At a glance.
- Twitter faces FTC complaint over use of customer data for targeted advertising.
- Blacklist Alliance data leaked.
- Lawsuit over alleged failure to wipe client data from decommissioned equipment.
- More organizations disclose that the Blackbaud ransomware incident affected their donors.
Draft FTC complaint alleges that Twitter misused user data in violation of 2011 consent order.
Twitter's most recent quarterly Form 10-Q, filed with the US Securities and Exchange Commission, discloses that the company faces a complaint from the US Federal Trade Commission. The FTC alleges that Twitter misused phone numbers or email addresses users provided for purposes of safety and security to deliver targeted advertising between 2013 and 2019, which would place the company in violation of its 2011 consent order with the Commission.
"On July 28, 2020, the Company received a draft complaint from the Federal Trade Commission (FTC) alleging violations of the Company’s 2011 consent order with the FTC and the FTC Act," the relevant disclosure says. "The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019. The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million. The accrual is included in accrued and other current liabilities in the consolidated balance sheet and in general and administrative expenses in the consolidated statements of operations. The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome."
Business Insider connects the complaint with Twitter's acknowledgement this past October that it may have "inadvertently" used such data for targeted advertising, and that it was unable to determine how many users might have been affected.
Twitter's 10-Q also disclosed that, in an unrelated action, "The Company is currently the subject of inquiries by the Irish Data Protection Commission with respect to its compliance with the GDPR."
Data from Blacklist Alliance leaked online.
According to KrebsOnSecurity, databases from the Blacklist Alliance have been leaking online. The Blacklist Alliance describes itself as "offering a comprehensive compliance and risk management solution to the lead generation industry and other companies engaged in direct response marketing campaigns." The company's services are designed to protect lead generation and other "direct response marketing efforts" from "predatory litigation" under various regulatory regimes (but especially the US Telephone Consumer Protection Act of 1991 and the subsequent, related CAN-SPAM Act) by providing compliance training, skip tracing, compliance support, a "litigation firewall," monitoring and support, and prepaid attorney services. KrebsOnSecurity summarized the problem: "Unfortunately for the Blacklist paying customers and for people represented by attorneys filing TCPA lawsuits, the Blacklist’s own Web site until late last week leaked reams of data to anyone with a Web browser. Thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers all could be viewed or downloaded without authentication from the domain theblacklist.click."
The data have now been rendered inaccessible to unauthorized users, and BankInfo Security reports that the Blacklist Alliance has retained a privacy and data breach specialist to figure out the company's obligations under California's mandatory data breach reporting law. The Blacklist Alliance suggested to BankInfo Security that the exposure may have occurred through a web server directory left open to the Internet, but that the company is also looking into other possible causes and intends to notify all of its clients. The firm's CEO said, "We intend to examine every avenue, including third-party service providers with whom we work and pursue any legal action available to us."
Saryu Nayyar, CEO of Gurucul, emailed these comments on the incident:
“The irony of the recent breach of The Blacklist Alliance is hard to ignore. This is an organization that specializes in protecting marketing firms that use robocalls from litigation under 1991's TCPA (Telephone Consumer Protection Act). And now they themselves are revealing the phone numbers and other data of their own customers, along with the numbers of people who have sued because they were receiving robocalls.
“Other information, such as the Blacklist Alliance's customer IDs and passwords, was also apparently leaked, due to a web server misconfiguration. This is the kind of basic security mistake that shouldn't happen, but still happens with distressing frequency.
“A simple configuration review would have caught this before it became an expensive data release. This is something companies need to take to heart. Even the best information security infrastructure has a hard time defending against user errors. Hopefully, this incident will serve as a cautionary lesson about properly configuring databases, and what sorts of data should be on them in the first place.”
