sued Marriott. Vox reported that a class-action lawsuit:

"... was filed Maryland federal district court on January 9, claims that Marriott did not adequately protect guest information before the breach and, once the breach had been discovered, “failed to provide timely, accurate, and adequate notice” to guests whose information may have been obtained by hackers... According to the suit, Marriott’s purchase of the Starwood properties is part of the problem. “This breach had been going on since 2014. In conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood,” Amy Keller, an attorney at DiCello Levitt & Casey who is representing the Marriott guests, told Vox... According to a December report by the Wall Street Journal, Marriott could have caught the breach years earlier."

At least one other class-action lawsuit has been filed by breach victims.


Pennsylvania Ruling May Help Plaintiffs in Class Action Lawsuits About Data Breaches

An article in the Lexology site by attorneys at Thompson Coburn LLP provides an important update about class-action lawsuits in Pennsylvania regarding data breaches and data security:

"One of the most insurmountable barriers for security breach class action plaintiffs has been the ability to show concrete damages. In order to bring a lawsuit, fundamentally, plaintiffs must have standing to sue. In federal court, this standing to sue is governed by Article III of the U.S. Constitution. The U.S. Supreme Court has articulated standing to sue as requiring (1) injury in fact, (2) fairly traceable to the defendant’s conduct, (3) that is likely redressed by a favorable decision... Proving a concrete and particularized injury therefore becomes difficult for plaintiffs... since it often becomes an individualized analysis of harms. Many state courts follow similar standing requirements as those articulated by the federal courts..."

The case involved a class-action lawsuit by employees against their employer, the University of Pittsburgh Medical Center (UPMC). The suit alleged that the sensitive personal and financial information for 62,000 current and former employees had been stolen, and that:

"... UPMC breached an implied contract and was negligent by failing to implement adequate security measures to safeguard information relating to employees."

The claims were dismissed by a trial court. The employees appealed that decision, and the appellate court agreed with the trial court's decision. The good news:

"... the Pennsylvania Supreme Court concluded the lower courts erred in determining UPMC did not owe a duty to safeguard the employees’ personal information and that the economic loss doctrine barred the negligence claim... While the Pennsylvania decision affects only Pennsylvania for the time being, anyone that collects or stores personal information should be aware that this could signal a new tide for security breach plaintiffs..."


More Than One Billion Accounts Affected By Data Breaches During 2018

Now that 2019 is here, we can assess 2018. It was a terrible year for identity theft, privacy, and data breaches. Several corporations failed miserably to protect the data they archive about consumers. This included failures within websites and mobile apps. There were so many massive data breaches that it isn't a question of whether or not you were affected.

You were. NordVPN reviewed the failures during 2018:

"If your data wasn’t leaked in 2018, you’re lucky. The information of over a billion people was compromised in 2018 as many of the companies we trust failed to protect our data."

That's billion with a "b." NordVPN provides virtual private network (VPN) services. If you want to use the internet with privacy, a VPN is the way to go. That is especially important for residents of the United States, since the U.S. Federal Communications Commission (FCC) repealed in 2017 both broadband privacy and net neutrality protections for consumers. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

PC Magazine reviewed NordVPN earlier this month and concluded:

"... NordVPN has proved itself to be our top service for securing your online activities. The company now has more than 5,100 servers across the globe, making it the largest service we've yet tested. It also takes a strong stance on privacy for its customers and includes tools rarely seen in the competition."

The NordVPN articled listed the major corporate data security failures during 2018. Frequent readers of this blog are familiar with the breaches. Chances are you use one or more of the services. Below is a partial list:

  • Marriott: 500 million
  • Twitter: 330 million
  • My Fitness Pal: 150 million accounts
  • Facebook: 147 million accounts
  • Quora: 100 million accounts
  • Firebase: 100 million accounts
  • Google+ : 500,000 accounts
  • British Airways: 380,000 accounts

While Google is closing its Google+ service, that is little help for breach victims whose personal data is out in the wild. The massive Equifax breach affecting 145.5 million persons isn't on the list because it happened in 2017. It's important to remember Equifax because persons cannot opt out of Equifax, or any of the other credit reporting agencies. Ain't corporate welfare nice?

