This is your Cyber Saturday edition of Fortune's tech newsletter for October 7, 2017.
For months government officials have waged a campaign against Kaspersky Lab, a Moscow-based maker of popular antivirus software. Their distrust culminated last month in a Department of Homeland Security ban on federal networks using the company’s products.
Now we finally have some insight into why the U.S. has been giving one of Russia’s greatest business successes—a protector of more than 400 million people’s computers—the snub. According to a much-pored-over report by the Wall Street Journal, an NSA hacker flouted protocol (and all common sense) two years ago by taking work home to a personal computer that ran Kaspersky software. The mistake would prove catastrophic.
Kaspersky’s cloud-based malware detection engine is said to have discovered and catalogued the digital contents of the rogue employee’s machine, including its top secret hacking code. This trove then wound up in the hands of Moscow’s spies.
The unanswered question is how. Did Kaspersky tip off Moscow’s spooks? Does the Kremlin have a man on the inside? Have Russian agents so thoroughly compromised the company’s software and systems that they are unrestrictedly monitoring its activities? We don’t know.
National security hawks have long alleged that Eugene Kaspersky, founder and CEO of his namesake firm, has uncomfortably close ties to the Kremlin, despite his insistence otherwise. In light of the latest revelation, the billionaire maintained his innocence. “Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight,” he told the Journal.
There’s no doubt that Kaspersky—and his company—are caught in the crossfire of two increasingly discontented world powers. Even if the businessman testifies at a House committee hearing later this month, as he intends (assuming he gets an expedited visa), it’s hard to see how he’ll ever win back his former federal customers.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
That’s Equif@!#$ed up. Now that Equifax’s ex-CEO Richard Smith has testified before Congress about his company’s massive hacking, let us count the ways that the big three credit bureau dropped the ball in the lead-up to and aftermath of its breach: the company failed to notify people about their data exposure in a prompt manner, it failed to maintain its systems with patches, it failed to protect the most sensitive information it collected on consumers, it failed to conduct regular security audits, and so on. Nevertheless, the IRS recently awarded a multimillion-dollar anti-fraud contract to Equifax.
Try me at my other number. Government officials believe that the personal phone of John Kelly, President Donald Trump’s chief of staff, was compromised by hackers months ago—possibly as early as December of last year. It is uncertain what information spies may have been able to obtain from the former Homeland Security secretary’s handset. Kelly is said to have ditched the phone a while ago, using a government-issued one for official communications instead.
One man’s trash is another man’s Treasury Department. Unnamed government sources allege that the Treasury Department’s intelligence division has been illegally spying on the financial records of U.S. citizens, BuzzFeed reports. The allegations come from workers at the bank regulator known as the Financial Crimes Enforcement Network (FinCEN), which maintains a database of suspicious transactions in the U.S. The Treasury said that it has done nothing improper and that the BuzzFeed report is “flat out wrong…completely unfounded and off-base.”
Yahoooooo! Just when you thought the Yahoo hacking saga had ended, the media unit now owned by Verizon (and merged with Aol under the moniker “Oath”) popped back up to provide customers an update that it had severely underestimated the number of people potentially affected by an August 2013 data breach. The company has revised the number of potential victims to 3 billion—the entirety of its user base—from its initially reported 1 billion.
From Russia with source code. Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of the company’s ArcSight security software, which the Pentagon uses to defend itself from cyber attacks, according to an investigation by Reuters. The revelation raises questions about whether the inspection allowed Russian spies to find holes in the code to exploit.
From Russia with Facebook ads. About 10 million people in the U.S. reportedly saw at least one Facebook ad promoted by agents linked to Moscow over the course of two years before and after the 2016 presidential election. Some of these ads targeted voters in swing states, like Michigan and Wisconsin. Subjects covered included gun and gay rights.
—An excerpt of a Fortune op-ed from Timothy H. Edgar, author of Beyond Snowden: Privacy, Mass Surveillance, and the Struggle to Reform the NSA. Edgar also serves as the academic director for law and policy in Brown University’s Executive Master in Cybersecurity program and a senior fellow at the Watson Institute for International and Public Affairs.
Facebook Reportedly Cut Russia References from April Election Report, by Tom Huddleston, Jr.
Why Fidelity Is Mining Bitcoin and Ethereum, by Jeff John Roberts
Mattel Cancels Baby-Monitoring Smart Hub Amid Privacy Concerns, by Jonathan Vanian
How Equifax Is ‘Making Millions of Dollars Off Its Own Screwup’, by Jen Wieczner
The Feds Just Collected $48 Million from Seized Bitcoins, by Jeff John Roberts
Equifax Underestimated Number of Potential Breach Victims by 2.5 Million, by Robert Hackett
ONE MORE THING
Rise of the neo-Luddites. A growing band of Silicon Valley-heretical tech workers is swearing off technology. They won’t Snap, they don’t Like, and they refuse to download apps. These nay-sayers believe that smartphones and social networks are hijacking people’s minds. Something to consider while you unplug this weekend.