Verizon publishes Data Breach Investigations Report 2016: Phishing attacks trend upwards

20. June 2016

Verizon, a company that provides communication and technology services, has recently published the 2016 Data Breach Investigations Report (DBIR). The report reveals the trends regarding the sources and reasons for incidents and data breaches. It also provides recommendations on how to prevent or minimize the risk to be victim of a data breach.

The study has been developed by using data from 100.000 occurred data breaches provided by different industries. The study showed that the most affected industries are such as accommodation, finance, retail or the public sector. According to the report, the most common cause for attacks is directly or indirectly financial. Additionally, when it comes to a data disclosure, the attacker is usually an external person, not directly from inside.

The report describes nine main types of vulnerabilities that involve a risk for companies and persons. Phishing attacks have increased considerable in the last year and constitute together with stolen credentials the main cause of data breaches. Phishing attacks aim at tricking the victim by sending an e-mail so that he/she clicks on a link that contains malware in order to obtain certain personal or confidential information.

The report remarks that 30% of the phishing messages were opened and even 12% of people tested clicked on the phishing attachment. Moreover, only 3% reported management about the phishing e-mail. Phishing messages mostly aim at stealing credentials such as ID and password authentication. 63% of the confirmed data breaches involved stolen passwords.

In order to minimize the risk of being victim of a phishing attack, the report gives the following recommendations:

  • Filter your e-mail and test its implementation
  • Rise employee awareness and offer means to report such events
  • Protect your network by segmenting it and implement strong authentication mechanisms between the user and the networks
  • Monitor external connections

McAffee also provides useful recommendations regarding the identification and prevention of phishing attacks and the use of effective passwords.

Microsoft acquires LinkedIn: privacy issues arise

16. June 2016

Early this week, Microsoft announced the acquisition of LinkedIn, a professional network with more than 400 million users. This makes LinkedIn to be one of the largest databases worldwide. The acquisition will allow Microsoft to have access to the professional profiles of LinkedIn users.

According to Microsoft´s CEO, Satiya Nadella, this operation will make possible that, for example, LinkedIn´s newsfeed shows articles related to the project the user is working on and on the other hand, Office may suggest professionals in LinkedIn who are experts in the task that is being completed at the time.

However, privacy related issues have aroused upon the acquisition, especially regarding the amount of personal data that LinkedIn processes. Dimitri Sirota, CEO of BigID, a customer data protection company, states that Microsoft should show that this acquisition “can enrich the software offerings from Microsoft in areas such as CRM, communication, productivity, etc.” He also remarks the importance of personal data management, so that there is no infringement of local data privacy legislations.

Software companies, such as Microsoft, gain marketing, sales and intelligence value through these kind of operations, but they also have to deal with privacy risk and compliance legislation.

In this scenario, LinkedIn should continue handling personal data as stipulated in its terms of service. This does not prevent Microsoft from signing a data transfer agreement with LinkedIn in order to have access to the data. Such access would allow Microsoft to analyze the personal data received.

Several IT-Security experts agree on the fact that data privacy and data protection should stay at the foreground.

Uber must pay a total over $1 million

14. June 2016

Accoring to the New York Times, Uber was fined €800,000, about $900,000, plus court fees, which adds to a total over $1 million, for running an illegal transport service and breaking privacy laws in France.

Half of those sanctions that Uber has to pay are “suspended sentences,” which means that Uber only needs to pay 50 percent of the fines as long as there are no further breaches of the law.

On top of that, Uber’s EMEA director Pierre-Dimitri Gore-Coty and Thibaud Simphal, the French company’s boss, were fined €30,000, about $34,000, and €20,000, about $22,500. The two men were detained for questioning by French authorities a year ago.

 

Category: General
Tags: , ,

Twitter: 32 million accounts may have been hacked and leaked

9. June 2016

Hackers may have used malware in order to gain more than 32 million Twitter login-data that are now presumable being sold on the dark web. However, a Twitter spokesman said that “We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

LeakedSource, a site with a search engine of leaked login credentials, says that the respected data of Twitter contains 32,888,300 records consisting of email addresses, usernames and passwords.

Due to the provided information included in the respected data, for example the fact that passwords are displayed without encryption, LeakedSource stated that the data was collected by malware that has infected internet browsers rather than stolen directly from Twitter. In order to verify that the leaked data is valid, LeakedSource asked 15 users to verify their passwords. All of them confirmed that the passwords were correct.

However, Twitter stated that the hacking of accounts belonging to celebrities was due to the re-use of passwords that were leaked in the LinkedIn and Myspace breaches. A spokesman said that “A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter”.

Whether or not the leaked data is valid, it is recommended to change passwords, not only when using the same password for several accounts.

Accountability initiative by the EDPS: achieving compliance with the GDPR

8. June 2016

The EDPS announced yesterday the launch of a new initiative that may help EU institutions, public bodies and private organizations to be compliant and prepare for the GDPR. This initiative relates to the accountability principle, which is explicitly mentioned in the GDPR. Accountability regarding the processing of personal data means:

  • Implementing policies within the organization in order to achieve transparency
  • Training employees and persons within the organization with regard to the implementation of the policies
  • Monitoring the implementation of the policies
  • Establishing procedures in order to identify incompliances and act against data breaches

The EDPS states that the accountability principle involves a culture change within organizations and means the promotion of sustainable data processing. This means that organizations should assess the fairness and legality of complex data processing operations. This involve that both, public bodies and private organizations, should develop a risk management strategy that addresses their specific needs, so that they are compliant with the GDPR upon its entry into force in May 2018.

