data breach – Technology Liberation Front
https://techliberation.com
Keeping politicians' hands off the Net & everything else related to technology

Hack Hell
https://techliberation.com/2014/12/31/hack-hell/
Wed, 31 Dec 2014 19:24:58 +0000

2014 was quite the year for high-profile hackings and puffed-up politicians trying to out-ham each other on who is tougher on cybercrime. I thought I’d assemble some of the year’s worst hits to ring in 2015.

In no particular order:

Home Depot: The 2013 Target breach that leaked around 40 million customer financial records was unceremoniously topped by Home Depot’s breach of over 56 million payment cards and 53 million email addresses in July. Both companies fell prey to similar infiltration tactics: the hackers obtained passwords from a vendor of each retail giant and exploited a vulnerability in the Windows OS to install malware in the firms’ self-checkout lanes that collected customers’ credit card data. Millions of customers became vulnerable to phishing scams and credit card fraud—with the added headache of changing payment card accounts and updating linked services. (Your intrepid blogger was mysteriously locked out of Uber for a harrowing 2 months before realizing that my linked bank account had changed thanks to the Home Depot hack and I had no way to log back in without a tedious customer service call. Yes, I’m still miffed.)

The Fappening: 2014 was a pretty good year for creeps, too. Without warning, the prime celebrity booties of popular starlets like Scarlett Johansson, Kim Kardashian, Kate Upton, and Ariana Grande mysteriously flooded the Internet in the September event crudely immortalized as “The Fappening.” Apple quickly jumped to investigate its iCloud system that hosted the victims’ stolen photographs, announcing shortly thereafter that the “celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions” rather than any flaw in its system. The sheer volume of material and the caliber of the icons violated suggest this was not the work of a lone wolf, but a chain reaction of leaks collected over time and triggered by one larger dump. For what it’s worth, some dude on 4chan claimed the Fappening was the product of an “underground celeb n00d-trading ring that’s existed for years.” While the event prompted a flurry of discussion about online misogyny, content host ethics, and legalistic tugs-of-war over DMCA takedown requests, it unfortunately did not generate a productive conversation about good privacy and security practices, as I had initially hoped.

The Snappening: The celebrity-targeted Fappening was followed by the layperson’s “Snappening” in October, when almost 100,000 photos and 10,000 personal videos sent through the popular Snapchat messaging service, some of them including depictions of underage nudity, were leaked online. The hackers did not target Snapchat itself, but instead exploited a third-party client called SnapSave that allowed users to save images and videos that would normally disappear after a certain amount of time in the Snapchat app. (Although Snapchat doesn’t exactly have the best security record anyway: In 2013, contact information for 4.6 million of its users was leaked online, before the service landed in hot water with the FTC earlier this year for “deceiving” users about its privacy practices.) The hackers gained access to a 13GB library of old Snapchat messages and dumped the images in a searchable online directory. As with the Fappening, discussion surrounding the Snappening tended to prioritize scolding service providers over promoting good personal privacy and security practices to consumers.

Las Vegas Sands Corp.: Not all of this year’s most infamous hacks sought sordid photos or privateering profit. 2014 also saw the rise of the revenge hack. In February, Iranian hackers infiltrated politically active billionaire Sheldon Adelson’s Sands Casino not for profit or data, but for pure punishment. Adelson, a staunchly pro-Israel figure and partial owner of many Israeli media companies, drew intense Iranian ire after fantasizing about detonating an American nuclear warhead in the Iranian desert as a threat during his speech at Yeshiva University. Hackers released crippling malware into the Sands IT infrastructure early in the year, which proceeded to shut down email services, wipe hard drives clean, and destroy thousands of company computers, laptops, and expensive servers. The Sands website was also hacked to display “a photograph of Adelson chumming around with [Israeli Prime Minister] Netanyahu,” along with the message “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime,” and a data dump of Sands employees’ names, titles, email addresses, and Social Security numbers. Interestingly, Sands was able to contain the damage internally so that guests and gamblers had no idea of the chaos that was ravaging the casino’s IT infrastructure. The hack did not become public knowledge until early December, around the time of the Sony hack. It is possible that other large corporations have suffered similar cyberattacks this year in silence.

