Category: USA

Facebook data leak affects more than 500 million users

7. April 2021

Confidential data of 533 million Facebook users has surfaced in a forum for cybercriminals. A Facebook spokesperson told Business Insider that the data came from a leak in 2019.

The leaked data includes Facebook usernames and full name, date of birth, phone number, location and biographical information, and in some cases, the email address of the affected users. Business Insider has verified the leaked data through random sampling. Even though some of the data may be outdated, the leak poses risks if, for example, email addresses or phone numbers are used for hacking. The leak was made public by the IT security firm Hudson Rock. Their employees noticed that the data sets were offered by a bot for money in a hacking forum. The data set was then offered publicly for free and thus made accessible to everyone.

The US magazine Wired points out that Facebook is doing more to confuse than to help clarify. First, Facebook referred to an earlier security vulnerability in 2019, which we already reported. This vulnerability was patched in August last year. Later, a blog post from a Facebook product manager confirmed that it was a major security breach. However, the data had not been accessed through hacking, but rather the exploitation of a legitimate Facebook feature. In addition, the affected data was so old that GDPR and U.S. privacy laws did not apply, he said. In the summer of 2019, Facebook reached an agreement with the U.S. Federal Trade Commission (FTC) to pay a $5 billion fine for all data breaches before June 12, 2019. According to Wired, the current database is not congruent with the one at issue at the time, as the most recent Facebook ID in it is from late May 2019.

Users can check whether they are affected by the data leak via the website HaveIBeenPwned.

Microsoft Exchange Target of Hacks

29. March 2021

Microsoft’s Exchange Servers are exposed to an ever-increasing number of attacks. This is the second major cyberattack on Microsoft in recent months, following the so-called SolarWinds hack (please see our blog post). The new attacks are based on vulnerabilities that have been in the code for some time but have only recently been discovered.

In a blog post published on March 2nd, 2021, Microsoft explains the hack and a total of four found vulnerabilities. The first vulnerability allows attackers to gain access to a Microsoft Exchange Server, the second vulnerability allows them to execute their code on the system, and the third and fourth vulnerabilities allow the hacker write access to arbitrary files on the server. Microsoft Exchange Server versions 2019, 2016, 2013 and 2010 are affected, and Microsoft released a security update for all of them on March 2nd, even though support for Microsoft Exchange Server 2010 ended in October 2020.

Reportedly, Microsoft was informed about the vulnerability in January. Since then, a growing number of hacker groups have started to use the exploit. The initial campaign is attributed to HAFNIUM, a group believed to be state-sponsored and operating out of China. According to Microsoft, the vulnerabilities have been in the code for many years without being discovered. Only recently has Microsoft become aware of these vulnerabilities and begun working on them. Microsoft shared information on the vulnerability through the Microsoft Active Protections Program (Mapp), where they share information with a group of 80 security companies. The attacks began shortly after Microsoft began working to resolve the vulnerabilities. There are many similarities between the code Microsoft shared through Mapp and the code the attackers are using.

In an article about a recently published One-Click Exchange On-premises Mitigation Tool (EOMT), Microsoft developers describe how admins can secure Exchange servers against the current attacks within a very short amount of time. The tool only serves as an initial protective measure. For comprehensive protection, available security updates must be installed. In addition, it must be checked whether the hackers have already exploited existing gaps to leave behind backdoors and malware. This is because the updates close the gaps, but do not eliminate an infection that has already occurred. Hackers often do not use gaps immediately for an attack, but to gain access later, for example for large-scale blackmail.

Under the General Data Protection Regulation (GDPR), organizations affected by an attack on personal data must, in certain circumstances, report such an incident to the relevant supervisory authority and possibly to the affected individuals. Even after a successful patch, it should be kept in mind that affected organizations were vulnerable in the meantime. Pursuant to Art. 33 of the GDPR, system compromises that may affect personal data and result in a risk to data subjects must be notified to the competent supervisory authority. For such a notification, the time of discovery of the security breach, the origin of the security breach, the possible scope of the personal data affected, and the first measures taken must be documented.

