Friday Five: 3/1 Edition
News on a new data privacy bill, the FTC's latest $5.7M fine, and hacking Instagram profiles - catch up on the week's infosec news with this roundup!
1. A New Data Protection Bill Aims to Tackle Racial Ad Targeting by Erin Corbett
There has of course been no shortage of data privacy bills making their way through Congress, post-GDPR, post-Cambridge Analytica, and post-Equifax, but one introduced on Thursday, designed to prevent online platforms from racially discriminating against users via targeted advertising, looks like one of the first of its kind. The DATA Privacy Act, introduced by Sen. Catherine Cortez Masto (D-NV), would compel the FTC to decide what's discriminatory in ad and data practices. Like a lot of other bills brought forward lately, the bill would also mandate that organizations be more transparent in how they collect, process, and store user data, and allow users to opt out in some cases.
2. FTC Hits TikTok With Record $5.7M Fine Over Children's Privacy by Louise Matsakis
Speaking of the FTC: every few weeks we hear that the FTC has levied a huge fine on a company; last week, for instance, we heard the FTC may fine Facebook billions over the Cambridge Analytica/Russian interference debacle. This week's entry hit TikTok, a company that apparently used to go by Musical.ly, over children's privacy violations. The Chinese app, which is a bit like a cross between YouTube and Vine, was fined $5.7M to settle what the FTC called the "largest civil penalty ever obtained by the Commission in a children's online privacy case." The app, which illegally collected information from children under the age of 13, allegedly failed to notify parents how it collected information on underage users; even worse, it didn't allow parents to request that the data be deleted.
3. Turkish Group Using Phishing Emails to Hijack Popular Instagram Profiles by Jai Vijayan
File this story under script kiddie behavior: hackers, possibly based out of Turkey, have taken to Instagram with a phishing campaign, locking users out of their accounts. Once in, the hackers, per Dark Reading, are changing the contact information on the breached accounts. Businesses aren't being impacted by the campaign, but profiles with between 15,000 and 70,000 followers are. Without a complex password and a form of two-factor authentication, an Instagram account can be low-hanging fruit for attackers.
4. California's Toughest-in-U.S. Privacy Law May Get Even Stricter by Kartikay Mehrotra, Laura Mahoney, and Ben Brody
A proposed amendment to the California Consumer Privacy Act, filed last week, could put big tech companies like Facebook and Google in hot water. A trio of reporters for Bloomberg looked into some facets of the law this week, including the right for consumers to sue over data breaches. The new amendment would allow consumers to sue companies that violate the law. Currently, individuals can only file a lawsuit if they're victims of a data breach and the state's department of justice has decided not to sue on the consumers' behalf. Even so, clarity around the law is needed, especially following a meeting of the California Privacy and Consumer Protection Committee last week and two hearings on federal data privacy legislation, one in each chamber of Congress, this week.
5. NSA’s Joyce outlines how U.S. can disrupt and deter foreign hacking by Sean Lyngaas
Nation states, particularly North Korea and Russia, have moved from exploitation to disruption when it comes to meddling in cyberspace, and the U.S. needs to do more, according to Rob Joyce, a senior cybersecurity adviser at NSA, this week. Joyce, speaking at a local chapter of the Armed Forces Communications and Electronics Association (AFCEA), said that the U.S. needs to be more proactive when it comes to tightening networks, scanning networks for malicious tools, and "working with industry to remediate, publicize, and degrade the tools’ efficacy," a CyberScoop report said this week. Joyce's talk echoed sentiments expressed by the Department of Defense last fall in its Cyber Strategy Summary document: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict. We will strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages. We will collaborate with our interagency, industry, and international partners to advance our mutual interests.” (.PDF)