ISMG Editors: When an Insider Threat Costs Millions
Also: Facebook's Lawsuit and Highlights from ISMG's Northeast US Summit
Anna Delaney (annamadeline) • June 27, 2022
In the latest weekly update, four Information Security Media Group editors discuss important cybersecurity issues, including how Canada's Desjardins Group settled a data breach lawsuit for $155 million, how Facebook is being sued after allegedly violating patient privacy, and highlights from ISMG's U.S. Northeast Summit held in New York this week.
The editors - Tom Field, senior vice president, editorial; Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- Highlights from ISMG's in-person Northeast U.S. Summit in New York;
- How Facebook is facing a putative class action alleging it unlawfully collects patient data from the online portals of hundreds of medical providers without knowledge or consent;
- How Canadian financial services cooperative Desjardins Group has reached an out-of-court settlement with multiple plaintiffs to resolve a data breach class action lawsuit that involved a "malicious" insider stealing and selling personal details for 4.2 million active customers of the credit union group.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 3 edition discussing what's hot at RSA Conference this year and the June 17 edition discussing whether we are closing in on a U.S. federal law.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. And this is our weekly roundup of the top stories in cybersecurity. And I'm delighted to be joined by some of my excellent colleagues. Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Wonderful to see you all.
Tom Field: Wonderful to be seen. Welcome.
Mathew Schwartz: Great to be here.
Delaney: Tom, I think I recognize that view. Are you in New York, perhaps?
Field: I was in New York. The contrast is, I was on the 15th floor of the hotel that was across from the venue where we had our New York Summit this week. And opening my window, all I could see were other windows and other buildings. Now, contrast this to a colleague who will remain nameless, who was on the 30th floor above and was looking at the Empire State Building.
Delaney: I think that nameless colleague was on the 33rd; just upgraded that, but yes, what a view to have behind me. I'm just looking out still. It's great. Marianne?
Marianne McGee: I'm in Plymouth Harbor, which is like 20-25 miles from where I live. Went there on Memorial Day, I don't know if you can see the Mayflower II behind me.
Delaney: It's gorgeous.
McGee: Yeah, you can't see it. But it's a replica of the original Mayflower from 1620, when the Pilgrims came over from England.
Field: The original might be behind me, but who'd know?
Delaney: Matt, very funky street art behind you.
Schwartz: Flashing back to the RSA Conference in San Francisco, there was just some good street art in the region of the Moscone. So, I couldn't resist.
Delaney: There was quite a bit of street art out there; urban artists taking advantage of those walls.
Schwartz: Yeah, sketching scenes amongst the extreme wealth and dereliction block by block.
Delaney: Yeah. Well, I am in a plane. I just thought with all the recent plane travel, this is the window view and it never fails to impress me — the clouds and the sunrises, the anticipation of arriving somewhere new or getting home.
Schwartz: You're up in the air, Anna.
Field: And she's getting used to it.
Delaney: Well, after two years of being deprived, I think.
Field: I think by the time we do our next one of these, you might be speaking with a New York accent.
Delaney: Give me time, I'm working on it. So Tom, we were in New York for a reason, our Northeast Summit. How was it for you? What were the highlights?
Field: Anna, it was so terrific for so many reasons. First of all, New York has always been our foundational summit location. And we were back there in the city for the first time since the fall of 2019. So here's the opportunity to bring together a community that we haven't had a chance to see for a long time; meet new faces, familiar faces, continue relationships. And think about the topics that we were able to discuss over the course of a day. You held a panel on the latest P2P fraud trends. We were able to talk about zero trust with the godfather of zero trust, John Kindervag. We were able to talk about supply chain security with Chris Wysopal of Veracode. We dug into the impacts that are being felt everywhere from the Russian war in Ukraine. We were able to dig into the real topical areas with significant thought leaders in the industry. We had the chance to sit down with Ari Redbord and Lisa Sotto for the first time ever. They had the chance to meet each other. We did bring a pretty good who's who together for a day of just nonstop conversation. We had four different discrete roundtable discussions over the course of the day. It was an amazing event for me, so those are my takeaways. How about for yourself?
