GDPR Services: 24 stories worth reading from February 2019
Since launching in the GDPR Services niche, we have been closely monitoring public news coverage. This collection gathers a few newsworthy cases and curious happenings.
- Timing is everything
- The online dating site Coffee Meets Bagel suffered a breach earlier this week. No payment data was compromised. Users were notified via email. Source: Coffee Meets Bagel announces a data breach on Valentine’s Day
- The unauthorised party gained access to partial user data on July 5, 2018
- The photo-sharing site 500px was attacked last summer, exposing user names and hashed passwords. The company posted this announcement, and all users’ passwords have been reset. Source: Security Issue February 2019: FAQ
- The company is paying a group of financial institutions over negligence claims following a 2015 cyber attack
- Wendy’s has agreed to pay out $50M to settle claims from financial institutions stemming from a 2015-2016 breach. Roughly half of the settlement, pending court approval, comes from insurers and the other half from its own pocket. Last fall, Wendy’s separately settled a class action lawsuit brought by its customers. Source: Wendy’s agrees to pay $50M to settle data breach claims
- Persistent identifiers are the bread and butter of the online tracking industry
- Thousands of Android apps collect both the Ad ID and other device data in order to target their advertising messages at specific devices and customers. You can see a partial list of some of them below. This violates Google Play guidelines and is an invasion of users’ privacy too. Researchers show how this data is collected and who is doing the most egregious snooping. Source: Ad IDs Behaving Badly
- All telephone calls made since 2013
- Millions of calls to a health hotline in Sweden have been digitally recorded since 2013 and stored on an open website. The calls contain all sorts of sensitive information, including phone numbers and symptoms. All telephone calls made to 1177 since 2013 and received by the healthcare provider Medicall have been completely open as audio files on an unprotected web server. Source: 2.7 million recorded calls to the 1177 Care Guide completely unprotected on the internet
- Actionable intelligence about Chrome extensions
- About a third of Chrome extensions use third-party code with known security vulnerabilities, and almost 85% come with no stated privacy policy whatsoever. To help users, Duo has created the CRXcavator utility to scan Chrome add-ons for excessive permissions and other security weaknesses. This tool should be useful for every GDPR Services provider. Source: Democratizing Chrome Extension Security
- Social networks are just the tip of the iceberg
- Even the most paranoid and cautious among us can’t control all of our personal data. A new research study shows that there are multiple layers of online identity, only one of which is under our control. Machines can gather data on you without your knowledge to better target ads and other messages. Source: You only control one-third of your identity online
- Healthcare organizations handle an extensive amount of highly sensitive data
- Researchers have analyzed the federal government database of healthcare-related breaches in this new report. Active hacking has replaced lost or stolen devices as the primary cause. Source: Healthcare Breaches and the Rise of Hacking and IT Incidents
- Government vs. government
- The Citizen Lab in Toronto has worked with the AP to document an attempt to compromise its researchers. Phoney sources contacted two staff members, misrepresenting themselves and asking about the organization’s relationship to the Israeli NSO Group’s activities. Source: APNewsBreak: Undercover agents target cybersecurity watchdog
- Collecting biometric data from individuals without consent
- The Illinois Supreme Court held that consumers can sue for violations of their privacy under the state’s biometric privacy law. The case, Rosenbach v. Six Flags Entertainment Corp., concerned a 14-year-old boy who scanned his thumbprint to enter the park. The court ruled that thumbprints can’t be collected without explicit consent. Source: Illinois Supreme Court rules Six Flags can’t collect thumbprint data without consent
- A data breach incident impacting Discover cards has given attackers access to an undisclosed amount of customer information
- Discover reissued credit cards after an unknown number of them were stolen from a third-party supplier. This occurred during a breach that happened last August. Source: Discover Card Users Affected by Data Breach, New Credit Cards Issued
- The largest bank in the country and a highly ranked company in the Fortune 500
- The State Bank of India used an open online server storing hundreds of millions of customer details. It was discovered by an unnamed researcher and verified by TechCrunch. Text message inquiries could be viewed in real time, including bank balances and transaction details. The bank secured the data once reporters brought the issue to its attention. Source: India’s largest bank SBI leaked account data on millions of customers