The state of Virginia is second state in the USA to enact major Data Protection Legislation

17. March 2021

On March 2nd, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments.

This makes the state of Virginia the second US state to enact a major privacy law, next to California’s CCPA enacted in 2018. At the point of the law passing to the Senate, there was debate that the bills were flawed as they are not including a private right of action and leaving all enforcement to the Office of the Attorney General. This caused some senators to oppose the bills, however it was ultimately passed by a vote of 32 to 7. The Consumer Data Protection Act will take effect on January 1st, 2023.

The bill establishes a comprehensive framework for controlling and processing personal data of Virginia residents. In addition, it provides Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing operations, as well as the right to appeal a controller’s decision regarding a rights request. The bill further states requirements relating to the principles of data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments, as well as imposes certain requirements directly on entities who act as processors of data on behalf of a controller.

However, the law also includes a number of exemptions at entity level, such as exemptions for financial institutions subject to the Gramm-Leach-Bliley Act and also includes some data or context specific exemptions, such as an exemption for HR-related data processing.

The Attorney General’s office, as the enforcing entity, has to provide 30 days’ notice of any violation and allow an opportunity for the controller to cure any violation. In case a controller does not oblige and leaves the violation uncured, the Attorney General is able to file an action seeking $7,500 per violation.

Clubhouse Data Protection issues

28. January 2021

Clubhouse is a new social networking app by the US company Alpha Exploration Co. available for iOS devices. Registered users can open rooms for others to talk about various topics. Participation is possible both as a speaker and as a mere listener. These rooms can be available for the public or as closed groups. The moderators speak live in the rooms and the listeners can then join the virtual room. Participants are initially muted and can be unmuted by the moderators to talk. In addition, the moderators can also mute the participants or exclude them from the respective room. As of now, new users need to be invited by other users, the popularity of these invitations started to rise in autumn 2020 when US celebrities started to use the app. With increasing popularity also in the EU, Clubhouse has come under criticism from a data protection perspective.

As mentioned Clubhouse can only be used upon an invitation. To use the option to invite friends, users must share their address book with Clubhouse. In this way, Alpha Exploration can collect personal data from contacts who have not previously consented to the processing of their data and who do not use the app. Not only Alpha Exploration, but also users may be acting unlawfully when they give the app access to their contacts. The user may also be responsible for the data processing associated with the sharing of address books. Therefore, it is not only the responsibility of Alpha Exploration, but also of the user to ensure that consent has been obtained from the contacts whose personal data is being processed. From a data protection perspective, it is advisable not to grant the Clubhouse app access to this data unless the consent of the respective data subjects has been obtained and ideally documented. Currently, this data is transferred to US servers without the consent of the data subjects in the said address books. Furthermore, it is not apparent in what form and for what purposes the collected contact and account information of third parties is processed in the USA.

Under Clubouse’s Terms of Service, and in many cases according to several national laws, users are prohibited from recording or otherwise storing conversations without the consent of all parties involved. Nevertheless, the same Terms of Service include the sentence “By using the service, you consent to having your audio temporarily recorded when you speak in a room.” According to Clubhouse’s Privacy Policy, these recordings are used to punish violations of the Terms of Service, the Community Guidelines and legal regulations. The data is said to be deleted when the room in question is closed without any violations having been reported. Again, consent to data processing should be treated as the general rule. This consent must be so-called informed consent. In view of the fact that the scope and purpose of the storage are not apparent and are vaguely formulated, there are doubts about this. Checking one’s own platform for legal violations is in principle, if not a legal obligation in individual cases, at least a so-called legitimate interest (Art. 6 (1) (f) GDPR) of the platform operator. As long as recordings are limited to this, they are compliant with the GDPR. The platform operator who records the conversations is primarily responsible for this data processing. However, users who use Clubhouse for conversations with third parties may be jointly responsible, even though they do not record themselves. This is unlikely to play a major role in the private sphere, but all the more so if the use is in a business context.

