Security Researchers Find Biometric Data on 28 Million Records Is Exposed

It was reported this week by The Guardian and Forbes that security researchers from Vpnmentor have discovered and published a report that Suprema, a company that collects and monitors biometric information such as fingerprints and facial recognition data, has left exposed the biometric information of 28 million records and 23 gigabytes of data insecure.

Suprema services police departments, banks and defense contractors, and provides identity and time and attendance solutions, fingerprint scanners, and mobile authentication tools for employers. According to The Guardian, the system involved is Suprema’s Biostar 2 biometric identity solution, which “is used by 5,700 organisations in 83 countries, including governments, banks and the police.”

According to the researchers, highly sensitive biometric data and administrative usernames and passwords were left unencrypted. The researchers found plain-text passwords of administrator accounts and they were “able to change data and add new users.” The ability to add new users or manipulate the integrity of the data is frightening. The theft of biometric information also is frightening because we only have one set of fingerprints and one face. The researchers stated “they are saving people’s actual fingerprints that can be copied for malicious purposes.”

Suprema says it has shut down the vulnerability and is investigating the report. The information that was reported exposed includes “fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”

Can You Really Protect Against Ransomware?

We’ve written a few times recently about municipalities, companies, and government agencies hit with ransomware attacks this year. In early July, it was reported that a court system in Georgia was attacked with ransomware, causing lawyers, court employees and the public to have to rely on “old school” paper to file pleadings and keep the court system running. This got me thinking about ransomware, and then I came across a Security Tip (ST-19-01) sheet from the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) that I thought was worth sharing.

The tip sheet has three key suggestions to protect data and networks: back up data, store backups separately, and train your staff. Anyone who ever had a personal computer “crash” back in the day knows that having backup files is invaluable. Imagine if your entire company’s data, or your municipality’s or court system’s data were completely inaccessible. What would you do?

Being prepared by having data properly and completely backed up with files off-site and able to be restored in the event of a ransomware attack means the difference between being down for a brief period of time and being locked out of data permanently or potentially paying thousands of dollars for a decryption key that may or may not work. The federal government wants you to report ransomware attacks to the FBI and not to pay ransom at all.

Staff training is also critical, so staff is aware of all of the things that bad actors will do to try to trick people into clicking on malicious links. Simple things like calling someone to verify if they actually sent an email with new bank routing information or if they sent a request for confidential documents go a long way to protecting a company from a cyber-attack.

What else can a company do? Think about cyber liability coverage for ransomware attacks and other cyber threats. That premium payment for cyber coverage would be minuscule compared to the potential cost of a ransomware attack.

Beyond-Visual-Line-of-Sight Drone Operations in Alaska

A beyond-visual-line-of-sight (BVLOS) flight of a drone traveled along the Trans-Alaska pipeline system (TAPS) this month, led by a team from the University of Alaska Fairbanks (UAF) Center for Unmanned Aircraft Systems Integration. Operators flew the drone along 3.87 miles of TAPS, using onboard and ground-based detection systems (instead of human observers) to detect and avoid other aircraft. The drone also had onboard collision avoidance technology and a five-nautical mile system consisting of eight ground-based radars, which provided the aviation radar coverage during the flight.

Tom Barrett, President of Alyeska Pipeline Service Co., which operates TAPS, said, “The ability to use [drones] for surveillance in remote areas of the pipeline increases the tools at our disposal to operate TAPS more reliability and safely and better protect Alaska’s environment. This innovative step forward will advance safe performance not just in our industry, but in multiple disciplines and workspaces across the country.”

This flight was conducted as part of the unmanned aerial systems (UAS) Integration Pilot Program overseen by the Federal Aviation Administration (FAA). The goal of the flight, and others in this pilot program, is to help further integrate drones in the national airspace and find ways to safely fly BVLOS and carry out night operations and flights over people.