JP Morgan: You might think that one of the world’s largest banks would have security systems that are near impossible to crack. This was not the case at JP Morgan. From June to August, hackers infiltrated JP Morgan’s sophisticated security system and siphoned off massive amounts of sensitive financial data. The New York Times reports that “the hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.” Some security experts suspect that a nation-state was ultimately behind the infiltration due to the sophistication of the attack and the fact that the hackers neglected to immediately sell or exploit the data or attempt to steal funds from consumer accounts. The JP Morgan hack set off alarm bells among influential financial and governmental circles since banking systems were largely considered to be safe and impervious to these kinds of attacks.

Sony: What a tangled web this was! On November 24, Sony employees were greeted by the mocking grin of a spooky on-screen skeleton informing them they had been “Hacked by the #GOP” and that there was more to come. It was soon revealed that Sony’s email and computer systems had been infiltrated and shut down while some 100 terabytes of data had been stolen. The hackers proceeded to leak embarrassing company information, including emails in which executives made racial jokes, compensation data revealing a considerable gender wage disparity, and unreleased studio films like Annie and Mr. Turner. We also learned about “Project Goliath,” a conspiracy among the MPAA, Sony, and five other studios (Universal, Fox, Paramount, Warner Bros., and Disney) to revive the spirit of SOPA and attack piracy on the web “by working with state attorneys general and major ISPs like Comcast to expand court power over the way data is served.” (Goliath was their not-exactly-subtle codeword for Google.) Somewhere along the way, a few folks got wild notions that North Korea was behind this attack because of the nation’s outrage at the latest Rogen romp, The Interview. Most cybersecurity experts doubt that the hermit nation was behind the attack, although the official KCNA statement enthusiastically “supports the righteous deed.” The absurdity of the official narrative did not prevent most of our world-class journalistic and political establishment from running with the story and beating the drums of cyberwar. Even the White House and FBI goofed. The FBI and State Department still maintain North Korean culpability, even as research compiled by independent security analysts points more and more to a collection of disgruntled former Sony employees and independent lulz-seekers. Troublingly, the Obama administration publicly entertained cyberwar countermeasures against the troubled communist nation on such slim evidence. A few days later, the Internet in North Korea was mysteriously shut down. I wonder what might have caused that? Truly a mess all around.

LizardSquad: Speaking of Sony hacks, the spirit of LulzSec is alive in LizardSquad. On Christmas day, the black hat collective knocked out Sony’s PlayStation Network and Microsoft’s Xbox servers with a massive distributed denial of service (DDoS) attack, to the great vengeance and furious anger of gamers avoiding family gatherings across the country. These guys are not your average script kiddies. NexusGuard chief scientist Terrence Gareau warns that the unholy lizards boast an artillery that far exceeds normal DDoS attacks. This seems right, given the apparent difficulty that giants Sony and Microsoft had in responding to the attacks. For their part, LizardSquad claims the strength of their attack exceeded the previous record set against Cloudflare this February. Megaupload Internet lord Kim Dotcom swooped in to save gamers’ Christmas festivities with a little bit of information age, uh, “justice.” The attacks were allegedly called off after Dotcom offered the hacking collective 3,000 Mega vouchers (normally worth $99 each) for his content hosting empire if they agreed to cease. The FBI is investigating the lizards for the attacks. LizardSquad then turned their attention to the Tor network, creating thousands of new relays and comprising a worrying portion of the network’s roughly 8,000 relays in an effort to unmask users. Perhaps they mean to publicize the network’s vulnerabilities? The group’s official Twitter bio reads, “I cry when Tor deserves to die.” Could this be related to the recent PandoTor drama that reinvigorated skepticism of Tor? As with any online brouhaha involving clashing privacy-obsessed computer whizzes with strong opinions, this incident has many hard-to-read layers (sorry!). While the Tor campaign is still developing, LizardSquad has been keeping busy with its newly launched Lizard Stresser, a DDoS-for-hire tool that anyone can use for a small fee. These lizards appear very intent on making life as difficult as possible for the powerful parties they’ve identified as enemies, and they will provide some nice justifications for why governments need more power to crack down on cybercrime.

