Probably not the best way to handle a breach. Would you trust hackers to delete the data and never use it? Pinky promise?

Uber Paid Hackers to Delete Stolen Data on 57 Million People

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
(Related) As inevitable as night follows the day.

New York attorney general launches investigation of Uber's $100,000 hack cover-up
The saga (unfortunately) continues.

House Committees Get Serious in New Letter to Equifax

The chairpersons of the House Science, Space, and Technology Committee and the House Oversight and Government Reform Committee on Monday sent a new letter (PDF) to Paulino Barros, the interim CEO of Equifax.

The former committee's jurisdiction includes the standards of use for securing personally identifiable information (PII), while the latter committee's jurisdiction covers how data breaches impact the federal workforce and national security. Both are investigating the loss of PII on 145 million Americans announced by Equifax on September 7, 2017.

This is not the first letter to Equifax by chairpersons Lamar Smith (R-Texas) and Trey Gowdy (R-S.C.). They also wrote (PDF) on September 14, 2017 requesting 'all documents' relevant to five specific areas, such as "to and from members of Equifax's corporate leadership", and "relating to the NIST Framework or other cybersecurity standards used by Equifax." That first letter specified no later than September 28, 2017.

It would seem that Equifax has not yet, or at least not yet satisfactorily, fulfilled this first request almost eight weeks after the deadline. "We look forward to Equifax providing all documents in response to the five categories of requested materials in the September 14 request, as well as the requests that were made at subsequent Committee briefings." It adds that the Committees expect to make additional requests in the future.

In the meantime, however, it is clear the committees are beginning to get to grips with the details of both Equifax and the breach. While the first letter requested 'areas' of documents, the second letter is far more specific. For example, it asks for documentation that would allow the identification "of any and all individuals in an executive leadership role", and those who received the DHS email alert "regarding Apache Struts 2".
Actually, he has a few ideas, but it might be amusing to ask my students to prioritize what Congress should hear.

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say?
For my Computer Security students.

Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources

CRS Reports & Analysis – Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources. November 14, 2017 (R44408): "As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea. Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources…"
Google wants to do what Russia did, but Russia denies it ever did what Google says it did, so Google should have just done it and denied it did.

The ominous cloud of doom surrounding the ongoing U.S. investigations into alleged Russian interference in the 2016 federal elections got a little darker on Tuesday, with Russian state communications agency Roskomnadzor allegedly threatening retaliation against Google for suggesting it could lower government-funded outlets RT and Sputnik in search rankings.
Imagine if someone on that list walked into a church in Texas and started shooting people…

Colorado VA Kept Secret List Of Patients Who Wanted Mental-Health Care

A new federal investigation revealed Thursday that VA officials in Colorado broke agency rules by using an off-the-books system to track patients who wanted mental-health therapy — a violation that caused veterans to wait for care and one that recalls past abuses by the U.S. Department of Veterans Affairs.

Investigators with the VA's internal watchdog found that in three separate facilities — Denver, Golden and Colorado Springs — agency officials did not follow proper protocol when keeping tabs on patients who sought referrals for treatment of conditions such as post-traumatic stress disorder.

The practice hindered proper oversight and made it possible for Colorado veterans to fall through the cracks, wrote officials with the VA Office of Inspector General, which examined care at the facilities between October 2015 and September 2016.
Perspective. "They may look fake to you, but they look Okay to me."

New York attorney general says the FCC won't help investigate fake net neutrality comments

New York Attorney General Eric Schneiderman revealed today that his office has been investigating a flood of spam FCC comments that impersonated real people, and criticized the FCC for withholding useful information. In an open letter addressing FCC chairman Ajit Pai, Schneiderman writes that his office has spent six months investigating who submitted hundreds of thousands of identical anti-net neutrality comments under the names and addresses of unwitting Americans. But he says that the FCC has ignored multiple requests for logs and records, offering "no substantive response."
Amusing.

How Amazon, Apple, Facebook and Google manipulate our emotions
For my students and the Boards of Directors of Uber, Equifax, Wells Fargo, etc.

More than 50 tech ethics courses, with links to syllabi

There has never been a more urgent moment to merge ethics and technology: this shared spreadsheet of 57 (and counting) university courses on ethics and tech includes links to syllabi, moderated by Colorado University information science assistant prof Casey Fiesler, who runs The Internet Rules Lab (hey, grad students, she's hiring!)