Ubers of the Future will Monitor Your Vital Signs

Uber has announced that it is considering developing self-driving cars that monitor passengers’ vital signs by asking the passengers how they feel during the ride, in order to provide a stress-free and satisfying trip. This concept was outlined in a patent filed by the company in July 2019. Uber envisions passengers connecting their own health-monitoring devices (e.g., smart watches, activity trackers, heart monitors, etc.) to the vehicle to measure the passenger’s reactions. The vehicle would then synthesize the information, along with other measurements that are taken by the car itself (e.g., thermometers, vehicle speed sensors, driving logs, infrared cameras, microphones, etc.). This type of biometric monitoring could potentially allow the vehicle to assess whether it might be going too fast, getting too close to another vehicle on the road, or applying the brakes too hard.  The goal is to use artificial intelligence to create a more ‘satisfying’ experience for the riders in the autonomous vehicle.

This proposed technology presents yet another way that ride-sharing companies such as Uber can collect more data from their passengers. Of course, passengers would have the choice about whether to use this feature, but this is another consideration for passengers in this data-driven industry.

Privacy Tip #203 – Cryptocurrency Woes

As cryptocurrency becomes more popular with investors, CipherTrace recently issued its Q2 2019 Cryptocurrency Anti-Money Laundering Report, which finds that “[O]utright thefts as well as scams and other misappropriation of funds from cryptocurrency users and exchanges continued apace, netting criminals and fraudsters approximately $4.26 billion in aggregate for 2019.” Yikes—that’s billion with a “b”.

The report (ciperhtrace.com) states that insider threats caused the largest losses, as well as a large Ponzi scheme, which defrauded “millions of users out of $2.9 billion in crypto assets.”

That’s the first cryptocurrency woe—if you are an investor in cryptocurrency, you are being targeted and are at risk of theft.

The second is that the Internal Revenue Service (IRS) appears to be concentrating on cryptocurrency investments and has sent a warning letter to 10,000 cryptocurrency traders alerting them that the IRS may be changing its methods for calculating the value of cryptocurrency and the forms and schedules that are used to report those holdings.

The IRS issued its initial guidance on cryptocurrency in 2014, which recognized that it may be used to pay for goods or services, or held for investment, and therefore has tax consequences and may be subject to taxation. Yes, taxes must be paid on cryptocurrency just like any other investment. The recent letters ask the traders to verify whether they filed their taxes on their cryptocurrency gains or losses correctly and to amend their tax forms if they think they might have made a mistake. The IRS suggested that traders should look at the exact date and time that they conducted a transaction and report accordingly.

As you know, I love speaking at the IRS Tax Preparers National Conference, but I really don’t want to be on the IRS’ radar screen. It’s not a good idea to have the IRS sending you a letter or asking you about your cryptocurrency gains and losses. If you have received one, or are a cryptocurrency investor, take heed of the IRS letters, as they provide guidance as we await the final cryptocurrency guidance to update the 2014 guidance that has been promised by the IRS in recent months.

Delta Sues Vendor for Causing Data Breach

In an unusual move, Delta Airlines (Delta) sued one of its vendors last week for the data breach it experienced in 2017. It’s an unusual move for several reasons. First, in our experience when a vendor causes a data breach, there is usually a contractual provision that can be followed that outlines the responsibility of the parties in the event of a security incident. The contractual language is usually followed and the parties can resolve the issues of reimbursement per the contract. Second, there may be insurance involved for both parties. The parties work with the insurers to make claims and seek reimbursement for costs associated with the data breach.

There also may be issues of limitation of liability, and in that scenario, there is usually an alternative dispute resolution clause and the parties may seek alternative means to resolve the issue of reimbursement. Only after all of these measures have been addressed would litigation be the favored option. It is a last resort to get involved in prolonged litigation—it is costly and very time consuming.

We don’t know whether any of these factors played into Delta Airlines’ decision to sue its vendor [24]7.ai, Inc. (24/7), but reading the allegations in the Complaint provides ample reasons for doing so. It reads like a novel. Please note that the Complaint sets forth only Delta’s side of the story; 24/7 has not yet answered the Complaint or provided its side of the story here.

According to the lawsuit, in early 2017, Delta commenced an RFP process for vendors to submit bids to provide a chat function on Delta’s website.  Although 24/7 was not part of the original RFP process, it was able to submit a proposal after the deadline, and Delta performed due diligence on its data security measures. In response to Delta’s questions about data security, 24/7 provided Delta with documentation and a security white paper specifically addressing its Chat Platform security and outlining the “extensive” security measures in place, including compliance with industry standards  and strict access controls.

