53 posts categorized "Outsourcing" Feed

ABA Updates Guidance For Attorneys' Data Security And Data Breach Obligations. What Their Clients Can Expect

To provide the best representation, attorneys often process and archive sensitive information about their clients. Consumers hire attorneys to complete a variety of transactions: buy (or sell) a home, start (or operate) a business, file a complaint against a company, insurer, or website for unsatisfactory service, file a complaint against a former employer, and more. What are attorneys' obligations regarding data security to protect their clients' sensitive information, intellectual property, and proprietary business methods?

What can consumers expect when the attorney or law firm they've hired experienced a data breach? Yes, law firms experience data breaches. The National Law Review reported last year:

"2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions... In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest volume data breach of all time involved law firm Mossack Fonesca in Panama... Finally, Chicago law firm, Johnson & Bell Ltd., was in the news in December when a proposed class action accusing them of failing to protect client data was unsealed."

So, what can clients expect regarding data security and data breaches? A post in the Lexology site reported:

"Lawyers don’t get a free pass when it comes to data security... In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach... a lawyer’s compliance with state or federal data security laws does "not necessarily achieve compliance with ethics obligations," and identifies six ABA Model Rules that might be implicated in the breach of client information."

Readers of this blog are familiar with the common definition of a data breach: unauthorized persons have accessed, stolen, altered, and/or destroyed information they shouldn't have. Attorneys have an obligation to use technology competently. The post by Patterson Belknap Webb & Tyler LLP also stated:

"... lawyers have an obligation to take “reasonable steps” to monitor for data breaches... When a breach is detected, a lawyer must act “reasonably and promptly” to stop the breach and mitigate damages resulting from the breach... A lawyer must make reasonable efforts to assess whether any electronic files were, in fact, accessed and, if so, identify them. This requires a post-breach investigation... Lawyers must then provide notice to their affected clients of the breach..."

I read the ABA Formal Opinion 483. (A copy of the opinion is also available here.) A follow-up post this week by the National Law Review listed 10 best practices to stop cyberattacks and breaches. Since many law firms outsource some back-office functions, this might be the most important best-practice item:

"4. Evaluate Your Vendors’ Security: Ask to see your vendor’s security certificate. Review the vendor’s security system as you would your own, making sure they exercise the same or stronger security systems than your own law firm..."


Billions Of Data Points About Consumers Exposed During Data Breach At Data Aggregator

It's not only social media companies and credit reporting agencies that experience data breaches where massive amounts of sensitive, personal information about millions of consumers are exposed and/or stolen. Data aggregators and analytics firms also have data breaches. Wired Magazine reported:

"The sales intelligence firm Apollo sent a notice to its customers disclosing a data breach it suffered over the summer... Apollo is a data aggregator and analytics service aimed at helping sales teams know who to contact, when, and with what message to make the most deals... Apollo also claims in its marketing materials to have 200 million contacts and information from over 10 million companies in its vast reservoir of data. That's apparently not just spin. Night Lion Security founder Vinny Troia, who routinely scans the internet for unprotected, freely accessible databases, discovered Apollo's trove containing 212 million contact listings as well as nine billion data points related to companies and organizations. All of which was readily available online, for anyone to access. Troia disclosed the exposure to the company in mid-August."

This is especially problematic for several reasons. First, data aggregators like Apollo (and social media companies and credit reporting agencies) are high-value targets: plenty of data is stored in one location. That's both convenient and risky. It also places a premium upon data security.

When data like this is exposed or stolen, it makes it easy for fraudsters, scammers, and spammers to create sophisticated and more effective phishing (and vishing) attacks to trick consumers and employees into revealing sensitive payment and financial information.

Second, data breaches like this make it easier for governments' intelligence agencies to compile data about persons and targets. Third, Apollo's database reportedly also contained sensitive data about clients. That's proprietary information. Wired explained:

"Some client-imported data was also accessed without authorization... Customers access Apollo's data and predictive features through a main dashboard. They also have the option to connect other data tools they might use, for example authorizing their Salesforce accounts to port data into Apollo..."

Salesforce, a customer relationship management (CRM) platform, uses cloud services and other online technologies to help its clients, companies with sales representatives, to manage their sales, service, and marketing activities. This breach also suggests that some employee training is needed about what to, and what not to upload, to outsourcing vendor sites. What do you think?


Equifax Operates A Secondary Credit Reporting Agency, And Its Website Appears Haphazard

Equifax logo More news about Equifax, the credit reporting agency with multiple data security failures resulting in a massive data breach affecting half of the United States population. It appears that Equifax also operates a secondary credit bureau: the National Consumer Telecommunications and Utilities Exchange (NCTUE). The Krebs On Security blog explained Equifax's role:

"The NCTUE is a consumer reporting agency founded by AT&T in 1997 that maintains data such as payment and account history, reported by telecommunication, pay TV and utility service providers that are members of NCTUE... there are four "exchanges" that feed into the NCTUE’s system: the NCTUE itself, something called "Centralized Credit Check Systems," the New York Data Exchange (NYDE), and the California Utility Exchange. According to a partner solutions page at Verizon, the NYDE is a not-for-profit entity created in 1996 that provides participating exchange carriers with access to local telecommunications service arrears (accounts that are unpaid) and final account information on residential end user accounts. The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax)... The California Utility Exchange collects customer payment data from dozens of local utilities in the state, and also is operated by Equifax (Equifax Information Services LLC)."

This surfaced after consumers with security freezes on their credit reports at the three major credit reporting agencies (e.g., Experian, Equifax, TransUnion) found fraudulent mobile phone accounts opened in their names. This shouldn't have been possible since security freezes prevent credit reporting agencies from selling consumers' credit reports to telecommunications companies, who typically perform credit checks before opening new accounts. So, the credit information must have come from somewhere else. It turns out, the source was the NCTUE.

NCTUE logo Credit reporting agencies make money by selling consumers' credit reports to potential lenders. And credit reports from the NCTUE are easy for anyone to order:

"... the NCTUE makes it fairly easy to obtain any records they may have on Americans. Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address."

The Krebs on Security blog also explain the expired SSL certificate used by Equifax which prevents serving web pages in a secure manner. That was simply inexcusable, poor data security.

