Friday’s headline reported that Marriott’s computer records were hacked, exposing information on 500 million of their hotel guests. The problem of compromised online data is rampant.
In the first nine months of 2018, cyber breaches exposed 3.8 billion customer records according to Risk Based Security. Only this past October, the Centers for Medicare and Medicaid’s website — HealthCare.gov — was breached, compromising 75,000 records of consumer information including sensitive personal information such as social security numbers, dates of birth, and income. Other major breaches this year include the websites of Department of Homeland Security, FedEx, Orbitz, Under Armour, along with more than a dozen major retailers.
The cybersecurity risks faced by consumers were highlighted in two recently published studies by the American Consumer Institute (ACI). Both studies ultimately highlight the need to continually improve the products and cybersecurity practices to protect customers from breaches. Yet, it is the Congress who must also work on national privacy legislation to set clear rules that safeguard consumers and give companies room to evolve on a level playing field.
The first ACI report, titled How Safe Are Popular Apps, illustrates that many popular apps are not as secure as they should be. The majority of apps currently rely on open source, generic binary code that allows application developers to share programming components. This practice helps reduce developer costs, boost innovation, and bring products to market much quicker than customized software.
While open source has strong merits, mining for known vulnerabilities makes it easier for hackers to find opportunities to steal or corrupt data across thousands of applications and millions of consumers. ACI analyzed 330 of the most popular Android apps in the U.S. and found “an average of 6 vulnerabilities per app over the entire sample.” That is astounding, considering many of these apps are used every day, everywhere around the world, for everything from finance to personal health or games.
When it comes to finance apps, positive cybersecurity efforts become even more grim. For a brief period of time, Wells Fargo and Bank of America apps had the highest frequency of critical vulnerabilities in the finance category that could potentially enable remote access to devices, denial of service attacks, or memory corruption. While Wells Fargo and Bank of America quickly updated their binary codes and patched all of the vulnerabilities found in the previous versions, there was a short period of time when consumers were at risk. Bravo to their quick actions, but many other popular applications are not being updated, exposing millions of businesses and consumers to hacking.
Another ACI report, Securing IoT Devices: How Safe Is Your Wi-Fi Router?, showcases vulnerabilities that extend into our homes and small businesses. In May of 2018, the FBI issued a warning that hundreds of thousands of home and office routers had been compromised by Russian hackers, urging owners to restart and download firmware updates from the manufacturers. Our findings show that of the 186 sampled routers, 155 (83 percent) were found to have vulnerabilities to potential cyberattacks with an average of 172 vulnerabilities per router. The study found that in total, there was a staggering number of 32,003 known vulnerabilities. Within the sample, 28 percent of the vulnerabilities were considered high-risk or critical.
These two reports confirm that vulnerabilities and cybersecurity risks exist at every level of the internet ecosystem, from the routers we use to connect to the internet to the apps on our smartphones. With consumers’ continuing to develop voracious appetites for more connectivity, these concerns will only grow. And while industries and individual companies have important roles to play in setting and adopting best practices, it is time for Congress to step up to ensure consumers are protected and secure.
Today, a hodge-podge of outdated regulations is exposing critical gaps in consumer data regulations. The European Union and states like California are crafting their own laws, leaving consumers and companies confused about their rights and responsibilities.
With midterm elections now gone, only the 116th Congress can set clear guidance with comprehensive, national legislation, and it should look for solutions that will not stifle innovation. Threats across the internet ecosystem are growing by the minute as we become more connected. Our elected officials must not postpone this growing issue any longer.
Krisztina Pusok is Director of Policy and Research, and Steve Pociask is President of the American Consumer Institute or follow us on Twitter @ConsumerPal. Published in The Hill.