Security News Survey – April 26, 2019

This week, we look at Facebook’s expected privacy fine, Washington State University’s $4.7 million breach settlement, and a creative insider threat at GE.

Last month, we took a brief look at the price tags associated with a few major data breaches, with costs stemming from lawsuits, lost operations, and other expenses. This week, we are seeing a couple more figures come to light that illuminate the costs of security and privacy blunders.

Facebook is facing billions in penalties for privacy mistakes

It looks like Facebook’s chickens are coming home to roost with respect to some of its privacy gaffes. The social networking company has been in negotiations with the Federal Trade Commission (FTC) for several months over violations of its 2011 privacy consent decree, and the regulator opened an additional investigation last year following the Cambridge Analytica disaster. According to Facebook’s quarterly earnings report, issued Wednesday, the company is setting aside cash for an expected penalty when the inquiry closes, which it estimates could be between $3 billion and $5 billion.

A penalty of this size would set a new record and be a big step for the U.S. in regard to holding big tech companies responsible for privacy and security mistakes. However, even at $5 billion, the penalty pales in comparison to Facebook’s annual revenue, which sits comfortably at $56 billion.

That being said, it seems that the company is due to face consequences from more than just the U.S. government. This week, Canadian regulators accused Facebook of violating local laws on the use of personal information following an investigation into the company’s relationship with Cambridge Analytica. The Office of the Privacy Commissioner of Canada is vowing to take Facebook to court as a result of these “serious” violations and “refusal to act responsibly.”

Washington State University settles data breach investigation for $4.7 million

Speaking of financial consequences, Washington State University (WSU) has reached a settlement of $4.7 million following a 2017 data breach that impacted 1.2 million people. The breach occurred when WSU suffered the theft of several portable hard drives that contained unencrypted personal and health data that was collected by the university’s Social and Economic Science Research Center. Victims of the breach, some of whom suffered identity theft as a result of the incident, accused the university of being irresponsible with the security of such data. Some victims weren’t even aware that the university had their data at all. In addition to the cash settlement, WSU will be destroying archived data and has committed to an extensive risk assessment and audit.

Department of Justice investigating insider threat at General Electric

The U.S. Department of Justice (DoJ) has unsealed a criminal complaint revealing that General Electric (GE) may have been the victim of a targeted insider threat attack. The DoJ is accusing Xiaoqing Zheng, a New York engineer, of stealing confidential data pertaining to GE’s gas and turbine technology via steganography, a method whereby someone conceals a file within another file. It appears GE had banned the use of USB drives after discovering that Zheng had copied thousands of files to a USB key. With no USB option, he took a new route. According to the complaint, Zheng hid the desired data within an unsuspicious file (a digital photograph, it seems) and then emailed the file to himself. He then sent the files to a business partner in China, allowing the data to be used by Liaoning Tianyi Aviation Technology Co., Ltd and Nanjing Tianyi Avi Tech Co. Ltd—two companies based in the People’s Republic of China. This incident is a great reminder that cybercriminals will get creative when need be!
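One check a mail gateway or DLP scanner can run against outbound image attachments, as an added example that is not part of the original article or the DoJ complaint: walk the JPEG segment structure to the End-Of-Image marker and flag anything appended after it, which is the simplest form of "a file inside a file." It assumes the carrier is a JPEG and that the hidden data was appended rather than embedded in pixel data; the sample carrier and payload below are constructed, not real.

```python
"""Flag data appended after a JPEG's End-Of-Image (EOI) marker.

Added example, not from the original article. Assumes a JPEG carrier with a
payload appended after EOI; in-image embedding (e.g. LSB) is NOT detected.
"""
from typing import Optional

SOI = b"\xff\xd8"  # Start Of Image


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if not a JPEG."""
    if not data.startswith(SOI):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                       # expected a marker here
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI: image ends here
            return pos + 2
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                          # stand-alone markers, no length
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                    # length field includes itself
        if marker == 0xDA:                    # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte, FF D0-D7 are restart markers
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes after EOI (b'' if clean); None if the input is not a JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def build_sample() -> tuple:
    """Constructed JPEG-shaped carrier (not a decodable image) and a payload."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"   # includes stuffing + RST0
    carrier = SOI + app0 + sos + scan + b"\xff\xd9"
    payload = b"PK\x03\x04constructed-secret-archive"  # constructed payload
    return carrier, payload
```

A non-empty result is a strong signal worth quarantining, but an empty one is not proof the image is clean.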