This initiative has been firstly implemented at the EDPS institution itself by using questionnaires addressed to the Supervisors, the Director, the staff responsible for processing operations and the DPO. The implemented actions were also documented and followed up on a regular basis. The questions aimed at ensuring a control over the processing of personal data and the lawfulness of the processing.

The role of the DPOs under the new GDPR: the German reference

7. June 2016

The new GDPR, which will enter into force in May 2018, updates the current European Data Protection legislation. One of the key aspects of the Regulation is the obligation to appoint a Data Protection Officer (DPO) in the following cases:

  • If the processing is carried out by a public authority, except court acting in their judicial capacity
  • If the core activities of the controller or the processor consist of processing operations which according to their nature or scope require regular and systematic monitoring of data subjects on a large scale or
  • If the core activities of the controller or the processor consist of processing on a large scale of sensitive data

Currently, several jurisdictions mention the possibility to appoint a DPO, but Germany is the only EU member State that imposes the obligation to appoint a DPO if more than nine people within an organization handle with personal data. The DPO can be a member of the organization or an external expert.

According to German Data Protection law, DPOs are appointed by the management of the organization but fulfill their duties without being subject to any instructions of the data controller. Moreover, they have the obligation to report the management regarding the compliance status of the organization and, even if they recommendations are not followed, the DPO has fulfilled his/her duty. This DPO culture in Germany means also that not only people with legal backgrounds are DPO; furthermore, the role of the DPO is assumed by persons with different backgrounds, for example by engineers or HR employees that have been given this responsibility.

Thomas Spaeing, CEO of the German Association of Data Protection Officers, remarks the importance that the appointed person knows the processes and organization of the company and that he/her can integrate the legislation with the organizational data processing activities. The DPO should be seen as a person who helps businesses implementing data protection processes in interest of both, the data subjects and the company itself.

The GDPR mentions the possibility to appoint either an external or an internal DPO and describes their position in similar terms to those existing under German Data Protection law. In Germany, this will not mean a greater change in the local legislation, but other countries who do not even currently regulate the institution of the DPO, will have to make any necessary changes to be compliant with the requirements of the GDPR until May 2018.

German DPA fines three companies for illegal data transfer to the U.S.

The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.

After the judgment declaring the former Safe Harbor Framework by the European Commission invalid  in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).

However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:

Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)

As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.

 

 

Further developments regarding EU-U.S. data transfers: the “Umbrella-Agreement” has been signed

6. June 2016

On the 2nd June, the so called “Umbrella-Agreement” was signed between the EU and the U.S. This agreement aims at creating a cooperation framework between the EU and the U.S. regarding criminal law enforcement and the prevention of serious crime and terrorism.

Personal data covered under this agreement includes data exchanged between police and criminal Authorities of the EU Member States and the US Authorities for the purpose of prevention, investigation, detection and prosecution of criminal offences as well as terrorist acts. The data transfers will be carried out according to the existing legal frameworks and enough safeguards will be provided.

The agreement provides EU citizens an equal treatment with U.S. citizens before American courts regarding judicial redress and a full respect for fundamental rights.

However, this agreement does not provide a legal basis for data transfers but it is a complement to the existing and future frameworks between law enforcement authorities.

Belgian court ruled on “right-to-be-forgotten”

3. June 2016

The Belgian Court of Cassation confirmed the broad interpretation of the “right-to-be-forgotten” by a Belgian Court of Appeal.

The case was initiated by a person who fought against a Belgian newspaper because it did not comply with a request to remove an article from 1994 from its online archives regarding a car accident causing the death of two persons in which the individual was involved.

The Court of Appeal ruled that disclosing the name of the individum in the article was not in public interest and that is why it was damaging the reputation of the relevant individual. Therefore, it ordered the newspaper to anonymize the online version of the article.

However, the newspaper contested the Court of Appeal’s judgment and brought the case before the Belgian Court of Cassation.

The Court of Cassation decided that the publication of articles in newspapers’ online archives can be considered as a new disclosure of facts of an individual’s judicial past, which could potentially infringe the individual’s right-to-be-forgotten. Furthermore, the Court of Cassation confirmed that the online publication of the non-anonymized article years after the accident could have caused damages to the individual’s reputation. Therefore, the Court of Cassation decided that the right to privacy of the relevant individual could justify an interference with the newspaper’s right to freedom of expression and that in this case the newspaper has to remove all references to the individual from the article in its online archives.

European Data Protection Supervisor issues opinion on EU-U.S. Privacy Shield

1. June 2016

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued this week his opinion on the EU-U.S. Privacy Shield. The EDPS is an independent EU institution created in 2004 that assesses EU institutions on policies and legislation related to privacy and data protection and cooperates with authorities in these matters.

The EDPS emphasized on the following key aspects related to the EU-U.S. Privacy Shield:

  • The current draft is not solid enough and improvements should be made in order to withstand scrutiny before the ECJ.
  • The Privacy Shield should offer a long-term solution regarding international data transfers to the U.S.
  • The protection provided by the Privacy Shield should ensure the rights to redress, transparency, data privacy and oversight.
  • It should also prevent from indiscriminate surveillance by American authorities.
  • The draft should comply with the GDPR, including international data transfers.
  • International companies should be aware of and comply with their obligations on privacy and data protection issues.

To sum up, the Privacy Shield should offer an equivalent data protection level to that existing in the EU.

Category: EU · General
Tags: ,
Pages: Prev 1 2 3 ... 19 20 21 22 23 24 25 26 27 28 29 Next
1 21 22 23 24 25 29