Categories
Law Tech

Cable competition comes to my block

On a recent visit to a Spectrum cable TV store in Manhattan, I  experienced an emotion that one does not tend to connect with cable TV and internet service: delight.

The price of my service dropped by $10 a month. Besides alerting me to that happy news, the representative sent me home with the latest modem, which she told me can handle the faster internet speeds that Spectrum now delivers in my neighborhood. And she displayed a willingness to accommodate me whether I decided to change (or even abandon) service.

The experience left me feeling as if I had received an unexpected gift. (To be sure, a gift that costs the recipient about $120 a month. A few days later, the reason for the friendliness revealed itself.

It seems the owner of the apartment complex where I live, as part of a push to offer amenities that might lure prospective tenants, had invited Verizon to offer a competing internet service. Contractors for the company scurry throughout the buildings installing equipment that will carry strands of fiber optic cable to each of our apartments.

The left side of the staircase that serves my unit now holds risers for Verizon. The right side houses coaxial cable that belongs to Spectrum. The services parallel each other en route to every unit.

While Verizon is installing the connections, a representative for Spectrum, dressed in a blue polo shirt, is making the rounds, leaving his card at the doors of apartments that have yet to sign up. “Great offer, call me,” the rep jotted on a business card left on a neighbor’s door.

As both the anecdote and economics suggest, when competition arrives, consumers come out winners.

Such competition is a rarity. Just over a third (36%) of urban census blocks in the U.S. had two or more broadband providers at the end of 2015, according to data compiled by the Federal Communications. (The percentage fell to six percent in rural areas.)

As Jonathan Sallet, a former general counsel of the FCC who represented the agency in court battles over broadband policy has observed:

“[W]hen the FCC looked at the use of municipal broadband… it set out evidence showing that the presence of an additional broadband provider pushes down the prices and increases the quality of both new and incumbent providers.

In other words, such competition is ‘win-win.’ It benefits those consumers who switch and even those that do not but who gain from faster download speeds resulting from the incumbent’s response to competitive pressures.”

Sallet notes that in one city, the incumbent cable company reduced its prices when facing the prospect of a new broadband competitor and increased the top speed of its broadband service to 105 megabytes per second (mbps) from 8 mbps.

Though Verizon has yet to connect its service, the prospect of its arrival has spurred Spectrum to lower prices and up its game.

Categories
Tech

Transparency cannot replace net neutrality

Earlier this month, the chief financial officer of Verizon, one of the nation’s largest internet service providers, discussed the build-out of the company’s broadband fiber network to homes.

The network, which goes by the name FiOS, “continues to be a very good product,” Matt Ellis, the CFO, told investors at a conference sponsored by UBS. According to Ellis, consumers who opt out of cable but who subscribe to so-called over-the-top services such as Netflix “want the best broadband experience you can get, and FiOS is the best broadband experience in the marketplace.”

Therein lies the problem with the action led by FCC Chairman Ajit Pai to repeal so-called net neutrality rules, which prevent ISPs from blocking, slowing or impeding content from providers they don’t own. The rules, to borrow Ellis’ phrase, help to assure the best broadband experience you can get regardless who owns the content you consume.

As the Republican majority at the FCC sees it, net neutrality constitutes “heavy-handed, utility-style regulation” that depresses investment and innovation.

Rather than order ISPs to keep their networks open – which, by the way, is the whole point of the internet’s decentralized design – the FCC will require ISPs “to disclose information about their practices to consumers, entrepreneurs, and the Commission, including any blocking, throttling, paid prioritization, or affiliated prioritization.”

According to Pai, the market – backed by laws governing competition and consumer protection – will achieve the ends of net neutrality without the need for rules to achieve it.

The evidence suggests otherwise. Most of us connect to the internet through our ISP. And for most of us, the market for ISPs tends to be a monopoly. In the neighborhood where I live, you can choose Spectrum as your ISP. That’s the choice.

