IT Compliance Advisor

January 7, 2015  7:52 PM

More U.S. firms look to hack back after Sony data breach

Fran Sales Fran Sales Profile: Fran Sales
CIO, Cyberattacks, cybersecurity, Data breach, FBI, grc, Hackers, Network Intrusion, Sony, Threat intelligence, Two factor authentication

Business cybersecurity — or the lack thereof — continued to make headlines in the past few weeks as more U.S. private-sector firms consider counteroffensive tactics against attackers. Also in cybersecurity news, North Korea slammed new U.S. sanctions in response to the Sony hack, and a new report found that last year’s massive JPMorgan Chase data breach was the result of a basic security flaw.

After Sony breach, more firms consider hacking back

A growing number of private-sector companies — including some large U.S. banks — have been targeted by hackers in recent months and are frustrated with a perceived lack of follow-up from the federal government. These companies have started looking to outside options to strike back at their attackers, some security specialists and former law enforcement officials told Bloomberg.

These anxieties have only intensified after the breach of Sony Pictures’ network, according to the article. Some of these businesses have employed cybersecurity firms to advise them on various counteroffensive tactics, including disrupting hacker operations and peering into foreign-based networks to find out what data was stolen.

“Hacking back” efforts gained a higher profile after President Obama’s promise to mount a response against North Korea for the Sony data breach, but many companies don’t actually follow through with such measures, said some of the cybersecurity professionals. These experts and the FBI also discourage companies from retaliating because it might entice hackers still lurking in their networks to ramp up their attacks.

North Korea blasts U.S. sanctions; FBI stands behind its Sony breach assessment

North Korea has publicly criticized new sanctions authorized by President Obama last week, calling them “hostile” and “repressive.” The U.S. sanctions were imposed against three North Korean organizations and 10 government officials, and enacted in response to the Sony Pictures breach.

North Korea’s foreign ministry continues to deny responsibility for the cyberattack. The U.S. government has not offered any public evidence linking North Korea to the Sony breach, which has left many in the cybersecurity community unconvinced that the nation-state was responsible. Many cyberintelligence firms investigating the attack said they have not observed concrete evidence that confirms that North Korea backed the breach.

Security experts’ skepticism has only intensified after the FBI attended a three-hour briefing by a security firm whose research indicates the perpetrator was laid-off Sony staff. After the meeting, the FBI was steadfast in its assertion that North Korea was behind the attack, and officials stated there was “no credible information” to suggest otherwise. One U.S. official told Politico that the discrepancy could be due to the FBI having access to intelligence sources that others don’t.

JPMorgan hack could have been quelled with simple security fix

Last year’s breach at JPMorgan Chase, the largest cyberintrusion on a U.S. bank reported thus far, could have been prevented by updating one of the bank’s servers to include two-factor authentication, according to a report by The New York Times. JPMorgan spends $250 million on computer security annually to prevent sophisticated cyberattacks, but the security hole overlooked by the bank’s security team was a very basic one, people who have been briefed on the investigation into the attack explained to the Times.

Most large financial firms use two-factor authentication, and sources said the oversight is seen as an embarrassment inside JPMorgan as the company conducts an internal review to see if there are other weak spots in its large network.

Security experts say that one reason the vulnerability in JPMorgan’s network has gone so long without being addressed is because the bank’s size made it difficult to secure its information, especially as it acquires more companies and incorporates new networks.

December 23, 2014  3:49 PM

Obama plans response against North Korea for Sony Pictures hack

Fran Sales Fran Sales Profile: Fran Sales
backdoors, CIO, Cyberattacks, Cybercrime, cybersecurity, Hackers, Hacking, Information security, Microsoft, privacy, Sony

President Barack Obama declared that the U.S. government will respond to North Korea’s actions after the FBI announced that the nation-state was behind last month’s calamitous cyberattack against Sony Pictures. In other recent IT security and privacy news, U.S. Senator Ron Wyden introduced a bill to forbid the government from wiretapping users’ mobile devices, while dozens of technology companies — including Amazon and Apple — announced support for Microsoft in its ongoing legal battle against the U.S. government over search warrants.

