Tag Archives: GDPR

Security News Bites for the Week Ending July 17, 2020

Microsoft’s LinkedIn Sued for Abusing Clipboard Access

Apple’s Universal Clipboard allows you to share data between devices. According to the lawsuit, LinkedIn reads the data without notifying the user. However, LinkedIn is not alone. More than 50 apps, apparently, do that. Now that they have been sued, they are changing their app. Credit: Reuters

When is 10 million actually 140 million?

Apparently MGM resorts is not great at counting. In February ZDNet reported that hackers stole info on 10 million guests. Apparently the number is actually 142 million. How we know this is not because MGM said so but because a hacker is selling that much data. Credit: ZDNet

340 GDPR Fines Totaling 158 Million Euros Issued Since 2018

The smallest fine was 90 Euros. The largest fine was 50,000,000 Euros.

France, Italy and Germany represent 73% of all of the fines.

While fines issued by France total 51 million Euros, fines issued by the UK were just over a half million Euros.

While GDPR has been in force for around two years, that is just a blip when it comes to the legal world. Stay tuned for the next two years. Credit: Helpnet Security

The Same Senate That is Trying to Ban Encryption is Asking Why Twitter isn’t Encrypting DMs

While the Senate debates the EARNIT Act, which would require companies like Twitter to implement encryption back doors or the LEAD Act which FORCES judges to make companies decrypt data if the cops ask the judge to do it with no judicial descretion, that same body is asking why Twitter isn’t encrypting Direct Messages (DMs). Sounds kind of bizarre to me, but that is reality. Credit: Security Boulevard

Beware of VPNs That Keep No Logs

UFO VPN (first clue: based in Hong Kong) says this about their security practices:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform

Which makes it hard to explain how 894 GB of log data, including encryption keys, was stored on an elastic search server with no password. This represents 20 million users logs.

If you care about your privacy, check out any VPN provider that you plan to use carefully. Credit: Hack Read

Security News for the Week Ending January 24, 2020

Breaches Gone Wild – Very Wild

Since EU’s GDPR went into effect on May 25, 2018 – about 18 months ago – 160,000 Breaches have been reported to EU authorities.  A calculator will tell you that means that people are reporting between 250 and 300 security incidents A DAY!

If you think that magically, 18 months ago, the number of breaches that were occurring skyrocketed – well that is not likely.  At least one of the data protection authorities says that there is over-reporting, but that two thirds of the reports are legitimate.

So far companies have PAID about $125 million in fines and the largest single fine was about $55 million.  Expect many more fines in the future since the authorities have not processed most of those 160,000 reports.  Source: ZDNet

Hacker Posts 500,000 Userid/Password Combinations

A hacker who is changing his business model posted the userids, passwords and IP addresses of 515,000 servers, routers and IoT devices on the Internet.  The hacker had used the compromised devices to attack other computers in Distributed Denial of Service attacks.

But he has decided to change his business model and instead use powerful servers in data centers to attack his victims, so he didn’t need all of these devices any more.

What is not clear is why he published the list.  He certainly could have sold it.  Maybe he thought that if the list became public people who change their passwords from the default or easy to guess ones that they were using.  Source: ZDNet

 

New York State Want to Ban Government Agencies From Paying Ransoms

Two NY Senators, a Republican and a Democrat, have each introduced bills that would outlaw using taxpayer money to pay ransoms.  One of the bills includes language to create a fund to help local municipalities improve their security.  Given the number of attacks on government networks, this would cause some tension.  If a city could pay a ransom and get operational in a few days vs. if they didn’t have good backups, it could take months to recover.  Stay tuned.  Source: ZDNet

 

U.N. Report: Bezos Hacked By Saudi Prince MBS

While some people are questioning the report by U.N. experts that Amazon and Washington Post CEO Jeff Bezos phone was hacked by Saudi Crown Prince Mohammed Ben Salman.  The report says that the hacking can be tied directly to a Whatsapp message sent from MBS’s phone.  Give other things MBS is accused of doing, this is certainly possible.  While the Saudis, not surprisingly, called the report absurd, others are calling for an investigation.  Source: The Register

Security News for the Week Ending December 27, 2019

Russia Claims to Have Successfully Disconnected from the Internet

Russia has been planning to install an Internet kill switch for a couple of years now.  Of course, we have no clue what that means.  Likely, it means that they have their own DNS servers so that they do not have to resolve web site addresses using servers controlled by the US and EU.  But that means any web sites that are outside of Russia will not work if they do this.

More likely, this process, which forces all traffic through government controlled gateways, is designed to surveil its citizens even more than it already does.  Details at ZDNet.

Pentagon Tells Military Not To Use “At Home” DNA Tests

I am not sure that Ancestry.com or 23AndMe are terribly happy about the message, but the Pentagon put out a memo this week telling members of the armed services not to take at home DNA tests unless otherwise notified.

The cover story is that the tests might be unreliable and not reviewed by the FDA.  The next story is that negative results might require members of the armed forces to disclose things that could end their military careers.

The real story is they are worried about state actors getting their hands on the DNA of our service men and women for nefarious purposes.

