Monday, April 2, 2018

Overnight Cybersecurity: Missouri AG subpoenas Facebook over data practices | Breach hits retailers Saks, Lord & Taylor | Tech scrambles to prepare for EU privacy law

The Hill Cybersecurity

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...

 

THE BIG STORIES:

--THE LATEST: MISSOURI AG SUBPOENAS FACEBOOK: Missouri's attorney general said on Monday that he's subpoenaed Facebook about its data practices following reports that a political consulting firm improperly obtained information on 50 million users. Josh Hawley, a Republican who is running for Sen. Claire McCaskill's (D) seat, announced that his office had sent the social media giant a list of 60 questions about data that it gives to political groups. "I want to know, does Facebook truly disclose to its users the kind of data that it collects?" Hawley said in a press conference. "Does it disclose how it uses this information? Does it disclose how it shares this information?" "We look forward to responding to Attorney General Hawley's questions when we receive the details of his request," Will Castleberry, Facebook's vice president for local and state policy, said in a statement. Hawley also said that he would be investigating whether there was a nexus between Google's data collection and Facebook's. He is asking Facebook for information on what data its app collects on Android phones and how it uses that data. In November, Hawley issued a subpoena to Google in an antitrust investigation, saying that federal regulators have given the search giant a "free pass." That announcement came a few months after Google was hit with a record fine from the European Union for favoring its own comparison shopping service in its search results. Hawley at the time blasted the Obama-era FTC for not taking action against Google in its own investigation of the company's search practices. Hawley was among the 37 attorneys general who sent a letter to Facebook last week demanding answers about reports that Cambridge Analytica, a company that was hired by the Trump campaign ahead of the 2016 election, obtained a trove of personal information on 50 million users without their knowledge or consent. "There is no excuse for this irresponsible handling of user data," Hawley said Monday.

To read more from our piece, click here.

 

--RUSSIAN HACKER EXTRADITED: A Russian hacker accused of breaching LinkedIn and other U.S. companies in 2012 was extradited to the United States from the Czech Republic late last week. A spokesman for the Czech Justice Ministry confirmed to Reuters that Yevgeniy Nikulin, the Russian suspect, had been extradited to face hacking charges in the U.S. The Justice Department indicted Nikulin in October 2016 for hacking LinkedIn, Dropbox and Formspring, a now-defunct social networking site, in 2012. Authorities in the Czech Republic arrested Nikulin earlier that same month, in cooperation with the FBI. Authorities have been weighing the United States' extradition request with one from Russia, which wanted him extradited on separate charges dating back to 2009. The decision comes days after House Speaker Paul Ryan (R-Wis.) said during a trip to Prague that he hoped Nikulin would eventually be extradited. Nikulin is accused of hacking computers belonging to the San Francisco-based companies and stealing user names, email addresses and passwords. He allegedly later attempted to sell the information stolen from Formspring. The breach compromised the emails and passwords of 117 million LinkedIn users.

To read more from our piece, click here.

 

--BREACH HITS MAJOR RETAILERS: Shoppers at a trio of department store chains may have had their personal information compromised after a data breach of the payment system for Hudson's Bay Company. The Associated Press first reported Sunday that hackers stole customer information from systems connected to Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor. Hudson's Bay, the Canada-based parent company that owns all three retailers, confirmed the breach on Sunday, and said it has launched an investigation into the incident. The company also said it took steps to mitigate the breach. Meanwhile, New York-based security firm Gemini Advisory had released information on the breach earlier Sunday, saying that a hacking group called JokerStash had started selling credit and debit card information linked to the breach on the dark web. The company said there is evidence the data breach began about a year ago and that the hacking group responsible has previously targeted major hotel and restaurant chains. It is unclear how many customers were impacted by the breach, though hackers claimed last week to have 5 million stolen cards to put up for sale, according to the cybersecurity firm. The latest disclosure comes days after Under Armour revealed that a breach of its MyFitnessPal app impacted information on as many as 150 million users. Hackers accessed usernames, email addresses, and hashed passwords but did not make away with any information on payment cards, which is collected and processed separately, the company said.

To read more of our breach coverage, click here and here.

 

A LEGISLATIVE UPDATE: 

ELECTION SECURITY FUNDS: The Trump administration has given states $380 million to upgrade and secure their voting technology.

The funding was included in the massive appropriations bill approved by Congress and signed by President Trump last week. It represents an effort by lawmakers in Washington to protect upcoming elections from cyber threats, following Russian interference in the 2016 presidential election.

The U.S. Election Assistance Commission (EAC) has specified the exact amount allocated to each state, according to a list posted late this week. California will receive the largest award -- roughly $35 million -- followed by Texas with $23 million and New York with $19 million.

States can use the funds to make technology and election security improvements in order to secure their voting infrastructure.

For example, Vermont Secretary of State Jim Condos (D) recently told The Hill that his state may invest in additional penetration testing and implement two-factor authentication for town clerks who access portions of the voter registration database. The state of Vermont will receive $3 million of the election security funds, according to the EAC.

"We will look at how we can ramp up even more security," Condos said. "We'll look at maybe beefing up our firewalls."

