Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for November 17th, 2023. I'm Alex Achten. Thanks to Sentilink for supporting the ITRC and this podcast.

Each week, we look at the most recent events and trends related to data security and privacy. Today, I will update you on a podcast we brought you over a year ago about Kochava suing the Federal Trade Commission (FTC) after a proposed complaint and settlement offer. I will also have the latest on the MOVEit data event and some of the top breaches in October.

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 17, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we discuss the Federal Trade Commission (FTC) and the Kochava FTC battle. We update you on a podcast we brought you over a year ago about Kochava suing the FTC after a proposed complaint and settlement offer. We also have the latest on the MOVEit data event and some of the top breaches in October.

There is a saying that bad news travels at the speed of light while good news travels like molasses – thank you, Tracy Morgan. It is safe to say that bad news travels fast – faster than good news. We bring this up because there is typically no news when the FTC takes action against a company selling personal information. However, it’s big news when a company sues the FTC – thank you, James E. Lee.

Kochava Sued the FTC in 2022 After Proposed Complaint & Settlement Offer

If you recall, ad tech company Kochava sued the FTC last September after the government agency sent a proposed complaint and settlement offer alleging that the company’s data collection practices made it possible for third parties to track mobile phone users, enhancing the Kochava FTC battle. Fast forward to May, and a judge ruled the FTC had not provided sufficient evidence in its complaint. However, they allowed the agency to build more evidence and file an amended complaint, which the FTC did in June.

Order Entered to Unseal FTC Complaint & Dismiss Sanctions Against the Agency

Last week, an order was entered to unseal the complaint and dismiss sanctions against the FTC. According to The Record, experts say it is a promising turnaround in the landmark FTC action against Kochava. It adds that Kochava is under increasing scrutiny for gathering exceptionally sensitive data on vast numbers of consumers with little regulation.

The FTC complaint also alleges the company has lax procedures for determining to whom it sells data. The Commission says purchasers can use a generic personal email address, label an alleged company as “self,” and explain they plan to use the data for “business.” In the case of this update in the battle between Kochava and the FTC, the bad news traveled fast.

Notable Breaches in October/MOVEit Data Event Update

In other news, the ITRC tracked 235 data compromises in October, impacting eight million people. The top three compromises in the month by victim count were Arietis Health, LLC, DNA Micro and NASCO, combining to affect over three million people. Two of the top three compromises (Arietis Health and NASCO) were due to the MOVEit attack we’ve previously discussed.

As of November 9, the ITRC has tracked 1,279 organizations impacted by MOVEit, with an estimated 55.6 million victims. Of those 1,279 organizations, 1,189 were affected indirectly (through a single or multiple vendors) and 90 directly.

Get the Latest Data Breach Information

For more information on the latest data breaches, visit the ITRC’s data breach tracking tool, notified. Also, as a reminder, if you would like to receive an email alert if a company you do business with suffers a data compromise, sign up for the ITRC’s Breach Alert for Consumers Service free of charge. It allows you to create a limited list of companies and receive an email if one of them is added to the ITRC’s notified data breach database.

What to Do if You Receive a Data Breach Notice

If you receive a data breach notice, follow the advice offered by the impacted company and freeze your credit to ensure no new credit accounts can be opened in your name. Immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, use multi-factor authentication (MFA) with an app – SMS can be spoofed – and keep an eye out for phishing attempts that claim to be from the breached organization.

Contact the ITRC

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. There will be no podcast next week as the ITRC offices will be closed for Thanksgiving. In two weeks, we will have an episode of our sister podcast, The Fraudian Slip, breaking down the findings in our Biometric Working Group discussion paper, which will be released on November 29. We will have a special guest, Linda Miller of Audient Group. For the discussion paper, the ITRC formed a Biometric Working Group, which included Miller, tasked with finding practical solutions to help prevent identity crimes while respecting privacy and ensuring data protection. You will be able to download the discussion paper by visiting www.idtheftcenter.org/publications.

We will return in three weeks with another episode of the Weekly Breach Breakdown.