What can consumers do to protect themselves and their sensitive personal and payment information? NordVPN advised:

  1. "Use strong and unique passwords.
  2. Think twice before posting anything on social media. This information can be used against you.
  3. If you shop online, use a credit card. You will have less liability for fraudulent charges if your financial information leaks.
  4. Provide companies only with necessary information. The less information they have, the less they can leak.
  5. Look out for fraud. If notified that your data was leaked, change your passwords and take the steps advised by the company that compromised your data."

Well, there you go. That's a good starter list for consumers to protect themselves. Do it because your personal data is out in the wild. The only question is which bad actor is abusing it.


A Series Of Recent Events And Privacy Snafus At Facebook Cause Multiple Concerns. Does Facebook Deserve Users' Data?

Facebook logo So much has happened lately at Facebook that it can be difficult to keep up with the data scandals, data breaches, privacy fumbles, and more at the global social service. To help, below is a review of recent events.

The the New York Times reported on Tuesday, December 18th that for years:

"... Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules... The special arrangements are detailed in hundreds of pages of Facebook documents obtained by The New York Times. The records, generated in 2017 by the company’s internal system for tracking partnerships, provide the most complete picture yet of the social network’s data-sharing practices... Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent... and gave Netflix and Spotify the ability to read Facebook users’ private messages. The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier..."

According to the Reuters newswire, a Netflix spokesperson denied that Netflix accessed Facebook users' private messages, nor asked for that access. Facebook responded with denials the same day:

"... none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC... most of these features are now gone. We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them."

Needed tighter management with its partners and developers? That's an understatement. During March and April of 2018 we learned that bad actors posed as researchers and used both quizzes and automated tools to vacuum up (and allegedly resell later) profile data for 87 million Facebook users. There's more news about this breach. The Office of the Attorney General for Washington, DC announced on December 19th that it has:

"... sued Facebook, Inc. for failing to protect its users’ data... In its lawsuit, the Office of the Attorney General (OAG) alleges Facebook’s lax oversight and misleading privacy settings allowed, among other things, a third-party application to use the platform to harvest the personal information of millions of users without their permission and then sell it to a political consulting firm. In the run-up to the 2016 presidential election, some Facebook users downloaded a “personality quiz” app which also collected data from the app users’ Facebook friends without their knowledge or consent. The app’s developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits. Facebook took more than two years to disclose this to its consumers. OAG is seeking monetary and injunctive relief, including relief for harmed consumers, damages, and penalties to the District."

Sadly, there's still more. Facebook announced on December 14th another data breach:

"Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018... the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post... we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers... Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users. We will also notify the people potentially impacted..."

We believe? That sounds like Facebook doesn't know for sure. Where was the quality assurance (QA) team on this? Who is performing the post-breach investigation to determine what happened so it doesn't happen again? This post-breach response seems sloppy. And, the "bug" description seems disingenuous. Anytime persons -- in this case developers -- have access to data they shouldn't have, it is a data breach.

One quickly gets the impression that Facebook has created so many niches, apps, APIs, and special arrangements for developers and advertisers that it really can't manage nor control the data it collects about its users. That implies Facebook users aren't in control of their data, either.

There were other notable stumbles. There were reports after many users experienced repeated bogus Friend Requests, due to hacked and/or cloned accounts. It can be difficult for users to distinguish valid Friend Requests from spammers or bad actors masquerading as friends.

In August, reports surfaced that Facebook approached several major banks offering to share its detailed financial information about consumers in order, "to boost user engagement." Reportedly, the detailed financial information included debit/credit/prepaid card transactions and checking account balances. Not good.

Also in August, Facebook's Onavo VPN App was removed from the Apple App store because the app violated data-collection policies. 9 To 5 Mac reported on December 5th:

"The UK parliament has today publicly shared secret internal Facebook emails that cover a wide-range of the company’s tactics related to its free iOS VPN app that was used as spyware, recording users’ call and text message history, and much more... Onavo was an interesting effort from Facebook. It posed as a free VPN service/app labeled as Facebook’s “Protect” feature, but was more or less spyware designed to collect data from users that Facebook could leverage..."

Why spy? Why the deception? This seems unnecessary for a global social networking company already collecting massive amounts of content.

In November, an investigative report by ProPublica detailed the failures in Facebook's news transparency implementation. The failures mean Facebook hasn't made good on its promises to ensure trustworthy news content, nor stop foreign entities from using the social service to meddle in elections in democratic countries.

