While cyber security is not a ‘top-of-mind’ concern for American consumers, the sheer magnitude of this incident and how the company responded will not soon leave regulators’ memories.
California’s Updates on Breach and Security
Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.
The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state from helping federal intelligence agencies collect telephone records without warrants:
- SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
- AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (broaden the type of activity protected from unwarranted capturing of images or photographs; establish zones of privacy around schools and medical facilities; eliminate the existing physical trespass requirement for invasion of privacy; render illegal the use of drones and other electronic devices to capture images of individuals in their homes)
- AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
- AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
- SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
- SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress
Nate Silver’s FiveThirtyEight blog is featuring an algorithm-versus-the-marketplace bracket mechanism. While Brazil is heavily favored to win the World Cup, FiveThirtyEight favors them even more than the betting shops — based on “real math.” Nate describes the system as follows:
Today we’re launching an interactive that calculates every team’s chances of advancing past the group stage and eventually winning the tournament. The forecasts are based on the Soccer Power Index (SPI), an algorithm I developed in conjunction with ESPN in 2010. SPI has Brazil as the heavy favorite, with a 45 percent chance of winning the World Cup, well ahead of Argentina (13 percent), Germany (11 percent) and Spain (8 percent).
The overwhelming factor in this scoring is Brazil’s dominance at home.
Also, relatively good news for Team USA — the betting line has them at a 0.3% chance of winning the World Cup while FiveThirtyEight’s SPI has them at 0.4%.
Good luck #USMNT – indeed!
And, just in time, Symantec releases its 96-page report: “Latin American + Caribbean Cyber Security Trends.” The report includes individual country reports, which provide details on government capabilities for dealing with cyber security and cybercrime, including any relevant statistics released by the governing authorities regarding sectors affected by cybercrime. Symantec likewise provides some quick country stats, for example:
Internet Penetration: 49.8%
Fixed Broadband Subscribers: 9.2%
And, Symantec, along with its co-sponsor, Organization of American States, sounds the alarm bell for scams and potential vulnerabilities in relation to the World Cup. From the report:
The 2014 FIFA World Cup in Brazil is expected to be one of the largest sporting events of this century. While the world comes together to celebrate and compete in sport, cybercriminals have unfortunately identified vulnerabilities and may be plotting attacks against critical infrastructure. In fact, members of international hacking groups such as Anonymous have recently made threats against official websites operated by FIFA, the Brazilian Government and corporate sponsors of the games.
Several malware operations, phishing attacks, and email scams linked to the World Cup have already been discovered.
See the report at:
And now, Belgium:
Belgium is dangerous, but not as dangerous as tournament favorites Brazil, Germany and Argentina. Meanwhile, the Netherlands, France, Chile and Colombia also look more threatening than Belgium based on the things SPI looks at: pre-tournament resumes, form so far in the World Cup and, in the case of Chile and Colombia, games closer to home.
Our match-prediction algorithm gives the U.S. about a 42 percent chance of winning a knockout-stage game against Belgium based on each team’s SPI rating as of Thursday morning.
So, by now, we know the real SPI belongs to Germany. Cool graphic re: Twitter traffic during World Cup Final:
FiveThirtyEight’s revised analysis:
Germany didn’t begin the World Cup as the favorite. That honor belonged to (ahem) Brazil. But that’s a slightly deceptive measure. This was a top-heavy World Cup; not only Brazil but also Germany, Argentina and Spain would have been the front-runners in many past editions of the tournament.
By the end of the World Cup, Germany left little doubt it is the best team in the world. In fact, it may be the best national soccer team ever assembled.
AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures
In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law. Key recommendations include:
- Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
- Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
- Are third parties collecting personally identifiable information? If yes, say so
- Explain uses of personally identifiable information
- Describe what you collect, how you use it, how long you retain it
- Describe choices the consumer has regarding use/sharing of PII
- Use plain language – use graphics/icons
The guide includes summaries of relevant CA statutes (CalOPPA – broad requirement for privacy policies; AB 370 – tracking transparency). And, while there are no new regulations or enforcement mechanisms provided in the “guide,” obviously, entities doing business in California, and those entities previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook, etc.) will likely pay close attention to ensure compliance. The guide is called “Making Your Privacy Practices Public” and you can see it at:
Michaels Stores, Inc. is now reporting that two separate 8-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue. Reportedly, the security firms Michaels hired to investigate the “break-ins” initially found nothing, but the ultimate analysis confirmed the attacks “using highly sophisticated malware that had not been encountered previously by either of the security firms.” In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.” Michaels Stores had previously reported, in January of this year, following the disclosures regarding Target and Neiman Marcus, that it was investigating a potential security breach involving customers’ credit card information.
The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped their cards at the register. According to the information released by Michaels, it appears that the affected systems contained certain payment card information (card number and expiration date), but that there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.
See information regarding nature/scope of breach:
Using Anonymous Patient Data
The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute. This was part of the move to get better information and data out of the electronic health records initiative funded and spelled out in the Affordable Care Act. The anonymized or de-identified data is supposed to help clinicians draw meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry. The PCORI network is also supposed to identify patients who could be invited to join clinical trials. The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations. Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.
Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html
The FTC Can Seek to Enjoin
In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers. In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents. The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.” The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices. Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court. The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.” Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco). Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.
There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches. The injunction route can be fraught with technical issues and questions about how best to tailor oversight of an entity’s practices and promises. However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions. More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.
See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14
A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.” The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.
Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised. These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers. The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”
- Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
- Internet facing personal health data (example: web-based call center for medical supply entity);
- Security systems and edge devices (example: enterprise network controllers).
The report details the findings of a study that reviewed the largest sources of malicious traffic.
To get a copy of the report, go to: http://norse-corp.com
Now you see it…. and then maybe…
Snapchat, another messaging service that is supposed to delete content once it has been sent, recently suffered a “breach” of sorts. No sensitive information was released, but security researchers wanted to “expose” the vulnerabilities in the service, so they gained access to data and then posted user names and phone numbers on a site called SnapchatDB.info and made the data available for download.
The security researchers stated on this website: “This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
They also cautioned that they redacted part of the info: “For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”
Snapchat reportedly is going to update its applications to secure the data; from their website:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
Security experts have been concerned by the false sense of security that some of these messaging services purport to provide their users.
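The two mitigations Snapchat describes above (a per-user opt-out and rate limiting on the Find Friends lookup) as a toy service; this is an added example, not Snapchat’s code, and the directory, budgets and caller names are constructed.

```python
"""Added example, not Snapchat's code: a toy Find Friends lookup that
applies a per-user opt-out flag and a per-caller budget of phone numbers
per time window. All directory data is constructed."""
from collections import defaultdict, deque
import time

# Constructed directory: phone number -> (username, opted_out_of_find_friends)
DIRECTORY = {
    "+15550100001": ("alice", False),
    "+15550100002": ("bob", True),     # verified number, opted out
    "+15550100003": ("carol", False),
}


class FindFriendsService:
    def __init__(self, max_numbers, window_seconds, clock=time.monotonic):
        self.max_numbers = max_numbers      # numbers a caller may check per window
        self.window = window_seconds
        self.clock = clock                  # injectable for deterministic tests
        self._charges = defaultdict(deque)  # caller -> timestamps of checked numbers
        self.blocked_callers = set()        # callers that hit the cap (for alerting)

    def _charge(self, caller, count):
        """Sliding-window budget that counts every number submitted, not every
        call, so one large batch is limited the same way as many small ones."""
        now = self.clock()
        q = self._charges[caller]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) + count > self.max_numbers:
            self.blocked_callers.add(caller)
            return False
        q.extend([now] * count)
        return True

    def lookup(self, caller, numbers):
        """Return {number: username} for numbers whose owner has not opted out."""
        if not self._charge(caller, len(numbers)):
            raise PermissionError(f"{caller}: lookup budget exceeded")
        matches = {}
        for number in numbers:
            entry = DIRECTORY.get(number)
            if entry is not None and not entry[1]:   # opt-out hides the account
                matches[number] = entry[0]
        return matches


def demo():
    """A normal contact sync succeeds; a bulk sweep of a number range is refused."""
    fake_now = [0.0]
    svc = FindFriendsService(max_numbers=50, window_seconds=60, clock=lambda: fake_now[0])
    contacts = svc.lookup("phone-app-user", ["+15550100001", "+15550100002"])
    sweep = [f"+1555010{i:04d}" for i in range(200)]   # constructed number range
    try:
        svc.lookup("bulk-client", sweep)
        refused = False
    except PermissionError:
        refused = True
    fake_now[0] += 61.0                     # window expires; budget is restored
    refilled = svc.lookup("phone-app-user", ["+15550100003"])
    return contacts, refused, sorted(svc.blocked_callers), refilled
```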
See NYT blog for more info:
Snapchat reports customer complaints of an increase in spam but denies that the activity is related to the “Find Friends” breach.
Snapchat settled with the FTC – May 8, 2014
From the FTC’s Press release:
According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
It appears the settlement was for corrective and compliance actions but no monetary payment.
See also, critique of Snapchat –
Nice “panel” discussion published by Financier Worldwide.com and featuring this humble blogger:
Roundtable – Cyber Security 2014
Thanks to James Spavin and Peter Livingstone.
From KrebsOnSecurity: Target’s HVAC contractor was the vulnerability for the attack:
“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.
Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”
AND ON THE LITIGATION FRONT:
Banks file suit over their costs:
“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.
Notification to consumers (not just customers, apparently) appeared to be a phishing attack, with a link to a suspicious subdomain:
From the New York Times:
- Dec. 12 – The Secret Service requests a meeting with Target.
- Dec. 13 – Target is informed of the breach by the Secret Service and Justice Department.
- Dec. 15 – Target removes the malware that evening.
- Dec. 17 – Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.
- Dec. 18 – MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.
- Dec. 19 – Target makes its first public acknowledgement of the breach.
- Dec. 20 – Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.
Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee. See:
And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc. The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.
Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data – customer name, card number. News reports are estimating 40 million accounts impacted.
The Target website includes a banner at the top of the home page with a link to the current information. Click to that link and Target has included the following information, so far:
“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…
We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”
See notice at:
And news articles at:
UPDATE: It appears the magnetic stripe is getting the blame for the security weakness, along with the fact that the data from the Target systems was unencrypted as it transferred through the payment system. Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised. Target has not yet specifically identified the method of access or weakness that allowed for the breach.
Experts suggest it is time for U.S. card issuers to go to the chip-card system, currently in use in most other markets, as chip cards use a different encrypted mathematical value for each transaction, making it harder for criminals to use stolen data for future purchases.
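Why a per-transaction value defeats reuse of stolen card data, shown in a simplified model; this is an added illustration, not EMV or any card network’s protocol, and the PANs, key and amounts are constructed.

```python
"""Added example (not from the article or any card network): a simplified
model of why captured static card data is reusable but a per-transaction
cryptogram is not. Keys, PANs and amounts are constructed; this shows the
principle only, not the EMV protocol."""
import hashlib
import hmac


def cryptogram_for(key, pan, counter, amount):
    """Chip-side value bound to this card, this counter and this amount."""
    msg = f"{pan}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self.key, self.counter = pan, key, 0

    def pay(self, amount):
        self.counter += 1                      # never repeats for this card
        return (self.pan, self.counter, amount,
                cryptogram_for(self.key, self.pan, self.counter, amount))


class Issuer:
    def __init__(self):
        self.static_cards = {}   # PAN -> (expiry, cvv), magstripe-style
        self.card_keys = {}      # PAN -> secret shared only with the chip
        self.last_counter = {}   # PAN -> highest counter already accepted

    def issue_static(self, pan, expiry, cvv):
        self.static_cards[pan] = (expiry, cvv)

    def issue_chip(self, pan, key):
        self.card_keys[pan] = key
        self.last_counter[pan] = 0

    def authorize_static(self, pan, expiry, cvv, amount):
        # Everything checked is encoded on the card, so a copy works indefinitely.
        return self.static_cards.get(pan) == (expiry, cvv)

    def authorize_chip(self, pan, counter, amount, cryptogram):
        key = self.card_keys.get(pan)
        if key is None or counter <= self.last_counter[pan]:
            return False                       # unknown card or replayed counter
        expected = cryptogram_for(key, pan, counter, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False                       # tampered amount or forged value
        self.last_counter[pan] = counter
        return True


def demo():
    issuer = Issuer()
    issuer.issue_static("4111111111111111", "12/15", "123")   # constructed PAN
    card = ChipCard("4000000000000002", b"constructed-card-key")
    issuer.issue_chip(card.pan, card.key)
    # Static data captured once from a compromised register replays successfully.
    static_replay = issuer.authorize_static("4111111111111111", "12/15", "123", 50)
    # Chip: a genuine payment, the same message replayed, and the captured
    # cryptogram reattached to a new counter and amount.
    msg = card.pay(50)
    genuine = issuer.authorize_chip(*msg)
    replay = issuer.authorize_chip(*msg)
    pan, counter, _, cg = msg
    altered = issuer.authorize_chip(pan, counter + 1, 500, cg)
    return static_replay, genuine, replay, altered
```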
PINs also breached:
UPDATE AND COMMENTARY:
What are the prospects for class litigation? Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?
See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):