Last February, New York’s attorney general accused Spectrum of misleading consumers with promises of speeds for wired internet that, as it happened, were as much as 70 percent slower than promised. The company allegedly charged customers as much as $109.99 per month for premium plans that could not achieve speeds promised by Spectrum in its slower plans.

Consumers knew they were being ripped off. (You can test the speed of your connection.) But acting alone, there was little they could do to compel Spectrum to honor its promise.

Though a class action may force the company to reimburse consumers for the wrong, a rule that required Spectrum to serve customers at speeds the company promised would have allowed them to receive the service they paid for.

In short, all the transparency in the world won’t help if you’re served by a monopoly.

The internet is the infrastructure of our modern age and, for that matter, the medium of our democracy. It resembles the electric grid more than it does the entertainment, sports and social networks that stream across it.

As most consumers know, ISPs can (and do) charge as much for connections as the market will bear. Net neutrality asks in return that they not privilege one stream of content over another.

Categories
Law Tech

DOJ endorses net neutrality

The Trump administration is leading a double life when it comes to competition in the market for content that arrives via the internet.

The Department of Justice on Monday sued AT&T and Time Warner to block a proposed merger between the two that the government charges would lessen competition in violation of federal law.

The lawsuit upends a transaction that the companies announced a year ago, when AT&T agreed to pay about $85 billion for Time Warner, which owns CNN, HBO, Turner Sports and other networks.

Jekyll and Hyde?

DOJ contends that the deal, which is riding on regulatory approval, would set back competition and lead to higher prices for consumers.

A day later, the Federal Communications Commission voted to roll back rules that prevent cable companies and other internet service providers from blocking or slowing websites or social networks that do not pay for priority.

“We have one government, but two separate agencies with opposing views,”  Spencer Kurn, an analyst at New Street Research, told the Times. “You’ve got one agency saying that marrying content and distribution results in too much market power, and another agency saying there’s no problem with a distributor favoring their content over someone else’s.”

Net neutrality, as the rules are known, prevents ISPs from prioritizing content from companies they own. The FCC chairman opposes the rules, saying they slow development of broadband networks by lessening the incentive of the companies that own them to add connections.

But the arguments advanced by DOJ in court seem to validate the concerns that net neutrality reflects. A combination of AT&T and Time Warner (the owner of CNN and HBO, among other networks) would give the combined company the ability to throttle programs that someone else owns, leading to higher prices for consumers, DOJ charges.

“After the merger, the merged company would have the power to make its video distributor rivals less competitive by raising their costs, resulting in even higher monthly bills for American families,” the government told the court.

That sounds like a defense of net neutrality.

The rollback at the FCC is a win for AT&T, which is vowing to fight the move by DOJ to block the company’s deal for Time Warner.

Categories
Life Privacy Tech

Facebook loses appeal over search warrants

Facebook cannot challenge the constitutionality of a search warrant on its users’ behalf prior to the government’s executing the warrant, an appeals court in New York has ruled in a decision that delineates a boundary for Internet privacy.

The ruling follows a lawsuit by Facebook to void 381 search warrants the company received two years ago from the Manhattan district attorney’s office, which obtained then in connection with an investigation into Social Security disability claims by a group of retired firefighters and police officers whom the DA suspected of feigning illness they attributed to the aftermath of the 9/11 attacks.

Upon receiving the warrants, which sought information derived from the users’ accounts, Facebook asked the DA to withdraw the warrants or to strike a provision that directed the company to refrain from disclosing their existence to users whose postings were to be searched. The DA’s office asserted the confidentiality requirement was needed to prevent the suspects being investigated from destroying evidence or fleeing the jurisdiction if they knew they were being investigated.

After the DA declined to withdraw the warrants, Facebook sued to either quash them or compel the DA remove the non-disclosure provision. The trial court sided with the DA and Facebook appealed.

The appeals court affirmed that the legality of the searches could be determined only after the searches themselves were conducted. “There is no constitutional or statutory right to challenge an alleged defective warrant before it is executed,” Judge Dianne Renwick wrote for a unanimous panel of the court’s appellate division in a ruling released July 21. “We see no basis for providing Facebook a greater right than its customers are afforded.”