What a year! I wonder what the next one will bring.

One sure bet for 2015 is increasing calls for enhanced regulatory powers. Earlier this year, Eli and I wrote a Mercatus Research paper explaining why top-down solutions to cybersecurity problems can backfire and make us less secure. We specifically analyzed President Obama’s developing Cybersecurity Framework, but the issues we discuss apply to other rigid regulatory solutions as well. On December 11, in the midst of North Korea’s red herring debut in the Sony debacle, the Senate passed the Cybersecurity Act of 2014, which contains many of the same principles outlined in the Framework. The Act, which still needs House approval, strengthens the Department of Homeland Security’s role in controlling cybersecurity policy by directing DHS to create industry cybersecurity standards and begin routine information-sharing with private entities.

Ranking Member of the Senate Homeland Security Committee, Tom Coburn, had this to say: “Every day, adversaries are working to penetrate our networks and steal the American people’s information at a great cost to our nation. One of the best ways that we can defend against cyber attacks is to encourage the government and private sector to work together and share information about the threats we face.”

While the problems of poor cybersecurity and increasing digital attacks are undeniable, the solutions proposed by politicians like Coburn are dubious. The federal government should probably try to get its own house in order before it undertakes to save the cyberproperties of the nation. The Government Accountability Office reports that the federal government suffered almost 61,000 cyber attacks and data breaches last year. DHS itself was hacked in 2012, while a 2013 GAO report criticized DHS for poor security practices, finding that “systems are being operated without authority to operate; plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and baseline security configuration settings are not being implemented for all systems.” GAO also reports that when federal agencies develop cybersecurity practices like those encouraged in the Cybersecurity Framework or the Cybersecurity Act of 2014, they are inconsistently and insufficiently implemented.

Given the federal government’s poor track record managing its own system security, we shouldn’t expect miracles when they take a leadership role for the nation.

Another trend to watch will be the development of a more robust cybersecurity insurance market. The Wall Street Journal reports that 2014’s rash of hacking attacks stimulated sales of formerly-obscure cyberinsurance packages.

The industry had suffered in the past due to its novelty and the lack of historical data with which to accurately price insurance packages. This year, demand has been sufficiently stimulated, and actuaries have become familiar enough with the relevant risks, that the practice has finally become mainstream. Policies can cover “the costs of [data breach] investigations, customer notifications and credit-monitoring services, as well as legal expenses and damages from consumer lawsuits” and “reimbursement for loss of income and extra expenses resulting from suspension of computer systems, and provide payments to cover recreation of databases, software and other assets that were corrupted or destroyed by a computer attack.” As the market matures, cybersecurity insurers may start more actively assessing firms’ digital vulnerabilities and recommending improvements to their systems in exchange for a lower premium, as is common in other insurance markets.

Still, nothing ever beats good old-fashioned personal responsibility. One of the easiest ways to ensure privacy and security for yourself online is to take the time to learn how to best protect yourself or your business by developing good habits, using the right services, and remaining conscientious about your digital activities. That’s my New Year’s resolution. I think it should be yours, too! :)

Happy New Year’s, all!

The Epsilon Breach: Inference and Exaggeration
https://techliberation.com/2011/04/17/the-epsilon-breach-inference-and-exaggeration/
Sun, 17 Apr 2011 20:55:36 +0000

News about the Epsilon breach has spread relatively slowly. The breach of data held by an email service provider is bad—no question—but it’s not terribly consequential. Emails aren’t generally kept private.