A quick check of the NCTUE page on the Better Business Bureau site found 2 negative reviews and 70 complaints -- mostly about negative credit inquiries, and unresolved issues. A quick check of the NCTUE Terms Of Use page found very thin usage and privacy policies lacking details, such as mentions about data sharing, cookies, tracking, and more. The lack of data-sharing mentions could indicate NCTUE will share or sell data to anyone: entities, companies, and government agencies. It also means there is no way to verify whether the NCTUE complies with its own policies. Not good.

The policy contains enough language which indicates that it is not liable for anything:

"... THE NCTUE IS NOT RESPONSIBLE FOR, AND EXPRESSLY DISCLAIM, ALL LIABILITY FOR, DAMAGES OF ANY KIND ARISING OUT OF USE, REFERENCE TO, OR RELIANCE ON ANY INFORMATION CONTAINED WITHIN THE SITE. All content located at or available from the NCTUE website is provided “as is,” and NCTUE makes no representations or warranties, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, title or non-infringement of proprietary rights. Without limiting the foregoing, NCTUE makes no representation or warranty that content located on the NCTUE website is free from error or suitable for any purpose; nor that the use of such content will not infringe any third party copyrights, trademarks or other intellectual property rights.

Links to Third Party Websites: Although the NCTUE website may include links providing direct access to other Internet resources, including websites, NCTUE is not responsible for the accuracy or content of information contained in these sites.."

Huh?! As is? The data NCTUE collected is being used for credit decisions. Reliability and accuracy matters. And, there are more concerns.

While at the NCTUE site, I briefly browsed the credit freeze information, which is hosted on an outsourced site, the Exchange Service Center (ESC). What's up with that? Why a separate site, and not a cohesive single site with a unified customer experience? This design gives the impression that the security freeze process was an afterthought.

Plus, the NCTUE and ESC sites present different policies (e.g., terms of use, privacy). Really? Why the complexity? Which policies rule? You'd think that the policies in both sites would be consistent and would mention each other, since consumers must use the two sites complete security freezes. That design seems haphazard. Not good.

There's more. Rather than use state-of-the-art, traditional web pages, the ESC site presents its policies in static Adobe PDF documents making it difficult for users to follow links for more information. (Contrast those thin policies with the more comprehensive Privacy and Terms of Use policies by TransUnion.) Plus, one policy was old -- dated 2011. It seems the site hasn't been updated in seven years. What fresh hell is this? More haphazard design. Why the confusing user experience? Not good.

Image of confusing drop-down menu for exchanges within the security freeze process. Click to view larger version There's more. When placing a security freeze, the ESC site includes a drop-down menu asking consumers to pick an exchange (e.g., NCTUE, Centralized Credit Check System, California Utility Exchange, NYDE). The confusing drop-down menu appears in the image on the right. Which menu option is the global security freeze? Is there a global option? The form page doesn't say, and it should. Why would a consumer select one of the exchanges? Perhaps, is this another slick attempt to limit the effectiveness of security freezes placed by consumers. Not good.

What can consumers make of this? First, the NCTUE site seems to be a slick way for Equifax to skirt the security freezes which consumers have placed upon their credit reports. Sounds like a definite end-run to me. Surprised? I'll bet. Angry? I'll bet, too. We consumers paid good money for security freezes on our credit reports.

Second, the combo NCTUE/ESC site seems like some legal, outsourcing ju-jitsu to avoid all liability, while still enjoying the revenues from credit-report sales. The site left me with the impression that its design, which hasn't kept pace during the years with internet best practices, was by a committee of attorneys focused upon serving their corporate clients' data collection and sharing needs while doing the absolute minimum required legally -- rather than a site focused upon the security needs of consumers. I can best describe the site using an old film-review phrase: a million monkeys with a million crayons would be hard pressed in a million years to create something this bad.

Third, credit reporting agencies get their data from a variety of sources. So, their business model is based upon data sharing. NCTUE seems designed to effectively do just that, regardless of consumers' security needs and wishes.

Fourth, this situation offers several reminders: a) just about anyone can set up and operate a credit reporting agency. No special skills nor expertise required; b) there are both national and regional credit reporting agencies; c) credit reports often contain errors; and d) credit reporting agencies historically have outsourced work, sometimes internationally -- for better or worse data security.

Fifth, you now you know what criminals and fraudsters already know... how to skirt the security freezes on credit reports and gain access to consumers' sensitive information. The combo NCTUE/ESC site is definitely a high-value target by criminals.

My first impression of the NCTUE site: haphazard design making it difficult for consumers to use and to trust it. What do you think?


San Diego Police Widely Share Data From License Plate Database

Images of ALPR device mounted on a patrol car. Click to view larger version Many police departments use automated license plate reader (ALPR or LPR) technology to monitor the movements of drivers and their vehicles. The surveillance has several implications beyond the extensive data collection.

The Voice of San Diego reported that the San Diego Police Departments shares its database of ALPR data with many other agencies:

"SDPD shares that database with the San Diego sector of Border Patrol – and with another 600 agencies across the country, including other agencies within the Department of Homeland Security. The nationwide database is enabled by Vigilant Solutions, a private company that provides data management and software services to agencies across the country for ALPR systems... A memorandum of understanding between SDPD and Vigilant stipulates that each agency retains ownership of its data, and can take steps to determine who sees it. A Vigilant Solutions user manual spells out in detail how agencies can limit access to their data..."

San Diego's ALPR database is fed by a network of cameras which record images plus the date, time and GPS location of the cars that pass by them. So, the associated metadata for each database record probably includes the license plate number, license plate state, vehicle owner, GPS location, travel direction, date and time, road/street/highway name or number, and the LPR device ID number.

Information about San Diego's ALPR activities became public after a data request from the Electronic Frontier Foundation (EFF), a digital privacy organization. ALPRs are a popular tool, and were used in about 38 states in 2014. Typically, the surveillance collects data about both criminals and innocent drivers.

Images of ALPR devices mounted on unmarked patrol cars. Click to view larger version There are several valid applications: find stolen vehicles, find stolen license plates, find wanted vehicles (e.g., abductions), execute search warrants, find parolees, and find wanted parolees. Some ALPR devices are stationary (e.g., mounted on street lights), while others are mounted on (marked and unmarked) patrol cars. Both deployments scan moving vehicles, while the latter also facilitates the scanning of parked vehicles.

Earlier this year, the EFF issued hundreds of similar requests across the country to learn how law enforcement currently uses ALPR technology. The ALPR training manual for the Elk Grove, Illinois PD listed the data archival policies for several states: New Jersey - 5 years, Vermont - 18 months, Utah - 9 months,  Minnesota - 48 hours, Arkansas - 150 days, New Hampshire - not allowed, and California - no set time. The document also stated that more than "50 million captures" are added each month to the Vigilant database. And, the Elk Grove PD seems to broadly share its ALPR data with other police departments and agencies.

