Wells Fargo Data Disclosure Totally Human Error

And, I suspect, an attorney may be looking for a new job.

Angela Turiano, Principal at Bressler, Amery & Ross

About a week ago the New York Times disclosed that a former employee who was suing Wells Fargo Advisors (WFA) received data that he had not asked for: 1.4 gigabytes of it, actually.  Data on, he said, over 50,000 high net worth customers representing tens of billions of dollars invested through Wells' high net worth investment arm, Wells Fargo Advisors.  Wells Fargo Advisors is separate from the bank but a subsidiary of it.  It came from Wachovia when Wells swallowed Wachovia during the banking meltdown.  It is the second largest brokerage firm in the U.S. with $1.5 trillion in retail client assets under management (AUM), so this likely represents a couple of percent of its AUM.  Still, exceptionally embarrassing, especially when you consider that what was disclosed included the size of individual investors' portfolios, names, Social Security numbers and the fees the bank charged them, likely plus other embarrassing information.

The files were handed over to the former employee with no protective order and no confidentiality agreement.

Given that this former employee is not on friendly terms with WFA or, apparently, even his brother (whom he is also suing), rather than tell Wells that they goofed, he turned the data over to the New York Times, which, of course, published a story on it.  Nothing illegal about that, since there was no restriction on what he could do with the data.

Bloomberg is reporting that FINRA, the regulator of brokerage firms, is now investigating how Wells’ (outside) attorney could screw up so badly without WFA detecting it.

Based on documents filed with the court, we now understand what happened, and it is, very simply, human error by an attorney who understood neither the tools she was using nor the process she was supervising.  While WFA will take all the heat for this, the outside law firm is really to blame, pretty much 100 percent.

The attorney, Angela Turiano, a Principal at Bressler, Amery and Ross, admitted three things in court filings attempting to stem the bleeding (which at this point is basically impossible).  First, she did not understand the e-discovery tool she was using, so she reviewed only a small portion of the documents it turned up.  Second, she did not understand the responsibility of the vendor who sifted through the emails to find the responsive ones, so she assumed the vendor would do the redacting, which it did not.  Third, for some unknown reason, she never requested a protective order from the court to keep the data under control.  She admits all of this in a request asking the court to protect this barnful of information after the doors were not only left open but removed and then pulverized.

The judge did order the plaintiffs to stop distributing the information any further, to return all copies of the data in their possession (but likely not in any third party’s possession), to destroy any copies that they had made and to not use the data any further until a court hearing.

Of course, the damage is mostly done.  If the plaintiff did share this data with others or, worse yet, post it online, putting the genie back in the bottle is impossible.  Also, the plaintiff's attorneys won't just forget what they have read, and while they might not, depending on the outcome of the hearings and appeals, be able to use those specific documents, their knowledge is likely to color their approach to the case.  If there were any smoking guns in the 1-plus gigabytes of data they were given, they are likely going to push the court to let them use them.

As The New York Law Journal said, e-discovery is a minefield.  It used to be that you printed out or made copies of paper documents, and if you, as an attorney, had ten bankers boxes of documents to review, they were all in front of you.  In addition, you didn't have to worry about metadata (under the current rules of civil procedure you are required to produce documents in their original form; you cannot, for example, convert a Word document to a PDF to strip hidden artifacts unless you can show a justification for doing so).

Many attorneys are not computer whizzes, and the software interfaces are, in many cases, arcane.  Add to that the fact that they don't use e-discovery software every day and that there are many vendors of e-discovery software, each of which works differently, and you can see why it is a minefield.

All that notwithstanding, as more and more client data is digitized and more of it lives in the cloud, attorneys are going to need to make sure that they have in-house or contract experts who can help them with these issues.  Adding the cloud to the problem only makes it more complex and harder to corral.

While I have no direct knowledge, I would assume that Wells is not happy, may be considering suing the law firm for any number of reasons and may also be considering not using the firm ever again.  One also assumes that the law firm has contacted their professional liability insurance provider, just in case the worst happens.

This also means that companies hiring outside firms – such as, but not limited to, law firms – need to step up their third party vendor risk management program.  THAT failure falls directly in Wells Fargo Advisors' lap AS WELL AS THE LAW FIRM'S LAP.  Wells should have done a better job of managing the law firm, and the law firm should have done a better job of managing its discovery vendor.  And they are far from alone in not managing the risk their vendors bring with them to a sufficiently high level.

There is a lesson to be learned here and companies that don’t learn from other people’s mistakes – well, they get to repeat them.

Vendor risk management – more important than ever.

Information for this post came from The New York Times, Bloomberg and The New York Law Journal.

Fourth Cryptocurrency Heist in a Month – SEC May Step In

An undisclosed attack vector allowed a hacker to steal $8.4 million in Ethereum, a competitor to Bitcoin, during an “initial coin offering”.  This is the fourth time this month Ethereum alone has been attacked, not counting attacks on other cryptocurrencies (Bitcoin and Ethereum are two popular cryptocurrencies, that is, so-called currencies based on cryptography).

For the most part currencies, at least recognized ones such as the dollar or the euro, are regulated, controlled and guaranteed by governments.  None of that is true for cryptocurrencies.

The other hacks include a $7 million hack of Coindash, a $32 million hack of Parity and a $1 million hack of Bithumb.

Before panicking, remember: where there is money there are bandits.

People rob banks and we don’t stop using them (at least most people still use them).

People hack credit cards and we definitely still use them.

Hacking financial institutions has gone on for a long, long time.

Since cryptocurrencies are not regulated or guaranteed by any government, you are on your own when it comes to recouping losses.  That fact notwithstanding, Bitcoin, one of the most popular cryptocurrencies, has gone from a value of $1.00 in early 2011 to $2,674 today.  People love to speculate, and as long as you are not doing it with the rent money and understand the risk, that is fine.  People take risks all the time.

Since most cryptocurrency solutions are startups, many likely don't even have insurance.

In some cases the people who lost their money get paid back; sometimes they don't.  The issue with blockchains, which are behind most if not all cryptocurrencies, is that they are supposed to be unchangeable, so reversing a transaction violates “the prime directive”.  In at least one case that I am familiar with, that is exactly what happened.  They got their eraser out and deleted a transaction.

Not surprisingly, governments are watching what is going on with distinct interest and Reuters is reporting that the U.S. Securities and Exchange Commission is looking at regulating “Initial Coin Offerings” or ICOs.  While ICOs are not securities in the sense of an investor owning shares in a company, they are certainly an investment and as the SEC is responsible for protecting investors, it would make sense that they would be looking at this.  One reason that companies are issuing ICOs instead of IPOs is that they are not regulated, there is limited paperwork required and they don’t have to disclose investor risks at the same level that they would if they were doing an IPO.  Stay tuned to see if the SEC does in fact take action.  One question is whether or not ICOs are even in their regulatory authority or whether Congress would need to pass a law to allow them to do that.

All this means is that the cryptocurrency market is young and turbulent and investors should assume some degree of hiccups and loss.

One thing that makes Bitcoin, for example, different from the dollar is that Bitcoin exists totally in the world of software, and software always has bugs.  Hackers love to find bugs.  And exploit them.  As long as investors understand the risk, the market will evolve.

Information for this post came from The Hacker News and Reuters.

How To Get In Trouble When Outsourcing IT

The Swedish government has become embroiled in a scandal after an IT outsourcing deal went horribly wrong.

There was an old TV commercial that included the line “No one ever got fired for buying IBM”, implying that IBM was a safe bet.   Not in this case.

The Swedish Transport Agency decided to outsource its IT operations to IBM, which in itself is not problematic.  Unfortunately, apparently no one considered the security of what they were doing.

The data which IBM was now administrating included data about every VEHICLE and every DRIVER in the country, including those used by the police and the military.  IBM administrators in the Czech Republic were given access to all data and logs and did not have to go through any pesky background checks.

In addition, after uploading the entire database to the cloud, the Swedish Transport Agency emailed the entire database in messages to marketers that subscribe to it.  Included was every vehicle in the country including police and military registrations and people in the witness protection program.

And of course, as is normal for emails, it was all sent in the clear, unencrypted.

To compound the problem, when they discovered their error, they sent a new list by email, ASKING the recipients to delete the first email.

According to the head of privacy at VPN provider Private Internet Access, who blew the whistle, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”

Among the data was the weight capacity of all roads and bridges in the country – useful for understanding how troops and tanks might be moved in war time; names, photos and home addresses of the military’s most secret units and a lot of other very sensitive information.  You can read the article to see the rest of the list – not something you would want in your enemy’s hands.

The breach happened in 2015 and was discovered in 2016.  The director general of the Transport Agency was fired this year and fined about $8,000.

Oh, yeah, it is not likely that the database will be secured again for several more months, meaning that people without a clearance still have access to this data and that fact is now VERY public.

Suffice it to say, for the millions of Swedish citizens, police and military affected, there is a little bit of an upset.

There is, of course, a lesson to be learned and it is not DO NOT OUTSOURCE.  First, that is not the problem and second, that is not going to happen.

The lesson is that the security requirements are no different if you outsource IT than if you do it yourself.

How many readers of this column use third party IT firms or store their data, unencrypted, in the cloud, where THE CONTRACTS WITH THESE FIRMS DO NOT SPECIFY THE SECURITY REQUIREMENTS, SECURITY AUDIT PROCEDURES AND PENALTIES FOR FAILING TO COMPLY?

I suggest that everyone reading this should review their outsourcing agreements in light of this screw-up and see whether they are in the same boat.

Remember, if you handle HIPAA protected information, sensitive non-public financial information or other sensitive or export-controlled information, the law does not care if you choose to outsource your IT because it is more convenient or cost effective.  The rules for protecting it are exactly the same, whether IT is internally managed or outsourced.

Information for this post came from The Hacker News.


Saved By The Echo – Amazon Echo!

This is one of those pretty strange stories.

An Albuquerque man is in jail charged with beating and threatening his girlfriend and the prime witness is …. yes … an Amazon Echo.

The suspect, Eduardo Barros, was arrested July 2nd after a standoff with Albuquerque SWAT police officers.

The couple was house sitting for the victim’s parents at the time when the victim received a text.  Barros accused his girlfriend of cheating on him and said he was going to kill her if she called the cops.

He asked her (actually yelled at her) if she had called the Sheriff and – yes – the parents had an Amazon Echo in the house and it interpreted that to be a request for the Echo to call the Sheriff.

When 911 called the victim to verify what was going on, Barros saw the 911 caller ID, threw the victim to the ground and started kicking her.

The 911 operator overheard the screaming between the two and notified SWAT, who responded to the location, eventually arresting the suspect.

A court spokesperson said that Barros is facing 14 charges including false imprisonment and possession of a firearm by a convicted felon.  He is being held without bond.

It is certainly reasonable to assume that the victim would have been much more seriously hurt had her parents not had an Amazon Echo in the house.

We have seen a number of cases recently where Internet of Things devices from Amazon Echos to smart water heaters played a prominent role in apprehending criminals.

Information for this post came from Fox 6 News.

Don’t Turn on WiFi on Your Phone Until You Patch it

An interesting vulnerability was just announced that affects both Apple and Google/Android phones.  That is something that is very unusual.

The bug is tied to a chip that is present in nearly all cell phones and is separate from the phone's main processor: the Broadcom 43xx family of WiFi chipsets, which run their own firmware on their own processor.  According to Broadcom, this one chip can handle WiFi, Bluetooth and FM radio.

Unfortunately, researchers found a bug in the WiFi firmware that would allow an attacker to take over that chip and, from there, the entire phone.

The reason this affects both Apple and Android phones is that this chip is used by almost everyone.  From iPhone 5s to the newest Android phones, they are all impacted.

Apple just released iOS 10.3.3 (which may or may not have been downloaded to your iPhone yet) and Google just released an Android patch in the July updates.  Unlike Apple devices, Android users have to wait for manufacturers to pick up Google’s fixes and test them and then wait again for carriers to make them available.  The only users who do not have to wait are Google branded Android phone users.  Those users get their patches directly from Google.

What can you do?

Three answers.

If you are an Apple user, download iOS 10.3.3 and install it.  Done!

If you are a user who is running a relatively new version of the Android OS on your phone AND your phone manufacturer/carrier is actively releasing updates, you should install the July update as soon as it is available.  That might be 30 days or more.

If you are running an older version of the Android OS and/or your carrier/phone vendor is not releasing security updates, you are kind of out of luck.  Turn off your WiFi and DO NOT TURN IT ON EVER AGAIN.  For most people, this is probably the time to get a new phone.
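The three answers above boil down to one question per device: is the installed OS at or past the build that carries the fix?  The following is an added example (not code from the original post) that answers it for a list of devices.  It assumes two thresholds: iOS 10.3.3, which the post names, and an Android security patch level dated July 2017, since the post only says “the July update”; the exact Android date is an assumption, so confirm both against the vendor bulletin before trusting the result.  On Android the patch level is the value of the ro.build.version.security_patch system property (adb shell getprop ro.build.version.security_patch); the device list below is constructed sample data.

```python
"""Triage a device inventory against the WiFi-bug fix thresholds.

Added example, not from the original post. The thresholds are assumptions:
iOS 10.3.3 (named in the post) and the first July 2017 Android security
patch level (the post only says "the July update"). Verify both against
the vendor bulletin before relying on them.
"""
from datetime import date

IOS_FIXED = (10, 3, 3)            # from the post
ANDROID_FIXED = date(2017, 7, 1)  # assumption: earliest July 2017 patch level


def parse_ios_version(text):
    """'10.3.3' -> (10, 3, 3).

    Tuples compare numerically, so (10, 10, 0) > (10, 3, 3); a plain string
    comparison would rank '10.10' below '10.3.3' and call a newer phone
    unpatched.  Missing components are treated as zero ('11' -> (11, 0, 0)).
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_android_patch_level(text):
    """Value of ro.build.version.security_patch, e.g. '2017-07-05'.

    Returns None when the property is empty or not an ISO date, which on
    real devices means the build predates monthly security patch levels.
    """
    try:
        return date.fromisoformat(text.strip())
    except (ValueError, AttributeError):
        return None


def is_patched(platform, version):
    """True if the device is at or past the fix, False if not, None if the
    platform is not one we know how to judge."""
    platform = platform.lower()
    if platform == "ios":
        try:
            return parse_ios_version(version) >= IOS_FIXED
        except ValueError:
            return None  # unparseable version string: cannot judge
    if platform == "android":
        level = parse_android_patch_level(version)
        if level is None:
            # No patch level reported: the build predates monthly updates,
            # so it cannot contain the July fix.  Treat as unpatched.
            return False
        return level >= ANDROID_FIXED
    return None


def triage(inventory):
    """Map device name -> 'ok', 'keep-wifi-off' or 'unknown' for an
    iterable of (name, platform, version) tuples."""
    labels = {True: "ok", False: "keep-wifi-off", None: "unknown"}
    return {name: labels[is_patched(platform, version)]
            for name, platform, version in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("alice-iphone", "ios", "10.3.3"),
    ("bob-iphone", "ios", "10.3.2"),
    ("carol-pixel", "android", "2017-07-05"),
    ("dave-galaxy", "android", "2017-05-01"),
    ("erin-old-android", "android", ""),
    ("frank-laptop", "windows", "10"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {status}")
```

The only device that should be turned loose on WiFi is one whose result is "ok"; "unknown" means the script could not judge, not that the device is safe.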

Why, you say, am I so aggressive about this?

The report is that you only have to be within radio range of the WiFi access point which is trying to attack you in order to be compromised.  You DO NOT need to connect to that access point.  You do not need to open a web browser.  You do not need to install an app.  You do not need to click on a link.  All you need to do is be near a rogue WiFi access point – which could easily be hidden in someone’s backpack.

So, for now, until you have installed the patch, if you can, leave WiFi off.  If you can’t, then only turn it on when you have to.

We will know more after the researcher presents his findings at Black Hat later this month, but at least from what we have heard, this does not affect Windows or Mac computers, only mobile devices.  But stay tuned; this is not the end of the story.

Information for this post came from Threatpost.

Fedex Says Cost of Cyber Attack Material

Fedex was one of the companies that announced last month that they were affected by the Petya un-ransomware (it operated like ransomware, but there was no decryption key, even if you paid the ransom).

It is interesting that most of the time there is some sort of malware attack you do not get much information, but with this incident, we are seeing a lot of information.

In this case, the attack, which happened over a month ago, affected Fedex’s TNT Express unit.  TNT operates in over 200 countries and had revenue of over $8 billion.

Fedex says that the attack will hurt its full year results and will be material.  For Fedex, at over $50 billion in revenue, to say the effects of a cyber attack will be material to its full year financial results is pretty unusual.

Over a month later, TNT is still experiencing widespread service delays, and Fedex says it is seeing a revenue drop as well as the costs of dealing with the malware.

Even more amazing, Fedex did not have cyber risk insurance in place to cover the cost of the incident, they say.

They also say that they are still evaluating the financial impact of the attack and have no estimate as to when service at TNT would be back to normal.

Let me see if I can summarize this:

  • a $50 billion company says that the effects of a ransomware attack will be material to their full year financial results
  • Six weeks after the attack they are still experiencing widespread service delays
  • They do not know when service will be back to normal
  • And, they had no insurance to cover the incident

I seriously doubt that this will have any long-term financial effect on Fedex, but I am sure that their corporate ego is seriously bruised.  I anticipate that many of the customers that moved to other carriers like DHL and UPS after the service disruption will never come back to Fedex.

Ponder this one for a moment.

If YOUR company suffered a ransomware attack like Fedex did, how long would it take you to recover?  How many customers would you lose?  Could you afford the cost of the event, or would it be life altering to the company?

The good news for Fedex is that even if it costs them $10 million, $100 million or even $500 million, they will be able to weather the storm.

Would YOUR company be able to say the same?

Information for this post came from Reuters.