> As The Markup report makes clear, existing privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) were not built for telehealth, so much of this sloppy handling of consumer data falls through the cracks. Most consumers, meanwhile, operate from the false belief that this data is far more protected than it actually is.
Surprise: Telehealth Startups Playing Fast And Loose With Sensitive User Medical Data
from the nothing-is-sacred-when-there's-money-to-be-made dept
"From the Internet of very broken things to telecom networks, the state of U.S. privacy and user security is arguably pathetic. It’s 2022 and we still don’t have even a basic privacy law for the Internet era, in large part because over-collection of data is too profitable to a wide swath of industries, which, in turn, lobby Congress to do either nothing, or the wrong thing.
Sensitive medical data, supposedly held to a higher standard, isn’t much of an exception. The Markup and STAT this week had an interesting joint report showcasing how many telehealth startups routinely play fast and loose with consumer data. ...
Inevitably there will be a medical privacy data scandal so massive it will force the culture to truly own the fact they’ve prioritized money over consumer/market health, privacy, and safety for decades. But even then, it’s a steep uphill climb to get a comically corrupt Congress to craft even the most modest of guardrails."
Filed Under: consumer protection, ftc, medical data, privacy, remote medical, security, startups, telehealth
FBI Private Sector Cyberthreat Reporting Database Hacked By Apparently Unreported Cyberthreat
from the target-rich-environment-unsurprisingly-targeted dept
"Is this irony? It kind of seems like it is. Maybe it isn’t. It could just be a coincidence. An extremely unfortunate, ironic coincidence.
Whatever it is, it doesn’t look good for the FBI, which encouraged pretty much every private company to register as reporting entities so the FBI could (theoretically, it appears) respond to reported security threats.
The FBI wants to be part of the cyber Pearl Harbor discussion. Here’s its latest contribution to that conversation, as first reported by Brian Krebs.
InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
Trust, but don’t even bother verifying, I guess. That’s how they — and by “they,” I mean the hacker referring to themselves as “USDoD” — get you. A portal for private companies to report threats has been compromised using nothing more than a real executive’s identity details (name, Social Security Number, date of birth) that have likely been floating around the web (dark or otherwise) for some time now, submitted on a membership application that nobody checked with the person being impersonated.
USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.
The CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans — told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.
With access obtained, the breach began. USDoD “asked a friend” to create a script that would pull all available user data from the database, which apparently had no defensive methods in place to thwart the script, or any siloing in place to ensure one user’s approved access wouldn’t allow them to obtain other users’ information.
In an effort to increase collaboration between private sector contributors (if not the FBI itself, although there doesn’t appear to be any actual FBI data/communications included in the hacking haul), InfraGard acted as a quasi-social media hub to allow private companies to share info with each other. That connectivity apparently contributed to the easy exfiltration of data, albeit data of disputable value.
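The two controls the report says were missing are worth seeing side by side: scoping what one approved member may read about another, and budgeting how fast any one account may read it. Below is an added illustration written for this page, not code from the article, from Krebs, or from InfraGard; the records, field names, page sizes and limits are constructed assumptions. The "vulnerable" function reproduces the described behaviour (one approved account can pull every record with every field); the hardened directory returns only fields each member chose to share, never exposes vetting-only identity data to other members, paginates, rate-limits per account with an injectable clock, and flags accounts that enumerate an unusual number of distinct records.

```python
"""Member-directory access control: the failure described above beside a hardened form.

Constructed example (not InfraGard's schema or policy). Field names, limits and
the sample records are assumptions made for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample records with fake data. "shared_fields" is each member's
# own choice of what other members may see.
MEMBERS = [
    {"id": 1, "name": "A. Member", "email": "a@example.org", "employer": "Bank A",
     "sector": "financial", "ssn": "000-00-0001", "dob": "1970-01-01",
     "shared_fields": {"name", "employer", "sector"}},
    {"id": 2, "name": "B. Member", "email": "b@example.org", "employer": "Utility B",
     "sector": "energy", "ssn": "000-00-0002", "dob": "1971-02-02",
     "shared_fields": {"name", "employer", "sector", "email"}},
    {"id": 3, "name": "C. Member", "email": "c@example.org", "employer": "Hospital C",
     "sector": "healthcare", "ssn": None, "dob": None,
     "shared_fields": {"name", "sector"}},
]

# Identity data collected for vetting the applicant. It is never a directory
# field, whatever a member's sharing preferences say.
VETTING_ONLY = {"ssn", "dob"}


def vulnerable_directory(requester_id, members=MEMBERS):
    """The behaviour the article describes: any approved account gets every record,
    every field, with no paging and no budget. One scripted loop empties it."""
    return [dict(m) for m in members]


class RateLimited(Exception):
    """Raised when an account exhausts its request budget; treat it as an alert, not just an error."""


@dataclass
class HardenedDirectory:
    members: list
    page_size: int = 2              # records per request
    max_requests: int = 5           # requests per account per window
    window_seconds: int = 60
    enumeration_threshold: int = 1000  # distinct other members one account may view
    flagged: set = field(default_factory=set)
    _requests: dict = field(default_factory=dict, repr=False)
    _seen: dict = field(default_factory=dict, repr=False)

    def _check_rate(self, requester_id, now):
        """Sliding-window budget. 'now' is passed in so the logic is testable offline."""
        q = self._requests.setdefault(requester_id, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            self.flagged.add(requester_id)
            raise RateLimited(f"account {requester_id} exceeded {self.max_requests} requests")
        q.append(now)

    def _view(self, record, requester_id):
        """Siloing: a member sees their own full record; everyone else sees only
        the fields that member opted to share, minus vetting-only data."""
        if record["id"] == requester_id:
            return {k: v for k, v in record.items() if k != "shared_fields"}
        visible = {"id": record["id"]}
        for k in record["shared_fields"] - VETTING_ONLY:
            visible[k] = record[k]
        return visible

    def search(self, requester_id, page=0, now=0):
        """One page of redacted records; raises RateLimited when the budget is spent
        and flags accounts that have viewed too many distinct members."""
        self._check_rate(requester_id, now)
        start = page * self.page_size
        chunk = self.members[start:start + self.page_size]
        seen = self._seen.setdefault(requester_id, set())
        seen.update(m["id"] for m in chunk if m["id"] != requester_id)
        if len(seen) > self.enumeration_threshold:
            self.flagged.add(requester_id)
        return [self._view(m, requester_id) for m in chunk]


if __name__ == "__main__":
    leaked = vulnerable_directory(requester_id=1)
    print("vulnerable: SSNs of other members visible:",
          [m["ssn"] for m in leaked if m["id"] != 1])
    d = HardenedDirectory(MEMBERS, max_requests=2)
    print("hardened, member 1, page 0:", d.search(1, page=0, now=0))
    print("hardened, member 1, page 1:", d.search(1, page=1, now=1))
    try:
        d.search(1, page=0, now=2)
    except RateLimited as e:
        print("third request in window blocked:", e, "| flagged:", d.flagged)
```

The point of the injectable `now` and the small defaults is only to make the controls visible in a few calls; in a real service the budget and enumeration threshold would be tuned to legitimate directory use, and a `RateLimited` or flagged account would feed the same alerting pipeline as any other abuse signal.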
USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields — like Social Security Number and Date of Birth — are completely empty.
While the eventual sale of this data will put USDoD in the black, the ultimate end game may not be the easily-absconded-with user data. The hacker is taking full advantage of this impersonation to contact private sector participants in hopes of securing additional data and/or credentials usable for bigger and better data heists.
The FBI has responded to these reports with a no comment.
“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.
It’s a shame the FBI wasn’t aware of this before being contacted by people who don’t work for the FBI. If the agency wants the private sector to trust it with its threat reports and data, it needs to be ahead of things like this, rather than simply refusing to talk about incidents it should have been more proactive about.
But spending tax dollars on “cyber security furniture” only buys so much competence. While it’s essential private sector contributors are able to share information easily with each other, a breach like this will only encourage them to cut the FBI out of the loop. There are obviously more secure channels for communication about these issues. Allowing a hacker to make off with critical data suggests the FBI is not only failing to fully vet contributors to its cyber security marketplace of ideas, but failing to ensure the private companies it hires to provide solutions are capable of meeting the demands of the job.
Filed Under: cyberthreat reporting, fbi, hacker, infragard