The SDPD website includes a "License Plate Recognition: Procedures" document (Adobe PDF), dated May 2015, which describes its ALPR usage and policies:

"The legitimate law enforcement purposes of LPR systems include the following: 1) Locating stolen, wanted, or subject of investigation vehicles; 2) Locating witnesses and victims of a violent crime; 3) Locating missing or abducted children and at risk individuals.

LPR Strategies: 1) LPR equipped vehicles should be deployed as frequently as possible to maximize the utilization of the system; 2) Regular operation of LPR should be considered as a force multiplying extension of an officer’s regular patrol efforts to observe and detect vehicles of interest and specific wanted vehicles; 3) LPR may be legitimately used to collect data that is within public view, but should not be used to gather intelligence of First Amendment activities; 4) Reasonable suspicion or probable cause is not required for the operation of LPR equipment; 5) Use of LPR equipped cars to conduct license plate canvasses and grid searches is encouraged, particularly for major crimes or incidents as well as areas that are experiencing any type of crime series... LPR data will be retained for a period of one year from the time the LPR record was captured by the LPR device..."

The document does not describe its data security methods to protect this sensitive information from breaches, hacks, and unauthorized access. Perhaps most importantly, the 2015 SDPD document describes the data sharing policy:

"Law enforcement officers shall not share LPR data with commercial or private entities or individuals. However, law enforcement officers may disseminate LPR data to government entities with an authorized law enforcement or public safety purpose for access to such data."

However, the Voice of San Diego reported:

"A memorandum of understanding between SDPD and Vigilant stipulates that each agency retains ownership of its data, and can take steps to determine who sees it. A Vigilant Solutions user manual spells out in detail how agencies can limit access to their data... SDPD’s sharing doesn’t stop at Border Patrol. The list of agencies with near immediate access to the travel habits of San Diegans includes law enforcement partners you might expect, like the Carlsbad Police Department – with which SDPD has for years shared license plate reader data, through a countywide arrangement overseen by SANDAG – but also obscure agencies like the police department in Meigs, Georgia, population 1,038, and a private group that is not itself a police department, the Missouri Police Chiefs Association..."

So, the accuracy of the 2015 document is questionable, it it isn't already obsolete. Moreover, what's really critical are the data retention and sharing policies by Vigilant and other agencies.


Mystery Package Scam Operating on Amazon Site. What It Is, The Implications, And Advice For Victims

Amazon logo Last fall, a couple living in a Boston suburb started receiving packages they didn't order from Amazon, the popular online retailer. The Boston Globe reported that the couple living in Acton, Massachusetts:

"... contacted Amazon, only to be told that the merchandise was paid for with a gift card. No sender’s name, no address. While they’ve never been charged for anything, they fear they are being used in a scam... The first package from Amazon landed on Mike and Kelly Gallivan’s front porch in October. And they have continued to arrive, packed with plastic fans, phone chargers, and other cheap stuff, at a rate of one or two a week."

The packages were delivered to the intended recipient. Nobody knows who sent the items: wireless chargers, a high-intensity flashlight, a Bluetooth speaker, a computer vacuum cleaner, LED tent lamps, USB cables, and more. After receiving 25 packages since October, the couple now wants it to stop. What seemed funny at first, is now a nuisance.

The Gallivans are not alone. CBC News reported that students at several universities in Canada have also received mystery packages containing a variety of items they didn't order:

"The items come in Amazon packaging, but there's no indication who's ordering the goods from the online retail giant. "We're definitely confused by it," said Shawn Wiskar, University of Regina Students' Union vice-president of student affairs. His student union has received about 15 anonymous packages from Amazon since late November, many of which contained multiple items. Products sent so far include iPad cases, a kitchen scale and a "fleshlight" — a male sex toy in the shape of a flashlight... Six other university student unions — Dalhousie in Halifax; St. Francis Xavier in Antigonish (Nova Scotia); Ryerson in Toronto; Wilfrid Laurier in Waterloo, Ontario; Royal Roads in Victoria; and the University of Manitoba in Winnipeg — have also confirmed that they've been receiving mysterious Amazon packages since the fall."

Experts speculate that the mystery packages were sent by fraudsters trying to game the retailer's review system. Consumers buy products on Amazon.com either directly from the retailer or from independent sellers listed on the site. The Boston Globe explained:

"Here’s how two experts who used to work for Amazon, James Thomson and Chris McCabe, say it probably works: A seller trying to prop up a product would set up a phony e-mail account that would be used to establish an Amazon account. Then the seller would purchase merchandise with a gift card — no identifying information there — and send it to a random person, in this case the Gallivans. Then, the phantom seller, who controls the “buyer’s” e-mail account, writes glowing reviews of the product, thus boosting the Amazon ranking of the product."

If true, then there probably are a significant number of bogus reviews on the Amazon site. The Boston Globe's news item also suggested that a data breach within a seller's firm might have provided scammers with valid mailing addresses:

"How did Mike, to whom the packages are addressed, get drawn into this? On occasion he’s ordered stuff on Amazon and received it directly from a manufacturer, once from China. That manufacturer or some affiliate may have scooped Mike’s name and address."

If true, then that highlights the downside of offshore outsourcing, where other countries don't mandate data breach disclosures. Earlier in 2017, a resident of Queens in New York City received packages with products she didn't order:

"... All she knows is that the sender is some guy named Kevin who uses Amazon gift cards... And she’s reported the packages to the NYPD, the FBI and the Better Business Bureau since Amazon hasn’t made the deliveries stop."

In that news report, a security expert speculated that criminals were testing stolen debit- and gift-card numbers. Did a seller have a data breach which went unreported? Lots of questions and few answers.

Security experts advise consumers to report packages they didn't order to various law enforcement and agencies, as the Queens resident did. Ultimately, her deliveries stopped, but not for the Gallivans.

Amazon has been unable to identify the perpetrators. At press time, a search of Amazon's Help and Customer Service site section failed to find content helping consumers victimized by this scam.

Perhaps, it is time for law enforcement and the U.S. Federal Trade Commission to step in. Regardless, we consumers will probably hear more news in the future about this scam.