There is more. Facebook disclosed in October a massive data breach affecting 30 million users (emphasis added):

For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches..."

The stolen data allows bad actors to operate several types of attacks (e.g., spam, phishing, etc.) against Facebook users. The stolen data allows foreign spy agencies to collect useful information to target persons. Neither is good. Wired summarized the situation:

"Every month this year—and in some months, every week—new information has come out that makes it seem as if Facebook's big rethink is in big trouble... Well-known and well-regarded executives, like the founders of Facebook-owned Instagram, Oculus, and WhatsApp, have left abruptly. And more and more current and former employees are beginning to question whether Facebook's management team, which has been together for most of the last decade, is up to the task.

Technically, Zuckerberg controls enough voting power to resist and reject any moves to remove him as CEO. But the number of times that he and his number two Sheryl Sandberg have over-promised and under-delivered since the 2016 election would doom any other management team... Meanwhile, investigations in November revealed, among other things, that the company had hired a Washington firm to spread its own brand of misinformation on other platforms..."

Hiring a firm to distribute misinformation elsewhere while promising to eliminate misinformation on its platform. Not good. Are Zuckerberg and Sandberg up to the task? The above list of breaches, scandals, fumbles, and stumbles suggest not. What do you think?

The bottom line is trust. Given recent events, BuzzFeed News article posed a relevant question (emphasis added):

"Of all of the statements, apologies, clarifications, walk-backs, defenses, and pleas uttered by Facebook employees in 2018, perhaps the most inadvertently damning came from its CEO, Mark Zuckerberg. Speaking from a full-page ad displayed in major papers across the US and Europe, Zuckerberg proclaimed, "We have a responsibility to protect your information. If we can’t, we don’t deserve it." At the time, the statement was a classic exercise in damage control. But given the privacy blunders that followed, it hasn’t aged well. In fact, it’s become an archetypal criticism of Facebook and the set up for its existential question: Why, after all that’s happened in 2018, does Facebook deserve our personal information?"

Facebook executives have apologized often. Enough is enough. No more apologies. Just fix it! And, if Facebook users haven't asked themselves the above question yet, some surely will. Earlier this week, a friend posted on the site:

"To all my FB friends:
I will be deleting my FB account very soon as I am disgusted by their invasion of the privacy of their users. Please contact me by email in the future. Please note that it will take several days for this action to take effect as FB makes it hard to get out of its grip. Merry Christmas to all and with best wishes for a Healthy, safe, and invasive free New Year."

I reminded this friend to also delete any Instagram and What's App accounts, since Facebook operates those services, too. If you want to quit the service but suffer with FOMO (Fear Of Missing Out), then read the experiences of a person who quit Apple, Google, Facebook, Microsoft, and Amazon for a month. It can be done. And, your social life will continue -- spectacularly. It did before Facebook.

Me? I have reduced my activity on Facebook. And there are certain activities I don't do on Facebook: take quizzes, make online payments, use its emotion reaction buttons (besides "Like"), use its mobile app, use the Messenger mobile app, nor use its voting and ballot previews content. Long ago I disabled the Facebook API platform on my Facebook account. You should, too. I never use my Facebook credentials (e.g., username, password) to sign into other sites. Never.

I will continue to post on Facebook links to posts in this blog, since it is helpful information for many Facebook users. In what ways have you reduced your usage of Facebook?


China Blamed For Cyberattack In The Gigantic Marriott-Starwood Hotels Data Breach

Marriott International logo An update on the gigantic Marriott-Starwood data breach where details about 500 million guests were stolen. The New York Times reported that the cyberattack:

"... was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation. The hackers, they said, are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency... While American intelligence agencies have not reached a final assessment of who performed the hacking, a range of firms brought in to assess the damage quickly saw computer code and patterns familiar to operations by Chinese actors... China has reverted over the past 18 months to the kind of intrusions into American companies and government agencies that President Barack Obama thought he had ended in 2015 in an agreement with Mr. Xi. Geng Shuang, a spokesman for China’s Ministry of Foreign Affairs, denied any knowledge of the Marriott hacking..."