Delaney: That's an excellent overview! I enjoyed watching your one-on-one interviews with Claire Le Gal and John Kindervag. Always amusing, because they are quite personal and you get to talk about their background and their personal journeys, their professional journeys. Claire Le Gal leads the cyber and fraud division at MasterCard. In her opinion, it’s not only about what she's doing to tackle cybercrime with her team, but also about breaking down industry silos. And what's scaring her in the future is quantum cryptography and cryptocurrencies. So they give her hope, but she knows that there are challenges ahead with those. Also, how cool is it to be on a panel with the Secret Service or members of the Secret Service in New York and how they're investigating crypto-related crimes. And what's on their mind? Well, Web 3 and DeFi. They're saying watch those. There are going to be challenges ahead and opportunities for criminals, and how can we have better law enforcement and cybersecurity in the industry work together. So those are my highlights. But yes, as you said, meeting people that we haven't met in person; we've been zooming for a couple of years with; and also the roundtable attendees as well, that a range of conversations. Loved every moment of it.
Field: It's such a relief not to have to say, 'excuse me, you're muted,' or 'oh, could you turn your camera on?' And just to have these conversations. I think another theme that you can't help but pay some attention to is just where the economy is going right now, there are so many warning signs out there. And I keep coming away from this feeling much like I did, and the conversation you and I had the other day when we recorded a session where I think when you look ahead to the next six months to a year, the rich may not get richer, but those who are poor, in terms of cybersecurity, are going to have to get more secure. So I don't think that the things that we're talking about and the areas that we focus on, are going to become any less priority. Certainly, the adversaries aren't going to let up because there's an economic downturn. So I think we're going to be continuing to discuss these issues with these and other thought leaders as we move forward.
Delaney: Marianne, we have a healthcare summit soon. So you'll be in New York as well.
McGee: Yeah, we have a great lineup. We have people representing different segments of the government from Department of Health and Human Services. We have the leader of medical device cybersecurity, Suzanne Schwartz will be speaking. We have the top HIPAA enforcement person under the Biden administration, Lisa Pino will be attending and speaking. We have Josh Corman, who recently completed a stint at CISA, representing the healthcare sector, who will be giving a keynote about, you know, some of the observations that he made about the healthcare sector and the precarious position that it's in during his time at CISA. We have Errol Weiss who is the Chief Security Officer of the Health Information Sharing and Analysis Center. We have a lineup of other top-notch CISOs and other security leaders from medical device makers, healthcare organizations. It runs the gamut so hopefully everybody will show up. Everyone that I just plugged here will be healthy and well and there. But that's what's planned.
Delaney: Marianne, you do attract the top names so that's an awesome job.
Field: If I may, one of your speakers showed up at our event this week, Marianne. Anahi Santiago of ChristianaCare from Delaware and Philadelphia.
McGee: Yeah, Anahi is great.
Delaney: So Marianne, Facebook has been in the news yet again this week. Tell us more.
McGee: Yeah. As you know, or maybe you don't know that Facebook is now called Meta and, as you said, it has been in the news in recent days for a couple of privacy controversies involving allegations that the company is collecting consumers' sensitive health data through its pixel tracking code. Pixel is a snippet of code used by organizations to track the website activities of users and to help improve targeted marketing and advertising. A proposed class action lawsuit filed in a California Federal Court alleges that Facebook is using pixel to scrape patient data from more than 600 websites and patient portals of U.S. hospitals and medical providers, including data concerning patients' website encounters, ranging from setting up appointments with doctors to searching for information about various diseases. The lawsuit alleges that this is all happening without the knowledge or consent of individuals in violation of various state and federal laws, including HIPAA. Now, under HIPAA, a covered entity must have an individual's prior written authorization before the use or disclosure of protected health information can be made for marketing communications. The lawsuit alleges that through pixel, Facebook is obtaining patient identifiers, including email addresses, IP addresses, the user's status as being a patient of a certain medical provider, as well as contents of communications relating to appointments that the patient has set up. It should be noted, though, that Facebook has faced similar lawsuits in the past. For instance, a class action lawsuit that was filed in 2016 also alleges that Facebook violated various federal and state laws by collecting and using individuals' browsing data from healthcare-related websites. That federal lawsuit was dismissed in 2018.