Obama promises response against North Korea for Sony hack

President Obama announced at a news conference last Friday that the U.S. will “respond proportionally” against North Korea for the cyberattack that crippled Sony Pictures’ computer systems and leaked staffers’ personal information online.

The president was not specific regarding how the U.S. government will respond, only saying that his administration is working on possible options. Obama also reprimanded Sony Pictures, saying it made a mistake by pulling the release of The Interview, its satirical film about a fictional plot to assassinate North Korean leader Kim Jong Un. He said the studio should have consulted him before responding to the hackers’ threats against theatergoers, and warned against getting “into a pattern in which you’re intimidated by these kinds of criminal attacks.”

The White House announcement came hours after the FBI released an update on the Sony hack investigation that concluded North Korea was behind the attack. The FBI added that the attack stands out from other cyberintrusions because of its “destructive” and “coercive” nature, and that it shows cyberthreats are one of the “gravest national security dangers to the United States.”

Senator introduces Secure Data Act to ban ‘back doors’ in products

Senator Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, has introduced the Secure Data Act legislation to prohibit government mandates that manufacturers create “back doors” into people’s mobile applications and devices for targeted surveillance purposes.

In an opinion column for the LA Times, Wyden argues that creating these “security holes” is bad for customer security and businesses’ bottom line because they deliberately create vulnerabilities that hackers and foreign governments can infiltrate. He also contended that Americans should demand more data encryption technology.

Apple and other tech giants back Microsoft in legal battle

Twenty-eight technology and media companies, including Amazon, Apple, Verizon Wireless and AT&T, joined computer scientists, trade associations and civil rights advocacy groups to sign friend-of-the-court briefs filed on Microsoft’s behalf last week.

The briefs are a show of the support for Microsoft as it battles a federal judge’s ruling that the company surrender individual user emails stored in Ireland to the U.S. government after being issued a search warrant for the files. Microsoft later appealed the ruling.

On Microsoft’s blog, General Counsel Brad Smith wrote that these briefs show the scope of the case no longer just focuses on legality, but is now a “broad policy issue that is fundamental to the future of global technology.” Microsoft also argues that the U.S. government’s subpoena disrespects international laws. Requiring Microsoft to turn over emails through a U.S. court order, without input from the Irish government, flouts the treatises the U.S. has established with other countries that deal with these types of situations, Microsoft contends.

December 11, 2014  6:31 PM

North Korea applauds Sony breach but denies responsibility

Fran Sales Fran Sales Profile: Fran Sales
CIO, Compliance, Cyberattacks, Cybercrime, cybersecurity, Data security breaches, grc, Hack, Information security, Startups

Sony is the latest big-name company to have its computer network hacked. Corporate information and entire films were leaked online in what some suspect is retaliation by the North Korean government. In other governance, risk and compliance (GRC) news, a growing number of U.S. law schools are offering compliance courses or programs, and specialized security startups are drawing the eye of Silicon Valley investors.

North Korea calls Sony hack a ‘righteous deed’

The North Korean government this week denied any involvement in last week’s hack of Sony Pictures’ computer systems, but said its “supporters and sympathizers” may have carried out the “righteous deed.”

An article published by the North Korean government-run KCNA news agency accused Sony of “abetting a terrorist act” by producing The Interview, a movie starring James Franco and Seth Rogen as journalists enlisted by the CIA to assassinate North Korean leader Kim Jong-un. The attackers posted films online that have not yet been released, and disclosed the salary information, email addresses and Social Security numbers of thousands of Sony employees, including celebrities. Sony Pictures said it is currently working with law enforcement to investigate the breach, and the FBI is also probing the attack.

More U.S. law schools offer compliance-centric programs

A dearth of U.S. law schools offer courses or degrees tailored to the compliance officer job, but Reuters reports the landscape is slowly changing. A major driver is the thriving compliance industry: The base salary of compliance offers has been rising 3.5% every year since 2011, and companies such as JPMorgan Chase are bolstering compliance functions even as they make cuts in other areas.

