Tag Archives: FTC

Security News for the Week Ending July 19, 2019

FTC Approves $5 Billion Fine for Facebook

The FTC commissioners reportedly approved an approximately $5 billion fine of Facebook for violating the 2011 consent decree in conjunction with the Cambridge Analytica mess.

To put that in perspective, Facebook’s revenue just for the 4th quarter of last year was $16.9 billion and their profit for that quarter was $6.9 billion, so the fine represents a little less than one quarter’s profit. Still, this is two orders of magnitude greater than the FTC fine of Google a few years ago. The Justice Department has to approve the settlement and is typically a rubber stamp, but given this President’s relationship with social media, you never know. Source: NY Times.


Why do they Want to Hack ME?

The Trickbot malware has compromised 250 million email addresses according to Techcrunch.  Besides using your email account to send spam, it does lots of other nifty stuff as it evolves.  Nice piece of work – NOT!

Why? So that they can use your email to send spam. After all, you are kind of a trusted person, so if someone gets an email from you as opposed to a spammer, they are more likely to click on the link inside or open the attachment and voila, they are owned.

And, of course, you are blamed, which is even better for the spammer.  Source: Techcrunch.


Firefox Following Chrome – Marking HTTP web sites with “NOT SECURE” Label

Firefox is following in the footsteps of Google’s Chrome.  Starting this fall Firefox will also mark all HTTP pages (as opposed to HTTPS) as NOT SECURE as Google already does.  Hopefully this will encourage web site operators to install security certificates.  It used to be expensive, but now there are free options.  Source: ZDNet.


AMCA Breach Adds Another 2 Million+ Victims

Even though American Medical Collection Agency was forced into bankruptcy as a result of the already 20 million+ victims, the hits keep coming for AMCA.  Another one of their customers, Clinical Pathology Labs, said that more than 2 million of their customers were affected by the breach.  They claim that they didn’t get enough information from AMCA to figure out what happened.

It is going to be interesting to see where the lawsuits go, whose name(s) show up on the HIPAA wall of shame and who Health and Human Services goes after. Given that AMCA filed for bankruptcy, it is very likely that Quest, CPL and AMCA’s other customers will wind up being sued. Actually, Quest, Labcorp and the others are who should be sued because they selected AMCA as a vendor and obviously did not perform adequate due diligence. Source: Techcrunch.


Another Day, Another Cryptocurrency Hack/Breach

This time it is the cryptocurrency exchange Bitpoint, and they say that half of their 110,000 customers lost (virtual) money as a result of a hack last week. The hack cost Bitpoint $28 million and they say that they plan to refund their customers’ money. One more time, the hackers compromised the software, not the encryption. Source: The Next Web.


FTC Paves New Road

The message this administration has been delivering over the last two to three years is less regulation; fewer controls. So what, exactly, is the FTC doing? Are they going off the reservation or is there a plan here? My guess is that there is a plan.

Last week the FTC whacked DealerBuilt, a service provider that offers dealership management software to car dealerships.

Apparently, back in late 2016, DealerBuilt had a breach that exposed 12 million customers’ data from over 130 dealerships. The data included all of the stuff that you would expect for car loans.

The crooks downloaded about 10 gigabytes of that data representing about 70,000 customers before it was discovered.  The problem was a really crappy cybersecurity program including transmitting data in the clear, storing data unencrypted, no penetration testing, etc.

What is new here is that the FTC is holding the vendor and not the dealers responsible.  They are saying that the vendor has direct liability to the FTC, even though it is the car dealership that is considered a financial institution because it makes car loans.

DealerBuilt tried to make it right with their customers after the breach, but the damage was already done.

DealerBuilt was, according to the terms of the deal, prohibited from handling consumer data at all until they had an approved cybersecurity program in place (meaning zero revenue until then), and they must have a third-party risk assessment every two years. While it does not say so, these FTC programs typically last for 20 years.

If they screw up again, the FTC could fine them $42,350 (who makes up these numbers?) per violation. $42,350 x 70,000 customers = $2.96 billion. Probably enough incentive.

The key point is that if you are a vendor to someone, and most people are, then the FTC is saying that they reserve the right to come after you, as well as your customer.

The consent decree also holds company executives responsible for the new cybersecurity program and requires that the company conduct penetration tests.