Why any country's intelligence agency would want to hack a hotel chain's database:

"The Marriott database contains not only credit card information but passport data. Lisa Monaco, a former homeland security adviser under Mr. Obama, noted last week at a conference that passport information would be particularly valuable in tracking who is crossing borders and what they look like, among other key data."

Also, context matters. First, this corporate acquisition was (thankfully) blocked:

"The effort to amass Americans’ personal information so alarmed government officials that in 2016, the Obama administration threatened to block a $14 billion bid by China’s Anbang Insurance Group Co. to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the United States, a secretive government body that reviews foreign acquisitions..."

Later that year, Marriott Hotels acquired Starwood for $13.6 billion. Second, remember the massive government data breach in 2014 at the Office of Personnel Management (OPM). The New York Times added that the Marriott breach:

"... was only part of an aggressive operation whose centerpiece was the 2014 hacking into the Office of Personnel Management. At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners. Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting..."

MSS Inside Not good. And, this is not the first time concerns about China have been raised. Reports surfaced in 2016 about malware installed in the firmware of smartphones running the Android operating system (OS) software. In 2015, China enacted a new "secure and controllable" security law which many security experts viewed then as a method to ensure that back doors were built into computing products and devices during into the manufacturing and assembly process.

And, even if China's MSS didn't do this massive cyberattack, it could have been another country's intelligence agency. Not good either.

Regardless who the attackers were, this incident is a huge reminder to executives in government and in the private sector to secure their computer systems. Hopefully, executives at major hotel chains -- especially those frequented by government officials and military members -- now realize that their systems are high-value targets.


House Oversight Committee Report On The Equifax Data Breach. Did The Recommendations Go Far Enough?

On Monday, the U.S. House of Representatives Committee on Oversight and Government Reform released its report (Adobe PDF) on the massive Equifax data breach, where the most sensitive personal and payment information of more than 148 million consumers -- nearly half of the population -- was accessed and stolen. The report summary:

"In 2005, former Equifax Chief Executive Officer(CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks... Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report cited several failures by Equifax. First:

"On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threate and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed."

As bad as that is, it gets worse:

"On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases."

"Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic..."

Findings so far: 1) growth prioritized over security while archiving highly valuable data; 2) antiquated computer systems; 3) failed security patches; 4) unprotected user credentials; and 5) failed intrusion detection mechanism. Geez!

Only after updating its expired security certificate did Equifax notice the intrusion. After that, you'd think that Equifax would have implemented a strong post-breach response. You'd be wrong. More failures:

"When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services."

"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. "Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging..."

Findings so far: 6) inadequate post-breach response; and 7) complicated IT structure making updates difficult. Geez!

The report listed the executives who retired and/or were fired. That's a small start for a company archiving the most sensitive personal and payment information of all USA citizens. The report included seven recommendations:

"1: Empower Consumers through Transparency. Consumer reporting agencies (CRAs) should provide more transparency to consumers on what data is collected and how it is used. A large amount of the public’s concern after Equifax’s data breach announcement stemmed from the lack of knowledge regarding the extensive data CRAs hold on individuals. CRAs must invest in and deploy additional tools to empower consumers to better control their own data..."

"2: Review Sufficiency of FTC Oversight and Enforcement Authorities. Currently, the FTC uses statutory authority under Section 5 of the Federal Trade Commission Act to hold businesses accountable for making false or misleading claims about their data security or failing to employ reasonable security measures. Additional oversight authorities and enforcement tools may be needed to enable the FTC to effectively monitor CRA data security practices..."

"3: Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims. The General Accounting Office (GAO) should examine the effectiveness of current identity monitoring and protection services and provide recommendations to Congress. In particular, GAO should review the length of time that credit monitoring and protection services are needed after a data breach to mitigate identity theft risks. Equifax offered free credit monitoring and protection services for one year to any consumer who requested it... This GAO study would help clarify the value of credit monitoring services and the length of time such services should be maintained. The GAO study should examine alternatives to credit monitoring services and identify addit ional or complimentary services..."

"4: Increase Transparency of Cyber Risk in Private Sector. Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks. One example of how a private entity can increase transparency related to the company’s cyber risk is by making disclosures in its Securities and Exchange Commission (SEC) filings. In 2011, the SEC developed guidance to assist companies in disclosing cybersecurity risks and incidents. According to the SEC guidance, if cybersecurity risks or incidents are “sufficiently material to investors” a private company may be required to disclose the information... Equifax did not disclose any cybersecurity risks or cybers ecurity incidents in its SEC filings prior to the 2017 data breach..."