One such program featured by Reuters is New York University Law School’s Corporate Compliance and Enforcement (PCCE), wherein students build compliance expertise through relevant coursework and insight from leading practitioners and guest teachers. Another institution, George Washington University Law School in Washington, D.C., offers a compliance and ethics course focusing on the legal issues that surround anticorruption regulations.

Security startups attract more investor funds

As data breaches become the norm, security startups are increasingly drawing attention from Silicon Valley investors, The New York TimesBits blog reports. According to research firm CB Insights, last year there were 240 investments in these startups with a combined worth of $1.7 billion, up from 83 investments worth $340 million in 2009.

All types of security startups are garnering money from investors, including those dedicated to access control and identity management, the creation of secure spaces on computers for different processes, and network monitoring and alerts if anything suspicious occurs.

Established security companies such as Symantec and Juniper are striving not just to compete with the more specialized products and services these startups offer, but also to attract and retain talent as their lucrative and well-paying smaller rivals hire much sought-after security engineers.

November 25, 2014  6:31 PM

Apple’s consumer privacy practices in the government’s crosshairs

Fran Sales Fran Sales Profile: Fran Sales
Android, Apple, Apple iOS, CIO, Data privacy, Data-security, Encryption, FBI, health, personal data

As U.S. federal agencies put tech giants’ data security practices under the microscope, consumer privacy issues are on everybody’s minds. Also in privacy news: Two U.S. business alliances are pushing for greater data management transparency, and a new study shows that Americans remain suspicious of online services and government spying.

FBI publicly censures Apple’s impenetrable encryption technology

Various government and law enforcement agencies are up in arms regarding new device encryption measures put in place by big technology firms. In September, Apple announced that new iPhone software would prevent anyone other than its user — including police armed with a court order — to access data on the phone. Shortly thereafter, Google disclosed that it would implement similar encryption technology on its devices that use the new Android OS.

The FBI met with Apple representatives about the issue Oct. 1, during which Deputy Attorney General James Cole warned that a child could die because the encryption tools would prevent law enforcement from looking inside a criminal’s phone for pertinent information. Apple’s representatives responded that the company is protecting the rights of consumers who are storing more personal data on their devices and losing trust in how technology companies store their information.

FBI Director James Comey also spoke out publicly against the new encryption measures, saying that Apple and Google have swung the “post-Snowden pendulum” too far in favor of protecting consumer privacy. The Obama administration said it plans to continue discussing these issues with the technology companies.

FTC in talks with Apple to confirm health data security

The Federal Trade Commission (FTC) is another U.S. agency with its eye on Apple’s handling of consumer data, particularly with regard to its Apple Watch and the HealthKit platform and the security and privacy of the health data they collect.

Reuters reported that there are no hints that the FTC plans to launch a formal investigation, but the agency has recently focused on the privacy safeguards for increasingly popular mobile health applications. Apple’s HealthKit offers consumers control over their health data and was designed with privacy in mind, Apple spokeswoman Trudy Muller told Reuters. In August, Apple also toughened its privacy policies so that developers cannot use the information collected by HealthKit for data-mining purposes.

Two coalitions publicly encourage user transparency in data practices

Two composite organizations are taking steps toward addressing consumers’ waning trust in data security as breaches grow larger in scale. Earlier this month, the Alliance of Automobile Manufacturers, which represents manufacturers such as Chrysler, Ford Motors, General Motors and Toyota, pledged more transparency into their data management and security practices. The American Farm Bureau has also addressed concerns regarding how agriculture technology providers use the data collected by their services.

While Fortune‘s Heather Clancy wrote that these statements are a step in the right direction, she also argues that businesses need to take privacy further. She cited a Forrester report that predicts the number of executives that view their security strategy as a competitive differentiator will grow next year.

Pew Research unearths pervasive distrust among U.S. consumers

A recent Pew Research Center study reflects a widespread belief among U.S. consumers that they’re losing control of their personal information. According to the study, which surveyed 607 American adults, 91% reported they “agree” or “strongly agree” that they have lost control of how their information is being collected and used by companies. Furthermore, 88% agree or strongly agree that it would be very challenging to remove inaccurate data about them online.

