Security News Survey – April 19, 2019

This week, we look at Microsoft’s data breach, an update on Facebook’s email password privacy issue, and Canada’s Equifax investigation.

We’re hearing a steady drumbeat of security breaches this month. This week, a few new security issues popped up, but we’ve also seen some updates come to light in regard to ongoing security and privacy sagas with companies like Facebook and Equifax. Let’s take a look at some news that caught our eye.

Microsoft suffers data breach following compromised account

Microsoft has admitted that a data breach compromised its web-based email services—Outlook, MSN and Hotmail—for three months. There are not a lot of details available yet, but we do know that Microsoft issued an email to an unknown number of impacted users stating that a support agent’s credentials were compromised, allowing external actors to access account information including email subject lines and contact lists between January 1st and March 28th. Microsoft claims to have disabled the compromised account.

These types of incidents are a good example of the insider threat use cases that Interset tackles on a daily basis. Compromised accounts are frequently involved in data breaches, and they can be detected best through the lens of behavioral analytics. This incident demonstrates that a compromised account is a type of insider threat that isn’t a disgruntled employee, but rather an external actor impersonating a user. We call this an insider threat because even though the bad actor is on the outside, the behavior of the account can be monitored on the inside. (Also, we don’t know the circumstances of the compromise; employee neglect may have been involved!) You can learn more about how this type of attack might play out in our blog, “Most Wanted Insider Threats: A Tale of a Compromised Account.”
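As an added illustration of the "monitor the account's behavior on the inside" idea (example code written for this post, not Interset's or Microsoft's), the script below builds a per-agent baseline of how many distinct customer mailboxes a support agent touches per day and flags a day that departs sharply from that agent's own history. The log format, agent names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log (not real Microsoft or Interset data).
# Columns: date,agent,customer_mailbox,action
SAMPLE_LOG = """\
2019-01-02,agent07,cust1001,read_subjects
2019-01-02,agent07,cust1002,read_contacts
2019-01-03,agent07,cust1003,read_subjects
2019-01-03,agent07,cust1001,read_subjects
2019-01-03,agent07,cust1004,read_contacts
2019-01-04,agent07,cust1005,read_subjects
2019-01-04,agent07,cust1002,read_contacts
2019-01-07,agent07,cust1006,read_subjects
2019-01-07,agent07,cust1007,read_contacts
2019-01-07,agent07,cust1001,read_subjects
2019-01-08,agent07,cust1010,read_contacts
2019-01-08,agent07,cust1011,read_contacts
2019-01-08,agent07,cust1012,read_contacts
2019-01-08,agent07,cust1013,read_contacts
2019-01-08,agent07,cust1014,read_contacts
2019-01-08,agent07,cust1015,read_contacts
2019-01-08,agent07,cust1016,read_contacts
"""
MIN_HISTORY = 3     # days of an agent's own history before scoring starts
STDEV_FLOOR = 1.0   # keeps a near-constant baseline from flagging +1 mailbox
Z_THRESHOLD = 3.0   # hypothetical alert threshold in standard deviations

def daily_distinct_mailboxes(log_text):
    """Return {agent: [(date, distinct mailboxes touched)]} in date order."""
    seen = defaultdict(set)                      # (agent, date) -> mailboxes
    for line in log_text.splitlines():
        date, agent, mailbox, _action = line.split(",")
        seen[(agent, date)].add(mailbox)
    per_agent = defaultdict(list)
    for agent, date in sorted(seen):
        per_agent[agent].append((date, len(seen[(agent, date)])))
    return per_agent

def score_agents(log_text):
    """Score each day against that agent's prior days; return alert tuples."""
    alerts = []
    for agent, series in daily_distinct_mailboxes(log_text).items():
        history = []                             # counts from earlier days only
        for date, count in series:
            if len(history) >= MIN_HISTORY:
                z = (count - mean(history)) / max(pstdev(history), STDEV_FLOOR)
                if z >= Z_THRESHOLD:
                    alerts.append((agent, date, count, round(z, 2)))
            history.append(count)
    return alerts
```

On the constructed log, the agent's first four working days stay within their own baseline and only the bulk-contact-read day is flagged; a real deployment would baseline across many more days and also look at time of day and source network.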

Facebook email password ask has compromised 1.5 million users

A few weeks ago, it was reported that social-networking giant Facebook has been asking users to provide email passwords when registering. It seems a security researcher was alarmed when Facebook requested email account passwords from new users signing up, and found that Facebook leveraged these logins to access and import contacts—without explicit permission. This week, we’ve learned that an estimated 1.5 million users have had their email contacts “harvested” through this privacy issue since 2016. Facebook is aware of the problem and claims that the contacts were “unintentionally” harvested and are now being deleted.

It’s evident that Facebook has very big privacy problems and very little idea of how to get ahead of them. Some problems, such as the one we’re dealing with today, are preventable. Apart from the blatant privacy blunder with this specific issue, there is also a major security concern. As Forbes puts it, the request for an email password “breaks every security protocol imaginable” because it leaves email accounts and their content vulnerable. Facebook is in the process of notifying affected users, so keep an eye out and be sure to change your password if you’re one of the impacted individuals.

Canada’s Equifax investigation underscores the United States’ lack of response

Speaking of corporate accountability, the fallout from Equifax’s massive 2017 data breach has been…well, let’s say “disproportionate.” Slate contributor Josephine Wolff published an article this week looking at the regulatory consequences and safety measures that have been put in place since the consumer reporting agency’s security disasters. Wolff, who also serves as assistant professor of public policy and computing security at Rochester Institute of Technology, pointed out that the U.S. governmental response to the 2017 incident has been underwhelming. She does, however, give credit to Canada, whose government has been more proactive about upholding security standards and has forced Equifax Canada into a compliance agreement.

Canada’s Privacy Commissioner completed an investigation into the breach last week and reported that Equifax will be required to adhere to a strict data retention and deletion schedule and to undergo security assessments every two years for the next six years. Unfortunately, the investigation’s completion has been a reminder that the U.S. has failed to deliver similar consequences. While some state-level banking regulatory authorities have attempted to institute compliance measures, there has been no movement at the federal level in terms of security oversight. Of course, the issue of federal security regulation continues to be a hotbed of contention in the U.S. in general, so it may yet be some time before we see movement. For now, Wolff suggests, we might have more luck holding Equifax accountable in the courts, as we have seen done with companies like Yahoo.