"5: Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements. The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition. The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements. In 2016, the Committee urged OMB to focus on improving and updating cybersecurity requirements for federal acquisition... The Committee again urges OMB to expedite development of a long-promised cybersecurity acquisition memorandum to provide guidance to federal agencies and acquisition professionals..."

"6: Reduce Use of Social Security Numbers as Personal Identifiers. The executive branch should work with the private sector to reduce reliance on Social Security numbers. Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential. To better protect consumers from identity theft, OMB and other relevant federal agencies should pursue emerging technology solutions as an alternative to Social Security number use."

"7: Implement Modernized IT Solutions. Companies storing sensitive consumer data should transition away from legacy IT and implement modern IT security solutions. Equifax failed to modernize its IT environments in a timely manner. The complexity of the legacy IT environment hosting the ACIS application allowed the attackers to move throughout the Equifax network... Equifax’s legacy IT was difficult to scan, patch, and modify... Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies...."

The history of corporate data breaches and the above list of corporate failures by Equifax both should be warnings to anyone in government promoting the privatization of current government activities. Companies screw up stuff, too.

Recommendation #6 is frightening in that it hasn't been implemented. Yikes! No federal agency should do business with a private sector firm operating with antiquated computer systems. And, if Equifax can't protect the information it archives, it should cease to exist. While that sounds harsh, it ain't. Continual data breaches place risks and burdens upon already burdened consumers trying to control and protect their data.

What are your opinions of the report? Did it go far enough?


Massive Data Breach At Quora Affects 100 Million Users

Quora logo Quora, the knowledge-sharing social networking site, announced on Monday a data breach affecting about 100 million of its users. The company discovered the breach on Friday, and a breach investigation is ongoing.

The company’s Chief Executive Officer, Adam D’Angelo, wrote in a blog post that the following data elements were compromised or stolen:

"a) Account information, e.g. name, email address, encrypted password (hashed using bcrypt with a salt that varies for each user), data imported from linked networks when authorized by users; b) Public content and actions, e.g. questions, answers, comments, upvotes; and c) Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)"

Quora has cancelled affected users' passwords. Quora does not yet know exactly how unauthorized persons accessed its system. The breach announcement did not state when the intrusion began. D'Angelo added:

"We're still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials."

Affected users are being notified via email. Affected users returning to the site must reset their accounts with new passwords. Quora encourages users with questions to visit its breach help site. Users are warned to change their online passwords.

The New York Times reported:

"... the incident was unlikely to result in identity theft, as the site does not collect sensitive information such as credit card or Social Security numbers... 300 million people around the world use its site at least once a month to ask and answer questions about politics, faith, calculus, unrequited love, the meaning of life and more. By comparison, Twitter claims 326 million monthly active users. But since it blasted onto the social media landscape in 2010, igniting a blaze of interest among tech company employees, Quora has not become the mainstream cultural force that Twitter has..."

This breach is another reminder to all consumers to never use the same password at multiple sites. Cybercriminals are persistent, and will reuse stolen passwords to see which other sites they can break into to steal sensitive personal and payment information.

If you received an email breach notice from Quora, please share it below (after deleting any sensitive personal data).


Gigantic Data Breach At Marriott International Affects 500 Million Customers. Plenty Of Questions Remain

Marriott International logo A gigantic data breach at Marriott International affects about 500 million customers who have stayed at its Starwood network of hotels in the United States, Canada, and the United Kingdom. Marriott International announced the data breach on Friday, November 30th, and set up a website for affected Starwood guests.

According to its breach announcement, an "internal security tool" discovered the breach on September 8, 2018. The initial data breach investigation determined that unauthorized persons accessed its registration database as far back as 2014, and had both copied and encrypted information before removing it. Marriott engaged security experts, the information was partially decrypted on November 19, 2018, and the global hotel chain determined that the information was from its Starwood guest reservation database.

Starwood Preferred Guest logo The Starwood hotels network includes brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, and more. Marriott has not finished decrypting all information, so there may be future updates from the breach investigation.

