Protect Your Data From the Wrong Hands

Scams

January 14, 2024

In our interconnected world, data is constantly generated and flows through various digital channels, including websites, apps, devices, services, and organizations. To use all the features offered by devices, apps, and software, users may be required to share data, or to share more than what is relevant and necessary, leaving them straddling the fence between convenience and privacy. The increase in online activity and technological advances puts personally identifiable information (PII) and sensitive information at risk of being accessed, used, collected, shared, and stolen. The more data available online, the more potential for fraud and other malicious activities. As Data Privacy Week wraps up, organizations and users can take actionable steps to keep data safe year-round and help prevent data from getting into the wrong hands.

Users may freely share personal data with the false hope or intention that it will remain private, even though they may have agreed to the fine print in the Privacy Policy without scrutiny. Financial institutions, retailers, and other entities sell data to other companies or data brokers that buy and resell data. The Federal Trade Commission (FTC) continues to target data brokers and ban them from selling users’ precise location data. Most recently, InMarket used and collected data from apps to create advertising profiles and deliver targeted ads. Third-party apps may not be aware that location data is merged with data from other sources to develop the profiles. Additionally, the FTC is investigating a complaint against Google for failing to uphold the promise to promptly delete location data about users’ visits to sensitive locations, such as abortion clinics, domestic abuse shelters, and addiction treatment centers. The complaint urges Google to delete the “wrongfully retained” location data and cease the “unlawful” collection, disclosure, and retention of personal data.

Furthermore, the FTC ordered several mental health platforms to pay fines to consumers for sharing their mental health data for advertising purposes with other companies, such as Facebook (Meta), Snapchat, Google, TikTok, and others. These examples highlight that data brokers or other companies that buy and sell data generate datasets (or profiles) and, subsequently, create consumer risks. If one dataset, or a combination of datasets, from one company is combined with datasets from other companies, then the data is at risk of being shared or exposed and can be used for fraud.

Researchers discovered a massive leak of over 26 billion user data records, dubbed the “Mother of all Breaches,” from numerous new and previous breaches of platforms, such as Tencent, Weibo, Twitter, LinkedIn, and others. Threat actors could leverage the leaked user data and the high likelihood of password reuse across accounts to conduct credential-stuffing attacks, sophisticated social engineering schemes, spearphishing attacks, unauthorized access, and identity theft and fraud.

Given the lack of comprehensive federal data privacy laws for data collection, states must act to help protect consumers’ sensitive information, including against the sale of consumers’ data without any disclosure or permission. Recent NJ legislation requires certain entities doing business in New Jersey to notify consumers when their personal data is collected and disclosed to third parties. The law requires posting opt-out links clearly and conspicuously on their websites, informing users what kind of data is held by website operators so they may request to have information corrected or deleted, and collecting only data that is relevant and necessary to business operations. The new law will become effective in one year and apply to data collected after its enactment. No enforcement actions can be taken for 18 months, and organizations will be given 30 days to resolve alleged violations before enforcement actions begin. Similar legislation has passed in other states.

Recommendation

The NJCCIC advises users and organizations to remain vigilant and adopt cybersecurity best practices. Regularly review privacy settings for accounts and devices, maintain awareness of what apps you have installed and only grant appropriate permissions, be cautious with sharing personal information, and reduce your digital footprint. Additionally, organizations are advised to develop and enforce robust data protection policies, conduct cybersecurity training for employees, and provide transparency about data collection practices. The FTC provides additional resources to implement a sound data security plan in its product, Protecting Personal Information: A Guide for Business.

Users whose accounts have been compromised are advised to immediately change their password, as well as the password for any other account where it is reused. Users are encouraged to enable any form of multi-factor authentication (MFA) offered, choosing a more secure method (authentication app, biometric, or hardware token) where available. Additionally, employ tools such as haveibeenpwned.com to determine if your PII has been exposed via a public data breach. Users who suspect their PII has been compromised should review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources. If victimized, report the activity to the respective platform or entity, the FTC, the FBI Internet Crime Complaint Center (IC3), and the NJCCIC.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.