The constitutional requirement that a warrant can issue only upon a showing of probable cause as determined by a judicial officer helps to ensure the government does not exceed its authority when requesting a search warrant and eliminates the need for a suspect to make a motion to void the warrant before it can be served, the court noted. “Indeed… the sole remedy for challenging the legality of a warrant is by a pretrial suppression motion which, if successful, will grant that relief,” Renwick explained.

According to Facebook, which was joined in the appeal by Google, Twitter, Microsoft and other tech industry firms, the federal Stored Communications Act also gave the company the right to challenge the warrants. But that law, which protects the privacy of email and other communications stored on servers belonging to ISPs, authorizes ISPs to challenge subpoenas and court orders but not warrants obtained from a judicial officer based on a showing of probable cause, the court noted.

Despite its ruling, the court agreed with Facebook that the DA’s serving 381 warrants swept broadly and suggested the users themselves may have grounds for suppression. “Facebook users share more intimate personal information through their Facebook accounts than may be revealed through rummaging about one’s home,” wrote Renwick. “These bulk warrants demanded ‘all’ communications in 24 broad categories from the 381 targeted accounts. Yet, of the 381 targeted Facebook users accounts only 62 were actually charged with any crime.”

Through civil liberties groups hoped the appeal might bolster protections for Internet privacy, experts said the ruling makes sense as a matter of law. As Orin Kerr, a professor of criminal procedure at George Washington University Law School who has written extensively about privacy and the Internet, wrote in The Washington Post:

“Think about how this plays out in an old-fashioned home search. If the cops show up at your door with a warrant to search your house, you have to let them search. You can’t stop them if you have legal concerns about the warrant. And if a target who is handed a warrant can’t bring a pre-enforcement challenge, then why should Facebook have greater rights to bring such a challenge on behalf of the targets, at least absent legislation giving them that right?”

Still, “that doesn’t mean the warrants were valid,” added Kerr, who imagined that the defendants themselves seem likely to challenge the sweep of the material seized from their Facebook accounts if they haven’t already.

For its part, Facebook disagreed with the ruling but said the company had not decided whether to appeal. “We continue to believe that overly broad search warrants—granting the government the ability to keep hundreds of people’s account information indefinitely—are unconstitutional and raise important concerns about the privacy of people’s online information,” Jay Nancarrow, a spokesman for the company, told the Times.

The DA’s office noted that the investigation led to the indictment of 134 people and alleged hundreds of millions of dollars in fraud. “In many cases, evidence on [the suspects’] Facebook accounts directly contradicted the lies the defendants told to the Social Security Administration,” Joan Vollero, a spokeswoman for the district attorney’s office, said in a statement.

 

Categories
Law Privacy

FCC to address Internet privacy

The chairman of the Federal Communications Commission announced in June that the agency plans this fall to address privacy in the context of consumers’ use of the Internet.

The spur for putting privacy on the agenda is the decision last winter by the FCC to enshrine the principle of an Internet open to all providers of content—a concept better known as net neutrality—within the agency’s authority to regulate common carriers pursuant to Title II of the Communications Act.

The decision included a determination that providers of broadband Internet service, including broadband delivered via mobile devices, will be subject to a section of the law that governs so-called customer proprietary network information (CPNI), which includes such things as the frequency, duration and timing of calls. In short, information that telecommunications companies know from providing service to customers.

Except for billing, emergencies and other exceptions provided by law, carriers cannot use CPNI without the approval of customers. But until the FCC’s net-neutrality ruling, the rules that govern use of CPNI applied only to services such as Voice over Internet Protocol—think Skype—that tie to the telephone network.

That seems likely to change. As the FCC noted in its net-neutrality ruling, the rules that govern use of CPNI by telephone companies would not be “well suited” to broadband Internet service. The reason: In recent years the FCC has revised the rules that govern CPNI after initially classifying broadband Internet service as a so-called information service, which exempted Internet service providers (ISPs) from common carrier status and later led a federal appeals court to order the FCC to revise its approach.

