Cyber News “In Brief”

By: Jennifer Wolak, Adam Adler and Samantha Lemery Rowles

Welcome to our Cyber News “In Brief” post, here’s a quick overview of some of the significant recent headlines.

Case Updates
Under Armour recently announced that its nutrition app, MyFitnessPal, has suffered a data breach that impacted approximately 150 million users.  The app allows users to track their caloric intake and exercise.  The breach allegedly did not compromise credit card information or birthdays.  Instead, the breach compromised usernames, emails, and passwords.  These email addresses can be particularly valuable to spammers.  Some of the password information stolen was protected by “bcrypt,” which converts the information into an unintelligible format that could take longer and more resources to unravel.  Other information, however, may have been stored in a less protected format.

Dating app Grindr has indicated that it will stop sharing the HIV status of its users with other companies.  According to media reports, user information was sent to two companies that test the performance of Grindr’s products and allegedly to create new features.  Grindr has insisted that it had security measures in place to protect users’ privacy, such as the encryption of sensitive information.  Grindr also insisted that it never sells any user information and will isolate the information going forward.

Grindr is just one example of the recent media focus on data-sharing practices and the privacy disclosures that companies use to disclose these practices.  Facebook has been in the spotlight for its purported knowledge of Cambridge Analytica’s harvesting of data from up to 87 million users.  There are allegations that this information was then used to influence the recent U.S. presidential election.  Cambridge Analytica gathered the data through a personality app.  Facebook announced that it will notify users as to whether their data was at issue.  A link also will be provided to allow users to delete apps and prevent them from collecting information.  According to some reports, Facebook has suspended CubeYou, a data analytics company, due to CubeYou’s alleged gathering of data via quizzes and then sharing that information with marketing companies.  We expect to see more of these types of suspensions.

Most of us voluntarily put quite a bit of personal information on publicly available social media apps but how much control should we have over how that information is used?  How should these data-sharing practices be regulated and to what extent?  By some accounts, Facebook’s Mark Zuckerberg has indicated that he may not be willing to impose the EU General Data Protection Regulation (the “GDPR”) as the standard without exception worldwide but eventually, there may not be a choice in the matter.  Zuckerberg will testify before Congress this week.

Apps are not the only targets – Retailers Saks Fifth Avenue and Lord & Taylor recently announced that 5 million credit and debit cards have been compromised.  It appears the card information may have been stolen from stores using the “chip and signature” standard but it is not clear whether the information was subject to encryption.   Recently, hackers posted the stolen information on the dark web.  The hack allegedly was committed by a group known as JokerStash (also known as Fin7), which may have been behind the Whole Foods and Chipotle breaches as well.  By some reports, the group has disclosed 125,000 credit card numbers thus far and promised to release more shortly.

It appears Sears, Delta, and Best Buy all were affected by a recent breach.  According to media reports, all three companies use the same third-party firm, [24]7.ai, to provide online and mobile chat services for customers.  Some customer payment information may have been compromised.  [24]7.ai has maintained that it has confidence in the security of its platform.

Loyalty programs could also present a significant vulnerability.  Panera recently was hit by a data breach.  We understand the records targeted belonged to customers that enrolled in the loyalty program.  As a result, names, emails, physical addresses, birthdays, and the last four digits of credit card numbers may have been compromised.  By some accounts, Panera allegedly was warned that its website was exposing sensitive data but did not immediately fix the issue.  There have been conflicting reports regarding the number of consumers affected.

In drone news, the Trump administration has recently asked Congress to give the Departments of Homeland Security and Justice the ability to track and destroy drones that could be used by terrorist groups to deliver harmful substances or conduct reconnaissance.  There is some concern that the proposal could lead to power that is unnecessarily broad.

The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Fields Howell or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the reader’s state, country or other appropriate licensing jurisdiction.