Tag Archives: FTC

Security News for the Week Ending September 17, 2021

LA Police Collected Social Media Account Info From People They Talked To

I’m sure they were just curious. The LA police watchdog says that officers were instructed to collect civilians’ social media details when they interviewed them. The instruction came in an email from the Chief dating back to 2015, in which he said it could be beneficial to investigations and possibly even future outreach programs. These are people who were neither arrested nor cited. I am sure that using people’s email addresses for social outreach is far more effective than, say, Twitter, Facebook or even the 6:00 News. Not. For harassing and scaring people, yes. Credit: MSN

Germany Admits Police Used NSO Group Pegasus Spyware

Germany’s Federal Police admitted, while testifying before Parliament, that they used the Pegasus spyware, which can totally own a mobile phone and all the data on it. They said that some features were disabled due to German law. Which features, and how many people were targeted, were not revealed. Likely they are not alone; they just got caught at it. Credit: Security Week

Taliban and China Are Reportedly in Bed Together

China has reportedly sent its best (?) cyber spies to Kabul to help the Taliban hack land lines and mobile calls, monitor the Internet and mine social media. While all governments, including ours, do this, the Taliban is not likely to put any controls on what gets monitored. China has been, US intelligence sources say, wooing the Taliban for years getting ready for this. One can only assume that the Taliban will reciprocate, for example by giving China access to the equipment we left behind. Credit: Mirror

FTC Says Health Apps Must Notify Consumers About Breaches

In a 3-2 vote, with the two Republicans voting against it, the FTC warned makers of apps and devices that collect personal health information that they must notify consumers if their data is breached. This is designed to specifically address the gap that apps are, for the most part, not considered covered entities, hence they are not covered by HIPAA. The two Trump appointees who voted against it are not necessarily against having app makers tell users that their data has been compromised, but would prefer to drag the decision out for a few more years as the government goes through its normal bureaucratic rulemaking process. Credit: FTC

Cops Instructed to Play Loud Music to Disrupt Public Filming of Their Activities

Police – or at least some police – do not like being filmed while performing their job. One Illinois police department officially came up with an interesting tactic. While it doesn’t stop people from filming them, it MIGHT cause the videos to be taken down from social media, which seems to be the goal. When they detect someone filming them, they turn on copyrighted music so that it is included in the recording. Most social media companies have been sued enough that they have tech that detects at least popular copyrighted music and, if it detects it, removes the post so they don’t get sued. I think it is pretty simple to distort the music a little bit so the filter won’t work while still allowing a listener to hear the interaction with the police. My guess is that if a case like this came to court over copyright, the court would rule in favor of the person filming, but we are talking about the law here, so who knows. Credit: Vice

Cybersecurity News for the Week Ending May 14, 2021

If You Thought the FTC Was Toothless Before, Just Wait

I always complained that the FTC’s penalties were way too meek. Now I understand why, but it has just gotten MUCH worse. 99.99% of the blame goes to Congress. Initially, the FTC could not bring lawsuits against businesses at all. All they could do was hold an administrative hearing. Then they could issue an order telling a business to stop doing bad things. In 1973 Congress added Section 13(b) to the FTC Act, allowing the FTC to go to court and get an injunction – again no penalty for past bad deeds. In 1975 Congress added Section 19, which allows the FTC to seek monetary damages – but only after obtaining a cease and desist order, and then only for future bad deeds which were obviously malicious, so still no relief. Last month the Supreme Court agreed that Congress, in its stupidity, did not grant the FTC any ability to make consumers whole when companies break the law. Individually, a person can still sue the company – spending a lot of money and years. Maybe they can convince some State AG to take up their case – maybe. If you can convince the Justice Department to go after some company, that is possible too, but all of those take years, maybe a decade with appeals. Congress intentionally neutered the FTC. This is the result. Will Congress act now? Your guess is as good as mine. Credit: ADCG

Apple is Privacy Focused – Except if it Hurts their Rep

Epic Games and Apple are fighting in court, and lawsuits tend to get dirty. In countering Apple’s argument that they didn’t want Epic to bypass their store because they want to protect their customers, Epic trotted out emails showing that Apple chose not to notify 128 million customers after a supply chain attack called XcodeGhost. This is the largest known attack ever against Apple products. They said notifying all those people would be hard and it would damage their reputation. They never did notify anyone. So much for being a privacy focused company.

The True Cost of Ransomware

Insurance giant CNA announced in March that it had suffered a “sophisticated cyberattack” (what you and I call ransomware). This week, two months later, they announced that all of their systems were back up and that yes, surprise, it was a ransomware attack. They said it took them two months to get back online because they had to restore each system, then scan and clean it and finally harden it. This is the cost of ransomware: a lot of hard work and, more importantly, months of time. If you do not have good backups, add to that the loss of data. And, as Colonial Pipeline learned this week, just because the hackers give you the decryption key, it doesn’t mean that the decryption process will be fast (they said that they were restoring from backups, even though they paid the $5 million in ransom) or that it will even work. Credit: Security Week

Global Chip Shortage Much Worse than Communicated

OUT OF STOCK! Expect to see more of that message.