James McQuiggan, Security Awareness Advocate at KnowBe4, pointed out that whether data are held in a testing or production system, they've got to be protected. He suggested that those whose information was exposed in this incident should not only change their passwords, but be alert to the social engineering that often follows such data loss.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, offered some (qualified) sympathy for the telemarketing industry:
"People respond to incentives and the prospect for a consumer to sue telemarketers for up to $500 per unwanted call under the TCPA is likely compelling enough for some people to invent ways such as maintaining multiple phone numbers to receive more ‘unwanted’ calls from those organizations in an attempt to extract many more penalty payouts than they otherwise would. Still, it’s difficult to sympathize with the telemarketing industry here. The telemarketing industry in general does not have a history of respecting the people targeted for their sales pitches nor their own workers and has been frequently caught flouting laws and rules designed to rein in their worse impulses. The Blacklist Alliance’s breach demonstrates that at least some of their customers have in the past employed advanced tactics to ensure that their email spam campaigns avoid filters and blocklists so it is not much of a stretch that these organizations would also engage in phone number spoofing and other deceptive methods to fool their targets into answering their calls. This suggests that rather than wanting to ensure that they are following the rules and trying to avoid falling victim to consumers that open multiple numbers in search of maximizing penalty payouts, customers of The Blacklist Alliance are seeking to avoid consequences of unethical behaviors by avoiding the consumers most likely to report them to authorities."
Qualified sympathy. The most irritating and least legitimate precincts of that sector are likely to continue as they have. Spoofing phone numbers remains among their most objectionable practices. Clements isn't necessarily talking about either Blacklist Alliance or its clients, but he has some harsh words for that particular practice as it's used by unscrupulous operators:
"Still, the exposure of this information is not likely to stop the most egregious telemarketing spam techniques used by spoofing the phone number the call is coming from. The legacy phone system does not have a great solution to ensure that the number showing up on your phone is really the number the call originated from. In some cases, there are legitimate reasons for this such as having a large company’s support department’s outbound calls appear to be one recognizable number, but the ease of spoofing a phone number means that it is widely used by unethical organizations to hide their identity and deceive their targets. Ultimately this is a problem that only the telecom providers can address and unfortunately there aren’t many compelling incentives for them to do so. If sufficient incentives were put in place, providers would no doubt be able to effectively resolve the spoofing problem in short order."
Failure to wipe.
Morgan Stanley faces two US Federal lawsuits filed by seven current and former customers who allege that the financial services giant compromised their "Social Security, passport and account numbers" when it decommissioned two data centers in 2016, Financial Planning reports. The company hired a third party to purge data from the centers' systems, but learned in 2019 that a software flaw had left copies of unencrypted, deleted data on hard drives. The company has also lost track of some of the imperfectly wiped devices: the whereabouts of the drives, and of the data they still hold, are apparently unknown.
Morgan Stanley has said it's “continuously monitored the situation and [has] not detected any unauthorized activity related to the matter, nor access to or misuse of personal client data.” The plaintiffs allege that the company's "negligence" and "recklessness" with respect to their data expose them to identity theft and fraud. They also say it took Morgan Stanley too long to detect the potential data compromise.
More fallout from the Blackbaud ransomware incident.
The effects of the Blackbaud ransomware incident continue to ripple through the educational, political, and not-for-profit sectors, affecting the sorts of operations that have donors as opposed to customers.
In the US a new set of universities are now known to have been affected. The Universities of Texas and Oklahoma have both warned donors and alumni that their information may have been accessed by the attackers. And, after a coy, slow-reveal from California State University Northridge, EdScoop reports that the California State University system is now investigating the possibility that the Blackbaud attackers successfully compromised all twenty-three institutions in the system. (The California State University system is a public higher education institution distinct from its sister system, the University of California.)
There have been other victims in the United Kingdom, too. Third Sector reports that more than thirty British charities have been affected. And it’s not just charities, either. The Labour Party has disclosed that personal information about thousands of its donors was exposed in the incident. Labour had been using “Raiser’s Edge,” a fundraising and donor management solution from Blackbaud.