It is suspected that Clubhouse creates shadow profiles in its own network. These are profiles for people who appear in the address books of Clubhouse users but are not themselves registered with Clubhouse. For this reason, Clubhouse considers numbers like “Mobile-Box” to be well-connected potential users. So far, there is no easy way to object to Clubhouse’s creation of shadow profiles that include name, number, and potential contacts.

Clubhouse’s Terms of Use and Privacy Policy do not mention the GDPR. There is also no address for data protection information requests in the EU. However, this is mandatory, as personal data of EU citizens is also processed. In addition, according to Art. 14 GDPR, EU data subjects must be informed about how their data is processed. This information must be provided to data subjects before their personal data is processed. That is, before the data subject is invited via Clubhouse and personal data is thereby stored on Alpha Exploration’s servers. This information does not take place. There must be a simple opt-out option, it is questionable whether one exists. According to the GDPR, companies that process data of European citizens must also designate responsible persons for this in Europe. So far, it is not apparent that Clubhouse even has such data controllers in Europe.

The german “Verbraucherzentrale Bundesverband” (“VZBV”), the german federate Consumer Organisation, has issued a written warning (in German) to Alpha Exploration, complaining that Clubhouse is operated without the required imprint and that the terms of use and privacy policy are only available in English, not in German as required. The warning includes a penalty-based cease-and-desist declaration relating to Alpha Exploration’s claim of the right to extensive use of the uploaded contact information. Official responses from European data protection authorities regarding Clubhouse are currently not available. The main data protection authority in this case is the Irish Data Protection Commissioner.

So far, it appears that Clubhouse’s data protection is based solely on the CCPA and not the GDPR. Business use of Clubhouse within the scope of the GDPR should be done with extreme caution, if at all.

Hackers access Microsoft source codes

7. January 2021

In December 2020 cybersecurity firm FireEye reported that it had been attacked by what they called a “highly sophisticated cyber threat actor”, during which copies of its red team tool kit were stolen. Also in December, FireEye disclosed that it discovered attacks on SolarWinds’ tool “Orion” while investigating its own security breach. In a SEC filing, SolarWinds said up to 18,000 of 33,000 Orion customers may have been affected. The attacks may have begun in early 2020.

A group believed to be state-sponsored used contaminated updates for the “Orion” network management software. They accessed a SolarWinds system used to update Orion and from there inserted malicious code into legitimate software updates that were then distributed to customers. The affected versions are 2019.4 through 2020.2.1, which were released between March and June 2020. It is still unclear how the attackers initially gained access to SolarWinds’ network. Security researcher Vinoth Kumar stated on Twitter he contacted SolarWinds in 2019 regarding an FTP access uploaded to GitHub in 2018. Using the password “solarwinds123,” he was able to upload a file to the SolarWinds server as proof of the vulnerability.

Agencies and companies that have been penetrated by the Orion software include the U.S. Treasury Department, the U.S. Department of Homeland Security, the National Nuclear Security Administration, parts of the Pentagon, Belkin, Cisco, Intel, Microsoft, and Nvidia.
The FBI and other U.S. security agencies issued a joint statement calling the attack “significant and ongoing”. Also, agencies and companies in other countries such as Belgium, Canada, Germany, Israel, Mexico, Spain, the United Kingdom, and the United Arab Emirates were affected.

So far, it is unclear what damage, if any, was caused by the attacks and what data was accessed. According to reports, in some cases, internal communications were accessed and various documents were copied, with documents relating to ongoing product development, in particular, attracting the attackers’ interest. In an interview published by the U.S. State Department, U.S. Secretary of State Michael R. Pompeo claimed Russia was responsible for the attack.