Interestingly, it seems like the FTC is still going after folks, as is Health and Human Services (HIPAA), while other agencies, such as the EPA, are being told to stand down. Source: Autonews.


The Regulators Are Coming! The Regulators Are Coming!

Everyone knows that the regulators have been going after businesses that don’t protect consumer information. Some people say they are too overreaching. Others say that they are not doing enough. Either way, the reality is that you have to deal with them. So who are they and who do they go after? Read on.

The FTC. The FTC has gone after businesses using Section 5 of the FTC Act, basically saying that the actions of a business represent unfair or deceptive practices. Recently, after the FTC went after Wyndham Hotels following a series of breaches, Wyndham went to court in an effort to get the courts to agree that the FTC had no jurisdiction over cyber security. Unfortunately, the courts did not agree and Wyndham settled (see article). Suffice it to say, the FTC’s jurisdiction covers anyone who is in business, and they have levied multi-million dollar fines and consent decrees that allow them to watch over that business for 20 years.

The FCC. The FCC is a new player in the privacy regulation business. Their jurisdiction is limited to communications and broadcasters. Recently, they have gone after a number of businesses blocking WiFi signals in an effort to force you to buy their WiFi services at a hefty price. Marriott, Hilton, the Baltimore Convention Center and others have felt the wrath of the FCC (see article). This is a low risk regulator to most businesses.

The CFPB. The CFPB is a new regulator which came out of the Dodd-Frank Act and was created in 2010. Recently, they went after a small fin-tech company, Dwolla (see blog post), saying that Dwolla was lying about the cyber security measures it was providing to its customers. The CFPB oversees financial institutions such as banks, insurance companies, fin-tech companies such as Dwolla, brokers, etc. In Dwolla’s case the fine was relatively small ($100k) and the duration of the consent order was short (5 years) compared to FTC actions. The CFPB’s reach covers anyone in the financial industry or supporting that industry, and they are just beginning to figure out their role.

HHS Office of Civil Rights (OCR). Health and Human Services enforces HIPAA and HITECH, specifically in the area of protecting your medical information. They have done some enforcement actions in the past, but they have been a somewhat weak regulator in the area of privacy. Recently, they got beat up by their Inspector General’s office, which said that they were being namby-pamby (see blog post), so it appears that they are stepping up enforcement. Their area of jurisdiction is health information, so if you are a medical or dental practice, insurance provider or a vendor to one of these businesses, you could come into their crosshairs. Still, they seem to be behind the power curve. Recently, they finally created a full time office to handle enforcement.

Earlier this month they fined North Memorial Health Care of Minnesota $1.55 million because they did not have policies in place to cover what their Business Associates (essentially, vendors and subcontractors) did with your data. This stemmed from a vendor of theirs having an UNENCRYPTED laptop, with the medical records of 10,000 patients on it, stolen out of a car.

Also this month, HHS OCR fined the Feinstein Institute $3.9 million. This fine also was the result of an unencrypted laptop being stolen out of an employee’s car. This time it had 13,000 patient records on it. They were fined for not having encryption AND not having a documented explanation of why encrypting patient data wasn’t needed. HIPAA and HITECH don’t require encryption, but they do require a documented explanation of how you manage risk if you don’t implement reasonable controls.

These two cases date back to 2012. I assume this means that HHS OCR is still playing catch up and we don’t really know what this new office is going to do.

These are just a small sample of the regulators that could come after a business that does not protect non-public personal information of different varieties, depending on what industry you are in.

I am sure that there are many more to consider, but suffice it to say that almost every business could come into the crosshairs of at least one of these regulators.

Of course, this does not include state regulators, such as the New York Department of Financial Services or the California Attorney General, both of whom have been very active in the privacy arena.

So, if you collect non-public personal information, protecting that information should be a high priority for your business if you want to keep the privacy regulators at bay.

Information for this post came from Health Data Management.


FTC Settles With Asus Over Security Claims

Asus is an international manufacturer of all kinds of computer and networking equipment.

The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers’ information, but rather for representing that its routers had numerous security features that could protect users from unauthorized access and hackers when the hardware was in fact buggy and not secure.

