Weekly podcast: Equifax, Facebook and Kaspersky

This week, we discuss the Equifax data breach, a fine for Facebook and a ban for Kaspersky.

Hello and welcome to the IT Governance podcast for Friday, 15 September 2017. Here are this week’s stories.

The obvious place to start is with Equifax, which announced at the end of last week that it had suffered a data breach potentially affecting approximately 143 million US customers’ “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed”.

It’s unclear how many British customers’ data was compromised, although The Telegraph states that as many as 44 million people in the UK were affected through companies such as BT, Capital One and British Gas, which use Equifax’s services. The ICO has advised Equifax to alert affected UK customers “at the earliest opportunity”.

The consumer credit reporting agency has established a dedicated website, equifaxsecurity2017.com, to help its US customers, and issued regular progress reports to keep affected parties informed. The latest of these, issued on Wednesday 13 September, revealed how the incident occurred.

From mid-May to July this year, criminals exploited a remote code execution vulnerability (CVE-2017-5638 for all you fans of vulnerability numbers) in Apache Struts 2, an open-source framework for developing Java web apps. This vulnerability was identified two months earlier, in March 2017, when users were recommended to upgrade to Struts 2.3.32 or 2.5.10. That Equifax didn’t do so is, shall we say, unfortunate.

Mitigating cyber risks is a constant battle, but the vast majority of attacks exploit known vulnerabilities and can be prevented by getting the basics right. Ensuring you run the latest versions and apply patches when they are released is fundamental, as is conducting regular penetration testing to determine the presence of vulnerabilities in your networks and applications.

Facebook has been fined €1.2 million by the Spanish Data Protection Agency, the AEPD, for collecting, storing and using personal data for advertising purposes – including information relating to “ideology, sex, religious beliefs, personal preferences [and] browsing activity” – without obtaining appropriate consent

According to the AEPD, “Facebook does not inform users in an exhaustive and clear way about the data that will [be collected] and the processing operations that will be carried out”.

The agency also found that “users are not informed that their information will be processed through the use of cookies […] when browsing non-Facebook pages containing the ‘Like’ button” – a situation that also affects people who are not Facebook members, but have visited one of its pages.

Moreover, the social network’s privacy policy “contains generic and unclear terms, and obliges users to access too many different links to get to know it” and the company “inaccurately refers to the use it will make of the data it collects, so that a Facebook user with an average knowledge of the new technologies does not become aware of data collection or storage and subsequent processing, nor for what purpose they will be used”.

Finally, the AEPD found that Facebook doesn’t delete the information it collects from users’ browsing habits. All of these are violations of the Organic Law on Data Protection (LOPD).

According to Bloomberg, Facebook will appeal the fine.

You may remember that in March, at a senate hearing into Russian interference in the 2016 US presidential election, the former NSA director Keith Alexander said he wouldn’t trust Kaspersky products. Now, the US Department of Homeland Security has issued a Binding Operational Directive requiring US federal government offices to remove Kaspersky products within 90 days.

According to a statement: “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

In a statement obtained by Buzzfeed, a Kaspersky spokesperson said: “No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.”

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.