Security Researcher Finds Unprotected Voter Files Online Affecting Up To 1.8 Million Chicagoans

While looking for unprotected data in cloud storage services, a security researcher found unprotected information for as many as 1.8 million voters in Chicago. CBS Chicago reported:

"It was Friday Aug. 11 in Silicon Valley. John Hendren, a marketing representative for IT security firm UpGuard, was looking for insecure data in the cloud. He randomly plugged in "Chicago … db," for “Chicago database,” and hit the jackpot. He found names, addresses, birth dates, driver’s license numbers and the last four digits of Social Security numbers for up to 1.8 million Chicago voters..."

How the breach happened:

"Chicago’s vendor is ES&S, out of Omaha, Nebraska. The company has been paid more than $5 million since 2014 by the Chicago Board of Elections. The company placed the data folder on Amazon Web Services (AWS) with the wrong security settings, Tom Burt, the firm’s CEO, recently told Chicago officials. Burt says managers missed the gaffe, and the database remained online for six months, until UpGuard found it. Company officials say they don’t believe the information ended up on the “dark web” for identity thieves to attain..."

The CBE's breach notice (Adobe PDF) provided a more complete list of the data elements exposed:

"... The personal information contained in the back-up files included voter names, addresses, and dates of birth, and many voters’ driver’s license and State ID numbers and the last four digits of Social Security numbers. Upon discovery of the Incident, ES&S promptly took the AWS server off-line, secured the back-up files, and commenced a forensics investigation. ES&S also hired two specialized third-party vendors to conduct searches to determine whether any personal information stored on the back-up files was available on the Dark Web. The results of ES&S’ investigations have not uncovered any evidence that any voter’s personal information stored on the AWS server was misused..."

This is bad for several reasons. First, the data elements exposed or stolen are enough for cyber criminals to do sufficient damage to breach victims. Second, just because the post-breach investigation didn't find misuse of data doesn't mean there wasn't any. It simply means they didn't find any misuse.

Third, it would be unwise to assume that the breach wasn't that bad because only the last 4 digits of Social Security numbers were exposed. Security researchers have known for a long time that Social Security numbers are easy to guess:

"... a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries... Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits... Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially..."

So, it's long past time to stop using the last four digits of Social Security numbers as identification. Fourth, the incident makes one wonder when -- if ever -- the unprotected data folder would have been discovered by ES&S or CBE, if the security researcher hadn't found it. That's unsettling. It calls into question the security methods and managerial oversight at ES&S.

This isn't the first breach at the Chicago Board of Elections (CBE). A CBE breach in 2012 exposed the sensitive personal information of at least 1,000 voters, after initial reports estimated the number of affected voters at 1.7 million. Before that, the CBE faced several lawsuits in 2007 claiming negligence after:

"... it distributed more than 100 computer disks containing Social Security numbers and other personal data on more than 1.3 million voters to alderman and ward committee members."

Reportedly, in 2016 foreign cyber criminals hacked the Illinois Board of Elections' voter registration system. A similar attack happened in Arizona. The main takeaway: voter registration databases are high-value targets.

So, strong data security measures and methods seem wise; if not necessary. The latest incident makes one wonder about: a) the data security language and provisions in CBE's outsourcing contract with ES&S, and b) the agency's vendor oversight.

Will Chicago residents demand better data security? I hope so. What do you think?


Why The IRS Gave Equifax A No-Bid Contract Extension

You've probably heard the news. The Internal Revenue Service (IRS) gave a no-bid contract to Equifax, even after knowing about the credit reporting agency's massive data breach and arguably lackadaisical data security approaches by management.

Why would the IRS do this? The contract's synopsis in the Federal Business Opportunities (FBO) site stated on September 30:

"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service. A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."

C/Net explained the decision and sequence of key events:

"The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013... The contract, first reported by Politico,... describes the agreement as a "sole source order," calling Equifax's help a "critical service." When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach... The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support told members of Congress. Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move onto its new partner. That meant that when the IRS' old contract with Equifax was supposed to expire on Friday (Sept. 29), Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks."

Wow! So, the IRS was caught between a rock and a hard place... or "caught between a rock and a hacked place" as C/Net described. Apparently, consumers taxpayers are also caught.

Once again, another mess involving Equifax gives consumers that "I've been mugged" feeling.


Data Breach Exposes Information Of Millions Of Verizon Customers

Verizon logo A data breach at Verizon has exposed the sensitive information of millions of customers. ZD Net reported:

"As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of NICE Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address."

Many businesses use cloud services vendors  -- Amazon Web Services and other vendors -- to outsource the storage of customers' information in online databases. While the practice isn't new, a problem is that customers aren't always informed of the business practice using their sensitive information.

Founded in 1986, NICE Systems has 3,500 employees, serves about 25,000 customers in 150 countries, and provides services to 85 percent of Fortune 100 companies. The exact number of affected Verizon customers is disputed.

The security firm Upguard found the unprotected cloud-based storage server:

"Upguard's Cyber Risk Team can now report that a mis-configured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: July 12, 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed)."

Whether the total number of breach victims is 6 or 14 million customers, neither is good. The phrase "account details" is troubling. That could mean anything from e-mail addresses to payment information to residential addresses, or more.

Upguard's announcement added:

"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data... Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."

Agreed. This outsourcing business practice may be profitable for all companies involved, but the outsourcing practice does not decrease the risks. Not good. Mis-configured cloud servers should not happen. Not good. The event raises the question: when has this happened before, but went undetected?

Verizon released a statement about the incident:

"... an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts..."

Typically, after a breach companies hire independent security experts to investigate breaches and the contributing causes. Verizon's announcement did not state who, if anyone, it hired to perform a post-breach investigation nor when. So, according to Verizon: no big deal. No problem. Hmmmmm.

Reportedly, Upguard notified Verizon about the breach on June 13, and the breach was fixed on June 22. Upguard added:

"The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

Troubling, indeed. What took Verizon (and/or Nice Systems) so long? Verizon's statement didn't say. And what is Verizon (and/or NICE Systems) doing so this type of breach doesn't happen again? I look forward to upcoming explanations by both companies.

Readers: what are your opinions of this data breach? Of how long it took Verizon to fix things? Of the outsourcing practice? Verizon customers:

  • Is Verizon doing enough to protect your sensitive data?
  • Should affected customers be notified directly?
  • Have you received a breach notice from Verizon? If so, share some of its details.

