On the heels of a January 2019 announcement that it was charging nine persons with participation in a scheme that allowed them to hack into the SEC’s confidential database of public filings, commonly known as EDGAR. On February 28, the SEC named Gabriel Benincasa as its first-ever Chief Risk Officer (CRO). Although the two events have no direct causal link, they serve as useful reminders that the SEC is determined to re-emphasize its mission to ensure the smooth operation of the U.S. securities markets and to root out and punish instances of fraud and market manipulation, be it by traditional methods or where digital tools are implicated and databases are compromised. The position of CRO is a new one at the SEC. Created by SEC Chairman Jay Clayton to strengthen the agency’s risk management and cybersecurity efforts, Benincasa’s office will help to coordinate efforts to identify, monitor and address risks facing the agency.
Social media companies like Facebook and Twitter have written “white papers” and devoted considerable resources to projects intended to create services that encourage trust and a sense of familiarity on the part of users. Messages, photos and personal information are easily shared with groups of friends and co-workers, or in response to solicitations tailored to a user’s trusted brands, thus creating an environment of perceived safety and intimacy among users. However this communal atmosphere can be, and often is, exploited by “black hat” hackers and malware that lurk behind a façade of trust. In its April 27, 2017 White Paper entitled “Information Operations and Facebook,” and its September 6, 2017 “An Update on Information Operations on Facebook,” the company noted that there are, “three major features of online information operations that we assess have been attempted on Facebook.” Those features include: (1) targeted data collection such as hacking or spearfishing; (2) content creation including the creation of false personas and memes; and (3) false amplification by creating false accounts or using bots to spread memes and false content which, in turn sow mistrust in political institutions and spread confusion. Ironically, these techniques used to spread “fake news” and malware designed to amplify divisive social and political messages, are enhanced and made effective by the very environment of trust cultivated by social media sites.
As we discussed recently, the Equifax data breach has inevitably brought a great deal of scrutiny and legal action against the credit reporting agency. Amidst the numerous brewing class actions and other reactions from government agencies and state AGs, it’s worth pointing out another front on which the company—and more importantly, individuals within the company—may face legal consequences.
Since September 7, 2017, Equifax, one of three credit rating agencies in the United States, has been dealing with the fallout from one of the largest (known) data breaches of personal information, putting 143 million Americans at risk from fraud and identity theft (roughly 44% of the U.S. population).
After counter-protests ended in tragedy, a small group of social media users took to Twitter to expose the identities of the white supremacists and neo-Nazis rallying in Charlottesville, Va. Since last Sunday, the @YesYoureRacist account has been calling on Twitter users to identify participants in the rally. Twitter users identified several white supremacists, including Cole White. Users revealed White’s name and place of residence and his employer reportedly fired him from his job at a restaurant in Berkeley, Calif. Several other employers fired employees identified online as attending the rally. In the wake of what will likely be just the latest incident where such behavior will be exhibited and subsequently called out on social media, it’s a good time to look at doxing and the legal environment in which it exists.
Voting in local, state and national elections could be viewed as a rudimentary form of social media, by which voters share their views and preferences via selection of a candidate or party platform. The distance between this “old school” social media and its multi-headed modern form has shrunk thanks to the advent of electronic voting machines and online voting. But, as always, with the implementation of new technologies comes new risks. Even though some progress has been made to shore up and protect the voting process from cybersecurity threats, there are plenty of ways government data breaches can “rock the vote” outside of the voting booth.
On December 14, 2016, operators of online extramarital dating and social networking website AshleyMadison.com came to an agreement with the Federal Trade Commission, and several States, to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts) the data of some 36 million AshleyMadison.com accounts was posted online. It was reported by KrebsOnSecurity that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking web sites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.
FriendFinder Networks is a company in the adult entertainment, social networking, and online dating space. Several databases from FriendFinder Networks web sites with more than 412 million accounts, including usernames, e-mails, and passwords, have been breached and leaked.
November reports of this data breach on The Verge, LeakedSource and TechCrunch, to name a few, describe it as of one of the largest security breaches of 2016, and possibly the largest breach to date, surpassing the breach of approximately 360 million Myspace usernames, passwords and e-mail addresses reported earlier this year.