Category: USA

Uber hid massive data breach

22. November 2017

Uber has just admitted that hackers stole the personal data of 50 million Uber customers and 7 million drivers. The data breach happened in October 2016, over a year ago, but was only disclosed this week.

The data include names, e-mail addresses, phone numbers and the licence numbers of 600,000 drivers. According to Uber, neither social security numbers, credit card information nor trip location details were taken.

Uber did not disclose the data breach to the public, as data protection law requires, but instead paid the hackers $100,000 to delete the information. Uber assumes that the data was not used.

According to Uber, the hackers reached the data through a poorly protected database hosted at a cloud service. Uber's chief security officer Joe Sullivan and another manager lost their jobs.

This data breach wasn’t the first incident that happened to Uber. Uber has a well-documented history of abusing consumer privacy.

Uber said it has hired Matt Olsen, former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. He will help the company restructure its security teams.

Category: Cyber security · Data breach · USA

Irish High Court refers Facebook case to the CJEU

6. October 2017

On October 3rd 2017, the Irish High Court announced that it will refer the Facebook case to the Court of Justice of the European Union (CJEU). The lawsuit is based on a complaint to the Irish Data Protection Commissioner filed by Max Schrems, an Austrian lawyer and privacy activist. Schrems was also involved in the earlier case against Facebook that resulted in the CJEU's landmark decision declaring the Commission's US Safe Harbour Decision invalid.

In his new complaint, Schrems is challenging Facebook's data transfers to the US on the basis of the “Model Contracts for the transfer of personal data to third countries”, also known as standard contractual clauses (SCCs). Schrems himself said, “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that.”

In contrast to Schrems, the Irish Data Protection Commissioner challenged the validity of the SCCs in general, not only with respect to Facebook. Due to the importance of the case, the Irish High Court referred it to the CJEU. The CJEU will now have to decide whether data transfers to the US are valid on the basis of the Commission's Model Contracts. It remains to be seen what the CJEU will decide and whether its decision will have an impact on the Privacy Shield framework.

Credit Bureau Equifax has been hacked

11. September 2017

The consumer credit reporting agency Equifax was hacked in mid-May. Equifax noticed the breach much later, on 29 July. The public learned about the breach only last week, on Thursday, 7 September.

The breach potentially affects the sensitive data of approximately 143 million consumers. The data concerned are consumers' names, social security numbers, birth dates, addresses and, in some cases, driver's licence numbers, as well as credit card numbers of 209,000 U.S. consumers and dispute documents containing identifying information of 182,000 consumers.

The US is not the only country concerned: a third-party cybersecurity company hired by Equifax also identified affected residents of the U.K. and Canada.

Equifax Chairman and CEO Rick Smith announced the steps Equifax is currently taking in response to the breach and said the company is working with the authorities.

Category: Data breach · General · USA

Nationwide: multistate data breach investigation settled by paying $5.5 million

11. August 2017

According to Hunton & Williams, on 9 August Nationwide Mutual Insurance Company (“Nationwide”) agreed to pay $5.5 million to settle an investigation by the attorneys general of 32 states into a data breach that exposed the personal data of about 1.2 million individuals. Hunton & Williams also published the settlement.

In October 2012, Nationwide and its wholly-owned subsidiary Allied Property & Casualty Insurance Company (“Allied”) experienced a data breach that led to unauthorized access to and exfiltration of certain personal data of their customers as well as of other consumers. Since Nationwide and Allied provide customers with insurance quotes, they collect, inter alia, the following personal data: full name, Social Security number, date of birth and credit-related score.

The attorneys general alleged that the data breach occurred when hackers exploited a vulnerability in the companies' web application hosting software. Further, it is alleged that only after the data had been exfiltrated did Nationwide and Allied apply a previously unapplied software patch to address the vulnerability.

In addition to the $5.5 million, Nationwide and Allied agreed to implement a series of steps to update their security practices. Among other measures listed in the settlement, a technology officer shall be appointed to manage and monitor security and software updates, ensuring that future patches and other security updates are actually applied.

Annual Transparency Report released by the US Intelligence

10. May 2017

In April 2017, the Office of the Director of National Intelligence released its fourth annual Statistical Transparency Report Regarding Use of National Security Authorities, covering calendar year 2016.

The annual Transparency Report provides statistics on how often the US government uses certain national security authorities for surveillance activities. Further, it explains on which legal basis surveillance has to be performed and names the agencies involved (besides the FISA authorities), such as the CIA, FBI or NSA.

It shows that, depending on the surveillance activity applied and the purpose of the investigation, both U.S. persons and non-U.S. persons can be targets. Furthermore, it describes which legal prerequisites have to be fulfilled when investigating a target.

For example, the Transparency Report provides information about the number of National Security Letters (NSLs) issued by the Federal Bureau of Investigation (FBI). The number of NSLs slightly decreased compared to the previous year. However, the number of NSLs issued does not reveal the number of individuals or organisations that are the subjects of those NSLs.

During an investigation, personal data such as telephone numbers or email addresses may be collected.


New genetic testing law launched – USA

30. March 2017

The “Süddeutsche Zeitung” has reported that a new law on genetic testing was introduced in the US behind closed doors. According to this law, workers must submit genetic tests to their employers.
The genetic tests are not voluntary, since companies will in future be allowed to demand them. Employees must therefore undergo a genetic test and disclose its results. This can be perceived as a serious intrusion into privacy, since genetic tests should be voluntary and, above all, nobody should be forced to disclose their results. The European Society of Human Genetics (ESHG) takes the same view.