Dozens Of Uber Employees Fired Or Investigated For Harassment. Uber And Lyft Drivers Unaware of Safety Recalls

Uber logo Ride-sharing companies are in the news again and probably not for the reasons their management executives would prefer. First, TechCrunch reported on Thursday:

"... at a staff meeting in San Francisco, Uber executives revealed to the company’s 12,000 employees that 20 of their colleagues had been fired and that 57 are still being probed over harassment, discrimination and inappropriate behavior, following a string of accusations that Uber had created a toxic workplace and allowed complaints to go unaddressed for years. Those complaints had pushed Uber into crisis mode earlier this year. But the calamity may be just beginning... Uber fired senior executive Eric Alexander after it was leaked to Recode that Alexander had obtained the medical records of an Uber passenger in India who was raped in 2014 by her driver."

"Recode also reported that Alexander had shared the woman’s file with Kalanick and his senior vice president, Emil Michael, and that the three men suspected the woman of working with Uber’s regional competitor in India, Ola, to hamper its chances of success there. Uber eventually settled a lawsuit brought by the woman against the company..."

News broke in March, 2017 about both the Recode article and the Grayball activity at Uber to thwart local government code inspections. In February, a former Uber employee shared a disturbing story with allegations of sexual harassment.

Lyft logo Second, the investigative team at WBZ-TV, the local CBS afiliate in Boston, reported that many Uber and Lyft drivers are unaware of safety recalls affecting their vehicles. This could make rides in these cars unsafe for passengers:

"Using an app from Carfax, we quickly checked the license plates of 167 Uber and Lyft cars picking up passengers at Logan Airport over a two day period. Twenty-seven of those had open safety recalls or about 16%. Recalls are issued when a manufacturer identifies a mechanical problem that needs to be fixed for safety reasons. A recent example is the millions of cars that were recalled when it was determined the airbags made by Takata could release shrapnel when deployed in a crash."

Both ride-sharing companies treat drivers as independent contractors. WBZ-TV reported:

"Uber told the [WBZ-TV investigative] Team that drivers are contractors and not employees of the company. A spokesperson said they provide resources to drivers and encourage them to check for recalls and to perform routine maintenance. Drivers are also reminded quarterly to check with NHTSA for recall information."

According to the president of the Massachusetts Bar Association Jeffrey Catalano, the responsibility to make sure the car is safe for passengers lies mainly with the driver. But because Uber and Lyft both advertise their commitment to safety on their websites, they too could be held responsible."


Federal Reserve Survey of Experiences of Younger Workers

The Federal Reserve Board (FRB) recently released the results of its survey of younger workers ages 18 to 30 with data through 2015. The survey found that younger workers overall:

"... experienced higher rates of unemployment and lower rates of labor force participation than the general population for at least two decades, and the Great Recession exacerbated this phenomenon. Despite a substantial labor market recovery from 2009 through 2014, vulnerable populations—including the nation’s young adults—continue to experience higher rates of unemployment. Changes in labor market conditions, including globalization and automation, have reduced the availability of well-paid, secure jobs for less-educated persons, particularly those jobs that provide opportunity for advancement. Furthermore, data suggest that young workers entering the labor market are affected by a long-running increase in the use of “contingent” or “alternative” work arrangements, characterized by contracted, part-time, temporary, and seasonal work."

Specific findings about younger workers' attitudes:

"In 2015, the majority of young adults (61 percent) are optimistic about their future job opportunities, showing an increase in optimism from 2013 (45 percent)... the likelihood that a young adult is optimistic about future job opportunities increases with higher levels of education... young adults continue to have a strong preference for steady employment (62 percent) over higher pay (36 percent)... Among respondents who prefer steady employment, 80 percent would rather have one steady job than a stream of steady jobs for the next five years...

Most young adults are not sure how their standard of living will compare with their parents’ standard of living. Young adults with at least one parent with a bachelor’s degree (or higher) are more likely to believe their standard of living will be lower than their parents (4 percent) when compared with young adults whose parents have a high school education or less (1 percent)...

Specific findings about younger workers' experiences:

"28 percent of respondents are currently enrolled as students in a certificate or degree program. Most students are enrolled in degree programs... most undergraduate students are identified “nontraditional” because they are over age 23, enrolled in school part time, working full time, and/or financially independent. 10 percent of respondents are “non-completers,” meaning they are not currently enrolled in a certificate or degree program they started... 62 percent of respondents with post-secondary education worked while in school to finance all or part of their most recent education. 52 percent of respondents with post-secondary educational experience have parents that contributed financially to their education. 46 percent of respondents incurred debt to pay for some portion of their education or training...

41 percent of respondents believe they have the level of education and training needed for the type of job that they would like to hold in the next five years... 66 percent of young adults received information about jobs and careers during high school. And, 69 percent of young adults received such information in college...

Less than half (45 percent) of employees work in a career field that is closely related to their educational and training background... Many young adults gained early work experience during high school, college, or both. 53 percent of young adults had a paid job during high school, and 77 percent of young adults had a paid job during college..."

A key takeaway: about 30 percent of young adults did not receive information about jobs and careers in high school nor college. That seems to be an area the educational sector must improve upon.

4,135 potential respondents were contacted for the 2015 survey, and 2,035 completed surveys (49 percent response rate). FRB staff designed the survey, which was administered by GfK, an online consumer research company.

More notable statistics from the survey: about 69 percent of survey respondents have some form of paid employment, up from 60 percent in 2013. 63 percent of employees held a single full-time job during the past year, and 18 percent of employees held multiple full-time jobs during the past year. Profile information about employed younger workers:

"78 percent of employees have a permanent/long-term job... 75 percent of employees in the survey have a full-time job... Among part-time employees surveyed, 49 percent were identified as underemployed, as they are working part time because of economic conditions. Meanwhile, 42 percent of part-time employees prefer part-time work... The percent of young workers who have health insurance increased from 2013 (70 percent) to 2015 (82 percent). Likewise, the percent of young workers who received paid time off for sick leave, holidays, or both from any of their paid jobs increased from 2013 (59 percent) to 2015 (62 percent)...

As adults, 43 percent of employees have formed a new household with their immediate family (i.e., spouse/partner), and 20 percent have formed a new household alone or with a roommate..."