In addition, “the existing CPNI rules do not address many of the types of sensitive information to which a provider of broadband Internet services is likely to have access, such as (to cite just one example) customers’ web browsing history,” the FCC explained.

Until it can adopt rules that address the use of CPNI by broadband Internet providers specifically, the FCC says it “intends to focus on whether providers are taking reasonable, good-faith steps to comply” with restrictions on the use of CPNI set forth in the Communications Act. Note that CPNI does not include customers’ names, addresses and other personal information, the handling of which is governed by laws such as the Cable Television Privacy Act and the privacy notices that cable and phone companies deliver to subscribers.

So what protections for privacy should apply to broadband networks? In July, nine Democratic senators, including Elizabeth Warren and White House hopeful Bernie Sanders, wrote to FCC Chairman Tom Wheeler with some suggestions. The proposals include ensuring the definition of CPNI includes data pertaining to Internet usage, online activity and payments; directing ISPs to collect data transparently; requiring ISPs to obtain consumers’ express consent before sharing information; ordering ISPs to safeguard customers’ information and to notify customers in the event of a data breach; and giving consumers a clear process for resolving complaints.

“We call on the Commission to adopt a comprehensive definition of CPNI as it pertains to broadband,” the senators wrote. “Every click consumers make online paints a detailed picture of their personal and professional lives.”

Categories
News Privacy

Sorting out the cyberattacks

This post has been updated as of Nov. 11.

The cyberattack announced in June on a system that stores information about millions of current and former federal workers and contractors highlights yet again the vulnerabilities of the computer networks that connect us.

The breaches resulted in raids on files containing names, Social Security numbers, fingerprints and other personal information for nearly 26 million people, according to the Office of Personnel Management (OPM), the agency that was hacked. Investigators say the attack came from China, which has denied responsibility.

The attack on OPM spurred me to sift through a series of cyberattacks on the government, companies and others since 2013. The list, which appears below, is almost certainly incomplete. It also doesn’t include breaches of unsecured protected health information that by law are reported to the U.S. Department of Health and Human Services, which has logged 34 such intrusions this summer alone.

Though the attacks summarized below have been reported widely, the roster suggests the sweep and frequency of intrusions, which are likely to increase according to a survey fielded last fall by the Pew Research Center. I will update this post periodically. Please tweet additions, corrections or comments to @bbrowdie.

2015 (attacks listed in reverse chronological order by date of disclosure)

Scottrade (Oct.)—Between late 2013 and early 2014, thieves stole the names and street addresses of roughly 4.6 million clients, according to the retail brokerage firm, which said it had no evidence that trading platforms or clients funds were compromised.

E-Trade (Oct.)—The financial firm notified 31,000 customers that hackers may have accessed their names, email addresses, and street addresses. The intrusion reportedly occurred in 2013, but at the time the company did not think that customer information had been compromised.

Dow Jones (Oct.)—The publisher of The Wall Street Journal said in a statement that intruders who gained access to its systems may have swiped payment card and contact information for roughly 3,500 customers.

Experian (Oct.)—Hackers stole personal information for roughly 15 million Americans, the consumer data company said in a statement. The data included names, dates of birth and Social Security numbers for people who applied for service with T-Mobile over a period of two years starting in September 2013. In a statement, T-Mobile CEO John Legere said he is “incredibly angry about this data breach” and pledged to “institute a thorough review” of the company’s relationship with Experian.

CVS (Sept.)—The pharmacy chain, which in July revealed a possible breach of its online photo service, confirmed that personal information may have been swiped by hackers. The data included names, credit card numbers, phone numbers, email addresses, usernames and passwords. The company declined to say how many customers were affected.

Business Wire/PR Newswire Association (Aug.)—Federal officials charged a group of hackers and inside traders with stealing nonpublic information from servers belonging to two of the largest services that companies use to distribute news releases and using the information to profit illegally over a period of roughly five years.