Delta chose 24/7 as the winning vendor and an agreement was entered into by the parties sometime in the summer of 2018. Further, on February 1, 2018, 24/7 entered into a GDPR Agreement with Delta that attested to its compliance with the GDPR and its minimum data security measures, including the requirement to notify Delta of a data breach.

According to the Complaint, just months after the initial agreement was entered into with 24/7, “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…”

Delta alleges that the attacker was able to obtain full access login because 24/7 had inadequate authentication measures. Delta further alleges that 24/7 had inadequate security measures, including “allowing numerous employees to utilize the same login credentials; did not limit access to the source code running the [24/7] chat function to only those individuals who had a clear need to access that code; did not require the use of passwords that met PCI DSS…standards; did not have sufficient automatic expiration dates for login credentials and passwords…; and did not require users to pass multi-factor authentication prior to being granted access to sensitive source code.”

As a result of these security lapses, Delta alleges that an intruder was able to use scraping malware to obtain the credit card information of approximately 800,000-850,000 of its customers.

Even worse, Delta alleges that 24/7 knew about the incident in September or October of 2017 and yet did not notify Delta of the incident until five months later through LinkedIn messages to some Delta employees. The Complaint alleges that 24/7 still has not provided “formal detailed notice” of the incident. Still worse, (how can it get worse?), 24/7 signed and returned the GDPR Addendum to Delta in February of 2018 when it knew that the security incident had occurred.

Delta publicly announced the breach, notified its customers, provided them with mitigation services and was promptly sued in class action litigation, all of which costs a lot money for which Delta is seeking reimbursement from 24/7, and that 24/7 is apparently refusing to pay.

There are so many “wrongs” here that make this case so unusual and warranted. There are also numerous lessons to learn for vendors—obvious “dont’s” when providing services to companies and in the aftermath of a security incident. It will be an interesting case to follow.

New Threat to Companies: Warshipping

It is so hard to keep up with the latest ways the bad guys try to infiltrate company data. One new technique is called warshipping, and its implementation is pretty simple and a little old school.

IBM X-Force Red investigated the technique to give its customers an idea of the newest threats to enterprise systems. The warshipping technique gets past the firewall, spam filter, and other tools that are placed on the perimeter of a company’s system, because it comes old-school—often in a package delivered to the lobby of your office. So you can have all the sophisticated tools that are available in the market, and this threat sneaks right in through the U.S. mail or via a package delivery company.

The intruder places a tiny, low-cost, low-power, “computer” (essentially a processor chip and a few other electronic components) in a package that is shipped to the company. The device is remote controlled and is powered by a telephone battery. The IBM researchers were able to manipulate the devices so they went off when not in use, and on when in use. They used an IoT modem to follow the devices in transit and to communicate with them when they were on.

The researchers were able to complete wireless scans while the devices were in transit and use GPS to confirm the devices reached their final destination. Once it was there, the researchers were able to use tools to try to get into the company’s system through the wireless connectivity, or implement an “evil twin attack,” which allows the intruder to set up a decoy Wi-Fi and steal credentials.

Using the warshipping technique, the IBM researchers were able to infiltrate company networks. And these are the good guys. They’re giving us information to combat these types of attacks, so the next step is to figure out how to detect these tiny devices in packages delivered to the office or mail room. Sounds like a great idea for an entrepreneur—to come up with a package monitoring system to combat warshipping.

Clever Call Center Concept

My husband was recently booking some travel for us and had an interesting experience that he thought was worth sharing. While he was providing his credit card number to the person who was assisting with the booking, that person told him before he gave the credit card number and CVV number to wait a moment, as she was going to stop recording the conversation. Both of us were impressed at the forward thinking this company shows in requesting credit card numbers over the telephone.

This is quite brilliant on two levels. The first is, if the call center stops recording the call while a customer is giving the full credit card number and CVV, then that information is not contained in any recordings that may be compromised in the future—not only from outside intrusions, but also from insider threats. This is a reduction of risk to the company in the event of a compromise of the call center recordings. The second is that it is respectful to the customer and shows that the company cares enough about the privacy of the customer to literally stop the conversation and tell the customer that the company is stopping the recording of the credit card information before taking it down. I know we felt good about this process, and felt really good about the company’s protection of our credit card information. We were impressed at the fact that the company was focused enough on privacy and security to even think of this detail. It was a great customer relations move, and we will not hesitate to book with this company again. In fact, we would go out of our way to do so.