But the Epsilon story may soon heat up. The presence of an email address on a list creates inferences about aspects of a person’s life that may be sensitive. So it is with GlaxoSmithKline’s lists related to prescriptions. As the Coalition Against Unsolicited Commercial Email points out, correlation between email addresses and interest in particular drugs makes spear-phishing attacks more potent. Fraudulent email that is tailored to a medication a person takes will have a higher uptake than average, and could be used to defraud people on matters relating to their health.

But is it helpful to exaggerate this serious threat? CAUCE titles its post: “Criminals Now Know What Prescriptions You Take.” Thought leaders like Jules Polonetsky have picked up that meme and run with it.

For people who are not data-literate, a likely implication of “criminals know what prescriptions you take” is that criminals have access to lists of the prescriptions they take. A person on ten different medications might think that criminals know each and every prescription he or she takes. That’s more frightening than knowing that an association between one or two prescriptions and an email address is available to criminals. (It’s possible that people have signed up for email relating to each of their prescriptions, all of which are from drug companies who use Epsilon as their email service provider, but I think it is unlikely and rare enough to treat as an irrelevant outlier.)

What criminals know is that people are on lists related to prescriptions. Many do take that prescription. Some used to take that prescription. Some have a loved one who takes it, some sell it, some prescribe it, and so on.

What’s the point of this observation? Not much. But under the rule of media and politics—“if it bleeds, it leads”—we may soon see a media and policy stampede. That stampede will treat an important security issue that deserves careful attention as a techno-cyber-apocalypse that demands immediate overreaction.

Fixated on Data Breach Notification?
https://techliberation.com/2010/10/11/fixated-on-data-breach-notification/
Mon, 11 Oct 2010 16:04:00 +0000

Well, then, this post (via Adam Shostack) is for you!

“Dissent” goes through the numbers revealed in the first year of data breach reporting under the Health Insurance Portability and Accountability Act regulations. The post gives extremely light treatment to the possibility—indeed, the likelihood—of noncompliance with the regulations due to unawareness of breaches or judgments that reporting is more dangerous than not reporting.

But one also must wonder . . . Why does this matter?

Data breach notification is the grown-up version of the schoolyard taunt: “Your epidermis is showing!” The questions are: What part of the epidermis? And what social or economic consequences does it have?

Of course, these statistics may be interesting and relevant to security professionals, but harm is where the rubber hits the road for consumer protection. (See this interesting colloquy recently on Concurring Opinions.) Some data breaches have some relationship to consumer harm, but gross breach statistics don’t seem to be a window onto harm prevention.

“De-identified”? Sometimes You Can Disagree With Yourself
https://techliberation.com/2009/05/28/de-identified-sometimes-you-can-disagree-with-yourself/
Thu, 28 May 2009 16:02:33 +0000

Recall a couple of years ago when I lauded Google – and also picked on them – for making customer data “more anonymous”?

“‘Anonymous’ is correctly regarded as an absolute condition,” I wrote. “Like pregnancy, anonymity is either there or it’s not. Modifying the word with a relative adjective like ‘more’ is a curious use of language.”

The challenge of these concepts – “anonymized” or “de-identified” data – is still around, and it’s still a difficult one.

Here’s a sophisticated take on the question:

Information is increasingly difficult to classify as “identified” or “de-identified,” particularly as it is copied, exchanged, or recombined with other information. With rapidly evolving technologies and databases, it is more appropriate to describe a spectrum of “identifiability,” rather than a binary classification of information as identifiable or not. The question could then become not whether deidentified information might be made re-identifiable, but rather which entities would be able to re-identify the information, how much effort they would have to expend, and what limits are placed on their doing so.