Carphone Warehouse (Aug.)—The UK-based mobile phone retailer said that a “sophisticated cyberattack” resulted in the theft of names, addresses, dates of birth and bank details for as many as 2.4 million customers. The intrusion also may have resulted in the theft of encrypted payment card information for as many as 90,000 customers, the company said.

Sabre/American Airlines (Aug.)—Sabre, a company processes reservations for hundreds of airlines and thousands of hotels, “recently learned of a cybersecurity incident” but could not say what data was stolen or who might be responsible, Bloomberg reported. American Airlines reportedly was investigating whether the intruders moved to its computers from Sabre’s systrems.

U.S. Dept. of Defense (Aug.)—A unclassified system that supports email for about 4,000 military and civilian personnel who work for the Joint Chiefs of Staff returned to operation roughly two weeks after an intrusion by hackers thought to be from Russia. Officials said that no classified information was swiped or compromised during the attack.

United Airlines (July)—Hackers based in China allegedly stole manifests in May or early June that detail passengers and their travel origins and destinations, Bloomberg reported. Investigators reportedly have linked the hackers to the group that stole information from both Anthem Inc. and the Office of Personnel Management. The intrusion reportedly occurred in May or early June.

Fiat Chrysler (July)—The automaker updated software that tethers its vehicles to a series of information and navigation services after two security researchers demonstrated they could take control of a Jeep Cherokee remotely and force it into a ditch.

Ashley Madison (July)— The online service that offers casual sexual encounters for married people said that hackers obtained information about some of its 37 million users, as well as financial information and other data that belongs to Avid Life Media, Ashley Madison’s company. The hackers, who go by the name “Impact Team,” threatened to release all of the company’s information, including nude photos and members’ private postings, if management did not take Ashley Madison’s sites offline. A month later Impact Team made good on that threat. On Aug. 18, the group released postal and email addresses, descriptions of users (including height and weight), encrypted passwords, partial payment card numbers and details of transactions. Two days later, the hackers leaked a trove of data twice as large that appeared to include additional files from the company.

Hershey Resorts (July)—The theme park operator is investigating a series of fraudulent charges that appeared in payment card accounts of customers who visited its attractions in Pennsylvania between mid-March and late May.

Hacking Team (July)—Emails and records that hackers stole from the Italian maker of software that itself allows governments to hack into computers showed that the company counts Russia, Saudi Arabia, and other nations with questionable human-rights records as clients.

Trump Hotel Collection (July)—The chain of 12 luxury hotels owned by Donald Trump said in a statement it was investigating “suspicious credit card activity” stemming from a breach that may date to February.

Houston Astros (June)—Federal law enforcement officials reportedly are investigating whether the St. Louis Cardinals stole scouting reports and information about players and prospects from a database belonging to the Astros. If true, the intrusion represents the first known example of a professional sports team breaking into the network of another team.

LastPass (June)—The service, which lets customers store their passwords online and access them with master log ins, disclosed that an intruder or intruders swiped email addresses, password reminders, authentication codes and more. The breach did not include customer accounts, LastPass said.

Negotiations with Iran (June)—An unnamed state—thought to be Israel—used malware to spy on negotiations between Iran and a group of nations that aim to prevent Iran from obtaining a nuclear weapon. According to Kaspersky Lab, whoever sought the information unleashed the malware, known as Duqu 2.0, on computers at hotels where the negotiations took place.

U.S. Army (June)—The U.S. Army’s website went offline following what appears to have been a distributed denial of service attack. The Syrian Electronic Army, a group of hackers who back President Bashar al-Assad, claimed credit.

Eataly (June)—The marketplace in Manhattan for foods from Italy warned that “unauthorized individuals” set up malware designed to harvest information from credit and debit cards in the company’s payment-processing system. The intruders may have obtained names and account numbers, as well as expiration dates and security codes for cards that customers swiped at Eataly in the first three months of this year.