The U.S. Court of Appeals upheld a lower court's decision to dismiss the case, ruling that plaintiffs were barred from suing Facebook because they had agreed to be bound by Facebook's contract terms, which prevented the lawsuit. And another Facebook controversy this week, nonprofit investigative reporting organizations, The Markup and Reveal alleged that Facebook again, through the use of pixel, is collecting ultra-sensitive personal data about individuals considering abortions, enabling anti-abortion organizations to use that data as a tool to target and influence these people online in violation of Facebook's own privacy policies. Now, privacy experts are warning that, in that case, individuals' data trails could be used against them if some states criminalize abortion following the expected decision by the U.S. Supreme Court to overturn Roe v. Wade. So far, Facebook has not responded to our requests for comment on the allegations. But Facebook reportedly says that its filtering systems detect and remove potentially sensitive information before it gets stored in its advertising systems. So overall, the Facebook privacy controversies seem to fit into a theme that, in some cases, the fear of Big Brother government surveillance might come down to social media and other technology firms having access to too much sensitive data as part of their tech service offerings, and then the questions surrounding how that data could get misused. And finally, along those same lines, Senator Elizabeth Warren, along with several other lawmakers, last week, introduced a bill into Congress, the Health and Location Data Protection Act, which proposes to ban third party data brokers from selling or transferring sensitive health and location data. So, you have a lot of controversies involving the privacy of health data.
Delaney: A lot of controversy. Marianne, has Meta ever responded to your requests?
McGee: No, I'm not surprised. But like I said, they've responded in general, I guess, to some of the reporting that's been out there about this, that they have filtering systems that prevent the sensitive data from being stored in their systems. And then, as I mentioned, the other lawsuit was similar and got dismissed, because when people agree to the policies of Facebook, they agree to give up certain rights, like suing. So I don't know if that pertains to this, or these latest controversies, but there's always the fine line. They are the tiny print that you don't read.
Schwartz: If only the U.S. had strong privacy protections, like you were saying, for health data or for anything else? In Europe that would be illegal.
Field: Once again, legislatively we're a third world country.
McGee: Yeah, there's always these national proposals for federal privacy laws that don't go anywhere.
Schwartz: Still waiting!
McGee: Yeah, when you want the health data, privacy security, there's so many interesting and promising legislative proposals that are being floated even now, as I speak, that probably won't gain any steam. So good ideas that never go anywhere.
Delaney: Let's see what happens next. As always, Matt, you're going a bit retro on us this week. Talk about Desjardins.
Schwartz: When you have a site called DataBreachToday, I won't say that you actively seek data breaches. But definitely when they come along, it seems like they need to be highlighted. And there's an interesting development in a class action lawsuit in Canada against Desjardins Group, which is a Canadian financial services cooperative. You may remember Desjardins from such data breaches as a massive one that came to light in 2019, when it was revealed that personal details for 4.2 million active customers of the credit union group had been sold to third parties. And by third parties, I think we're talking darknet sites, cybercrime forums, places where this information can be monetized. According to court documents, this information also ended up in the hands of other financial industry folks who wanted to use it for marketing purposes. So where did this horrible data breach trace back to? It traced back to somebody in the marketing department. Nothing says targeted marketing like this, right? A guy named Sebastien Vachon-Desjardins of Quebec has been arrested, back in 2019, charged with fraud, identity theft, and trafficking in stolen personally identifiable information. Now the case remains open, he hasn't appeared before a judge yet in a trial. He hasn't pleaded, as far as I know, guilty. It's an open case still. So I don't know how that's going to resolve. But that didn't stop a bunch of customers from filing lawsuits. Those were consolidated. And earlier this year, Desjardins Group suggested that it settled the lawsuit with these individuals who had filed it for a total of about $200 million Canadian, so a bit over $150 million U.S. And this has been approved now. So this is interesting, because data breach lawsuits tend to get settled. Companies don't want a court deciding or jury deciding what damages should go to the plaintiffs. I think because they think it could go horribly wrong for them.