Experts and lawmakers have stepped up calls for states to secure their digital voting systems after the Department of Homeland Security revealed that Russian hackers targeted election infrastructure in 21 states as part of a broader effort to interfere in the 2016 presidential election. 

Most of the efforts were not successful, officials have said, though Illinois has disclosed that its voter registration database was breached. Officials also maintain there is no evidence any vote tallies were changed.

But the developments have nevertheless raised awareness about security surrounding voter registration databases and even voting machines themselves. Experts have increasingly called for states to do away with outdated paperless voting machines and replace them with systems that produce voter-verified paper backups that can be audited in the event a result is called into question.

To read more from our piece, click here.

 

A REPORT IN FOCUS:

Researchers for risk intelligence firm Flashpoint say hackers are increasingly targeting e-commerce websites that run on the widely used open-source Magento platform in order to steal credit card numbers as well as distribute malware to illegally mine cryptocurrency.

Cybercriminals are using "brute-force password attacks" to breach administration systems on the websites, which then gives the hackers uninhibited access to the site, including webpages that process payment information, according to a report released Monday.

Hackers appear increasingly interested in targeting the Magento platform since 2016 as well as "other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart," the report found, noting that it has uncovered at least 1,000 compromised Magento admin panels.

"The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection," according to the report.

Some attackers succeeded in getting access to such information because admins did not change their credentials after installing the platform, allowing cybercriminals to launch "automated scripts loaded with known credentials to facilitate access of the panels."

The Flashpoint analysts said the malware is first delivered through the installation of AZORult, a trojan hosted on GitHub, which then steals sensitive information from its victims.

From there, the infection chain kicks off and AZORult continues to download even more malware into the system like cryptocurrency mining software.

The researchers offer a range of recommendations to combat such attacks, including making an organization's password requirements for accounts complex, preventing users from reusing old passwords, and employing two-factor authentication for sensitive systems.

 

A LIGHTER CLICK: Happy late Easter -- look out for phishing scams! (US-CERT)

 

WHAT'S IN THE SPOTLIGHT: 

GDPR: Facebook and other internet companies are racing to prepare for a sweeping new European Union (EU) privacy law that aims to give consumers greater control over the use of their data.

The law comes at a critical time for the industry, which is already facing tough questions over its data practices.

The General Data Protection Regulation (GDPR), which goes into effect across the EU on May 25, will drastically change what internet companies can do with customers' data.

Users will have greater control, including the ability to learn what information companies have on them. The GDPR will also codify what's known as "the right to be forgotten," meaning consumers will be able to order web services to delete their data or stop distributing it to third parties. The rules will also require companies to give users the ability to easily revoke consent for handing over personal information.

"I think it's going to have a fundamental seismic shift in the whole industry because it grants people rights over their data that they don't currently have," said David Carroll, an associate professor at the Parsons School of Design who studies digital media and data practices.

"It really empowers consumers to get a better deal; we've never really had a say in the deal," Carroll added.

Companies must also be upfront about what they are doing with users' personal information. Regulators say that web services will no longer be able to cloak the terms of their data practices in legalese.

"One of the main tenets of GDPR is to make sure that there is trust and to make it clear what the data is being used for," said Greg Sparrow, vice president and general manager of CompliancePoint.

The impending deadline has companies scrambling to bring themselves in line with the new law. Violations under the new rules would be met with hefty fines of $24.6 million or 4 percent of a company's global revenue -- whichever is larger.

Hovering over those efforts is the data scandal that saw a political consulting firm with ties to President Trump's 2016 campaign improperly obtain the personal information of 50 million Facebook users.

Věra Jourová, the EU's consumer protection chief, thinks the Cambridge Analytica incident underscores why privacy regulations like the GDPR are crucial.

"In my view this is not only about data protection [from] breaches, this is about a threat to democracy and individual freedoms," Jourová said in an interview with Bloomberg earlier this month.

"I can say that in Europe we are ready for these cases," she added.

A Facebook spokesperson told The Hill in a statement that the company is making sure its services comply with the new laws and will announce new updates before the deadline.

To read the rest of our piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Accused leaker Reality Winner wants to subpoena Homeland Security, states. (The Hill)

DOJ asks Supreme Court to dismiss case against Microsoft. (The Hill)

Agencies have one-year deadline to identify cyber workforce shortages. (The Hill)

Trump renews attack on Justice Department. (The Hill)

Lawmakers press Linux on security of open-source software. (The Hill)

Atlanta is still reeling after SamSam ransomware attack struck last week. (Gizmodo)

Hackers used spearphishing to harvest login credentials on a GSA website. (FedScoop)

The Department of Defense launches its fifth bug bounty program. (HackerOne)

Malaysia has outlawed so-called 'fake news.' (Reuters)

Apple is going to use its own chips in Macs as soon as 2020. (Bloomberg)

If you'd like to receive our newsletter in your inbox, please sign up here.

The Hill 1625 K Street, NW 9th Floor, Washington DC 20006
©2016 Capitol Hill Publishing Corp., a subsidiary of News Communications, Inc.