For 327 million guests, the personal data items stolen included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, the information stolen also included payment card numbers and payment card expiration dates. While Marriott said the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), its warned that it doesn't yet know if the encryption keys (needed to decrypt payment information) were also stolen.

For 173 million guests, fewer personal data items were stolen included, "name and sometimes other data such as mailing address, email address, or other information." Marriott International said its Marriott-branded hotels were not affected since they use a different reservations database on a different server.

Marriott said it has notified law enforcement, is working with law enforcement, and has begun to notify affected guests via email. The hotel chain will offer affected guests in select countries one year of free enrollment in the WebWatcher program which, "monitors internet sites where personal information is shared and  an alert to the consumer if evidence of the consumer’s personal information is found." WebWatcher will not be offered to all affected guests. Eligible guests should read the fine print, which the Starwood breach site summarized:

"Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. For residents of the United States, enrolling in WebWatcher also provides you with two additional benefits: (1) a Fraud Loss Reimbursement benefit, which reimburses you for out-of-pocket expenses totaling up to $1 million in covered legal costs and expenses for any one stolen identity event. All coverage is subject to the conditions and exclusions in the policy; and (2) unlimited access to consultation with a Kroll fraud specialist. Consultation support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used..."

The seriousness of this data breach cannot be overstated. First, it went undetected for a very long time. Marriott needs to explain that and the changes it will implement with an improved "internal security tool" so this doesn't happen again. Second, 500 million is an awful lot of affected customers. An awful lot. Third, breach CNN Business reported:

"Because the hack involves customers in the European Union and the United Kingdom, the company might be in violation of the recently enacted General Data Protection Regulation (GDPR). Mark Thompson, the global lead for consulting company KPMG's Privacy Advisory Practice, told CNN Business that hefty GDPR penalties will potentially be slapped on the company. "The size and scale of this thing is huge," he said, adding that it's going to take several months for (EU) regulators to investigate the breach."

Fourth, the data items stolen are sufficient to cause plenty of damage. Security experts advise affected customers to change their Starwood passwords, check the answers.Kroll.com breach site next week to see if their information was compromised/stolen, sign up for credit monitoring (if they don't already have it), watch their payment or bank accounts for fraudulent entries, and consider an early renewal if your passport number was compromised/stolen. Fifth, companies usually arrange free credit monitoring for breach victims for one or two years. So far, Marriott hasn't done this. Maybe it will. If not, Marriott needs to explain why.

Sixth, breach notification of affected guests via email seems sketchy... like Marriott is trying to cut corners and costs. History is littered with numerous examples of skilled spammers and cybercriminals using faked or spoofed email to trick consumers into revealing sensitive personal and payment information. It will be interesting to see how Marriott's breach notification via email works and manages this threat.

Seventh, lawsuits and other investigations have already begun. ZDNet reported:

"... two Oregon men sued international hotel chain Marriott for exposing their data. Their lawsuit was followed hours later by another one filed in the state of Maryland. Both lawsuits seek class-action status. While plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott, the plaintiffs in the Oregon lawsuit want $12.5 billion in costs and losses. his should equate to $25 for each of the 500 million users who had their personal data stolen from Marriott's serv ers... The Maryland lawsuit was filed by Baltimore law firm Murphy, Falcon & Murphy..."

Bloomberg BNA announced:

"The Massachusetts, New York and Illinois state attorneys general quickly announced they would examine the hack. Connecticut George Jepsen (D) is also looking into the matter, a spokesman told Bloomberg Law."

Eighth, the breach site's website address unnecessarily vague: answers.kroll.com. Frankly, a website address like "starwood-breach.kroll.com" or "marriott-breach.kroll.com" would have been better. (The combination of email notification and vague website name seems eerily similar to the post-breach clusterf--k by Equifax's poorly implemented breach site.) Maybe this vague address was a temporary quick fix, and Marriott will host a comprehensive breach-status site later on one of its servers. That would be better and clearer for affected customers, who probably are unfamiliar with Kroll. Readers of this blog probably first encountered Kroll after IBM Inc. contracted it to help implement IBM's post-breach response in 2007.