In addition to phones, computers and laptops, expect to see those signs elsewhere, such as on appliances and kids’ toys. Already car makers are replacing cool tech like high tech entertainment consoles with plain radios, probably with knobs and dials. That fancy auto-parking feature? Not available. Manufacturers are looking at which products are more popular or offer them higher margins and simply not shipping some other models. Samsung is considering completely skipping the next generation of the super popular Note phones altogether. Expect the problem to continue into and through 2022. Credit: ZDNet

China has Collected Health Data of 80% of US Adults

China wants our data. Our health data is particularly useful because our population is very diverse. That makes us useful for them to test their software and systems on. Besides stealing that data, they are doing things like setting up Covid testing labs. What do you get with every sample? Our DNA. China wants to beat the US in the biotech industry, and stealing our data is helping them. Credit: The Hill

Security News for the Week Ending July 19, 2019

FTC Approves $5 Billion Fine for Facebook

The FTC commissioners reportedly approved an approximately $5 billion fine of Facebook for violating the 2011 consent decree in conjunction with the Cambridge Analytica mess.

To put that in perspective, Facebook’s revenue just for the 4th quarter of last year was $16.9 billion and their profit for that quarter was $6.9 billion, so the fine represents a little less than one quarter’s profit. Still, this is two orders of magnitude greater than the FTC fine of Google a few years ago. The Justice Department has to approve the settlement and is typically a rubber stamp, but given this President’s relationship with social media, you never know. Source: NY Times.


Why do they Want to Hack ME?

The Trickbot malware has compromised 250 million email addresses according to Techcrunch. Besides using your email account to send spam, it does lots of other nifty stuff as it evolves. Nice piece of work – NOT!

Why? So that they can use your email to send spam. After all, you are kind of a trusted person, so if someone gets an email from you as opposed to a spammer, they are more likely to click on the link inside or open the attachment and, voila, they are owned.

And, of course, you are blamed, which is even better for the spammer. Source: Techcrunch.


Firefox Following Chrome – Marking HTTP web sites with “NOT SECURE” Label

Firefox is following in the footsteps of Google’s Chrome. Starting this fall Firefox will also mark all HTTP pages (as opposed to HTTPS) as NOT SECURE, as Google already does. Hopefully this will encourage web site operators to install security certificates. It used to be expensive, but now there are free options. Source: ZDNet.


AMCA Breach Adds Another 2 Million + Victims

Even though American Medical Collection Agency was forced into bankruptcy as a result of the 20 million+ victims already known, the hits keep coming for AMCA. Another one of their customers, Clinical Pathology Labs, said that more than 2 million of their customers were affected by the breach. They claim that they didn’t get enough information from AMCA to figure out what happened.

It is going to be interesting to see where the lawsuits go, whose name(s) show up on the HIPAA wall of shame and who Health and Human Services goes after. Given that AMCA filed for bankruptcy, it is very likely that Quest, CPL and AMCA’s other customers will wind up being sued. Actually, Quest, Labcorp and the others are who should be sued, because they selected AMCA as a vendor and obviously did not perform adequate due diligence. Source: Techcrunch.


Another Day, Another Cryptocurrency Hack/Breach

This time it is the cryptocurrency exchange Bitpoint, and they say that half of their 110,000 customers lost (virtual) money as a result of a hack last week. The hack cost Bitpoint $28 million and they say that they plan to refund their customers’ money. One more time, the hackers compromised the software, not the encryption. Source: The Next Web.

FTC Paves New Road

The message this administration has been delivering over the last two to three years is less regulation; fewer controls. So what, exactly, is the FTC doing? Are they going off the reservation or is there a plan here? My guess is that there is a plan.

Last week the FTC whacked DealerBuilt, a service provider that provides dealership management software as a service to car dealerships.

Apparently, back in late 2016, DealerBuilt had a breach that exposed 12 million customers’ data from over 130 dealerships. The data included all of the stuff that you would expect for car loans.

The crooks downloaded about 10 gigabytes of that data, representing about 70,000 customers, before it was discovered. The problem was a really crappy cybersecurity program, including transmitting data in the clear, storing data unencrypted, no penetration testing, etc.

What is new here is that the FTC is holding the vendor, and not the dealers, responsible. They are saying that the vendor has direct liability to the FTC, even though it is the car dealership that is considered a financial institution because it makes car loans.

DealerBuilt tried to make it right with their customers after the breach, but the damage was already done.

DealerBuilt is, according to the terms of the deal, prohibited from handling consumer data at all until they have an approved cybersecurity program in place (meaning zero revenue until then), and they have to have a third party risk assessment every two years. While it does not say so, these FTC programs typically last for 20 years.

If they screw up again, the FTC could fine them $42,350 (who makes up these numbers?) per violation. $42,350 x 70,000 customers = $2.96 billion. Probably enough incentive.