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”

Among those affected, Microsoft is being most viral regarding the hack. In a blog post published on December 31, the company even admitted that the hackers had access to its source codes. According to that post, they were able to view the code but not modify it. Still, this could pose a significant security risk, as the attackers can now study the software’s architecture and look for possible entry points. Microsoft won’t reveal which tool’s source codes the attackers had access to. It also identified more than 40 of its own customers who were targeted.
Microsoft President Brad Smith wrote:

“This is not just an attack on specific targets but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”

This cyber-attack shows the importance of strong cybersecurity for every company and private user, as even tech-giants and fundamental U.S. authorities were victims of this attack. In particular, access to Microsoft’s source codes could be the ground for further attacks on high- and low-profile targets, as Microsoft’s tools are used in businesses of all sizes and by individuals as well.

EDPS considers Privacy Shield replacement unlikely for a while

18. December 2020

The data transfer agreements between the EU and the USA, namely Safe Harbor and its successor Privacy Shield, have suffered a hard fate for years. Both have been declared invalid by the European Court of Justice (CJEU) in the course of proceedings initiated by Austrian lawyer and privacy activist Max Schrems against Facebook. In either case, the court came to the conclusion that the agreements did not meet the requirements to guarantee equivalent data protection standards and thus violated Europeans’ fundamental rights due to data transfer to US law enforcement agencies enabled by US surveillance laws.

The judgement marking the end of the EU-US Privacy Shield (“Schrems II”) has a huge impact on EU companies doing business with the USA, which are now expected to rely on Standard Contractual Clauses (SCCs). However, the CJEU tightened the requirements for the SCCs. When using them in the future, companies have to determine whether there is an adequate level of data protection in the third country. Therefore, in particular cases, there may need to be taken additional measures to ensure a level of protection that is essentially the same as in the EU.

Despite this, companies were hoping for a new transatlantic data transfer pact. Though, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski expressed doubts on an agreement in the near future:

I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while.

He justified his skepticism with the incoming Biden administration, since it may have other priorities than possible changes in the American national security laws. An agreement upon a new data transfer mechanism would admittedly depend on leveling US national security laws with EU fundamental rights.

With that in mind, the EU does not remain inactive. It is also trying to devise different ways to maintain its data transfers with the rest of the world. In this regard, the EDPS appreciated European Commission’s proposed revisions to SCCs, which take into consideration the provisions laid down in CJEU’s judgement “Schrems II”.

The proposed Standard Contractual Clauses look very promising and they are already introducing many thoughts given by the data protection authorities.

EU offers new alliance with the USA on data protection

4. December 2020

The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy outlined a new EU-US agenda for global change, which was published on December 2nd, 2020. It constitutes a proposal for a new, forward-looking transatlantic cooperation covering a variety of matters, including data protection.

The draft plan states the following guiding principles:

  • Advance of global common goods, providing a solid base for stronger multilateral action and institutions that will support all like-minded partners to join.
  • Pursuing common interests and leverage collective strength to deliver results on strategic priorities.
  • Looking for solutions that respect common values of fairness, openness and competition – including where there are bilateral differences.

As said in the draft plan, it is a “once-in-a-generation” opportunity to forge a new global alliance. It includes an appeal for the EU and US to bury the hatchet on persistent sources of transatlantic tension and join forces to shape the digital regulatory environment. The proposal aims to create a shared approach to enforcing data protection law and combatting cybersecurity threats, which could also include possible restrictive measures against attributed attackers from third countries. Moreover, a transatlantic agreement concerning Artificial Intelligence forms a part of the recommendation. The purpose is setting a blueprint for regional and global standards. The EU also wants to openly discuss diverging views on data governance and facilitate free data flow with trust on the basis of high safeguards. Furthermore, the creation of a specific dialogue with the US on the responsibility of online platforms and Big Tech is included in the proposal as well as the development of a common approach to protecting critical technologies.

The draft plan is expected to be submitted for endorsement by the European Council at a meeting on December 10-11th, 2020. It suggests an EU-US Summit in the first half of 2021 as the moment to launch the new transatlantic agenda.

