Half of business leaders admit to hiding data breach information
News roundup: Data breach information is kept from customers 50% of the time, according to a report. Plus, the FBI director continues to preach against encryption, and more.
Half of business leaders surveyed said their organizations didn't fully inform customers when their personal information was compromised in a cyberattack, according to a new report.
Security company CyberArk surveyed over 1,300 security professionals, developers and business leaders in seven countries for its "Global Advanced Threat Landscape Report 2018." Vanson Bourne conducted the survey in the fall of 2017 among "IT security decision-makers and line of business owners" at organizations ranging from 500 to 5,000 or more employees. The most startling finding of the report is that 50% of respondents admitted that they didn't fully disclose data breach information related to customers' personal data exposed during a cyberattack.
"The implications of this lack of transparency are significant, including potential loss of future customers, executive departures and regulatory penalties that are evolving in severity," the report states.
The statistic may not be surprising since the world recently learned that ride-hailing company Uber covered up data breach information -- including the compromise of the personal data of 57 million of its customers and drivers -- for a year. However, the willingness of survey participants to admit to this behavior is unsettling.
"The data from the survey also reinforces that, despite these headline-generating breaches, organizations are not changing fundamental security behavior," the report states.
This follows a different report from Veracode that found that the awareness of major security breaches -- such as Equifax, Yahoo, Target and the Office of Personnel Management -- was low among business leaders in the U.S., U.K. and Germany.
CyberArk also pointed out in its report that many organizations are required to disclose data breach information both to customers and to regulators.
"In the U.S., 48 states have statutes that require businesses and government agencies to notify customers of data loss," CyberArk states in its report. "The U.S. does not have a single comprehensive federal law on data breach notification, but several federal statutes require reporting, including the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley."
Additionally, when the EU's General Data Protection Regulation goes into effect on May 25, 2018, organizations subject to the standard will be required to disclose data breach information within 72 hours of discovery of a breach or face hefty fines.
In other news
- A researcher with Google Project Zero detailed an iOS 11 exploit that could jailbreak iOS 11.2.1. Project Zero's Ian Beer teased on Twitter last week that he had found an exploit -- which he called "tfp0" -- that obtains the kernel task port in iOS. This week he posted the entire proof of concept, which shows a way to bypass Apple's software restrictions and create a jailbreak for iOS 11. Beer noted vulnerabilities in IOSurface and in the kernel. The memory corruption flaw that enables the jailbreak affects the iPhone 5s and later, the iPad Air and later, and the sixth-generation iPod touch. It could enable an application to execute arbitrary code with kernel privileges. Beer notified Apple of the issues, and Apple patched them in its iOS 11.2 update.
- In a recent statement, FBI Director Christopher Wray continued to criticize the use of strong end-to-end encryption. In testimony before Congress about the FBI's priorities for 2018, Wray said that encryption presents "a significant challenge to conducting lawful court-ordered access to digital information or evidence, whether that information is being electronically transmitted over networks or is at rest on a device or other form of electronic storage." Wray also said that the FBI was unable to access over half of all mobile devices the agency investigated in 2017. "The benefits of our increasingly digital lives have been accompanied by new dangers, and we have seen how criminals and terrorists used advances in technology to their advantage," Wray said. "In the counterterrorism context, for instance, our agents and analysts are increasingly finding that communications and contacts between groups like ISIS and potential recruits occur in encrypted private messaging platforms." Both Wray and Deputy Attorney General Rod Rosenstein have repeatedly made public statements condemning the use of encryption that doesn't allow law enforcement access.
- Another keylogger has been discovered in HP Inc. laptops. The keylogger was found in the Synaptics debugger driver, which is used in almost every HP laptop, as well as in some laptops from other vendors. It is disabled by default, but it could be enabled with a registry entry. HP has already issued updates for this vulnerability. "A party would need administrative privileges in order to take advantage of the vulnerability," HP explained in its security advisory. "Neither Synaptics nor HP has access to customer data as a result of this issue." The keylogger was discovered by a researcher known as "ZwClose" and is the second one uncovered this year. Earlier in 2017, a keylogger was discovered in Conexant HD Audio drivers on HP laptops by researchers at Modzero AG in Switzerland. Synaptics released a statement in response to the discovery, noting that the debugging tool was incorrectly characterized as a keylogger. Synaptics also said it would drop the debugger, which is shipped with notebook PC products from multiple OEM manufacturers, writing: "Synaptics will take the precautionary steps of defeaturing the debug tool for production drivers to further prevent the tool from being used in an unintended and malicious way."