AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Breach Cost: Twitter Settles With FTC Because "It Deceived Consumers" And Lacked Adequate Security

Twitter has settled with the Federal Trade Commission over two data breaches that occurred in 2009.  The FTC charged that Twitter misled consumers through claims made in its privacy policy.  Twitter's problems were of the kind that data security tools (such as encryption software like AlertBoot) cannot fix; what was needed instead was some common-sense practice.

FTC Settlement

Twitter had two notable breaches in 2009 (both described further below).  Per the FTC, Twitter erred in two ways: it did not have adequate security in place, and it misled users about the state of that security.

Regarding the deception of customers, the FTC maintains that Twitter's actual security did not live up to the claims in its privacy policy, so customers were misled (eweek.com):

At the time of the attacks, Twitter’s privacy policy said the company was "very concerned about safeguarding the confidentiality of your personally identifiable information" and that Twitter employed "administrative, physical and electronic measures designed to protect your information from unauthorized access," the FTC said.

and,

The FTC said Twitter misled its users that it was taking appropriate security measures to safeguard their privacy. The company was using easily decipherable passwords, allowing employees to store information in vulnerable places, did not suspend accounts after a number of failed logins, did not set passwords to expire, and did not impose restrictions on administrator access, the FTC said.

This is not unlike the charges the FTC brought against Rite Aid, where the FTC noted that Rite Aid's actions (dumping whole job applications and pharmacy labels full of personal data) did not match its promises ("Rite Aid would like to assure you that we respect and protect your privacy").

ChoicePoint was also slammed by the FTC for similar reasons.

Eweek.com notes that Twitter's privacy policy was updated to remove certain language.

Twitter's agreement with the FTC bans the company from making misleading claims about security, privacy, and confidentiality for 20 years (Observation: the implication being that it's OK for Twitter to engage in such practices after 20 years...?).  The micro-blogging site will also maintain an information-security program that is audited every two years for the next 10 years.  Furthermore, Twitter has agreed to pay fines of up to $16,000 per violation, if such violations arise in the future.

Standard Byline

This is what I had to say back when I commented on Rite Aid's settlement with the FTC:

While I'm not a lawyer, I guess this just means you really have to pay attention to what you're promising or implying.  I mean, "Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously" is considered to be deceptive practice because actions didn't match up with words?

That claim, about taking its responsibilities seriously, is a fairly standard byline in pretty much all data breach notification letters I've read to date.

Twitter, Rite Aid, and ChoicePoint (plus other cases that probably exist but that I couldn't find).  I guess the FTC's message is clear: put up or shut up.

I wonder whether the FTC would also get involved in instances where, say, a laptop full of sensitive data got stolen (without the use of disk encryption software)?  Or whether it would step in where a laptop was "protected" not with encryption but with "password protection"?  I mean, the FTC has already shown via its charges against Twitter (they allowed thousands of password tries) that the commission will not tolerate security "in name only," so it only makes sense that it would frown on password protection as well.

So far, I can't recall any such instances.

Twitter January 2009 Breach

Twitter's first breach was the result of a brute-force dictionary attack.  The attackers ran a script that tried one password after another against an administrator's account until one of them worked.

Once logged in as an administrator, they changed the passwords on the accounts of "lesser mortals" in the twitterverse so that they could post fake tweets from those accounts.

This particular breach could have been prevented in two ways: a strong administrator password, or locking the account after repeated failed attempts.  The first is largely up to the account holder: Twitter can ban specific weak passwords (and it did), but a deny list can never cover every guessable word.

Locking an account after repeated wrong attempts, on the other hand, is squarely within the company's control.  I'm surprised that it wasn't in place from the very start.
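To make the two mitigations concrete, here is a small Python model, added for this post (it is not Twitter's code and does not claim to show how Twitter's login actually worked), of a login service with a deny list checked when a password is set and a lockout after a fixed number of consecutive failures, plus a scripted dictionary attack run against it.  The wordlist, the administrator password "letmein", the threshold of three failures and the 15-minute lock are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist: a stand-in for whatever dictionary the attackers used
# (assumption; the real list is not known from the article).
WORDLIST = ["123456", "password", "qwerty", "abc123", "letmein", "welcome"]

# Constructed deny list of the kind a site can apply when a password is set.
DENYLIST = frozenset(WORDLIST)

_DUMMY = (bytes(16), bytes(32))  # unknown users take the same code path as known ones


def password_allowed(password, denylist):
    """User-side control: refuse dictionary words before they are ever stored."""
    return password.lower() not in denylist


class LoginService:
    """Salted-hash password store with an optional lockout after N consecutive failures."""

    def __init__(self, lockout_threshold=None, lockout_seconds=900):
        self._users = {}         # username -> (salt, pbkdf2 hash)
        self._failures = {}      # username -> consecutive failed logins
        self._locked_until = {}  # username -> epoch second at which the lock expires
        self.lockout_threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds

    @staticmethod
    def _hash(salt, password):
        # PBKDF2 slows an offline attack; the online guessing is what lockout stops.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def set_password(self, username, password, denylist=frozenset()):
        if not password_allowed(password, denylist):
            raise ValueError("password is on the deny list")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login(self, username, password, now=None):
        """Service-side control. Returns "ok", "bad_password" or "locked"."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return "locked"  # even the right password is refused while locked
        salt, stored = self._users.get(username, _DUMMY)
        if hmac.compare_digest(stored, self._hash(salt, password)):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self.lockout_threshold and self._failures[username] >= self.lockout_threshold:
            self._locked_until[username] = now + self.lockout_seconds
            return "locked"
        return "bad_password"


def dictionary_attack(service, username, wordlist, now=0):
    """Scripted attacker: try each word in order until one works or the account locks.

    Returns (outcome, guesses_used); outcome is "cracked", "locked_out" or "exhausted".
    """
    for count, guess in enumerate(wordlist, start=1):
        result = service.login(username, guess, now=now)
        if result == "ok":
            return "cracked", count
        if result == "locked":
            return "locked_out", count
    return "exhausted", len(wordlist)


if __name__ == "__main__":
    # No lockout: the script walks the list and gets in on the 5th guess.
    no_lockout = LoginService()
    no_lockout.set_password("admin", "letmein")
    print(dictionary_attack(no_lockout, "admin", WORDLIST))

    # Lockout after 3 failures: the same script is stopped on its 3rd guess, and the
    # account stays locked for 15 minutes even when the real password is supplied.
    with_lockout = LoginService(lockout_threshold=3)
    with_lockout.set_password("admin", "letmein")
    print(dictionary_attack(with_lockout, "admin", WORDLIST))
    print(with_lockout.login("admin", "letmein", now=1))
    print(with_lockout.login("admin", "letmein", now=901))

    # Deny list: the weak password is refused before it can ever be set.
    print(password_allowed("letmein", DENYLIST))
```

The point of the side-by-side run is that the deny list only helps when the administrator's password happens to be on it, whereas the lockout stops the script no matter which word it would eventually have hit; the lock also has to apply to the correct password, otherwise the attacker simply keeps guessing through it.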

Twitter April 2009 Breach

Twitter's second breach required a chain of events.  A Twitter administrator's personal e-mail account was hacked.  That person's Twitter password was sitting in the e-mail account in plaintext, and the hackers promptly used it to log in as an administrator and change other account holders' passwords.

There is very little Twitter could have done about the e-mail account itself, since it was a personal one.  Note, though, that the FTC's complaint quoted above counts "allowing employees to store information in vulnerable places" and the lack of restrictions on administrator access among Twitter's failures.


Related Articles and Sites:
http://www.eweek.com/c/a/Security/Twitter-Settles-with-FTC-Over-Privacy-Breach-and-Account-Hacking-151625/



About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.