The Controversy around the Council of the European Union’s Declaration on End-to-End Encryption

27. November 2020

In the course of November 2020, the Council of the European Union issued several draft versions of a joint declaration with the working title “Security through encryption and security despite encryption”. The drafts were initially intended only for internal purposes, but leaked and first published by the Austrian brodcasting network “Österreichischer Rundfunk” (“ORF”) in an article by journalist Erich Möchel. Since then, the matter has sparked widespread public interest and media attention.

The controversy around the declaration arose when the ORF commentator Möchel presented further information from unknown sources that “compentent authorities” shall be given “exceptional access” to the end-to-end encryption of communications. This would mean that communications service providers like WhatsApp, Signal etc. would be obliged to allow a backdoor and create a general key to encrypted communications which they would deposit with public authorities. From comparing the version of the declaration from 6 November 2020 with the previous version from 21 October 2020, he highlighted that in the previous version it states that additional practical powers shall be given to “law enforcement and judicial authorities”, whereas in the more recent version, the powers shall be given to “competent authorities in the area of security and criminal justice”. He adds that the new broader wording would include European intelligence agencies as well and allow them to undermine end-to-end encryption. Furthermore, he also indicated that plans to restrict end-to-end encyption in Western countries are not new, but originally proposed by the “Five Eyes” intelligence alliance of the United States, Canada, United Kingdom, Australia and New Zealand.

As a result of the ORF article, the supposed plans to restrict or ban end-to-end encryption have been widely criticised by Politicians, Journalists, and NGOs stating that any backdoors to end-to-end encryption would render any secure encryption impossible.

However, while it can be verified that the “Five Eyes” propose the creation of general keys to access end-to-end encrypted communications, similar plans for the EU cannot be clearly deduced from the EU Council’s declaration at hand. The declaration itself recognises end-to-end encryption as highly beneficial to protect governments, critical infrastructures, civil society, citizens and industry by ensuring privacy, confidentiality and data integrity of communications and personal data. Moreover, it mentions that EU data protection authorities have identified it as an important tool in light of the Schrems II decision of the CJEU. At the same time, the Council’s declaration illustrates that end-to-end encryption poses large challenges for criminal investigations when gathering evidencein cases of cyber crime, making it at times “practically impossible”. Lastly, the Council calls for an open, unbiased and active discussion with the tech industry, research and academia in order to achieve a better balance between “security through encryption and security despite encryption”.

Möchel’s sources for EU plans to ban end-to-end encryption through general keys remain unknown and unverifiable. Despite general concerns for overarching surveillance powers of governments, the public can only approach the controversy around the EU Council’s declaration with due objectivity and remain observant on whether or how the EU will regulate end-to-end encryption and find the right balance between the privacy rights of European citizens and the public security and criminal justice interests of governments.

Microsoft reacts on EDPB’s data transfer recommendations

24. November 2020

Microsoft (“MS”) is among the first companies to react to the European Data Protection Board’s data transfer recommendations (please see our article), as the tech giant announced in a blog post on November 19th. MS calls these additional safeguards “Defending Your Data” and will immediately start implementing them in contracts with public sector and enterprise customers.

In light of the Schrems II ruling by the Court of Justice of the European Union (“CJEU”) on June 16th, the EDPB issued recommendations on how to transfer data into non-EEA countries in accordance with the GDPR on November 17th (please see our article). The recommendations lay out a six-step plan on how to assess whether a data transfer is up to GDPR standards or not. These steps include mapping all data transfer, assessing a third countries legislation, assessing the tool used for transferring data and adding supplementary measures to that tool. Among the latter is a list of technical, organizational, and contractual measures to be implemented to ensure the effectiveness of the tool.

Julie Brill, Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer at Microsoft, issued the statement in which she declares MS to be the first company responding to the EDPB’s guidance. These safeguards include an obligation for MS to challenge all government requests for public sector or enterprise customer data, where it has a lawful basis for doing so; to try and redirect data requests; and to notify the customer promptly if legally allowed, about any data request by an authority, concerning that customer. This was one of the main ETDB recommendations and also included in a draft for new Standard Contractual Clauses published by the European Commission on November 12th. MS announces to monetary compensate customers, whose personal data has to be disclosed in response to government requests.  These changes are additions to the SCC’s MS is using ever since Schrems II. Which include (as MS states) data encrypted to a high standard during transition and storage, transparency regarding government access requests to data (“U.S. National Security Orders Report” dating back to 2011; “Law Enforcement Requests Report“) .

