Friday Five: 10/19 Edition
Data security takeaways from a recent 11th circuit court case, an insurance data breach, and more – catch up on the week’s infosec news with this roundup!
1. The 3 Biggest Data Security Takeaways From The 11th Circuit Decision In FTC v. LabMD by Tom Kulik
An excellent blog here via Tom Kulik, a technology lawyer at the Dallas-based firm Scheef & Stone, on the 11th Circuit's recent FTC v. LabMD decision. It's a bizarre story: the FTC issued a cease and desist order against LabMD, a cancer screening company, requiring it to establish a comprehensive information security program after a billing manager improperly installed a peer-to-peer file sharing application on a work computer. That exposed data on roughly 9,000 consumers. The 11th Circuit said the FTC went too far: the order did not prohibit any specific act or practice but instead demanded an overhaul of the company's security program measured against a vague "reasonableness" standard, and the court vacated it as unenforceable. The story itself is complex and fascinating; Kulik does a good job recapping it and adding his thoughts on what the case means for the FTC and the future of data security enforcement. There are some choice lines, especially at the end: “The need for a proper data security program has never been more clear. The FTC is not going to take this 11th Circuit decision sitting down, and will attempt to define 'reasonable and appropriate standards' in future actions or guidance. Remember — it’s not a matter of if, but when a company will need to address potential data breaches.”
2. Insurance data compromised at Minnesota Department of Human Services by Joseph Goedert
It feels like almost weekly we hear about a hospital, health plan, or insurance company that’s been breached after one of its employees was phished. This week, unfortunately, is no different from the others. This time thousands of individuals who receive health insurance through Minnesota's Department of Human Services may be at risk. Attackers compromised state email accounts belonging to two DHS employees and used them to send spam. The article is admittedly thin on details: about 21,000 people may be affected, but only a "relatively small number of people" had their financial information compromised.
3. Apple's New Data & Privacy Portal Lets You Download Your Data by Lawrence Abrams
Apple finally appeased its privacy-centric users this week when it debuted a new portal that allows users to download all of the data the company has on them. That includes transaction history, Apple app history, AppleCare history, marketing data, and more, according to Bleeping Computer, which reported the news Thursday. The move comes a few months after Facebook offered a similar service. Fair warning: if you're an especially active user it could take Apple some time to compile your data into a downloadable archive, potentially as long as seven days.
4. This Startup wants you to control your own data again by Lily Hay Newman
We don't usually spotlight startup news here, but this is an interesting concept, especially in light of the recent scourge of data privacy stories (Cambridge Analytica, Google+, Facebook, and the like). Wired reported this week on a startup, Helm, that hopes users will take control of their data and manage it locally, on a personal server in their own homes. The idea is that your data doesn't live with another company; it exists in your home, office, or wherever you set the device up. Users are encouraged to store photos and videos on it and to host their own email. Needless to say, Helm will have an uphill battle to fight: not just convincing and enticing users, but keeping them safe, ensuring their data is encrypted, and making sure every one of those servers stays patched.
5. Super Micro Tells Senators No Evidence of Chinese Hardware Hack by Steven T. Dennis
It's been a few weeks since Bloomberg published its explosive piece on how Chinese hackers allegedly infiltrated the supply chain of motherboard manufacturers to plant malicious spy chips. In case you've been living under a rock: a lot of doubt has been cast on the article in its wake. All parties involved penned vehement denials, and the Department of Homeland Security said it had no reason to question those denials either. Bloomberg is apparently sticking by its reporting; this week it published a follow-up story on the news and didn't back down from its previous claims. The story was on how Super Micro, the company believed to have been infiltrated by Chinese intelligence services, had no knowledge of tampering. In a letter responding to Senators Marco Rubio (R-FL) and Richard Blumenthal (D-CT), the company's president said: “With respect to the recent media reports, Supermicro has seen no evidence of any unauthorized components in our products, no government agency has informed us that they have found unauthorized components on our boards, and no customer has reported finding any such unauthorized components.” Much like we said weeks ago when this story broke, it will continue to be interesting to see how this all plays out.