There are times when cyberthreats come from places where you least expect them.
That could mean a selfie app, an email inbox or even within health care and medical services. Eric Chiu, cofounder and president of HyTrust, joined this week’s Hacker Tracker to share insights on the SEC examining the Yahoo breaches, why a selfie app may cause more harm than good and how the U.S. is handling its ever-growing number of reported cyberattacks.
SEC Keeps An Eye On Yahoo
As if Yahoo didn’t have enough on its plate, the tech company is now facing a probe from the Securities and Exchange Commission as to whether or not it could have acted more promptly in response to two massive data breaches that left over a billion customers’ information compromised.
“This is yet another blow that comes at a crucial time for Yahoo, particularly in light of its pending sale to Verizon,” Chiu told PYMNTS.
“It’s shocking that a company of Yahoo’s size and long history could fall prey to such attacks and that there were no countermeasures, such as data encryption, in place to prevent them.”
The SEC will investigate whether Yahoo’s disclosures about the cyberattacks aligned with civil securities laws that require firms to disclose cybersecurity issues at the point they become of material interest to investors.
Yahoo disclosed a breach of 500 million users’ data in Sept. 2016, despite the fact that the hack itself took place in 2014, and shared last month that a different massive breach in Aug. 2013 had compromised even more user data.
The company has yet to explain why it took years to disclose the incidents publicly, and it is unknown at this point whether or when the SEC will bring a case, though most experts do seem to agree that a case in this matter would clarify the law in this area, particularly with regard to when a breach becomes materially important to investors.
“But the real lesson now is that the repercussions of these kinds of incidents can range far beyond the damage done to a company’s reputation and its relationships with its customers,” Chiu noted. “One thing seems certain, though: The SEC’s investigation into these incidents is almost certain to result in stricter rules and guidelines around disclosures of major security incidents, which will make it much harder for companies who fall prey to attacks to avoid negative publicity and scrutiny in the future.”
Hold That Selfie
A selfie app that is growing in popularity in the U.S. may actually be putting users’ security at risk.
Meitu, the selfie app that lets users add beautifying effects to their photos, is free to download, but it could come at a cost: compromising users’ personal information.
According to a TechCrunch report, security experts believe the app requires users to offer up more data from their phones than is needed for a photo app. What’s more, these experts have also noted that the app has some “allegedly sketchy code.” Meitu isn’t the first app to let users download it in exchange for data off the phone, but with this one, privacy-conscious consumers may want to rethink using the app.
“The situation with Meitu — and there are plenty of other apps that seem to want access to more permissions than they should ever need — is very much related to the trend of an increase in data breaches due to human negligence,” Chiu commented.
“Actually, ‘negligence’ isn’t even necessarily the right word. Users are often willing to hand over dangerous permissions out of simple ignorance. They just don’t understand the risks involved. That’s why, at the organizational level, user education is every bit as critical as implementing IT security controls.”
Greg Linares, an information security researcher, told TechCrunch that the Android version of Meitu can access information about what other apps are running, the location of the user, the unique device identifier numbers, call information, carrier details and Wi-Fi connections. The iOS version of the app also seeks out a lot of data, forensic expert Jonathan Zdziarski said in the report.
“I’d like to see the major public app stores do a better job of communicating security information to laypeople and possibly to offer finer-grained controls. Today, it’s pretty much ‘take it or leave it,’ and the natural impulse is to just click ‘yes’ and forget about it,” Chiu said.
America’s Data Breach Problem
According to a report released jointly by CyberScout and the Identity Theft Resource Center, the number of data breaches in the United States is on the upswing, rising about 40 percent, with the two organizations’ research counting a total of 1,093 breaches.
Across all industries, 72 percent of the records exposed came from hacking, phishing and skimming efforts. Social Security numbers were exposed in more than half of all breaches last year.
The business sector accounted for about 45 percent of breaches, while health care and medical services represented a combined 34 percent. In one relatively bright spot, financial services saw a 26 percent decrease, the research showed. Looking at record exposure, 3,182 credit card and debit card records were exposed in financial services, compared to more than 3.6 million combined cards in health care.
“We’ve seen this trend for a while now, and the pace of these incidents shows no sign of slowing down. What the data in this report underscores is that perimeter security measures, such as firewalls and passwords, are not sufficient to prevent data breaches,” Chiu emphasized.
CyberScout’s Eric Hodge, director of consulting, stated that, even though there has been a decrease in financial services breaches, the sheer rise in attacks overall (across all sectors) shows that more people than ever are looking to expose weak links that can give up sensitive data. The attackers themselves are getting smarter, he added, and can expose and exploit vulnerabilities in relationships between firms and even along supply chains, where far-flung operations and outside parties are tougher to monitor.
“Encrypting data in place can help mitigate the damage done when breaches do occur,” Chiu noted. “But given the threat level we see out there today, IT organizations should also be implementing additional countermeasures, such as role-based access controls and two-factor authentication.”