Friday Five: 10/26 Edition
A 9.4 million user data breach, Apple advocating for a US privacy law, and more - catch up with the week's infosec news with this roundup!
1. Major airline Cathay Pacific says up to 9.4 million passengers had their data stolen by Shannon Liao
We realize data breaches are a dime a dozen these days, but every so often you see one that really raises your eyebrows. Cathay Pacific, an international airline that counts Hong Kong, Bangkok, and Vancouver among its destinations, did just that on Wednesday when it said that as many as 9.4 million passengers may have had their data stolen. There's no word on what led to the breach or what took Cathay Pacific so long to disclose it (the breach apparently occurred in March, but the airline waited six months to announce it), but per reports, passport information, including identity card numbers, names, dates of birth, and postal addresses, may all have been compromised. As with any breach of this kind, the potential for identity theft is especially ripe here, as attackers could use the data to open new lines of credit and carry out convincing phishing attacks.
2. Tim Cook calls for strong US privacy law, rips “data-industrial complex” by Jon Brodkin
As we teased in this space a few weeks ago, Tim Cook, Apple's CEO, gave the keynote this week at the International Conference of Data Protection and Privacy Commissioners, a meeting of the minds of sorts for privacy authorities. Cook said a lot of things, calling for a comprehensive federal privacy law and stressing that data belongs to users and that if companies collect it, they need to de-identify it or not collect it at all. The speech is worth watching if you have the time; failing that, Computerworld has a transcript.
3. Google mandates two years of security updates for popular phones in new Android contract by Jacob Kastrenakes and Russell Brandom
This has been a long time coming: The Verge reported this week that, at long last, manufacturers will keep their phones updated with the latest software, at least contractually, for two years. The site apparently got its hands on a contract that stipulates Android device makers provide at least four security updates within a year of a device's launch. This has been an issue for years if you haven't been running a device manufactured by Google itself; many phones fall hopelessly out of date, exposing them to new threats. According to The Verge: “Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched.”
4. OIG Publishes 2016 Medicaid Data Breach Report by HIPAA Journal
Despite recent news, Medicaid data breaches aren't nearly as bad as the hype. That's according to a new report by the Office of Inspector General (OIG), a division of HHS, released this week. The report looked only at Medicaid breaches that state agencies and contractors reported in 2016, but it still found that less than one percent were the result of hacking. The real culprit should come as no surprise if you read Verizon's Protected Health Information Data Breach Report (PHIDBR) this year: the bulk of the incidents, 1,114 breaches or 88 percent, were caused by unauthorized access. According to Verizon's report, released in April, the healthcare industry is the worst when it comes to stopping insider data breaches. This week's OIG report had another surprising stat: very few of the breaches affected a lot of patients. "Large-scale breaches," those affecting more than 500 patients, accounted for only one percent of the annual total.
5. A Few Key Words Divide Allies on Data Protection Measure Proposition B by Andrew Stelzer
Some interesting news from San Francisco on a proposition that may not get enacted but, if it does, could become the "toughest data protection policy of any U.S. city." Proposition B would ensure there are laws in place to prevent the unwarranted collection or disclosure of data by government agencies and by private entities doing business with the city. If you're unfamiliar with the measure, as I was, the San Francisco Public Press does a good job of breaking down the pros and cons. Some of the biggest complaints are actually coming from journalists, who worry it would hurt the city's Sunshine Ordinance Task Force, which oversees the ordinance that makes sure citizens can obtain access to public records.