Office of Personnel Management (June)—The attacks, which OPM discovered in April, resulted in the theft of personal information belonging to 4.2 million current and former federal workers, as well as another 21.5 million applicants for security clearances and their spouses or partners. In a letter dated June 11, the president of the American Federation of Government Employees—the largest federal employees’ union—charged that hackers stole information for every federal worker and retiree, and that the Social Security numbers the hackers obtained were unencrypted. The union has filed a class action lawsuit that charges OPM’s director and chief information officer with negligence in failing to protect information entrusted to them. On Sept. 23, OPM increased its count of the number of people whose fingerprints were stolen to roughly 5.6 million, from approximately 1.1 million previously. Though OPM termed the potential for misusing the fingerprint data “limited,” the agency noted “this probably could change over time as technology evolves.”

CareFirst BlueCross BlueShield (May)—Hackers suspected of operating from China obtained access to names, email addresses and dates of birth for roughly 1.1 million customers of this health insurer based in Maryland and D.C.

Tesla (April)—Hackers took over the automaker’s Twitter feed and defaced the company’s website.

Mandarin Oriental Hotel Group (March)—The upscale lodging chain said that intruders used malware to swipe payment-card information from some of the company’s hotels in the U.S. and Europe.

Anthem Blue Cross (Feb.)—Hackers said to be operating from China allegedly obtained names, dates of birth, Social Security numbers, and information about bank accounts and medical conditions for as many as 78 million people insured by this Indianapolis-based company, which does business in 14 states.

Internal Revenue Service (May)—Hackers thought to be operating from Russia stole tax forms containing Social Security numbers, dates of birth, home addresses and other information for as many as 334,000 people.

Sally Beauty Supply (May)—The Denton, Texas-based retailer of beauty supplies said that intruders had breached its payment system, though the company did not speculate on the scope of the breach. The cyberattack constituted the second on Sally Beauty in as many years.

US HealthWorks (April)—Hackers allegedly pilfered personal and health-related data for an unknown number of members of this California-based insurer. The thieves reportedly breached US HealthWorks’ systems via a laptop stolen from a vehicle belonging to one of the company’s employees.

Premera Blue Cross (March)—Hackers thought to be operating from China allegedly stole names, dates of birth, email addresses, Social Security numbers, information about bank accounts and more from as many as 11 million members of this health insurer based in Washington state.

Banks in Russia, Japan, Europe and the U.S. (Feb.)—A band of thieves that reportedly included Russians, Chinese and European hackers orchestrated an attack on more than 100 banks worldwide, making off with as much as $900 million.

Park ‘N Fly (Jan.)—The Atlanta-based airport parking service confirmed that intruders stole numbers, names and addresses, expiration dates and verification codes for credit cards stored in its reservations website. The company did not say how many cards might have been affected.

2014

Korea Hydro and Nuclear Power Co. Ltd. (Dec.)—A cyberattack reportedly erased some data at the state-owned company that runs the country’s 23 atomic reactors. South Korea later blamed North Korea for the intrusion.

Chik-fil-A (Dec.)—The fast-food chain said it was investigating reports of unauthorized activity concerning credit and debit cards used at some of its restaurants. Chik-fil-A later said the investigation revealed “no evidence” of its systems being hacked or payment cards stolen.

Bebe (Dec.)—The women’s clothing chain disclosed that hackers obtained names, account numbers, expiration dates and verification codes for payment cards swiped between Nov. 8 and Nov. 26 at its stores in the U.S., Puerto Rico, and the U.S. Virgin Islands.

Sony Pictures Entertainment (Nov.)—Cyber intruders obtained names, home addresses, and Social Security numbers, as well as information about bank accounts, payment cards, compensation and more for as many as 47,000 employees. According to the U.S. government, the hackers operated from North Korea, although some experts have doubted the charge. The thieves also swiped more than 173,000 emails and nearly 31,000 documents from the studio.

JPMorgan Chase (Oct.)—Hackers obtained names, home and email addresses, phone numbers and internal bank information about 83 million customers, including 76 million households.

Apple (Oct.)—Cyberattackers reportedly sought to intercept user IDs, passwords and other information from the company’s iCloud service in China. The Chinese government denied responsibility for the attack.