And here’s an advocacy group apparently lacking that sophistication. They treat information as flatly “de-identified” in a legal filing about a New Hampshire law that bans the sale of prescription drug data for marketing purposes:

[T]he Prescription Information Law does not implicate patient privacy. While it purports to protect privacy interests, the statute regulates patient de-identified information.

Here’s the thing: Both quotes were issued by the Center for Democracy and Technology.

The first is from CDT’s filing with the Department of Health and Human Services about the circumstances under which HHS should require health providers to notify patients about a data breach. CDT wants more breach notices, so it argues that information might be pieced together. The concept of “de-identification” is weak.

The second quote is from a CDT legal brief asking the Supreme Court to review (and I believe they would argue to reject) the New Hampshire law. CDT wants the data to be shared, so it argues that the data is “de-identified.”

However, as data is copied, exchanged, or recombined with other information such as payment claims to Medicare and Medicaid, it’s easy to imagine records of doctors’ prescribing practices being used to help piece together patients’ drug-taking habits and health conditions.

Is this mendacity on the part of CDT? I don’t think so. It illustrates how difficult these issues are, even for sophisticated parties. Until more intellectual groundwork is laid, information policy arguments before regulators, lawmakers, and courts will not rest on solid footing. Everyone’s trying their best!

You’re dying to know the right answers, of course: Government-mandated data breach notifications are part of a growing trend toward command-and-control data security. Giving injured parties common law remedies and letting the legal incentives sort things out would be much better. HHS, of all agencies, should not be doing data security.

The New Hampshire law weakens drug companies’ ability to market to doctors, which deprives doctors of information that could help them serve patients better. The remote privacy risk to patients when doctors’ prescribing practices are shared should also be handled by common law remedies rather than the state’s regulation, with its attenuated privacy claims. Rather than the U.S. Supreme Court finding a federal trump card, the legislature in New Hampshire should correct its error and maximize the flow of information in the state’s health care system.

Should the FTC shut down Gmail and Google Docs because of an already-fixed bug?
https://techliberation.com/2009/03/18/should-the-ftc-shut-down-gmail-and-google-docs-because-of-an-already-fixed-bug/
Thu, 19 Mar 2009 00:17:47 +0000

Earlier this month, Google made news when it announced that its cloud computing productivity suite Google Docs had suffered a technical glitch that temporarily compromised a subset of users’ shared documents. After becoming aware of this glitch, Google notified its users via email and posted an entry to the Official Google Docs Blog that offered a more detailed explanation of what happened.

It turns out that a bug in Google’s permissions code was causing certain documents that had been shared by their author with other users but subsequently unshared to remain visible to those users. By the time Google notified its users, the bug had already been resolved, and Google estimates that only around 0.05% of all documents were vulnerable due to the glitch. As to how many documents were actually viewed by unauthorized parties, it’s unclear at this point.

All in all, the Google Docs glitch, while troubling, seems relatively minor as far as bugs go. Nevertheless, the Electronic Privacy Information Center’s Marc Rotenberg jumped on the chance to attack Google, as he often does when Google makes news for anything privacy-related. Yesterday, EPIC filed a complaint with the Federal Trade Commission that called on the FTC to investigate Google’s privacy safeguards, order Google to shut down all cloud computing services—including Gmail, which has 26 million users—pending a thorough privacy evaluation, and force Google to pay $5 million to a fund that would be set up for “privacy research.”

Watchdog activist groups like EPIC can play a useful role in the public discourse on privacy, helping to publicize unsavory behavior by companies and educating consumers about keeping data secure. Unfortunately, however, these groups’ admirable focus on protecting privacy sometimes edges on the myopic, causing them to overreact to data breaches and sometimes even call for regulatory interventions that are decidedly anti-consumer. EPIC’s latest complaint about Google is a classic example of this.