The law seems to appal not only American geneticists. European scientists have also expressed fears that such developments in the field of bioethics could eventually spread from the USA to Europe, creating the risk of a far-reaching intrusion into the private sphere of the individual. Whether anything of the kind is actually planned in Europe is not known; in any case, such a law would first have to withstand review by the highest courts. For now, therefore, there appears to be nothing to fear.
Notably, a law prohibiting such genetic testing in the USA already exists; it was passed in 2008.

However, the interest of companies in such tests is beyond doubt. Companies could obtain genetic information and base decisions concerning their employees on it. It is clear that an employee with a higher health risk may be more costly to the company in case of illness. Employers could surely draw their own conclusions from the test results. These could, for instance, result in an employment contract not being renewed or adjusted.

One may object that the risk of a disease is not the same as the certainty that it will actually break out. The concern about the interference with privacy should nevertheless remain high.

Category: USA

Google – “sharing location” option

24. March 2017

On 22 March 2017, Google Maps introduced real-time location sharing (the new “share location” option), which gives its users the opportunity to share their whereabouts with each other. Sharing can reportedly be set to last from 15 minutes to around three days.

From now on your friends can follow your location (if you make it visible to them), for example while you navigate the city's bus system or are stuck in traffic. The aim is to make social life, such as meetings and hang-outs, easier by giving your friends up-to-date information on your location.

Furthermore, the new option also makes it possible to create itineraries, see the most popular hours of local businesses, track parking spots or spot special events that disrupt traffic in the area.

All of these features come at a price, though. If you activate this option, Google obtains all the information about your daily habits and rituals (what you are doing, when, where, and which is your favourite coffee shop), which could later be sold, for instance, to advertisers.

However, Erik Gordon, a student of entrepreneurship and strategy at the University of Michigan's Ross School of Business, says: “If you can couch it in social, it’s your friends that can track you—not that Big Brother can track you, not that an ad server can track you, not that Travis Kalanick can track you”.

Google itself stresses that the interface makes it clear that the decision to share a location lies entirely and only in the hands of the individual user.

Category: Personal Data · USA

CIA's circumvention methods on Wikileaks

10. March 2017

On Tuesday, 7 March, Wikileaks released around 9,000 pages of documents on the U.S. Central Intelligence Agency's hacking methods, called “Year Zero”, which revealed the CIA's methods for circumventing the security of the world's top hardware and software products (including the exploitation of smartphone operating systems). These methods are believed to allow agents to circumvent encryption apps.

According to a Reuters report, law enforcement and U.S. intelligence officials suspect that U.S. government contractors most likely handed the information over to Wikileaks.

After the earlier cases of the government contractor employees Harold Thomas Martin and Edward Snowden, a leak of sensitive government information no longer comes as a surprise.

A Google director, as well as Apple, Microsoft and Samsung, stated that they are continuously and carefully investigating any identified vulnerabilities in order to implement the necessary protections.

Even though the authenticity of the leaked documents has yet to be confirmed, the CIA has expressed its concern about the matter.

Open Whisper Systems confirmed that the Signal protocol's encryption was not broken, even though the New York Times had originally reported that the CIA could break the encryption of the WhatsApp, Signal and Telegram apps. The documents describe compromising the phone's operating system, which lets an attacker read messages on the device before they are encrypted or after they are decrypted; the protocol itself is not affected.

Category: Cyber security · Encryption · USA

European Union’s justice commissioner Jourová threatens to suspend Privacy Shield

6. March 2017

Vera Jourová, the European Union's justice commissioner, is prepared to suspend Privacy Shield should the Trump administration back away from the outcome negotiated between the Obama administration and the European Union.

The Privacy Shield pact was meant to replace the Safe Harbor decision of the European Commission that was overturned in October 2015 by the European Court of Justice (ECJ). The pact’s purpose is to enable the transfer of EU citizens’ personal data to the US while ensuring the protection of those data.

Concerns about the effectiveness of the Privacy Shield arose when President Trump signed an executive order in January 2017 stating that “agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Although the US Department of Justice has already affirmed the US's commitment to the Privacy Shield, Jourová remains sceptical and wants to keep an eye on the US government's stance. Should EU citizens' personal data not be safe in the US, Jourová will not hesitate to suspend the pact.

House of Representatives passes Email Privacy Act

22. February 2017

On February 6, 2017 the House of Representatives of the United States of America passed the Email Privacy Act by voice vote. The Act amends the existing online communications law, in particular the Electronic Communications Privacy Act (ECPA) of 1986.

Under the ECPA, emails stored on a third party's server for more than 180 days are considered abandoned. On this basis, it was sufficient for law enforcement agencies to provide a written statement certifying that the requested information is relevant to an investigation in order to obtain the content of stored emails. The Email Privacy Act requires authorities to obtain a warrant in order to access emails, data in cloud storage and other digital communications that are more than 180 days old.

This is now the third attempt at a new law in this field. The previous bill also passed the House in the last Congress but could not pass the Senate; the first attempt had already failed in the House. It remains to be seen whether the current Email Privacy Act will pass the Senate.

The Email Privacy Act has won the backing of Google, Microsoft and other big players based in the USA.
