Friday Five: 3/22 Edition
Looking back at last year's 230M person breach, Facebook's latest privacy slipup, and more - catch up on the week's infosec news with this roundup!
1. Law enforcement needs to protect citizens and their data by Robert Anderson
The debate around "going dark" has raged for years now, but one former FBI official believes law enforcement needs to look at the broader picture and recognize that everyone, the public and law enforcement alike, needs privacy. Robert Anderson, the former executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch, penned an editorial for TechCrunch this week pointing out that legal restrictions around access, along with robust encryption and policies, are needed. “Providers and the law enforcement community should be held to robust security standards that ensure the security of our citizens and their data—we need legal restrictions on how government accesses private data and on how private companies collect and use the same data,” Anderson wrote. Anderson, who served as a Special Agent with the FBI for over 21 years and supervised more than 24,000 agents, is the latest former FBI official to come out in favor of encryption. Michael Hayden, the former head of the CIA and NSA, said a few years ago that the downsides of a backdoor in technology "outweigh the very real public safety concerns."
2. Here's What It's Like to Accidentally Expose the Data of 230M People by Andy Greenberg
A great look here at last summer's breach of Exactis, a Florida-based marketing and data aggregation firm, by Wired on Monday. Headlines initially put the number of records exposed around 340 million, but 110 million of those belonged to businesses. Not that 230 million people is anything to sneeze at. WIRED's Andy Greenberg digs into the company's experience around the breach this week: why it disagrees with it even being called a breach, how it found out about the news, and the fallout it faced in the weeks following. It's a fascinating read, if for no other reason than how transparent the company's founder, Steve Hardigree, comes off as. Hardigree disputes the notion that the data was ever leaked, discusses how he was targeted by death threats, and airs the ax he has to grind with the researcher who discovered the data on an unsecured server.
3. How Is the GDPR Doing? by Josephine Wolff
This one-year post-mortem on GDPR is admittedly two months early - the regulation didn't go into effect until May 25 last year - but it's a well-informed read, chock-full of statistics, lessons learned, and failures stemming from GDPR so far. Wolff, a professor at Rochester Institute of Technology and associate at the Harvard Berkman Center for Internet and Society, points out that the biggest drawback of GDPR has been the lack of fines imposed under the statute. Organizations are being fined, yes - penalties totaled 55,955,871 euros in February - but not nearly to the extent the general public expected. “The vast majority of companies are still not being fined for failing to protect their customers’ data, and the vast majority of fines are still too small to register with the companies that are being penalized.” That 50 million euro fine against Google two months ago? It alone makes up 90 percent of that 55 million euro total.
4. Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years by Brian Krebs
Forgive us for sounding like a broken record, but this week saw Facebook acknowledge yet another privacy faux pas. The company announced Thursday morning that its staff had access to hundreds of millions of users' passwords - and, as if this wasn't bad enough - in plain text. A source at the company informed Brian Krebs that between 200 million and 600 million users had their account passwords stored on internal company servers, searchable by more than 20,000 employees. Facebook’s VP of Engineering, Security and Privacy, Pedro Canahuati, confirmed the incident in a blog post Thursday morning, admitting the company caught the problem as part of a security review in January. While the news is obviously discouraging, Facebook drives home the point that it has no proof anyone outside of Facebook saw the passwords, nor that anyone abused or improperly accessed them, a statement that offers at least a semblance of relief.
5. Oregon DHS Reveals Data Breach of More than 350,000 Clients' Data by Jamie Parfitt
File this under something to watch: Oregon's Department of Human Services (DHS) said Thursday this week that the sensitive data of more than 350,000 Oregonians may have been accessed in a breach. The incident, like so many other healthcare data breaches of late, was spurred by a phishing email. As this is a state's DHS we're talking about here, it appears medical information - data protected under the Health Insurance Portability and Accountability Act (HIPAA) - was impacted, according to a local ABC affiliate Thursday. Based on the notice, it sounds like nine different employees opened a phishing email and clicked a link that compromised their email inboxes. In turn, attackers got access to two million emails, and while it's not completely certain clients' personal data was acquired, it's still considered a breach under Oregon's Identity Theft Protection Act, hence the notice (.PDF). According to KDRV, the ABC affiliate, Oregon's DHS discovered the breach on January 28. It's believed the phishing scam started targeting DHS employees 20 days before, on January 8.