Seventy percent expressed concern about how the government accesses their data, and 80% agreed or strongly agreed that Americans should be concerned about how the government monitors their phone and Internet communications.

The study also found that 80% of those who use social networking sites are concerned about how third parties such as advertisers are using the information they share on those sites. Social media sites garnered the most distrust, with 81% of respondents stating that they are “not very” or “not at all secure” when using the sites to share personal data with other people or organizations. However, 55% of respondents said they were willing to share some of their data in exchange for the use of free online services.

October 30, 2014  6:23 PM

Apple Pay sidesteps compliance rules; FCC takes first privacy action

Fran Sales Fran Sales Profile: Fran Sales
Apple, CIO, Data security standards, FCC, Google, Mobile, privacy

Apple Pay rolled out to much fanfare earlier this week, but may have bypassed some compliance requirements that Apple’s mobile payment rivals have to maintain. In other recent headlines, the FCC took its first steps toward data security enforcement, Google cracked down on online piracy, and Verizon is in hot water with privacy advocates.

Apple Pay under less regulatory scrutiny than rivals

Apple faces less stringent compliance demands than its competitors in the mobile payment space, according to some experts. The company didn’t have to register the recently launched Apple Pay with the U.S. Treasury Department’s Financial Crimes Enforcement Network (Fincen), and thus didn’t have to set up an anti-money laundering compliance program for the service.

This is because Apple merely facilitates the transaction between the consumer and a merchant and doesn’t actually accept or transmit payment, industry insiders told the Wall Street Journal. A phone using Apple Pay doesn’t store card numbers, but rather an encrypted token that unlocks payment card data once the user holds the device near a merchant’s reader.

Rivals PayPal, Google and Facebook are registered with Fincen, however, and thus have to maintain anti-laundering programs.

FCC dives into security, hits two companies with $10 million fine

The Federal Communications Commission (FCC) made its first foray into data security enforcement last Friday, imposing a $10 million fine against two telecom companies for storing personally identifiable information (PII) collected on the Internet without instituting security controls.

From September 2012 to April 2013, YourTel America and TerraCom collected PII from as many as 300,000 applicants to a federal subsidy program. This information included names, addresses and Social Security numbers, according to the FCC. Instead of securing the data or destroying it, the companies stored it on publicly accessible online servers. Reporters for the Scripps Howard News Service discovered the PII with a simple Google search.

The $10 million fine will be split between the two companies.

Google revamps search algorithm to deter piracy

Google announced that it has modified its search algorithm to make it less likely that illegal piracy websites will rank highly on its search results pages when users search for copyrighted media content. The company announced its decision through an updated version of its “How Google Fights Piracy” report, which was originally published last year.

The update includes changes to how Google presents its ads in search results pages for queries associated with entertainment media. The ads will be featured prominently at the top of the page and positioned in a way that points users to legitimate sources of content.

Google is currently only implementing these new results in the U.S., but it plans to expand the effort internationally.

Verizon uses identifiers to help clients target advertisements at users

Verizon Wireless is adding tokens to Web requests traveling across its network that allow the cellular services provider to collect data on consumers’ interests. The user profiling, part of the company’s Relevant Mobile Advertising service, affects all Verizon Wireless customers. The tokens, called Unique Identifier Headers (UIDHs), link website visitors to Verizon’s internal profiles.

The service allows clients to tailor their website advertisements to specific consumer market segments. The websites can request advertisements and UIDHs from an on-demand advertising network, which can then ask for consumer data such as geolocation information from Verizon so it can provide targeted advertising.

Verizon says its users remain anonymous and that this marketing data is private. But because the database is not under any legal scrutiny, privacy advocates say that the service tracks users and should not be using the data outside of the intended purposes.

October 17, 2014  4:12 PM

JPMorgan Chase hackers compromised 13 other finance companies

Fran Sales Fran Sales Profile: Fran Sales
CIO, Customer data, Cyberattacks, Cybercrime, cybersecurity, Data privacy, Data security breaches, Financial firms, Financial industry, Google, Retail/point-of-sale applications, Search engines, Search Indexing

Online consumer security and privacy remains in the headlines as big-name companies continue to report cybersecurity breaches. Further investigations into the JPMorgan Chase cyberhack revealed that 13 other financial institutions’ computers were also breached, while Dairy Queen and Kmart’s in-store payment systems were compromised in recent hacks. In other consumer privacy news, Google added information on European de-indexing requests to its Transparency Report.