The key point is that if you are a vendor to someone, and most businesses are, then the FTC is saying that they reserve the right to come after you as well as your customer.

The consent decree also holds company executives responsible for the new cybersecurity program and requires that the company conduct penetration tests.

Interestingly, it seems like the FTC is still going after folks, as is Health and Human Services (HIPAA), while other agencies, such as the EPA, are being told to stand down. Source: Autonews.

The Regulators Are Coming! The Regulators Are Coming!

Everyone knows that the regulators have been going after businesses that don’t protect consumer information. Some people say they are overreaching. Others say that they are not doing enough. Either way, the reality is that you have to deal with them. So who are they and who do they go after? Read on.

The FTC. The FTC has gone after businesses using section 5 of the FTC Act, basically saying that the actions of a business represent unfair or deceptive practices. Recently, after the FTC went after Wyndham Hotels following a series of breaches, Wyndham went to court in an effort to get the courts to agree that the FTC had no jurisdiction over cyber security. Unfortunately for Wyndham, the courts did not agree and Wyndham settled (see article). Suffice it to say, the FTC’s jurisdiction covers anyone who is in business, and they have levied multi-million dollar fines and consent decrees that allow them to watch over that business for 20 years.

The FCC. The FCC is a new player in the privacy regulation business. Their jurisdiction is limited to communications and broadcasters. Recently, they have gone after a number of businesses that were blocking WiFi signals in an effort to force you to buy their WiFi services at a hefty price. Marriott, Hilton, the Baltimore Convention Center and others have felt the wrath of the FCC (see article). This is a low risk regulator for most businesses.

The CFPB. The CFPB is a new regulator which came out of the Dodd-Frank Act and was created in 2010. Recently, they went after a small fin-tech company, Dwolla (see blog post), saying that Dwolla was lying about the cyber security measures it was providing to its customers. The CFPB oversees financial institutions such as banks, insurance companies, fin-tech companies such as Dwolla, brokers, etc. In Dwolla’s case the fine was relatively small ($100k) and the duration of the consent order was short (5 years) compared to FTC actions. The CFPB’s reach covers anyone in the financial industry or supporting that industry, and they are just beginning to figure out their role.

HHS Office Of Civil Rights (OCR). Health and Human Services enforces HIPAA and HITECH, specifically in the area of protecting your medical information. They have done some enforcement actions in the past, but they have been a somewhat weak regulator in the area of privacy. Recently, they got beat up by their Inspector General’s office, which said that they were being namby-pamby (see blog post), so it appears that they are stepping up enforcement. Their area of jurisdiction is health information, so if you are a medical or dental practice, insurance provider or a vendor to one of these businesses, you could come into their cross hairs. Still, they seem to be behind the power curve. Recently, they finally created a full time office to handle enforcement.

Earlier this month they fined North Memorial Health Care of Minnesota $1.55 million because they did not have policies in place to cover what their Business Associates (essentially, vendors and subcontractors) did with your data. This stemmed from a vendor of theirs having a laptop – UNENCRYPTED – with the medical records of 10,000 patients on it stolen out of a car.

Also this month, HHS OCR fined the Feinstein Institute $3.9 million. This fine also was the result of an unencrypted laptop being stolen out of an employee’s car. This time it had 13,000 patient records on it. They were fined for not having encryption AND for not having a documented explanation of why encrypting patient data wasn’t needed. HIPAA and HITECH don’t require encryption, but they do require a documented explanation of how you manage risk if you don’t implement reasonable controls.

These two cases date back to 2012. I assume this means that HHS OCR is still playing catch up, and we don’t really know what this new office is going to do.

These are just a small sample of the regulators that could come after a business that does not protect non-public personal information of various kinds, depending on what industry you are in.

I am sure that there are many more to consider, but suffice it to say that almost every business could come into the cross hairs of at least one of these regulators.

Of course, this does not include state regulators, such as the New York Department of Financial Services or the California Attorney General, both of whom have been very active in the privacy arena.

So, if you collect non-public personal information, protecting that information should be a high priority for your business if you want to keep the privacy regulators at bay.

Information for this post came from Health Data Management.

FTC Settles With Asus Over Security Claims

Asus is an international manufacturer of all kinds of computer and networking equipment.

The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers’ information, but rather for representing that their routers had numerous security features that could protect users from unauthorized access and hackers when the product was buggy and not secure.

In fact, under section 5 of the FTC Act, as the Wyndham hotel chain discovered, the FTC could probably have brought an action in either case, but it is much clearer that saying a product is secure when it is not is deceptive.

According to the FTC,

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.

Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they better maintain reasonable security or the FTC will explain to them that they should.

In the agreement, Asus agreed to create a security program, have that program watched by the FTC for the next TWENTY years, notify consumers of security flaws and of workarounds for those flaws until they are patched, and let the FTC audit them every two years during that period.

For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the cross hairs of the FTC. The FTC is not expecting IoT devices to be bug free, but they are expecting manufacturers to be responsible.

Manufacturers should consider themselves warned.


The FTC press release on the Asus settlement can be found here.