Staples (Oct.)—The office-supply chain confirmed it was investigating a potential theft of payment-card data. Two months later, Staples said that hackers swiped information for roughly 1.16 million credit and debit cards after installing malware at 115 of the company’s 1,400 stores in the U.S.

NATO, the Ukraine, Poland and the European Union (Oct.)—Hackers working on behalf of the Russian government allegedly used a flaw in Windows to swipe documents and other files from government and university offices, as well as energy and telecommunications companies.

Kmart (Oct.)—The retailer disclosed that someone had installed malware on payment systems at its stores but that no email addresses, PINs or Social Security numbers were swiped. Still, the information that thieves grabbed may have allowed them to counterfeit stolen cards.

Home Depot (Sept.)—Cyber thieves allegedly used an account belonging to a refrigeration contractor in Pennsylvania to steal 56 million credit and debit cards, as well as 53 million email addresses.

Jimmy John’s (Sept.)—An intruder or intruders used log-in credentials to pilfer numbers for credit and debit cards swiped at 216 of the sandwich chain’s more than 1,900 stores, along with cardholders’ names, verification codes and expiration dates.

Viator (Sept.)—The tour-booking unit of TripAdvisor notified customers that an intruder or intruders may have made off with payment information for as many as 880,000 customers, along with email addresses and encrypted passwords for another 560,000.

AB Acquisition (Aug.)—The parent of the Albertsons, ACME, Jewel-Osco, Shaw’s and Star Markets chains warned customers of a breach that may have resulted in the theft of credit and debit card information from some of its stores. About six weeks later, the company disclosed a second breach in which thieves used “different malware” than that used in the incident announced in August.

Community Health Systems (Aug.)—Hackers allegedly operating from China stole names, addresses, Social Security numbers, birth dates and telephone numbers belonging to 4.5 million patients of the chain, which operates 199 hospitals in 29 states. The attackers did not swipe payment data or clinical information, the company said.

AT&T (June)—The company said that three employees of one of its vendors accessed records—including Social Security numbers and information about calls—for some customers.

State of Montana Dept. of Public Health and Human Services (June)—Someone who broke into the state’s systems allegedly made off with addresses, birth dates, Social Security numbers and medical records for as many as 1.3 million people.

Domino’s Pizza (June)—The company disclosed that hackers swiped customers’ names, email addresses and even favorite pizza toppings for roughly 650,000 customers in France and Belgium.

P.F. Chang’s China Bistro (June)—Cyber thieves allegedly stole more than 7 million credit and debit cards, including numbers, cardholders’ names and expiration dates, from 33 of the chain’s restaurants.

Feedly (June)—Websites for this service, which delivers RSS feeds to roughly 15 million users, went down as the result of a distributed denial of service attack.

EBay (May)—Intruders allegedly stole customers’ names, encrypted passwords, email and home addresses, phone records and dates of birth for as many as 233 million users of the auction site. Three months earlier, the Syrian Electronic Army defaced websites belonging to both eBay and its PayPal subsidiary.

Sally Beauty Supply (March)—The beauty supply chain said that hackers accessed its network and stole information for roughly 25,000 credit and debit cards.

University of Maryland (Feb.)—An attacker or attackers infiltrated a database that contained names, Social Security numbers, dates of birth and university IDs for roughly 288,000 students, faculty and staff. The hack reflected the work of someone or some group of people who knew the university’s systems well, the university’s chief information officer told The Washington Post.

Neiman Marcus Group (Jan.)—Hackers used malware to steal roughly 1.1 million credit and debit cards from the Dallas-based retailer.

Michaels Stores (Jan.)—The retailer reported that it was looking into a potential security breach. Three months later the company said that thieves broke into its payment system and made off with credit and debit card information for 3 million customers.

Snapchat (Jan.)—Hackers said they published phone numbers and handles for roughly 4.6 million users of the video-message service that the hackers swiped in a New Year’s Eve raid.

2013

Target (Dec.)—Cyber thieves suspected of operating from Russia stole credit and debit card information for roughly 40 million customers along with names, mailing addresses, phone numbers or email addresses for as many as 70 million people.