JPMorgan Chase hackers targeted 13 more financial companies

More than a month after the JPMorgan Chase cyberattack was made public, the Obama administration and top national security advisers still don’t know whether the financial company’s hack was a typical act of theft or perhaps retaliation initiated by Vladimir Putin for U.S. sanctions on Russia. In addition to JPMorgan Chase, the hackers who perpetrated the attack targeted 13 other financial institutions, including Citigroup, HSBC Holdings, E*Trade Financial and Automated Data Processing, according to a Bloomberg news report. Signs of intruders were discovered in these companies’ computers or logged by their security tools, sources said.

The FBI, the U.S. Secret Service, attorneys general from at least two states and New York federal prosecutors are also conducting investigations, as questions remain regarding the hackers’ motives and the impact of the attacks on the financial industry.

Kmart, Dairy Queen payment systems hit by cyberattacks

Two more U.S. retailers are victims of cyberbreaches that compromised their customers’ payment card information. As in the recent Home Depot breach, hackers infected in-store payment systems at Kmart and Dairy Queen with malware meant to evade antivirus software.

Kmart announced its breach last Friday; company representatives said it was attacked in early September and is working with law enforcement and forensics teams to determine the source of the attack. The company didn’t disclose how many of its stores were affected or how many cards were compromised, but said the malware has been removed from its systems.

Dairy Queen revealed last Thursday that its in-store payment systems were infected, and that it’s working with franchisees to determine which locations were affected. Details of the attacks are provided on its website. According to forensics experts, customer account numbers and expiration dates were stolen.

Google adds details on European de-indexing requests to transparency report

Google is adding a new section to its online Transparency Report called “European privacy requests for search removal,” where it’s listing details about requests for search-listing removals the company receives in Europe.

The section lays out the total number of URLs Google has received for removal, as well as the number of de-listing requests it has received. To date, Google has received 146,938 removal requests and 498,830 URLs to evaluate. The report also breaks down those numbers by European country. Overall, Google grants about 41% of requests, according to the report.

Google’s Transparency report also details removal requests from governments and courts, as well as copyright requests. In May, the Court of Justice of the European Union ruled that Google and other search engines must evaluate individuals’ requests for de-indexing, and that they can only list display results if they serve public interest.

September 30, 2014  4:14 PM

Facebook’s Atlas arms advertisers with deeper reach into user data

Fran Sales Fran Sales Profile: Fran Sales
advertising, Android, Antitrust lawsuits, CIO, Data privacy, Facebook, Google, iOS 8, Marketing, Mobile applications, Search

Facebook has unveiled a new ad platform that promises marketers deeper insight into the data of billions of its users — a move that has raises big concerns among privacy advocates. Also in data privacy headlines this week: Law enforcement officials are uneasy about Apple’s and Google’s new mobile encryption policy; the EU’s antitrust agency continues to call on Google to change its search practices; and mobile developers clamor for clear-cut health data guidelines.

Facebook’s new ad platform equips marketers with deep user data

On Monday, Facebook rolled out a revamped version of Atlas, its digital advertising platform. The updated platform will allow marketers to analyze the data of Facebook’s 1.3 billion users to target ads to these individuals on other websites and within mobile apps. Atlas also provides advertisers with information that determines which ads are most successful.

With the platform, Facebook plans to compete with Google, Yahoo and other online companies’ advertising networks. But while the detailed tracking Facebook conducts on its users’ information certainly provides marketers with a uniquely valuable tool, the revamped version of Atlas has also caused consumers and their advocates to voice privacy concerns. Facebook representatives are on the record claiming that the company never reveals users’ identity to advertisers.