- Airbus has revealed a cyber-attack affecting its commercial aircraft business, which compromised employee information
- Airbus’ corporate IT network was recently breached, and the company notified regulators about unauthorized data access. While the company acknowledged the leak, further details are scarce. Source: Airbus Staff Caught in Data Breach
- A server security lapse has exposed a massive database of customer information
- Another open ElasticSearch data repository was discovered by a researcher, this one belonging to Rubrik, ironically a multi-billion dollar IT security consultancy. It contained the firm’s customer details and was indexed by the Shodan search engine. The firm admitted and corrected its mistake quickly after being notified. The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including customer names, contact information and casework for each corporate customer. Source: Data management giant Rubrik leaked a massive database of client data
- Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy: dissidents, rival leaders and journalists
- US intelligence analysts worked in Abu Dhabi to help the UAE hack into the phones and computers of its enemies. Called Project Raven, this is the story of how the operation eventually targeted US citizens. An NSA spokesman declined to comment on Raven. An Apple spokeswoman declined to comment. A spokeswoman for the UAE’s Ministry of Foreign Affairs declined to comment. Source: Inside the UAE’s secret hacking team of American mercenaries
- xDedic provided access to more than 85,000 hacked servers in its heyday
- The FBI and EU police have seized the servers of the online criminal marketplace xDedic. Three Ukrainian suspects were also arrested. The site listed credentials for more than 70,000 hacked servers, available for a few dollars per server. Source: Authorities shut down xDedic marketplace for buying hacked servers
- APT39 focuses on the telecommunications and travel industries
- The activities of the Iranian state-sponsored hacking group APT39 are dissected in this report. The group monitors staff at telecom and travel businesses and has developed a variety of malware tools. Source: APT39: An Iranian Cyber Espionage Group Focused on Personal Information
- A ruling will ensure doctors are no longer judged by Google on fitness to practise
- A Dutch court has issued a landmark ruling supporting the right to be forgotten. Google brought the suit against a surgeon who wanted parts of her search history removed from the Dutch Google site. The court ruled in the doctor’s favour. Source: Dutch surgeon wins landmark ‘right to be forgotten’ case
- Houzz data breach
- The online home furnishings design website Houzz (houzz.com) experienced a data breach in December and notified its customers about it last week. No payment card data or SSNs were part of the leak. The company recommended that users change their passwords. Source: Why informing your customers is the right call
- It appears that using Twitter to reveal the news was a last-ditch attempt to make Eskom take the exposure seriously
- South Africa’s largest electric utility, Eskom, has had a major data leak. The company was slow to respond to the researchers who found it. The data contains customer financial data, including payment card CVVs. In what may be a case of “if we ignore it, it will go away,” South Africa’s largest electricity company has become the subject of the public exposure of customer data after ignoring researcher pleas to resolve the problem. Source: Researcher reveals data leak at South Africa’s main electricity provider
- The social network’s practice of merging user data gleaned from WhatsApp, Instagram and millions of third-party websites and apps
- German antitrust regulators have issued restrictions on Facebook, saying it can’t gather data from third-party websites without each user’s explicit permission. Facebook is appealing the decision. Source: Facebook Can’t Gather Users’ Data From Other Websites, German Antitrust Office Says
- Eight major airlines affected
- Researchers have found at least eight airline online ticketing systems vulnerable because of unencrypted links that could be intercepted with man-in-the-browser attacks. (See the diagram below.) Once this is done, passengers’ private information could be at risk. Source: Are airlines putting your data at risk?
- 617 million online account details stolen from 16 hacked websites
- A huge collection of more than 600M accounts was stolen from 16 different websites, including MyFitnessPal and MyHeritage. The data is available for purchase on Dream Market, a dark web marketplace, and contains hashed passwords and email addresses. A few site owners verified the data as genuine. Source: 620 million accounts stolen from 16 hacked websites now for sale on the dark web
- Hackers did not ask for a ransom. VFEmail described the incident as “attack and destroy.”
- Email provider VFEmail has been breached and all its data and backups deleted. The site is back online but barely operational. Source: Hackers wipe US servers of email provider VFEmail