In fact, under Section 5 of the FTC Act, as the Wyndham hotel chain discovered, the FTC could probably have brought an action in either case, but it is much clearer that saying a product was secure when it was not is deceptive.

According to the FTC,

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.

Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they better maintain reasonable security or the FTC will explain to them that they should.

In the agreement, Asus agreed to create a security program, have that program watched by the FTC for the next TWENTY years, to notify consumers of security flaws and workarounds for those flaws until they are patched and let the FTC audit them every two years during that period.

For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the crosshairs of the FTC. The FTC is not expecting IoT devices to be bug free, but they are expecting manufacturers to be responsible.

Manufacturers should consider themselves warned.


The FTC press release on the Asus settlement can be found here.


Wyndham Hotels Settles Breach Investigation With FTC

The Wyndham Worldwide hotel chain, which has been fighting with the FTC for years after the hotel chain suffered three security breaches in two years exposing credit card data, settled with the FTC this week.

The hotel chain went as far as to attempt to get the courts to say that the FTC did not have the authority to regulate corporate cyber hygiene. The court of appeals, in a decision this past summer, disagreed with Wyndham and said that it was within the FTC’s purview.

The FTC had filed suit against Wyndham in the Third Circuit, so to say that this issue was a bit adversarial would be polite.

Apparently Wyndham realized that they were not going to win this battle and settled with the FTC.  They declared victory by saying that they did not have to admit they were guilty or pay a fine.  Note that the FTC usually does not require either of these as a condition to settling.

What Wyndham did agree to is:

  • The FTC will monitor their behavior, cyber security wise, for the next TWENTY years.
  • The company will obtain annual security audits of its information security program that conform with the PCI standards – something that they should have been doing anyway.
  • The audit will certify that Wyndham is treating franchisee networks as untrusted (the fact that they were trusting the franchisee networks apparently facilitated the previous breaches).
  • The audit will also report on whether the hotel chain is compliant with a formal risk assessment process.
  • If the hotel has another breach of more than 10,000 cards, they will obtain an assessment of the breach and hand that assessment over to the FTC.
  • The order says that if Wyndham gets the necessary compliance certifications that they will be in compliance with this agreement.

The order needs to be approved by the judge overseeing this case, which we assume will not be a problem.

It seems to me that this is only a Pyrrhic victory for Wyndham.  While they may declare victory in the press, the FTC got exactly what they wanted and in fact, what they have usually obtained in a much less adversarial manner.  In the meantime, the FTC will be watching over Wyndham’s information security program for the next 20 years and Wyndham probably spent tens of millions on legal costs, which they get to eat.

I do suspect that this may be the last time a company who has been breached attempts to fight the FTC in this manner.

While the FTC recently suffered a setback in their case against LabMD, that case was different because there was no showing of harm. In the Wyndham case, 600,000+ credit cards were compromised at a cost of over $10 million.


Information for this post came from the FTC.


Verizon Has A New Friend – The U.S. Senate

Well, maybe not a friend that you want to have, but they will likely get to visit the nation’s Capitol.

Verizon has gotten way more press than it would like by inserting super-cookies into its customers’ web traffic to allow folks like the marketing giant Turn to build dossiers on Verizon customers and then sell that information to advertisers, in a thousandth of a second, to the highest bidder.

Senators Bill Nelson of Florida, Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have asked the FTC to investigate whether Verizon’s use of super-cookies violates FTC privacy rules. These senators wrote Verizon a short note last week asking them a few questions, which Verizon said it would respond to.

The Senators want to know if legislation is required (I assume to regulate or outlaw this activity).

Advertisers are probably really, really mad at Verizon right now.

If Verizon had just done what AT&T did last year when they got caught doing this, the ad industry would not be getting all this unwanted attention.

When AT&T got caught doing this last year, they said it was just an experiment (yeah, right!), my bad, and we will stop doing this now.

Verizon, on the other hand, said that no one would ever use its super-cookies to track what users were doing. Even though Turn, who was doing that exact thing, was a vendor to Verizon (must have been a different department).

Turn said that just because people were deleting their cookies didn’t mean that they did not want to be tracked.

If Verizon had just been a little smarter and taken the AT&T route and said sorry, this would all have gone away.

And six months later they could have re-contextualized the program and started it back up.

From my point of view, I am glad they were not being very smart.

Mitch