Law enforcement uneasy about Apple’s, Google’s new encryption policy

Both Apple and Google’s new mobile operating systems, iOS 8 and Android L, respectively, include encryption protection that doesn’t allow the companies to extract information from smartphones protected by a four-digit passcode, even when a warrant is issued. This development has spurred members of the law enforcement community, including Law Enforcement Legal Defense Fund President Ronald T. Hosko, to express concern that such policies would hinder efforts to solve crimes and punish criminals.

Apple’s and Google’s new policies “will create needless delays that could cost victims their lives,” Hosko said. He pointed out that while these policies won’t make it more difficult for law enforcement officials to intercept calls, it will be more challenging for them to access information stored on the devices.

EU’s antitrust authorities again demand that Google amend search settlement

European Union antitrust chief JoaquĆ­n Almunia is demanding that Google amend its settlement proposal for a fourth time, as antitrust authorities continue a nearly four-years-long investigation into the company’s search practices in Europe.

Almunia’s agency has been probing allegations that Google tweaks its search results in order to prioritize the company’s own products. The agency and Google reached a deal in February that would have allowed the search company to evade fines of around $6 billion if Google agreed to present rivals’ search results in a manner similar to its own. The settlement collapsed, however, when senior EU politicians and prominent publishing houses criticized the decision and called for authorities to diminish Google’s dominance of the search market.

Mobile app startups pursue developer-friendly health data guidelines

Earlier this month, a group of mobile app developers filed a letter of complaint to Rep. Tom Marino (R-Pa.) regarding the lack of current online guidance concerning the Health Information Portability and Accountability Act’s patient health information privacy rules. The App Association, a group that claims to represent 5,000 mobile app providers, was among the letter’s signers.

Developers say it’s difficult to compete with larger rivals that have the means to hire legal experts, while startups must rely on out-of-date information available on government websites, according to Reuters. The group of developers also requested resources including better guidance for storing health data in the cloud, as well as increased participation by members of the Department of Health and Human Services in mobile health events.

September 19, 2014  3:58 PM

Former staffers spill on Home Depot’s lacking customer data protection

Fran Sales Fran Sales Profile: Fran Sales
CIO, Compliance, Data breach, Data protection, Governance, regulatory compliance, SEC

Five former Home Depot employees claim the company lacked adequate customer data protection tools and that executives discouraged security system improvements that could have helped prevent the widespread hack of its payment systems earlier this month. Also in compliance and governance news this week: The Securities and Exchange Commission (SEC) vowed to put insider trading practices under closer scrutiny, and a study found that good corporate governance, combined with environmental and social factors, contribute to better stock performance.

Former Home Depot staffers reveal inadequate customer data protection

Home Depot’s in-store payment system did not include encryption tools to protect customers’ payment card data, according to five former employees interviewed by Bloomberg Businessweek. This vulnerability possibly opened the door for the payment system hack that could have begun in early April; the company revealed it Sept. 8.

One former information security manager also disclosed that a Symantec check of Home Depot’s security systems two months ago revealed out-of-date antivirus systems. The former staffers also claimed there was high employee turnover in the company’s information security department, and that technology executives preferred “C-level security” processes because ambitious upgrades would have been too expensive.

SEC fines corporate executives for late insider trade notices

The SEC has filed charges against 36 companies and individuals for allegedly failing to comply with security rules for reporting insider transactions. These charges are part of a broader SEC strategy to take a closer look at how executives and insiders manage stockholdings and trades.

The SEC used algorithms to identify insiders who allegedly broke the rules, including 13 officers and directors, 15 shareholders and six companies. The cases showed filing delays of insider transaction reports that ranged from weeks to years. Except for one case still being contested, all enforcement actions were settled for sanctions that totaled $2.6 million.

Andrew Ceresney, the SEC’s enforcement chief, said that the actions were “the first time where we have systematically brought a series of cases in this area,” and that their purpose was to urge companies, investors and executives to improve compliance. Some legal experts, however, felt that such technical rule breaches are low-hanging fruit for the SEC when compared with proving insider trading by company executives.

Governance, environmental and social factors boost stock performance

Improving compliance processes benefits the business, according to a study conducted by the Smith School of Enterprise and the Environment at the University of Oxford and Arabesque Asset Management. The study found that companies that practice good corporate governance and target environmental and social issues improve stock price performance and lower capital costs. Workforce relations, environmental management and executive compensation all had a strong effect on these improvements, according to the study.