Self-sufficiency is important. The report found:

"... 73 percent of employees are able to cover their monthly household expenses with their household income. Meanwhile, 22 percent of employees report that they are sometimes able to cover their monthly household expenses, and 4 percent are not able to cover their monthly household expenses at all... Among employees who are not able to cover their household expenses some or all of the time, 64 percent reduce their monthly expenses to meet the challenge, 56 percent do not pay some bills, 54 percent borrow money from family, 46 percent use their credit cards, 41 percent use savings, and 16 percent borrow from friends.

A key consideration regarding self-sufficiency is the ability of a household to withstand financial disruptions. Among young workers, the ability to go without a paycheck temporarily improved between 2013 and 2015. The percent of young workers who can pay their living expenses if out of work for four weeks improved from 38 percent in 2013 to 45 percent in 2015..."

The report cited 4 policy implications to address the findings:

  1. Improve Alignment between Education and the Labor Market
  2. Increase Opportunities for Non-degree Education
  3. Provide Assistance and Protections for Workers with Alternative Work Arrangements
  4. Seek Opportunities to Improve Job Growth

There is plenty of information in the 120-page report, which is available at the FRB site and here (Adobe PDF; 1,190.2K bytes).


Big Data Brokers: Failing With Privacy

You may not know that hedge funds, in both the United Kingdom and in the United States, buy and sell a variety of information from data brokers: mobile app purchases, credit card purchases, posts at social networking sites, and lots more. You can bet that a lot of that mobile information includes geo-location data. The problem: consumers' privacy isn't protected consistently.

The industry claims the information sold is anonymous (e.g., doesn't identify specific persons), but researchers have it easy to de-anonymize the information. The Financial Times reported:

"The “alternative data” industry, which sells information such as app downloads and credit card purchases to investment groups, is failing to adequately erase personal details before sharing the material... big data is seen as an increasingly attractive source of information for asset managers seeking a vital investment edge, with data providers selling everything from social media chatter and emailed receipts to federal lobbying data and even satellite images from space..."

One part of the privacy problem:

“The vendors claim to strip out all the personal information, but we occasionally find phone numbers, zip codes and so on,” said Matthew Granade, chief market intelligence officer at Steven Cohen’s Point72. “It’s a big enough deal that we have a couple of full-time tech people wash the data ourselves.” The head of another major hedge fund said that even when personal information had been scrubbed from a data set, it was far too easy to restore..."

A second part of the privacy problem:

“... there is no overarching US privacy law to protect consumers, with standards set individually by different states, industries and even companies, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society..."

The third part of the privacy problem: consumers are too willing to trade personal information for convenience.


High Tech Companies And A Muslim Registry

Since the Snowden disclosures in 2013, there have been plenty of news reports about how technology companies have assisted the U.S. government with surveillance programs. Some of these activities included surveillance programs by the U.S. National Security Agency (NSA) including innocent citizens, bulk phone calls metadata collection, warrantless searches by the NSA of citizen's phone calls and emails, facial image collection, identification of the best collaborator with NSA spying, fake cell phone towers (a/k/a 'stingrays') used by both federal government agencies and local police departments, and automated license plate readers to track drivers.

You may also remember, after Apple Computer's refusal to build a backdoor into its smartphones, the U.S. Federal Bureau of Investigation bought a hacking tool from a third party. Several tech companies built the reform government surveillance site, while others actively pursue "Surveillance Capitalism" business goals.

During the 2016 political campaign, candidate (and now President Elect) Donald Trump said he would require all Muslims in the United States to register. Mr. Trump's words matter greatly given his lack of government experience. His words are all voters had to rely upon.

So, The Intercept asked several technology companies a key question about the next logical step: whether or not they are willing to help build and implement a Muslim registry:

"Every American corporation, from the largest conglomerate to the smallest firm, should ask itself right now: Will we do business with the Trump administration to further its most extreme, draconian goals? Or will we resist? This question is perhaps most important for the country’s tech companies, which are particularly valuable partners for a budding authoritarian."

The companies queried included IBM, Microsoft, Google, Facebook, Twitter, and others. What's been the response? Well, IBM focused on other areas of collaboration:

"Shortly after the election, IBM CEO Ginni Rometty wrote a personal letter to President-elect Trump in which she offered her congratulations, and more importantly, the services of her company. The six different areas she identified as potential business opportunities between a Trump White House and IBM were all inoffensive and more or less mundane, but showed a disturbing willingness to sell technology to a man with open interest in the ways in which technology can be abused: Mosque surveillance, a “virtual wall” with Mexico, shutting down portions of the internet on command, and so forth."

The response from many other companies has mostly been crickets. So far, only executives at Twitter have flatly refused, and included with its reply a link to its blog post about developer policies:

"Recent reports about Twitter data being used for surveillance, however, have caused us great concern. As a company, our commitment to social justice is core to our mission and well established. And our policies in this area are long-standing. Using Twitter’s Public APIs or data products to track or profile protesters and activists is absolutely unacceptable and prohibited.

To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products.

We have an internal process to review use cases for Gnip data products when new developers are onboarded and, where appropriate, we may reject all or part of a requested use case..."

Recently, a Trump-Pence supporter floated this trial balloon to justify such a registry:

"A prominent supporter of Donald J. Trump drew concern and condemnation from advocates for Muslims’ rights on Wednesday after he cited World War II-era Japanese-American internment camps as a “precedent” for an immigrant registry suggested by a member of the president-elect’s transition team. The supporter, Carl Higbie, a former spokesman for Great America PAC, an independent fund-raising committee, made the comments in an appearance on “The Kelly File” on Fox News...

“We’ve done it based on race, we’ve done it based on religion, we’ve done it based on region,” Mr. Higbie said. “We’ve done it with Iran back — back a while ago. We did it during World War II with Japanese.”

You can read the replies from nine technology companies at the Intercept site. Will other companies besides Twitter show that they have a spine? Whether or not such a registry ultimately violates the U.S. Constitution, we will definitely hear a lot more about this subject in the near future.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

Check Point chart about Gooligan malware. Click to view larger version This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others.The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

How the gooligan malware works by Check Point. Click to view larger version Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed the firmware of some Android devices, and and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has develop a web site for consumers to determine if their Google account has already been compromised:  https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.


Can Apple Move iPhone Production To The United States?

President Elect Donald Trump and his incoming administration have promised to "make America great again." That promise included a key policy position to move manufacturing -- and its jobs -- back to the United States; in particular move production of Apple iPhones to the USA:

"we have to bring Apple — and other companies like Apple — back to the United States. We have to do it. And that’s one of my real dreams for the country, to get … them back. We have a great capacity in this country."