The Starwood breach notice appears within the news section of Marriott.com site. Also, Marriott's post-breach notice included overlays on both the home page and the Starwood landing page within the Marriott.com site. This is a good start, but a better implementation would insert a link directly into the webpages, since the overlays don't render well in all browsers on all devices. (Marriott: you did test this before deployment?) Example: people with pop-up blockers may miss the breach notice in the overlays. And, a better implementation would link to the news story's detail page within the Marriott.com site -- not directly to the vague answers.kroll.com site.

Last, some questions remain about the post-breach response:

  • Why email notices to breach victims? Hopefully, there are more reasons than simply saving postal mailing costs.
  • Why no credit monitoring offers to breach victims?
  • What data in the Starwood reservations database was altered by the attackers? That data was encrypted by the attackers suggests that the attackers had sufficient time, resources, and skills to modify or alter database records. Marriott needs to explain what it is doing about this.
  • When will Marriott host a breach site on one of its servers? No doubt, there will be follow-up news, more questions by breach victims, and breach investigation updates. A dedicated breach site on one of its servers seems best. Leaning too much on Kroll is not good.
  • Why did the intrusion go undetected for so long? Marriott needs to explain this and the post-breach fix so guests are reassured it won't happen again.
  • Is the main Marriott reservations database also vulnerable? Guests for other brands weren't affected since a separate reservations database was used. Maybe this is because the main Marriott reservations database and server are better protected, or cybercriminals haven't attacked it (yet). Guests deserve comprehensive answers.
  • Why the website overlaps/pop-ups and not static links?
  • What changes (e.g., software upgrades, breach detection tools, employee training, etc.) will be implemented so this doesn't happen again?

Having blogged about data breaches for 11+ years, these types of questions often arise. None are unreasonable questions. Answers will help guests feel comfortable with using Starwood hotels. Plus, Marriott has an obligation to fully inform guests directly at its website, and not lean on Kroll. What do you think?


Massive Data Breach At U.S. Postal Service Affects 60 Million Users

United States Postal Service logo The United States Postal Service (USPS) experienced a massive data breach due to a vulnerable component at its website. The "application program interface" or API component allowed unauthorized users to access and download details about other users of the Informed Visibility service.

Security researcher Brian Krebs explained:

"In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox."

Geez! The USPS has since fixed the API vulnerability. Regardless, this is bad, very bad, for several reasons. Not only should the vulnerable API have prevented one user from viewing details about another, but it allowed changes to some data elements. Krebs added:

"A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details. Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes — at least with some data fields... The ability to modify database entries related to Informed Visibility user accounts could create problems for the USPS’s largest customers — think companies like Netflix and others that get discounted rates for high volumes. For instance, the API allowed any user to convert regular usps.com accounts to Informed Visibility business accounts, and vice versa."

About 13 million Informed Delivery users were also affected, since the vulnerable API component affected all USPS.com users. A vulnerability like this makes package theft easier since criminals could determine when certain types of mail (e.g., debit cards, credit cards, etc.) arrive at users' addresses. The vulnerable API probably existed for more than one year, when a security researcher first alerted the USPS about it.

While the USPS provided a response to Krebs on Security, a check at press time of the Newsroom and blog sections of About.USPS.com failed to find any mention of the data breach. Not good. Transparency matters.

If the USPS is serious about data security, then it should issue a public statement. When will users receive breach notification letters, if they haven't been sent? Who fixed the vulnerable API? How long was it broken? What post-breach investigation is underway? What types of changes (e.g., employee training, software testing, outsource vendor management, etc.) are being implement so this won't happen again?

Trust matters. The lack of a public statement makes it difficult for consumers to judge the seriousness of the breach and the seriousness of the fix by USPS. We probably will hear more about this breach.


Amazon Said Its Data Breach Was Due To A "Technical Error" And Discloses Few Breach Details

Amazon logo Amazon.com, the online retail giant, confirmed that it experienced a data breach last Wednesday. CBS News reported:

"Amazon said a technical error on its website exposed the names and email addresses of some customers. The online retail giant its website and systems weren't hacked. "We have fixed the issue and informed customers who may have been impacted," said an Amazon spokesperson. An Amazon spokesman didn't answer additional questions, like how many people were affected or whether any of the information was stolen."

A check of the press center and blog sections with the Amazon.com site failed to find any mentions of the data breach. The Ars Technica blog posted the text of the breach notification email Amazon sent to affected users:

"From: Amazon.com
Sent: 21 November 2018 10:53
To: a--------l@hotmail.com
Subject: Important Information about your Amazon.com Account

Hello,
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,
Customer Service
http://Amazon.com"

What? That's all? No link to a site or to a page for customers with questions?