Adobe Systems (Oct.)—A cyberattack on the software maker exposed names, IDs, passwords, and payment card information for nearly 3 million customers.

Experian (Oct.)—A subsidiary of the credit bureau sold personal and financial information about millions of Americans to a Vietnamese man who later pleaded guilty to running an identity theft service. The company said its credit files were not breached.

South Korean banks (March)—A cyberattack, alleged to have originated in North Korea, suspended online banking and paralyzed systems at Shinhan Bank, Nonghyup Bank and Cheju Bank.

LivingSocial (March)—The online marketplace asked customers to change their passwords after a cyberattack on the company’s systems exposed names, email addresses, passwords and dates of birth for more than 50 million people worldwide.

Evernote (March)—The note-taking service directed 50 million users to reset their passwords after hackers gained access to user IDs, email addresses and passwords tied to accounts.

U.S. financial institutions (March)—Distributed denial of service attacks slowed websites at a series of banks. A hacktivist group that called itself the al-Qassam Cyber Fighters claimed responsibility for some of the slowdowns.

Categories
News

South Africa with (and without) the Internet

Sunset in South Africa's Midlands
Sunset in South Africa’s Midlands

At around 4:00 p.m. on Sunday the power went out here in the part of South Africa’s Kwa-Zulu Natal province that we live, one in a series of rolling blackouts by the republic’s main utility, which struggles to meet demand.

The weather outside was 75 degrees with a light breeze that carried a trace of smoke. My significant other and I heard a beep that signaled the shutdown, then the appliances kicked off.

The outage seemed like a good time to get out of the house. We resolved to bicycle around the village, a circuit that takes about an hour.

Others had similar thoughts. On our road, a neighbor walked her beagle. A couple from the cul-de-sac at the end were out with their two retrievers. Our ridgebacks, Tala and Juma, raced to them. The wife, who happens to be the vet who cares for our dogs, pushed their infant daughter in a stroller.

Later the sun set and the stars appeared. One burned a bright yellow.

That’s how it’s been here the past 10 days, when a combination of power cuts and spotty Internet conspired to connect me more closely with the days and nights.

Internet in the village comes from Telkom, a state-owned monopoly that serves most of the republic. Our house receives Internet via so-called ADSL, a pre-broadband era technology that, in theory, delivers Internet over copper telephone lines at speeds of around 5 gigabytes per second on a good day.

The ADSL here gives out at sundown sometimes. The house receives about one bar of cellphone service, which means you can’t use your phone as a hotspot.

Service delivery can be spotty in South Africa. Of course, we’re well off compared with most people. Nearly 65% of households in South Africa have no access to the Internet, according to the latest census.

Our spotty Internet connection feels like a throwback to the mid-1990s in the U.S., when the World Wide Web had just appeared and most of us dialed into the Internet via modems.

You connect when you can.

That leaves plenty to discover when you can’t connect. A week ago we biked along the beach in Durban, from the city front to the Blue Lagoon, where on Sundays Indian families, three and four generations strong, gather. We read a book of drawings by Jean-Michel Basquiat and watched a documentary about the artist in downtown Manhattan in the 1990s. We hooked up the speakers to the stereo that had been unconnected for years and listened to jazz. I began reading “The Fear,” a chronicle by the journalist Peter Godwin about Zimbabwe under Robert Mugabe.

Most days the dogs and I walk together at a farm nearby. They wake me in the morning.

Internet and more
Internet and more

If I want to work with an Internet connection, I head to the village library, where I can pick up a cellphone signal from Vodacom that registers four or five bars.

The library, which occupies a low-slung building, has sections in English, Zulu and Afrikaans. It also displays the latest local newspapers and periodicals. One day recently, I read the Mercury, a daily from Durban, flipped through an issue of GQ’s South Africa edition, and lost myself in an collection of essays by Nadine Gordimer, the South African writer who died last year.

The place is pin quiet. Sometimes the librarians chat softly in Zulu.