Based upon this recent positive experience—if you are taking personal information, such as Social Security numbers and credit card numbers with CVV codes over the telephone, consider putting a process in place to stop recording customer calls while that sensitive information is being provided to your call center representatives. It has the potential to reduce the company’s risk in the event of a compromise and also conveys to your customers how much you care about data privacy and security.

New Hampshire Enacts Insurance Data Security Law

New Hampshire Governor Chris Sununu recently signed the New Hampshire Insurance Data Security Law, which “establishes the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event…, and notification to the commissioner.” The law is applicable to all persons or entities licensed, authorized to operate, registered or required to be licensed, authorized or registered, pursuant to the insurance laws of the State of New Hampshire. It becomes effective on January 1, 2020.

The law requires insurance companies to implement an Information Security Program (ISP) that contains administrative, technical and physical safeguards to protect non-public information and includes a security risk assessment. The ISP must include:

  • a program to manage the threats identified in the risk assessment, including encryption and multi-factor authentication;
  • cybersecurity awareness training;
  • due diligence in hiring third parties and requiring those third parties to implement security measures; and
  • an incident response plan.

Licensees are required to investigate cybersecurity events, and notify the Commissioner within three days “of a determination that a cybersecurity event has occurred,” defined to mean, actual knowledge that the event occurred. Insurance companies are required to provide the Commissioner with a copy of any notification letter that is sent to any consumers under the New Hampshire data breach notification law.

The Commissioner has the right to investigate any cybersecurity event of a licensee to determine if it has been in violation of the law, and “may take action that is necessary or appropriate to enforce the provisions of the law.”

Licensees exempted from the law include:

  • covered entities that have fewer than 20 employees
  • an employee who is also a licensee
  • a continuing care retirement community
  • a life settlement provider
  • a licensee that is a bank or credit union covered by Gramm-Leach-Bliley or the Fair Credit Reporting Act
  • a motor vehicle retail seller or finance company
  • a vendor, as defined under RSA 402-K:1.

There is also a safe harbor for HIPAA-covered entities and companies covered by the New York Department of Financial Services Cybersecurity Regulations.

Licensees have until December 31, 2021, to implement an Information Security Program and until December 31, 2022 to implement a vendor management program, including to “exercise due diligence in selecting its third-party service provider” and requiring the third party to implement a data security program.

Based upon our experience with similar requirements in the Massachusetts data security regulations, it takes more time than you think to map all of the vendors that have access to data and to get written confirmation or contractual provisions in place to comply with this requirement, so you may wish to consider starting the process now.

New B4UFly App Released by FAA and Kittyhawk

At the beginning of 2019, the Federal Aviation Administration (FAA) and Kittyhawk, an unmanned aerial systems (UAS or drone) service provider, announced a partnership to update the FAA’s B4UFly app. The newly updated app was released last week for drone operators (both commercial and recreational alike), which now determines in real-time which airspace restrictions are in effect at any location in the United States, so that all drone operators can determine if their drone flight is in compliance with federal laws and regulations. The FAA’s Executive Director of the UAS Integration Office, Jay Merkle, said, “As the skies become more crowded and UAS operations become more complex, basic airspace situational awareness, especially for the newest of fliers, will be essential.” The updated app is set to assist those fliers.

B4UFly also generates data from the FAA including National Park boundaries, controlled airspace, military routes and special use airspace. The app provides straightforward prompts such as “Good to Go,” “Warning,” and “Do Not Fly.” The FAA’s Low Altitude Authorization and Notification Capability (LAANC) platform is now also included in the B4UFly app, which allows users to obtain authorization from local air traffic control to fly in controlled airspace.

The FAA and Kittyhawk plan to release more updates to the B4UFly app soon, including new capabilities for weather, remote ID and additional data layers for uses in public safety, natural disasters, and emergency response.

LexBlog