BreachExchange mailing list archives

Senators Probe Home Depot, Apple Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 11 Sep 2014 20:00:33 -0600

http://www.databreachtoday.com/senators-probe-home-depot-apple-breaches-a-7304

In hopes of getting stalled national data breach notification legislation
moving in Congress, two influential senators say they want Home Depot and
Apple Inc. to brief lawmakers on the circumstances behind their recent data
breaches that permitted unauthorized access to sensitive customer
information.

Sen. Jay Rockefeller, D-W.Va., and Sen. Claire McCaskill, D-Mo., jointly
wrote letters to the CEOs of Home Depot and Apple, asking them to explain
the details of their breaches.

"We have been advocates for data security and breach notification
legislation that would better protect consumers and improve corporate
responsibility," the senators said in a statement. "The recent data
security incidents that have affected major corporations, including Home
Depot, demonstrate the need for such federal legislation."

Rockefeller chairs the Senate Commerce, Science and Transportation
Committee and McCaskill chairs the panel's Subcommittee on Consumer
Protection, Product Safety and Insurance.

Earlier this week, two other senators, Richard Blumenthal, D-Conn., and
Edward Markey, D-Mass., requested the Federal Trade Commission investigate
the Home Depot breach, which potentially impacted customers using payment
cards at its U.S. and Canadian stores since April (see: Home Depot Confirms
Data Breach).

"We are concerned that the retailer's procedures for detecting and stopping
operations to steal customer data are inadequate, and we call on the
commission to investigate whether Home Depot's security procedures meet a
reasonable standard," Blumenthal and Markey said in a statement.

Breach Briefings

In their letter to Home Depot, Rockefeller and McCaskill ask the home
improvement retailer to provide a briefing on the investigation and latest
findings on the circumstances that may have permitted unauthorized access
to sensitive customer information.

"It has been a week since Home Depot announced its investigation into this
now-confirmed breach, and we expect that your security experts have had
time to examine the cause and impact of the attack and breach and will be
able to provide the [U.S. Senate Committee on Commerce, Science and
Transportation] with detailed information," the letter says.

The senators ask Apple to provide a briefing on its investigation into the
unauthorized access to iCloud data, which resulted in photos of
high-profile celebrities being released (see: Is Apple iCloud Safe?).

"We understand that the focused nature of the attack on specific iCloud
accounts is very different from the massive data breaches that affected
other companies, but nonetheless indicate potential vulnerabilities in your
cloud security protocols that were exploited by hackers," the letter from
the senators reads.

FTC Probe

Meanwhile, senators Blumenthal and Markey have asked FTC Chairwoman Edith
Ramirez to open an investigation into the Home Depot breach to determine
whether the retailer failed to employ reasonable and appropriate security
measures to protect sensitive personal information.

"Furthermore, it is troubling that Home Depot has not yet been able to
confirm that it has successfully shut down the data breach," Blumenthal and
Markey state in their letter to the FTC. "This means that its customers may
continue to be at risk of having their personal information stolen."

Under Section 5 of the FTC Act, the commission has jurisdiction to
investigate companies' privacy and information security policies,
procedures and practices.

Breach Legislation

While the Home Depot and Apple incidents draw the interest of senators
seeking more information, they may not be enough of a catalyst to get
cybersecurity legislation passed this year (see: Expectations Low for Cyber
Legislation).

Cybersecurity is seen as a growing concern among lawmakers, but it pales
when compared with other issues Congress must confront in the next few
weeks, including funding the government for fiscal year 2015, which begins
Oct. 1. Without enacting a so-called continuing resolution, the federal
government would shut down. Other issues are grabbing senators' and
representatives' attention, too, such as the increasing threat posed by the
Islamic State terrorist group in Iraq and Syria and the Russia-Ukraine
conflict.

Rockefeller earlier this year introduced the Data Security and Breach
Notification Act, which would provide a federal standard for companies to
safeguard consumers' personal information throughout their system and to
quickly notify consumers if those systems are breached.

In February, Blumenthal and Markey introduced the Personal Data Protection
and Breach Accountability Act, which would help protect consumers' personal
and financial information from hackers through a multi-pronged approach
that combats the risks associated with data breaches by holding those who
fail to deter preventable data breaches accountable.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