So typically, if things proceed, if they can't get thrown out, eventually they will settle in order to not set a precedent they might regret later. So that is what has happened here. Interesting that the breach happened, or 26 months before being discovered in late 2018. And is only now getting settled. Another interesting thing is we've had an investigation into what went wrong, both by the privacy watchdog in Quebec, as well as Canada's Office of the Privacy Commissioner, and they decided to join forces, they did a joint investigation. And it's always fascinating to me, when you have a big bad breach, and a privacy watchdog comes in and is legally allowed to get anything they want, and then they publicly released a report about what went wrong. Fascinating, highly recommended for anybody in this industry or who's trying to prevent data breaches to see what went wrong. And so just to give a couple of highlights. There was segmentation in place to protect people's personal information when it was being stored on a banking system, a banking data warehouse. And so if you tried to get access to the information, you had to have appropriate access credentials. This is exactly what should be the case. But this information was also being stored in a credit data warehouse and the controls weren't in place there. Also somebody in the marketing department was taking the information, including sensitive, regulated, confidential customer information. And they were copying it over. They had a batch job, they ran once a month to copy it over onto a database in the marketing department. So this malicious insider didn't allegedly hack into anything. The malicious insider allegedly just accessed information that was being inappropriately stored in the marketing department. Bad thing that happens that the organization should have spotted in advance. 
And so there was a number of recommendations that the OPC, the Office of the Privacy Commissioner of Canada made, and one of them was access controls. This employee was able to find the data, get access to it, he shouldn't have had it, copied onto a USB key in circumvention of the confidentiality agreement that he signed, and then sell all this information. And it wasn't detected for more than two years. So huge list of things that were done wrong. Class action lawsuit, which was not going in Desjardins' favor. So they ended up settling it. And here we have a breach story, which, again, like so many data breach stories, happened a long time ago and still hasn't been resolved.
Delaney: That's an incredible story. So other than reading the report, lessons learned for organizations would be?
Schwartz: Make sure you have the right controls in place. This comes down to a simple problem: marketing was just bringing information in a manner that it shouldn't have done in order to make its life a little bit easier. And I've certainly been in organizations before where it has been copied left, right and center. I don't think in violation of any laws or anything, but the people will try to get their jobs done. And so there needs to be the right controls and the right tools. They didn't have those in place to facilitate this while maintaining security. So I was just reading the findings and just seeing if anything looks like it could happen in your own organization, and then maybe investigate to see whether or not it is and whether or not you'd be able to detect it if it was happening.
Delaney: Incredible that nobody in the organization got a sense of it as well. It's not just about the controls. It's the activity that's going on.
Schwartz: Exactly and that's a great point as well. When we were at RSA, and we were talking to a lot of organizations that do threat intelligence, and one of the big deliverables from that, one of the big products that organizations, especially the financial services sector sign up for, is any hints or clue that data from their systems might be appearing where it shouldn't be, especially on cybercrime markets. If you get a sense that it's showing up, then maybe they could have caught this breach a month into it, as opposed to 26 months into it.
Delaney: Always great insights, Matt, thank you.
Schwartz: Thank you very much.
Delaney: So final question. You have been commissioned, of course, to create the next big blockbuster film. And surprisingly, it's all about cybersecurity. What would you call it?
Field: I'm going to do a remake. We're going to update it. 30 years later or 40 years later, almost. We're going to call it Revenge of the Nerds: Back to the Breach.
Delaney: Love that! Marianne?
McGee: Hacker Wars; you can use that for any kind of hackers you want to think of: nation states fighting each other, low grade hackers doing petty crimes. There's a lot of possibilities there.
Delaney: Yeah, definitely. I can see that. Matt?
Schwartz: I was going to do Star Wars: Revenge of the Cybers. I just think that Star Wars is casting around for something new, right? We have all these flashback shows, all these little characters. They need to rethink things. So cybersecurity is hot. Why not?
Delaney: We'll have to call Harrison Ford, if he is free for that. A Whole New World is what I'm going for. Just because there's a whole new world, everybody's having to adapt — law enforcement, my mom, schools. So yes, hopefully, there's a hint of hopefulness. There's a bit of positivity spin on there, I think.
Field: So back to Hacker Wars: A New Hope.
Delaney: This has been entertaining, informative, and fun. Thank you very much, Tom, Marianne, and Matt. Always a pleasure.
Field: Until next time!
Delaney: Thanks so much for watching. Until next time!