In a blog post, Yahoo reports that attackers now own an undisclosed number of usernames and passwords to Yahoo Mail accounts. User names and passwords would be attractive based upon the premise that consumers use the same name-password combination across multiple platforms, including for financial accounts.
In the Sony Gaming Networks litigation, currently pending in the U.S. District Court for the Southern District of California, the trial court entered a decision on January 21, 2014 ruling on Sony’s Motion to Dismiss class action litigation, which arose out of the April 2011 breach of Sony’s PlayStation Network. Sony sought dismissal of plaintiffs’ First Amended Complaint on several grounds, including standing. Sony argued that plaintiffs did not have standing to pursue non-Ohio state law claims on behalf of non-Ohio residents (the consolidated action includes Named Plaintiffs from Massachusetts, New Hampshire, Florida, California, Missouri, Michigan, Texas, Ohio and New York – fifty-one claims in the consolidated action, included negligence, negligent misrepresentation, breach of express/implied warranty, violation of state consumer protection statutes, violation of the CA Database Breach Act, violation of FCRA and bad faith). The court dismissed without leave to amend the Ohio and FCRA claims. In addition, Sony sought to dismiss on the basis of Article III standing – that plaintiffs’ allegations failed to allege an “injury-in-fact” as a result of the intrusion. Essentially, Sony sought another ruling on the issue in light of the Supreme Court’s ruling in the Clapper v. Amnesty International ruling. In Clapper, journalists and human rights activists alleged they were potential targets of the government under the Foreign Intelligence Surveillance Act (“FISA”) because their work requires them to communicate with international subjects. The Clapper plaintiffs argued that they would be targeted under the Act and they already had undertaken costly and burdensome measures to protect the confidentiality of international sources. The Supreme Court found that the claimants failed to show that the “threatened injury” was “certainly impending.” The Supreme Court stated that a “speculative chain of possibilities … based on potential future surveillance” was not enough. The Supreme Court also noted that if parties could base Article III standing on reasonably incurred costs to avoid the risk of future harm, this would water down the fundamental requirements of Article III.
Sony argued that the Clapper ruling resulted in a more “tightened ‘injury-in-fact’ analysis” than the standard relied upon by the trial court (under Krottner v. Starbucks). Judge Battaglia in the Sony Gaming decision refused to acknowledge a distinction between the analyses he previously made based on Krottner and the Supreme Court’s standards outlined in Clapper. Judge Battaglia stated that courts in the Ninth Circuit “have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed…” Judge Battaglia said that although Sony argued that plaintiffs’ allegations were insufficient because none of the named plaintiffs alleged that their personal information was actually accessed by a third party, nonetheless, plaintiffs “plausibly alleged a ‘credible threat’ of impending harm…”
So, another test of the injury-in-fact issue relating to so-called fear of identity theft. The cases cited by Judge Battaglia addressed whether personal information was disclosed (Facebook), whether personal information was even exposed (LinkedIn) or whether personal information had been disseminated (Google). The distinctions in the cases regarding whether a plaintiff can allege some kind of injury, for now, appear to relate to whether a court finds that the plaintiff(s) have alleged sufficient facts to show some kind of collection and disclosure of personal information. As more and more data breach scenarios are tested in class litigation, we likely will see courts continue to refine this analysis.
In other breach news, the Attorney General for the State of California filed suit on January 24, 2014 against Kaiser Foundation Health Plan alleging violations of unfair business codes because of Kaiser’s alleged delay in disclosing a breach of its security systems. The AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing unencrypted personal information of former and current Kaiser employees had been purchased by a member of the public at a thrift store in Santa Cruz. Included in the data were employee names, SSNs, DOBs, addresses and personal information of some employee spouses and children (data going back to 2009). Kaiser secured the data and conducted an exam revealing over 30,000 SSNs and other sensitive information, which exam was completed by December 28, 2011. Kaiser continued the inventory and the AG alleges that Kaiser had sufficient information to identify and notify at least some individuals between December 2011 and February 2012. Instead, the AG notes, Kaiser began mailing letters on or about March 19, 2012. The AG also alleges that Kaiser violated CA code by publicly posting or displaying SSNs of 20,000 plus residents. The AG seeks $2500 for each violation.
Yet another example of how the healthcare, health insurer industry will continue to remain a target given the wealth of member information they manage. As with the recent Target data breaches, predictably, legislators took the opportunity to investigate and interrogate company officials. See article at:
Now you see it…. and then maybe…
Snapchat, another messaging service that is supposed to delete content once it has been sent, recently suffered a “breach,” of sorts. No sensitive information was released but security researchers wanted to “expose” the vulnerabilities in the service so they gained access to data and then posted user names and phone numbers on a site called SnapchatDB.info and made the data available for download.
The security researchers stated on this website: “This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
They also cautioned that they redacted part of the info: “For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”
Snapchat reportedly is going to update its applications to secure the data; from their website:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
Security experts have been concerned by the false sense of security that some of these messaging services purport to provide their users.
See NYT blog for more info:
Snapchat reports of customer complaints of an increase in spam but denies that the activity is related to the “Find Friends” breach.
–Snapchat settled with the FTC – May 8, 2014–
From the FTC’s Press release:
According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
It appears the settlement was for corrective and compliance actions but no monetary payment.
See also, critique of Snapchat –
Nice “panel” discussion published by Financier Worldwide.com and featuring this humble blogger:
Roundtable – Cyber Security 2014
Thanks to James Spavin and Peter Livingstone.