Friday Five: 6/8 Edition
Facebook in hot water again, malware hits Rhode Island, regulation for data brokers, and more - catch up on the week's infosec news with this roundup!
1. Cybersecurity News: Vermont, Colorado and Maybe California by Donna Wilson, Charles Washburn, Jr., Brett Natarelli
Going forward, data brokers in Vermont will need to take appropriate security measures before gathering information on users and notify the state if they've experienced a breach. Writing in Lexology, a legal water-cooler blog of sorts, attorneys with Manatt Phelps & Phillips LLP, a law firm based in L.A., said the move makes Vermont the first state in the country to regulate the activity of data brokers. Brokers in the state will need to pay an annual $100 fee, disclose to consumers what data is collected, and provide instructions on how to opt out of having it collected. The whole blog is worth a read, especially if you're curious about how other states' data breach laws are evolving. Recent changes to Colorado's laws, and a potential ballot initiative in California that would grant consumers "the right to request all personal information collected about them—both online and off—for the prior 12 months, as well as information on all third parties that purchased the data," are also covered.
2. Meltdown, Spectre Variants Could Endanger Healthcare Data Security by Fred Donovan
It’s been months since the words Meltdown and Spectre entered the lexicon of some admins. The news broke in January and, while fairly damning, somewhat subsided over the last several months. New variants, discovered several weeks ago, could have implications for healthcare data security. That angle isn't getting the attention it deserves, HealthITSecurity.com said this week. The article cites a CERT advisory, issued in late May, and several alerts issued by medical device companies like BD and Abbott, which stressed that while they're monitoring the issues, they haven't seen any compromised products yet.
3. Facebook Gave Device Makers Deep Access to Data on Users and Friends by Gabriel J.X. Dance, Nicholas Confessore, and Michael LaForgia
The battle around privacy between users and Facebook reached another level this week after revelations that the company shared user data with a slew of device manufacturers (at least 60, including Apple, Samsung, Amazon, and others) over the last 10 years. The true scope of the partnerships didn't come out until Sunday in a New York Times piece, which, if you haven’t read it yet, is worth a read. Naturally it didn't take long for officials from the U.S. Senate's Committee on Commerce, Science, and Transportation to come calling, asking CEO Mark Zuckerberg if there's any part of his previous testimony he'd like to amend. One voice (Germany's privacy regulator) called the news “an unprecedented violation of privacy laws and user trust.” Facebook, for its part, took umbrage at the New York Times' claims, specifically when it came to APIs. Shortly after the Times’ article went live, Facebook issued a statement that its APIs are device-integrated, have been controlled "tightly from the get-go," and that 22 of the partnerships the NYT observed have already ended.
4. Facebook privacy goof makes posts by 14 million users readable to anyone by Dan Goodin
That wasn't the only privacy slip-up by Facebook this week. The social network revealed Thursday that earlier this year it accidentally made the posts of 14 million of its users public, even though the users had intended to make those posts private. The bug, or at least that's what Facebook called it, allowed posts from May 18 to 27 to be viewed by anyone on the internet. “To be clear, this bug did not impact anything people had posted before–and they could still choose their audience just as they always have. We’d like to apologize for this mistake,” the company's Chief Privacy Officer Erin Egan said Thursday. The social network likely wasn’t thrilled with the timing of the news, just days after the New York Times article and only three months removed from the Cambridge Analytica debacle.
5. Three Agencies Affected, No Data Compromised In Rhode Island Malware Incident by Government Technology
Rhode Island's Department of Children, Youth and Families; Human Services; and Behavioral Healthcare, Developmental Disabilities and Hospitals were all hit by malware last week. According to the state's Chief Information Officer and Chief Digital Officer, the attack didn't result in data leakage. “In this case, we believe this could be through a generic phishing attack, clicking on a link in an email, just an external site which is clicked. We did some proactive upgrades and have since mitigated the issue," Bijay Kumar told WPRI, a local news affiliate. Government Technology recapped the attack, the most recent (and public) to hit a city since Atlanta's systems were hit by malware, an attack that, the public learned this week, cost at least $9.5 million to clean up. The attack also apparently compromised years of dashcam video evidence, according to Atlanta police chief Erika Shields in a local newspaper interview.