“We believe that the most successful future investors will be those with continuous research programmes that analyze a range of ESG (environmental, social and governance) factors,” said Andreas Feiner of Arabesque. The report was based on about 200 academic research studies, industry reports and books.

September 4, 2014  8:11 PM

Post-hack focus on Apple iCloud security; Microsoft defies warrant

Fran Sales Fran Sales Profile: Fran Sales
Apple, CIO, Cloud Security, Data breach, Data Leakage, Data privacy, Data protection, icloud, Microsoft

Data privacy riddled tech headlines this week as Apple was forced to defend iCloud’s security when hackers leaked celebrities’ intimate photos. The tech giant also announced changes to its privacy policy, making it more difficult for developers to share data collected from its HealthKit app with third parties. Also in data privacy news, Microsoft is holding its ground against the U.S. government regarding user data held overseas, and the E.U. is discussing reforms to its 1995 data protection law.

Apple security under fire in iCloud celebrity hack

Apple announced Tuesday that it would probe media reports suggesting that vulnerabilities in iCloud, its online storage service, led to the hacks of celebrities’ accounts last weekend. In one scenario, a GitHub user found a weakness in Apple’s Find My iPhone app, an iCloud service that tracks an iPhone’s location and allows its user to remotely disable it, according to a post on the online code-sharing site. The vulnerability could have allowed the hacker to perform “brute force” attacks until the correct passwords were identified.

Rich Mogull, chief executive of security research and advisory firm Securosis, told the Wall Street Journal it’s possible that hackers exploited the Find My iPhone bug, but added it’s more likely that they hacked the celebrities’ individual accounts.

Apple said in a statement that the hacks were a result of hackers deducing the victims’ login credentials by targeting user names, passwords and security questions, and not by breaching Apple’s security systems. The company did, however, patch a flaw in its Find My iPhone app that security experts said could be partially responsible for the leak.

Apple updates health app’s data privacy policy

Apple also updated its privacy policy to prevent developers from selling users’ health information gathered through its HealthKit platform to advertisers, data brokers or resellers. HealthKit, part of iOS 8, provides developers with APIs to share their applications’ data with Apple’s Health app, which offers a dashboard of users’ health and fitness data. Additionally, the updates bar developers from using the data for purposes other than “providing health and/or fitness services.”

Apple’s efforts to ensure that HealthKit is compliant with U.S. regulatory requirements is noteworthy as health data has gained value with advertisers, according to Forbes, which cited a Senate Commerce Committee report that said companies are developing databases consisting solely of people’s health-related information. Apple’s new privacy rules allow developers to share users’ health data with third parties “for medical purposes,” which could potentially be a loophole in the policy. Developers will, however, need users’ permission to do so.

Microsoft defies U.S. data search ruling

Microsoft is still standing its ground against Judge Loretta Preska’s ruling to turn over customer emails and records stored at its Ireland data center. In July, Judge Preska upheld a U.S. magistrate judge’s ruling that because Microsoft can control data stored physically in Ireland without actually entering the country’s domain, the data’s location isn’t relevant and Microsoft must comply with a government search warrant for that data. Microsoft argued that user emails should be afforded the same legal protections as U.S. mail and phone conversations.

Microsoft said that it will not be turning over the customer records and will bring the case to the appeals court. AT&T, Apple and other tech heavyweights are submitting briefs to support Microsoft’s defiance of the search warrant.

E.U. reforms data protection law to include steeper penalties

The E.U. will soon reform its 1995 data protection rules in an effort to unify legislation across Europe and strengthen privacy guarantees, as well as enforce steep penalties should the new rules be violated. Under the reforms, the responsibility for violations would be shared between the organizations that own the data, or data controllers, and data processors, such as cloud providers that store the data.

Peter Groucutt, managing director at cloud backup provider Databarracks, told Business Cloud News that the proposed reforms could spur organizations to toughen their IT security policies. Additionally, the upcoming changes could help chief security officers acquire greater security funding due to the number of potential fines, which make it a priority for boards of directors, he added.