This incident is a reminder that several things can cause data breaches. It's not only when cyber-criminals break into an organization's computers or systems. Human error causes data breaches, too. In some breaches, employees collude with criminals. In some cases, sloppy data security by outsource vendors causes data breaches. Details matter.

Typically, organizations affected by data breaches hire external security agencies to conduct independent, post-breach investigations to learn important details: when the breach started, how exactly the breach happened, the list of data elements unauthorized users accessed/stole, what else may have happened that wasn't readily apparent when the incident was discovered, and key causal events leading up to the breach -- all so that a complete fix can be implemented, and so that it doesn't happen again.

Who made the "technical error?" Who discovered it? What caused it? How long did the error exist? Who fixed it? Were specialized skills or tools necessary? What changes were made so that it won't happen again? Amazon isn't saying. If management decided to skip a post-breach investigation, consumers deserve to know that and why, too.

Often, the breach starts long before it is discovered by the company, or by a security researcher. Often, the fix includes several improvements: software changes, employee training, and/or improved security processes with contractors.

So, all we know is that names and email addresses were accessed by unauthorized persons. If stolen, that is sufficient to do damage -- spam or phishing email messages, to trick victims into revealing sensitive personal (e.g., usernames, passwords, etc.) and payment (e.g., bank account numbers, credit card numbers, etc.) information. It is not too much to ask Amazon to share both breach details and the results of a post-breach investigation.

Executives at Amazon know all of this, so maybe it was a management decision not to share breach details nor a post-breach investigation -- perhaps, not wanting to risk huge Black Friday holiday sales. Then again, the lack of details could imply the breach was far worse than management wants to admit.

Either way, this is troublesome. It's all about trust. When details are shared, consumers can judge the severity of the breach, the completeness of the company's post-breach response, and ideally feel better about continuing to shop at the site. What do you  think?


ABA Updates Guidance For Attorneys' Data Security And Data Breach Obligations. What Their Clients Can Expect

To provide the best representation, attorneys often process and archive sensitive information about their clients. Consumers hire attorneys to complete a variety of transactions: buy (or sell) a home, start (or operate) a business, file a complaint against a company, insurer, or website for unsatisfactory service, file a complaint against a former employer, and more. What are attorneys' obligations regarding data security to protect their clients' sensitive information, intellectual property, and proprietary business methods?

What can consumers expect when the attorney or law firm they've hired experienced a data breach? Yes, law firms experience data breaches. The National Law Review reported last year:

"2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions... In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest volume data breach of all time involved law firm Mossack Fonesca in Panama... Finally, Chicago law firm, Johnson & Bell Ltd., was in the news in December when a proposed class action accusing them of failing to protect client data was unsealed."

So, what can clients expect regarding data security and data breaches? A post in the Lexology site reported:

"Lawyers don’t get a free pass when it comes to data security... In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach... a lawyer’s compliance with state or federal data security laws does "not necessarily achieve compliance with ethics obligations," and identifies six ABA Model Rules that might be implicated in the breach of client information."

Readers of this blog are familiar with the common definition of a data breach: unauthorized persons have accessed, stolen, altered, and/or destroyed information they shouldn't have. Attorneys have an obligation to use technology competently. The post by Patterson Belknap Webb & Tyler LLP also stated:

"... lawyers have an obligation to take “reasonable steps” to monitor for data breaches... When a breach is detected, a lawyer must act “reasonably and promptly” to stop the breach and mitigate damages resulting from the breach... A lawyer must make reasonable efforts to assess whether any electronic files were, in fact, accessed and, if so, identify them. This requires a post-breach investigation... Lawyers must then provide notice to their affected clients of the breach..."

I read the ABA Formal Opinion 483. (A copy of the opinion is also available here.) A follow-up post this week by the National Law Review listed 10 best practices to stop cyberattacks and breaches. Since many law firms outsource some back-office functions, this might be the most important best-practice item:

"4. Evaluate Your Vendors’ Security: Ask to see your vendor’s security certificate. Review the vendor’s security system as you would your own, making sure they exercise the same or stronger security systems than your own law firm..."