Well, can it be done? And if so, what might the consequences be?

Nikkei Asia Review reported:

"Key Apple assembler Hon Hai Precision Industry, also known as Foxconn Technology Group, has been studying the possibility of moving iPhone production to the United States... Apple asked both Foxconn and Pegatron, the two iPhone assemblers, in June to look into making iPhones in the United States..."

Experts warn that moving production is complex and difficult. Not only must assembly operations be relocated, but new facilities must be located and built, plus nearby suppliers and transport services found, moved, and contracts obtained. During the globalization trend of the last 35 years, many manufacturing facilities in the USA were closed, destroyed, and replaced with other businesses. Plus, the remainaing facilities may be technologically obsolete. After solving these issues, then production workers must be hired.

With any major change, there often are unintended consequences. A possible consequence:

"Making iPhones in the U.S. means the cost will more than double... According to research company IHS Markit, it costs about $225 for Apple to make an iPhone 7 with a 32GB memory, while the unsubsidized price for such a handset is $649..."

Prices for unlocked iPhone7 with 32 GB phones on eBay range from $700 to $1,000.00. 128 and 256 GB versions cost even more. Would consumers be willing to pay higher prices, say 50 percent more, or even double?


Yahoo Confirms Massive Data Breach. Unclear If Users At Its Outsourcing Clients Were Also Affected

Yahoo logo After reports about a rumored announcement, Yahoo confirmed late on Thursday a massive data breach affecting half a billion users -- 500 million persons. Yahoo believes the breach was performed by a "state-sponsored actor."

Data elements exposed and stolen during the breach include full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. The breach dated back to 2014. This is very serious, and by far the largest breach ever. The data elements stolen facilitate spam and a variety of scams; plus access to email contacts such as clients, customers, and patients.

Yahoo's breach announcement stated:

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter..."

Yahoo is in the process of notifying affected persons. Affected users should change their passwords, security questions, and answers.

The breach announcement did not state if users at outsourcing clients were affected. Other companies and entities can outsource their e-mail services to Yahoo, or to other e-mail providers offering similar services. One such company appears to be AT&T. The "AT&T Email Basics" page (see image below) references a co-branded AT&T-Yahoo website for AT&T customers to check their e-mail.

AT&T Email Basics page references Yahoo site for email. Click to view larger version I reached out to AT&T for a comment. A reply was not received by press time. If its email users were affected by the breach, then those users will probably want to know who is going to assist them, and what assistance will be offered.

Given the pending acquisition of Yahoo by Verizon, several AT&T customers already discussed in an online forum concerns about what might happen to their e-mail service operated by a competitor. (Verizon said on Thursday it learned about the breach two days ago.) If users at outsourcing clients were also affected by the breach, then this might add to their uncertainty.

If you received a breach notice from Yahoo, what is your opinion of the response?


Digital Economy Workers Fight For Their Rights And Fair Treatment

The digital economy includes a variety of industries, ranging from e-commerce and auction sites (e.g., eBay, Etsy) to ride-sharing services (e.g., Uber, Lyft), and more. A lot of people love them, and participate as consumers, sellers, or workers. A recent article New York Times article about workers in the digital economy caught my attention:

"... many workers have felt squeezed and at times dehumanized by a business structure that promises independence but often leaves them at the mercy of increasingly powerful companies. Some are beginning to band together in search of leverage and to secure what they see as fairer treatment from the platforms that make the work possible."

Uber logo The article described a growing awareness among workers:

“We started realizing we’re not contractors, we’re more like employees,” said Berhane Alemayoh, one of the UberBlack drivers in Dallas. “They tell us what kind of car to drive. They kick you out if a customer accused you of not having a clean car. They started to tighten the rope. Gradually, we can’t breathe any more.”

In June, the California Labor Commission ruled that Uber drivers are employees, not contractors. In December, the Seattle City Council approved an ordinance allowing ride-sharing drivers to unionize. That was a first.

Uber drivers in New York City have protested. Clearly, rates for drivers must exceed the costs of auto payments, insurance, government fees, maintenance, repairs, gasoline, and commissions due the ride-sharing company. Otherwise, it's pointless. Learn more about UberBlack and how it differs from Uber X. Learn about UberSelect, UberBlack, and UberXL in Los Angeles.

Postmates logo The article cited more examples, including compensation and workers' safety issues:

"A group of couriers who find work on the platform Postmates is waging a campaign to create an “I’m done after this delivery” button because they worry that turning down jobs will affect how many future assignments they receive... The National Domestic Workers Alliance, which organizes nannies and housekeepers, recently produced what it calls the Good Work Code, which it has urged gig economy companies to adopt. “They would be dispatched to a home that didn’t feel safe, but would be hesitant to exit themselves from that situation because it might affect their ratings...”

National Domestic Workers Alliance logo Historically, independent contractors negotiate rates with businesses. Employees don't. Independent contractors, often called freelance workers, typically set their own hours and work approach. Employees don't. Employers typically tell employees when to work, where to work, how to do the job, specify the materials they must use, and dictate the pay rate. Perhaps, most importantly:

"... to the extent that the Dallas drivers have been successful, one crucial advantage is that they were able to organize in person rather than depend exclusively on the Internet and social media. That also helps explain the success of the campaign in Seattle, where Uber had previously reversed a rate cut after facing pressure from drivers..."

Experts have observed:

" "There’s a sense of workplace identity and group consciousness despite the insistence from many of these platforms that they are simply open ‘marketplaces’ or ‘malls’ for digital labor," said Mary L. Gray, a researcher at Microsoft Research and professor in the Media School at Indiana University who studies gig economy workers."

Who are these freelance workers? Forbes Magazine explained:

"... 53 million Americans, or 34% of the population, qualify as freelancers. Not all of them make their living exclusively as freelancers. The number includes 14.3 million workers who would be called “moonlighters”—people who have a primary, traditional job that pays benefits, and supplement their income with extra work, like a full-time tech support worker... Of the remaining 38.7 million, 21.1 million are what the survey calls “traditional” freelancers who do temporary work on a project basis. Some 9.3 million have multiple sources of income which can include a part-time job like working 20 hours a week at a dentist’s office. Another 5.5 million are temporary staffers who work for a single employer but not on a permanent basis that comes with benefits, like a business strategy consultant working for a startup on a contract that can include months of employment. Then there are the 2.8 million business owners who have between one and five employees..."