It looks like the military is actually starting to understand risks of the 21st century.  Good work.  Note this is not voluntary or optional. Source: MSN

Telemarketing Firm Lays off 300 Before Christmas Due to Ransomware

A Sherwood, Arkansas telemarketing firm laid off 300 people just before Christmas after a ransomware attack shut down their systems.  The attack happened about two months ago and even though they paid the ransom, they have not yet been able to restore the systems.  Apparently, at this point, they have run out of money. The company finally put out a memo explaining what was happening and told employees to call on January 2nd to see if they were going to get their jobs back.  Merry Christmas.  Source: KATV

British Pharmacy Fined $350K for Failing to Protect Medical Records

It is not just the big companies that are getting fined.  In this case a British pharmacy was fined $350,000 for leaving a half million records unprotected and exposed to the elements.  In addition, the pharmacy was issued an order to fix its security practices in 90 days or face more fines.  We are seeing less willingness by courts and regulators on both sides of the Atlantic to deal with companies missteps when it comes to security and privacy.   Source The Register.

Georgia Supreme Court Says Victims of Medical Clinic Hack Can Sue

Moving to this side of the Atlantic, the Georgia Supreme Court says that victims of an Atlanta area medical clinic that was hacked can sue the clinic for negligence.  As I said, courts are becoming much less understanding as to why companies are not effectively protecting the data entrusted to them.  This decision reverses the Court of Appeals decision and is only binding in Georgia, but courts in other states may use this as a precedent in their decision process.  Source: Atlanta Journal Constitution

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a  big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page that says that they are using cookies and the only option that users have to click on is OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR specifically says that you cannot refuse service if users do not allow you to sell your data and CCPA says that you have to give equal service whether users opt out of data sharing or not.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico

In Case You Thought GDPR Was Overblown – Its Not

When GDPR first went into effect in May 2018, people talked about horror stories of fines to the tune of 4% of a company’s total global revenue.

Then reality hit and there were no fines or tiny fines.  Or so it seemed.

The problem with regulators is that it always takes them a while.

Legitimately, you do want them to make sure that they only issuing fines when appropriate.

This week we have two big fines on the horizon.

The UK Information Commissioner’s Office (ICO) has decided to fine Marriott 99 million Pounds Sterling or roughly $125 million for the Starwood breach.  While not the end of the world for a company like Marriott and it is even possible that they have insurance to cover some or all of that,  Marriott is fighting it.  (Source: BBC).

Also in the UK, The ICO decided to fine British Airways 183 million Pounds Sterling or about $225 million for a website breach that affected about a half million people.  That represents 1.5% of their global revenue for 2017. Source: BBC.

Some people were hoping that the various data protection authorities were going to be all bark and no fine, but reality is a little different.

We have already seen many smaller fines.  But it is all relative.  A Polish taxi cab company was fined 160,000 Euros for failing to delete data that they could not justify why they retained it.  160,000 Euros for a taxi company might be harder to swallow than 183 Pounds for BA.

And from the scuttlebutt, what we hear is expect many more fines during 2019 and 2020 as the authorities ramp up their staff and complete investigations.  As of January of this year, authorities had received about 60,000 complaints (Source: Law.com).  Helen Dixon, the Irish Data Protection Commissioner, had 29 people on her staff in 2015 – before GDPR.  Ireland is where companies like Facebook have their European HQs due to tax reasons.  Helen has a staff of 133 right now with 30 openings and is anticipating adding more staff in 2020.

Companies big and small should not plan on flying under the radar because even if one of the data protection authorities don’t single you out, if your users are among those 60,000 complaints — you still could wind up being investigated.

GDPR Regulators Getting Their Game On

Poland’s data protection regulator made an interesting decision affecting a Swedish based digital  marketing company named Bisnode.

Poland’s regulator, the national Personal Data Protection Office (UODO in Polish), fined Bisnode 220,000 Euros for failing to comply with Article 14 of GDPR.

Article 14 requires a data controller to inform a person when it collects data about that person from another source. In addition, you have to tell them the purpose that you are collecting the data for and give them the option to object.

Bisnode’s business model is to collect data from public records of various types and then, we assume, sell that data.

Bisnode apparently understood that obligation to notify people because of the 6 million records they scraped, they sent out notices to the people for whom they had email addresses.  That represented about 90,000 businesses.  Of those 90,000, about 12,000 or 13% responded back saying that the company did not have their permission to use this data for the purpose stated.

For the rest of the people, even those for whom they had a phone number, they opted not to notify them at all.

Instead, they put a notice on their web site.  Of course, those 6 million people had no reason to look at the company’s website and besides, I am guessing that they did not include a list of 6 million names on the web site, but maybe they did.

Bisnode objected to having to notify people because they said it would be too expensive to send everyone a registered letter.  Of course an email is not equivalent to registered mail, actually closer to a postcard, and they could have  sent 6 million postcards for a whole lot less than the cost of 6 million registered letters.

There is a lot more information in the source article linked below, but for now the point is that businesses that depend on scraping other people’s data and selling it should be wary about their business model.

At a bare minimum, they need to consider the notification requirements and understand that each distinct purpose the data is being used for requires its own notification (if you know now that it will be used for, say, 3 purposes, you can include all three purposes in one notice, but if you decide next month that you have  new purpose, you have to renotify.  And, the notice cannot be generic in nature like “we are going to sell your information to folks who are going to do stuff with it, like spam you”.

The Polish DPA also required them to notify the 5.9+ million people that they didn’t notify.  Bisnode is thinking about deleting the data instead, but even if they do, will that relieve them of their notification obligation?

Assuming Bisnode does appeal, hopefully that appeals decision will improve the clarity of the rules under GDPR, but given what I  have seen in the past, Bisnode is unlikely to get a free pass in this situation.

So for businesses that depend on the ability to take data from third parties and use it in a way that the consumer did not anticipate, anticipate that you could be on the wrong side of a DPA decision and then will need to decide if you can afford to fight.   Not being able to do that freely may make the business not viable, so either way, those businesses have a problem.

Source: TechCrunch.