Recently European authorities have been criticizing MS and especially its Microsoft 365 (“MS 365”) (formerly Office 365) tools for not being GDPR compliant. In July 2019 the Ministry of Justice in the Netherlands issued a Data Protection Impact Assessment (DPIA), warning authorities not to use Office 365 ProPlus, Windows 10 Enterprise, as well as Office Online and Mobile, since they do not comply with GDPR standards. The European Data Protection Supervisor issued a warning in July 2020 stating that the use of MS 365 by EU authorities and contracts between EU institutions and MS do not comply with the GDPR. Also, the German Data Security Congress (“GDSC”) issued a statement in October, in which it declared MS 365 as not being compliant with the GDPR. The GDSC is a board made up of the regional data security authorities of all 16 german states and the national data security authority. This declaration was reached by a narrow vote of 9 to 8. Some of the 8 regional authorities later even issued a press release explaining why they voted against the declaration. They criticized a missing involvement and hearing of MS during the process, the GDSC’s use of MS’ Online Service Terms and Data Processing Addendum dating back to January 2020 and the declaration for being too undifferentiated.

Some of the German data protection authorities opposing the GDSC’s statement were quick in welcoming the new developments in a joint press release. Although, they stress that the main issues in data transfer from the EU to the U.S. still were not solved. Especially the CJEU main reserves regarding the mass monitoring of data streams by U.S. intelligence agencies (such as the NSA) are hard to prevent and make up for. Still, they announced the GDSC would resume its talks with MS before the end of 2020.

This quick reaction to the EDPB recommendations should bring some ease into the discussion surrounding MS’ GDPR compliance. It will most likely help MS case, especially with the German authorities, and might even lead to a prompt resolution in a conflict regarding tools that are omnipresent at workplaces all over the globe.

California Voters approve new Privacy Legislation CPRA

20. November 2020

On November 3rd 2020, Californian citizens were able to vote on the California Privacy Rights Act of 2020 (“CPRA”) in a state ballot (we reported). As polls leading up to the vote already suggested, California voters approved the new Privacy legislation, also known as “Prop 24”. The CPRA was passed with 56.2% of Yes Votes to 43.8% of No Votes. Most provisions of the CPRA will enter into force on 1 January 2021 and will become applicable to businesses on 1 January 2023. It will, at large, only apply to information collected from 1 January 2022.

The CPRA will complement and expand privacy rights of California citizens considerably. Among others, the amendments will include:

  • Broadening the term “sale” of personal information to “sale or share” of private information,
  • Adding new requirements to qualify as a “service provider” and defining the term “contractor” anew,
  • Defining the term “consent”,
  • Introducing the category of “Sensitive Information”, including a consumer’s Right to limit the use of “Sensitive Information”,
  • Introducing the concept of “Profiling” and granting consumers the Right to Opt-out of the use of the personal information for Automated Decision-Making,
  • Granting consumers the Right to correct inaccurate information,
  • Granting consumers the Right to Data Portability, and
  • Establishing the California Privacy Protection Agency (CalPPA) with a broad scope of responsibilities and enforcement powers.

Ensuring compliance with the CPRA will require proper preparation. Affected businesses will have to review existing processes or implement new processes in order to guarantee the newly added consumer rights, meet the contractual requirements with service providers/contractors, and show compliance with the new legislation as a whole.

In an interview after the passage of the CPRA, the initiator of the CCPA and the CPRA Alastair Mactaggard commented that

Privacy legislation is here to stay.

He hopes that California Privacy legislation will be a model for other states or even the U.S. Congress to follow, in order to offer consumers in other parts of the country the same Privacy rights as there are in California now.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 Next
1 2 3 13