Friday Five: 1/11 Edition
Google can limit 'right to be forgotten,' selling real-time phone location data, and more - catch up with the week's infosec news with this roundup!
1. Neiman Marcus to Pay $1.5 Million under Data Breach Settlement by David Bisson
Sometimes it's easy to forget just how long it takes the gears of the government to grind. Neiman Marcus, which was hit by a data breach way back in 2013, finally closed that chapter this week, nearly six years later, when it agreed to a settlement. As part of a joint settlement with the attorneys general of 43 states, the luxury department store said Tuesday it will pay $1.5 million after its systems were infected by credit card scraping malware between July and October 2013. Under the agreement the retailer must maintain security measures, comply with PCI DSS, and keep a relationship with a payment card industry forensic investigator.
2. Vietnam's 'Cybersecurity' Law Says Little on Security by Suparna Goswami
Vietnam made headlines this week after the country called out Facebook for "allowing users to post anti-government comments on the platform," something that purportedly ran afoul of a little-known cybersecurity law it recently put into effect. It turns out the law actually says very little about cybersecurity measures; instead it mostly compels sites and networks to block speech the government objects to, such as views that run counter to the government of the Socialist Republic of Vietnam. Suparna Goswami, a correspondent at ISMG Asia, dug into the law on Thursday and found it lacking in a few ways; its biggest drawback is that it prioritizes national security over privacy and free speech.
3. Google Can Limit 'Right to Be Forgotten' to EU Says Top Court Adviser by Douglas Busvine/Reuters
Some news that's worth following if you pay attention to EU data protection rules and/or GDPR: Google can limit "right to be forgotten" delistings to searches made within the EU, an adviser to the bloc's top court said this week. Google has been fighting France's CNIL data protection authority over the scope of the rule. The company argued that delistings shouldn't apply to searches made outside the EU, but France fined the company in 2016 and said the delisting should apply across all of Google's domain extensions, regardless of where they're accessed. Reuters, via the New York Times, noted on Thursday that while the European Court of Justice is not bound to follow such opinions, it usually does, typically handing down its ruling a couple of months later.
4. I Gave a Bounty Hunter $300. Then He Located Our Phone by Joseph Cox
Perhaps the biggest story of the week, via Motherboard, alleges that some of the biggest telecom companies sell access to their customers' real-time location data. Joseph Cox, a reporter with the site, gave a bounty hunter a phone number and some cash, and the bounty hunter had no trouble geolocating the phone for him, no hacking required. The investigation, which is worth reading in full, digs into how susceptible mobile networks and the data they hold are to this kind of spying. One of my favorite parts has to be this Thomas Rid quote: “Blade Runner, the iconic sci-fi movie, is set in 2019. And here we are: there's an unregulated black market where bounty-hunters can buy information about where we are, in real time, over time, and come after us. You don't need to be a replicant to be scared of the consequences.”
5. Hyatt Hotels launches bug bounty program by Charlie Osborne
Finally, some good news. Hyatt Hotels Corporation, the billion-dollar hotel chain, said this week that it has launched a public bug bounty program in hopes of shining a light on high-severity flaws in the hotel's site and apps. The program follows an invitation-only program that paid out almost $6K in rewards. The hospitality industry has proven ripe for cyberattacks, especially over the last several years. So much so that it might actually be easier to find a hotel chain that hasn't had a cybersecurity issue than to name all of the ones that have been hit.