How would it be in consumers’ interests for the FTC to shut down Google’s cloud computing services until Google can offer its users an ironclad data security guarantee? Gmail has been at the forefront of innovation in webmail, and was among the first providers to offer its users gigabytes of free storage and SSL-encrypted IMAP connectivity. And Google Docs is a wildly popular alternative to Microsoft Office that doesn’t cost a dime to use. Shutting down both of these services would be extremely detrimental to the millions of consumers and small businesses who find the services useful and valuable and are willing to accept the small risk of a bug or data breach. But Marc Rotenberg wants to deny consumers that choice. Concerned users can already close their Google account and switch to another productivity suite; Google even makes it easy for users to export their data in an open format for painless migration.

It’s unrealistic to expect watertight privacy safeguards in a world in which information sharing is on the rise. As collaborative software and cloud computing grow in popularity, the number of potential avenues for breaches, bugs, and compromises will only increase. But closing every service that suffers a bug until federal regulators can comb through every line of code isn’t the solution—the solution already exists. Companies like Google risk losing billions of dollars if consumers lose faith in cloud-based products.

Leaks of sensitive data did not begin with the invention of the Internet, and breaking agreements that promise confidentiality has long been a matter of civil liability. In other words, the proper venue for recourse against Google is not the FTC but the courts. Instead of EPIC complaining to the FTC, victims of the Google Docs bug should be taking Google to court. There’s no reason for the FTC to intervene every time there’s a security flub when existing liability laws combined with market pressures already give the Googles of the world a strong incentive to guard against breaches.

The ever-present threat of FTC action against firms can have extremely destructive consequences for online innovation. What EPIC is advocating — for the FTC to force a company to shut down one of its product suites on account of a single, relatively minor bug — would be a case of harmful regulatory action.

Why Google won’t do evil
https://techliberation.com/2008/09/12/why-google-won%e2%80%99t-do-evil/
Fri, 12 Sep 2008 17:36:39 +0000

In response to Adam and Berin’s excellent introduction to their Googlephobia series, invaluable TLF commenter Richard Bennett succinctly sums up the rap on Google.

There’s no denying that Google has the capacity to do some pretty heinous things with all the sensitive data stored on its servers. But the relevant question isn’t whether Google could do evil, but whether it realistically will. What incentive is there for Google to do anything but keep private data as secure as humanly possible? Sure, Google could earn a nice chunk of change if it were to sell user search queries to the highest bidder. But why would Google put its entire business on the line for a comparatively insignificant short-term gain?

A major privacy breach is Google’s nightmare scenario. If anything happened to cause users to lose trust in Google, they’d go someplace else for email and search. Advertisers would follow suit, causing Google’s stock price to plummet. Google might never be able to recover from a severe privacy fiasco. Obviously, Google is well aware of its vulnerabilities on privacy, which is why Google has incredibly strong safeguards to ensure that sensitive data can’t be uncovered by a rogue product manager with an itchy trigger finger.

Then there’s the liability issue. The multi-billion dollar lawsuits that would ensue were Google to suffer a data breach or an internal leak would deal a serious financial blow to the company, especially because Google’s privacy policy is more than just a comforting statement—it’s legally binding.

We go about our lives every day with the ever-present risk that companies we do business with could, in theory, give out our personal details. Comcast could sell its subscribers’ web browsing histories. Bank of America could offer individual financial records for a small fee. AT&T could put its wireless subscribers’ GPS locations online for all to see. But like Google, all of these firms have an overwhelming incentive not to do “bad” things with personal data.

Many users are comfortable enough with Google to use its services frequently without even masking their IP address. And those users who are worried about the small chance that Google might fumble on privacy already have plenty of safeguards that have been discussed in great depth here on TLF. Even if you want to use Google’s services, there are several methods to prevent Google from being able to identify you.

Ultimately, the threat to privacy posed by Google is far less worrisome than the risk of government agencies or hackers doing evil things with our personal information. We should remain vigilant, and call out Google when its practices result in unnecessary privacy risks. The growing anti-Google hysteria, however, is seriously overblown.
