It’s even worse than originally thought. Today’s top news includes an update about the Yahoo data breach I wrote about yesterday. Now it’s being reported that at least 500 million Yahoo customer user accounts were hacked back in July. I now repeat with even greater emphasis and urgency what I said in yesterday’s post — Yahoo customers have to change their passwords right now!

Why is this mega data breach only being announced now by Yahoo — who knows the real reasons? The company is offering some of the usual reasons given when there’s this kind of 2+ month delay. They’re saying they needed time to investigate the breach after the first signs that accounts were being hacked were detected. The cynics — or realists — among us might also suggest that Yahoo wanted to wait until the Verizon deal was completed.

Regardless, the damage is done. What information was hacked? Per Yahoo, the hackers might have gotten customers’ email addresses, phone numbers, dates of birth and answers to security questions. Yahoo claims that customers’ credit card numbers weren’t stolen since that information is kept in a separate system.

However, Yahoo customers shouldn’t assume that there won’t be ways hackers can use the information they’ve already gotten to try and gain access to customers’ financial information.

Again, Yahoo customers must change their passwords ASAP and be very alert to suspicious financial transactions on credit and debit cards as well as bank accounts.

As was reported over the summer, Yahoo is investigating what appears to be a massive data breach. Graham Cluley posted an article today in which he said that, per a report by Recode, Yahoo might be making an announcement very soon about that investigation (“Yahoo ‘expected to confirm massive data breach’ says Recode”).

The hacker or hackers were rumored to have gained access to 200 million user accounts. In fact, Yahoo has been sending out emails to users urging them to change their passwords.

It’s always a smart move to change passwords, and now that’s an even more timely reminder for Yahoo users.

I’ll keep everyone posted as more news emerges about this breach.

I’ve written before about the set-top box proposal that the FCC Chairman Tom Wheeler and his fellow Commissioners were considering. The proposal generated strong pushback from various industry components due to a variety of content and competition issues. My concern is from a privacy perspective since the original proposal would have presented a cascading number of issues due to the number of companies that would have had potential access to consumers’ data.

Chairman Wheeler and the FCC responded to the criticisms by redrafting the proposal. He just circulated the revised proposal yesterday (Thursday, September 8th) as part of the FCC’s September meeting agenda. The latest proposal would give all the affected industry entities 2 years to implement the changes.

I’m going to review this latest version to see what, if any, improvements have been made from a consumer privacy perspective. I’ll post my analysis once I’ve done my review.

Stay tuned.
I am not one of those individuals who believes there are stronger privacy protections in foreign countries than in the United States. However, I believe in giving credit when it’s due so I want to applaud an upcoming proposal by the European Union (EU).

The EU is going to be proposing more rules soon that will apply stricter privacy and security protections to Internet communications companies. Although the proposed rules have not yet been issued, some details have been made known. One of the key proposals will be to make it easy — or easier — for consumers to move their own information if they decide to switch to other services. That would be an excellent improvement and one that should be adopted in the U.S.

I’ll be following this issue and report more details as the proposed rules are released.
There is a major breaking news story about a data breach at the Starwood Hotels chain. More details are just emerging, but what is currently known is that the systems containing guests’ credit card information were breached. It appears that the breach started sometime in 2015 and continued until its recent discovery.

Starwood Hotels is the parent corporation for a wide range of hotels located in the United States and abroad. The Starwood Hotels chain includes Marriott, Westin and Sheraton hotels. The data breach was reported to potentially include guests at many of these hotels.

Consumers who stayed at any of these hotels over the last year should be even more alert to any suspicious charges on their credit cards.

I’ll post updates as more information is reported.
The European Union (EU) is launching an important study that is worth noting. On July 13th, the European Union Agency for Network and Information Security (ENISA) announced that it is going to create a comprehensive list of the various cybersecurity policies, tools, standards and measures that can be used to strengthen security in the next generation of cars.

The ENISA initiative was the subject of an informative article by Winston Maxwell and Timothy Tobin, attorneys with Hogan Lovells, an international law firm (“ENISA Jumpstarts Connected Car Cybersecurity Study for EU”). In their article, Mr. Maxwell and Mr. Tobin note that the ENISA study was prompted by the EU’s recognition of the ever-increasing interconnection between and among cars. These advances mean a corresponding increase in concerns about the global repercussions from a security perspective.

The ENISA study writers will issue recommendations following the conclusion of their work. The recommendations will focus on measures that will help enhance smart car security for EU consumers. When issued, the study’s findings and recommendations should be studied by U.S. federal, state and local agencies and policy makers with responsibility for these car and cybersecurity issues.

The U.S. should gain the benefit of the ENISA report so that our next-generation cars are as safe as possible from cybersecurity issues.

Brian Krebs published an article alerting consumers that the Kimpton Hotel chain is investigating a data breach at its hotels. It appears that thieves have stolen credit card information from multiple locations of this hotel chain.

So this is a “heads up” alert for anyone who has stayed at a Kimpton Hotel over the last few months. Read Mr. Krebs’ article and — as always in these situations — keep a very close tab on your credit card charges.

The Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) has issued a new fact sheet providing guidance to entities that hold patient medical records covered under the Health Insurance Portability and Accountability Act (HIPAA). The fact sheet identifies the types of information security measures that these entities should have in place to prevent a cyber or ransomware attack (“FACT SHEET: Ransomware and HIPAA”).

Although not addressed to consumers, the FACT SHEET is worth reading for educational purposes. For example, the OCR HHS fact sheet underscores the notification obligations of an organization that experiences a ransomware breach.

Reading the OCR HHS FACT SHEET will help consumers understand the kinds of security safeguards OCR HHS recommends for their medical providers as well as others in the health industry. That way, in case of a breach, consumers can know what information they should receive and be pro-active if they haven’t gotten timely notification.

Yes, the primary tax season has been over for several months. And no, that doesn’t mean the IRS scams are also over. How do I know this? From first-hand knowledge in addition to the various news reports and alerts.

I got robo calls on two consecutive days. Each was clearly a robo call with a woman — with a flat and menacing voice — announcing: “this is your final IRS notice.” The robo call likely said much more, but I hung up immediately after hearing just the first few seconds.

And you should do the same. These scams are meant to scare individuals by sounding as if this is an official IRS call and the recipient is being warned that she or he owes taxes. And how to fix this problem? By simply sending the stated dollar amount via prepaid debit card or wire transfer to the destination that’s given in the rest of the message.

I’ve said it before but it’s worth repeating: the IRS does NOT make these kinds of calls to taxpayers. So hang up ASAP if you get one of these robo calls. What else can you do? Well, I went to the website of the Treasury Inspector General for Tax Administration (TIGTA) and hit the red “IRS Impersonation Scam Reporting” box that’s on the right hand side. I entered all the needed information and submitted my complaint. I first tried their “800” scam reporting hotline but that line had gotten so many calls about these IRS impersonation scams that the recording urged individuals to go to the TIGTA website unless the individual had actually suffered a financial loss.

So please don’t be taken in if you get one of these calls or a phishing email. Go to the “Scams and phishing” link at the IRS website, where you’ll find helpful contact information for TIGTA, the Federal Trade Commission and other agencies to contact about these and other scams.

I’ve been following the Federal Communications Commission’s (FCC) proposed broadband privacy regulations. While well intended, the scope of the FCC’s proposed regulations is much too narrow. I am concerned that their final regulations will create confusion and inconsistency in online consumer protections.

I wrote an article about my concerns that TechCrunch published on June 23rd. The article is titled New FCC Regulations May Not Give Consumers True Online Privacy Protection. It can be found at: