Privacy Monday - June 23, 2014
DC Update from Politico Morning Tech
"DATA BREACH DRAFT DELAYED - The thorny issue of FTC enforcement has slowed efforts to release a draft of Rep. Lee Terry's data breach bill, according to sources close to the process. Terry had hoped to release the draft he's been working on with Democrats John Dingell and Peter Welch after a Friday briefing with staff aimed at ironing out some final sticking points, but didn't get the consensus he'd hoped for. Republicans have historically bulked at handing over too much control to the consumer protection agency, which is angling for more authority to combat the rising threat of data theft. Democrats have tended to side with the FTC on the matter, although some insist any power shift does not weaken state laws."
More than a Wash and a Wax
This story caught my eye, since I just drove through a car wash yesterday, using my credit card. If you have also done that lately, you should check your credit card statements. Brian Krebs of Krebs on Security, the security blogger who broke the stories of the Target and Neiman Marcus data breaches, has done another fascinating inside look at an ongoing set of data breaches. Read Krebs' latest here.
There are several important takeaways from this:
(1) If you are running point-of-sale (POS) software (and you need not be a "retailer" to be running such software), when was the last time that you updated it? Your POS is connected to the Internet and can be an open hole, exposing your customers' credit card information the moment that card is swiped.
(2) How do you (or your vendors) access that POS? In the Krebs article, the POS software could be accessed using pcAnywhere - and old versions at that. We have worked on many breaches that used exactly this method for POS access either remotely by the store owner or for vendor support. That access is a "back door" that can also be easily hacked.
(3) Are you still running Windows XP? Time to upgrade... really.
If you fail to take the proper actions to keep systems up-to-date, and you experience a data breach, you may find yourself without insurance coverage and a defendant in a lawsuit.