The issues aren't going away, as companies continue to outsource work globally, not only in the United States. So, you probably know people who work as freelancers. I know many in graphic design, website and mobile app development, and copy writing. Maybe you're a freelancer. I am.

Like any other business, companies in the digital economy merit watching by both freelancers and by customers. Nobody wants to support a business that mistreats its workers.

The examples cited in the newspaper highlight the fact that there's strength in numbers. Companies organize into trade associations, or industry trade groups, to promote their interests and influence government policies through federal, state, and local politicians. Workers should have the same freedoms to organize, if they choose. Both are natural (and necessary) components of a free-market capitalist system.

Don't like organizing? You don't have to join any group. However, when bad things happen in the workplace and you're unable to solve it alone, you may regret having rejected the support of a group. What are your opinions?


You've Got Email Trackers: A Tool Marketers Use To Spy On Consumers

The New York Times told the story of an executive who received a call at 10:30 pm on his smartphone from a marketer, minutes after opening an e-mail message from the same marketer. Coincidence? The executive didn't think so, and after some investigation found that the marketer had planted a tracking mechanism in the e-mail message.

This marketer took e-mail marketing to the creepy zone. The marketer arrogantly assumed the executive, a) wouldn't mind the tracking and privacy invasion; and b) was agreeable to receiving a late-night phone call. Inappropriate. If the executive was driving his car, the late-night call could have created a distracted driving risk. Dangerous.

This marketer isn't alone. According to The New York Times:

"The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker."

The e-mail tracking is possible because most users view HTML e-mail messages. One e-mail vendor's website home page highlights the industry's position:

Image of Sidekick home page. Click to view larger version.

Marketers want to know when, where, what device you use, and what link(s) you click on with their e-mails and advertisements. Yes, marketers should be able to evaluate their e-mail and marketing programs. At the same time, consumers have valid needs, often including privacy and the desire not to be tracked.

According to Pew Research, consumers perform a variety of tasks to thwart online tracking and data collection: delete browser cookies or browser history (59 percent), refuse to provide personal information irrelevant to the transaction (57 percent), set their browser to disable or turn off browser cookies (34 percent), and more. 86% of internet users have taken steps online to remove or mask their digital footprints. Plus, the growth in usage of ad-blockers by consumers highlights the desire not to be tracked (since many advertising networks contain tracking mechanisms):

"Between 15 to 17% of the U.S. population reportedly use ad blockers, and the number is double that for millennials. The numbers are even higher in Europe, and up to 80-90% in the case of specialty tech and gaming sites."

So, balance and respect are key. If marketers and advertisers are going to plant trackers in e-mail messages, then be honest and transparent: say so. Notify consumers. Provide opt-in mechanisms for consumers that don't mind the tracking.

Don't be that creepy marketer.

Will marketers act with respect and not go to the creepy, dark side? History suggests otherwise, given the litany of covert technologies marketers and advertisers have used to track consumers online: browser cookies, zombie cookies, zombie e-tags, Flash cookies to regenerate browser cookies users have deleted, super cookiescanvas finger-printing, and more recently cross-device tracking.

Aware consumers realize that surveillance isn't performed only by government spy agencies. Private-sector corporate marketers and advertisers do it, too. The New York Times article discussed one of the e-mail trackers used:

"... MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message..."

Unfortunately, both the good guys and bad guys (e.g., spammers, phishers) use e-mail trackers. Experts advise consumers to expect trackers planted in messages, and:

"A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links."

Ugly Email and Trackbuster, are tools consumers can use to detect trackers embedded in e-mail messages. The former is a Gmail plug-in.

What are your opinions of e-mail trackers? What software do you use to detect e-mail trackers?

[Editor's Note: an earlier version of this post linked the "cross-device tracking" text to a CBS News article. That link was updated to a more descriptive article at Ars Technica.]


Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

Medical Informatics Engineering logo After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a healthcare company we haven't and don't do business with. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of our sensitive personal information.

Background

The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected.  Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information from data-sharing during a sales pitch with employers. We continued to look for firmer answers.

Select Medical logo The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May, 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. i contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, and if so how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014 and that second employer used the Humana Wellness (e.g., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about its employees that were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra; and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never had any intentions nor did not register for health care through this second employer. My wife's situation is not unique since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation with people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know: your employer may share your information with their health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimize processing effort and expense) by sending one, massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends to their health care vendor data about all employees (without an opt-out mechanism), then more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared includes employees who want to sign up for their employer's health care plan. Simply, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers opens those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Media didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue who is to blame for the data security failure (e.g., breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. that includes your medical records. Since eligibility-file sourced data is archived, you don't have to be a health care plan subscriber or patient.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control and not employees. Consumers like my wife have been taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without a mechanism, then consumers have no control over both their medical and personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated. We wanted to be treated with respect. We know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?


Leaked Documents From The Ashley Madison Data Breach Highlight The Company's Technology Vendors

The fallout continues from the data breach at infidelity website Ashley Madison. Besides several class-action lawsuits filed against Ashley Madison, Forbes magazine reported that stolen documents highlight the company's information technology (I.T.) vendor relationships:

"In response to challenges of the data’s authenticity, Impact Team began a second series of dumps, including what appears to be essentially all corporate records, including source code, internal business documents and corporate emails of Avid Life Media/Ashley Madison... Within those hundreds of thousands of documents is one entitled Areas of Concern – Customer Data (abbreviated in this article, AoC)... The needle in the treasure trove haystack of corporate data... In the AoC, the IT business practices of Avid/Ashley Madison began to emerge, including its relationships with third party vendors. New Relic is mentioned as one of three third party IT vendors to Avid. Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor) and Redis/Memcached (alternative open source caching tools)... The AoC identifies New Relic as being a customer data “concern” (worry), by mentioning that it could employ “a hacker/bad actor” who could gain access to customer data. There was nothing in the AoC to indicate any reason to call out New Relic as a third party vendor presenting particular customer data security risks."

Assuming the leaked documents are accurate, one reason why this is important:

"The existence of third party IT vendors may be of interest to the increasing numbers of plaintiffs suing Avid and Ashley Madison. These plaintiffs have, to date, apparently not named these vendors as defendants."

Noel Biderman, the chief executive at Avid Life Media, Ashley Madison's parent company, resigned last week. The Wired article highlighted another reason:

"... the Missouri suit states that its anonymous plaintiff paid a $19 fee to have Ashley Madison delete her personal information from its servers but failed to deliver on that service."