August 21, 2014  7:58 PM

Regulatory compliance challenges mount in recession’s wake

Fran Sales Fran Sales Profile: Fran Sales
Chief Compliance Officer, CIO, Compliance, Data brokering, Data privacy, Employee training, FCC, FTC, personal data, Safe Harbor

U.S. companies, particularly those in the financial services industry, continue to wrestle with compliance regulations: Recent headlines show that the current regulatory environment remains a top issue for CEOs and that many companies have difficulty measuring the effectiveness of compliance training programs. Meanwhile, in recent weeks, PricewaterhouseCoopers was fined for watering down a bank report, and a complaint filed with the Federal Communications Commission (FCC) alleges that 30-some U.S. tech giants are violating Safe Harbor agreements.

Regulatory issues No. 1 challenge for U.S. CEOs

The regulatory environment in the wake of the recent recession is the top issue that could have the most impact on business operations, according to a Forbes Insight and KPMG study. Of the 400 U.S. CEOs surveyed across all major industries, 34% reported spending more time with government officials and regulators than they did before the downturn, or are considering doing so.

Financial services is among the sectors most affected due to the sheer number of regulations requiring transparency and risk reduction processes, according to Forbes. Companies also face additional regulatory costs, such as those related to revamping data monitoring systems to remain compliant. KPMG representatives advised CEOs to extract business value from mandated compliance processes, such as by using regulatory data to analyze sales and compile insight into product profitability.

PwC hit by penalties for diluting bank report

Wall Street consulting firm PricewaterhouseCoopers (PwC) is facing heat from New York financial regulators. The firm, according to interviews and confidential documents reviewed by The New York Times, watered down its report on one of the world’s largest banks, Bank of Tokyo-Mitsubishi UFJ. PwC agreed to pay a $25 million fine, and one of its regulatory consulting units cannot undertake assignments from New York-regulated banks for two years.

In 2007, the Bank of Tokyo-Mitsubishi recruited PwC to quantify its improper transactions with U.S.-blacklisted countries. The initial draft of PwC’s report showed that the bank excluded names of Iranian customers to evade detection. The consulting firm, however, under pressure from Bank of Tokyo-Mitsubishi’s legal team and executives, deleted or diluted harsh characterizations and critical passages when it filed the report, according to the Times‘ sources.

This case highlights how authorities are reassessing their relationships with consulting firms, according to the Times. While regulators have previously ignored these firms’ potential conflicts with banking institutions, federal authorities are now releasing guidelines for employing consultants.

Compliance officers struggle to measure training effectiveness

Many firms, especially those in financial services, have improved their compliance and ethics training programs but are finding it difficult to measure their efficacy, according to two Navex Global researchers who spoke with Thomas Reuters. Chief compliance officers also have difficulty making a business case for investing in such programs, said the researchers.

The best training programs, the researchers found, are those customized to the needs of a particular job and contribute to an organization-wide “culture of compliance” that encourages ethical behavior. There is a gap in compliance training, the researchers said, because effectiveness measures vary widely. To improve training, the researchers advised partnering with other business groups within an organization to draw on their expertise, as well as investing more in manager training.

U.S. tech titans violating Safe Harbor, FTC complaint claims

More than 30 large tech companies are violating their Safe Harbor commitment to keep European citizens’ data private, according to a complaint filed with the Federal Trade Commission (FTC). The Washington, D.C.-based Center for Digital Democracy (CDD) claimed that these firms, which include AOL, Adobe, Salesforce, Datalogix and Marketo, are “compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent.”

In the complaint, the CDD also claimed that the aforementioned tech firms are involved in “data profiling,” entangled in a “web of powerful multiple data broker partners who, unknown to the EU public, pool their data on them so they can be profiled and targeted online.” It also alleges that the FTC is failing to enforce Safe Harbor regulations by neglecting to impose sanctions. Currently, the U.S. and EU are negotiating a new data privacy agreement that could give European citizens the same rights of redress as U.S. citizens should their data be used wrongly.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: