Category: Cyber security

Hackers access Microsoft source codes

7. January 2021

In December 2020 cybersecurity firm FireEye reported that it had been attacked by what they called a “highly sophisticated cyber threat actor”, during which copies of its red team tool kit were stolen. Also in December, FireEye disclosed that it discovered attacks on SolarWinds’ tool “Orion” while investigating its own security breach. In a SEC filing, SolarWinds said up to 18,000 of 33,000 Orion customers may have been affected. The attacks may have begun in early 2020.

A group believed to be state-sponsored used contaminated updates for the “Orion” network management software. They accessed a SolarWinds system used to update Orion and from there inserted malicious code into legitimate software updates that were then distributed to customers. The affected versions are 2019.4 through 2020.2.1, which were released between March and June 2020. It is still unclear how the attackers initially gained access to SolarWinds’ network. Security researcher Vinoth Kumar stated on Twitter he contacted SolarWinds in 2019 regarding an FTP access uploaded to GitHub in 2018. Using the password “solarwinds123,” he was able to upload a file to the SolarWinds server as proof of the vulnerability.

Agencies and companies that have been penetrated by the Orion software include the U.S. Treasury Department, the U.S. Department of Homeland Security, the National Nuclear Security Administration, parts of the Pentagon, Belkin, Cisco, Intel, Microsoft, and Nvidia.
The FBI and other U.S. security agencies issued a joint statement calling the attack “significant and ongoing”. Also, agencies and companies in other countries such as Belgium, Canada, Germany, Israel, Mexico, Spain, the United Kingdom, and the United Arab Emirates were affected.

So far, it is unclear what damage, if any, was caused by the attacks and what data was accessed. According to reports, in some cases, internal communications were accessed and various documents were copied, with documents relating to ongoing product development, in particular, attracting the attackers’ interest. In an interview published by the U.S. State Department, U.S. Secretary of State Michael R. Pompeo claimed Russia was responsible for the attack.

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”

Among those affected, Microsoft is being most viral regarding the hack. In a blog post published on December 31, the company even admitted that the hackers had access to its source codes. According to that post, they were able to view the code but not modify it. Still, this could pose a significant security risk, as the attackers can now study the software’s architecture and look for possible entry points. Microsoft won’t reveal which tool’s source codes the attackers had access to. It also identified more than 40 of its own customers who were targeted.
Microsoft President Brad Smith wrote:

“This is not just an attack on specific targets but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”

This cyber-attack shows the importance of strong cybersecurity for every company and private user, as even tech-giants and fundamental U.S. authorities were victims of this attack. In particular, access to Microsoft’s source codes could be the ground for further attacks on high- and low-profile targets, as Microsoft’s tools are used in businesses of all sizes and by individuals as well.

CNIL fines Google and Amazon

10. December 2020

The French Data Protection Authority Commission Nationale de l’Informatique et des Libertès – “CNIL” – announced that it has fined the big tech companies Google and Amazon due to violations of the GDPR and the French Data Protection Act.

Regarding Google CNIL announced financial penalties of an combined record breaking amount of € 100 million. € 60 million are against Google LLC, the US-based mother company, and € 40 million against Google Ireland Limited, the Irish daughter company. According to the statement of CNIL the fines are based on violations regarding the Cookie requirements on the website google.fr. Due to an online investigation, conducted on March 16th, 2020, CNIL considers it as proven that Google “placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information”.

Besides the findings on Cookies, CNIL also critizes a lack of information on the processed personal data and a partial failure of the opposition mechanism.

The high amount of the financial penalties is justified with the seriousness of the violation, the high amount of concerned data subjects and the significant profits of the companies arising of the advertisements.

CNIL also considers the fact, that this procedure is no longer in place since an update in September 2020, because the newly implemented banner does not allow to understand the purposes for which the cookies are used and does not let the data subject know that they can refuse the coolies.

This is already the second, financial penalty CNIL imposes against Google.

Also for violations in connection with cookies CNIL fines Amazon Europe Core a financial penalty of € 35 million. The accusation is the same as with Google and based on several investigations conducted between December 12th, 2019 and May 19th, 2020. CNIL found out, that when a user visited the website, cookies were automatically placed on his or her computer, without any action required on the users part. Several of these cookies were used for advertising purposes. Also a lack of information has been conducted.

The high amount of the financial penalties is in all cases justified with the seriousness of the violation, the high amount of concerned data subjects and the significant profits of the companies arising of the advertisements.

Update: The Council of the European Union publishes recommendations on encryption

8. December 2020

In November, the Austrian broadcasting network “Österreichischer Rundfunk” sparked a controversial discussion by publishing leaked drafts of the Council of the European Union (“EU Council”) on encryption (please see our blog post). After these drafts had been criticized by several politicians, journalists and NGOs, the EU Council published “Recommendations for a way forward on the topic of encryption” on December 1st, in which it considers it important to carefully balance between protecting fundamental rights with ensuring law enforcement investigative powers.

The EU Council sees a dilemma between the need for strong encryption in order to protect privacy on one hand, and the misuse of encryption by criminal subjects such as terrorists and organized crime on the other hand. They further note:

“We acknowledge this dilemma and are determined to find ways that will not compromise
either one, upholding the principle of security through encryption and security despite
encryption.”

The paper lists several intentions that are supposed to help find solutions to this dilemma.

First, it directly addresses EU institutions, agencies, and member states, asking them to coordinate their efforts in developing technical, legal and operational solutions. Part of this cooperation is supposed to be the joint implementation of standardized high-quality training programs for law enforcement officers that are tailored to the skilled criminal environment. International cooperation, particularly with the initiators of the “International Statement: End-to-End Encryption and Public Safety“, is proclaimed as a further intention.

Next the technology industry, civil society and academic world are acknowledged as important partners with whom EU institutions shall establish a permanent dialogue. The recommendations address internet service providers and social media platforms directly, noting that only with their involvement can the full potential of technical expertise be realized. Europol’s EU Innovation Hub and national research and development teams are named key EU institutions for maintaining this dialogue.

The EU Council concludes that the continuous development of encryption requires regular evaluation and review of technical, operational, and legal solutions.

These recommendations can be seen as a direct response to the discussion that arose in November. The EU Council is attempting to appease critics by emphasizing the value of encryption, while still reiterating the importance of law enforcement efficiency. It remains to be seen how willing the private sector will cooperate with the EU institutions and what measures exactly the EU Council intends to implement. This list of intentions lacks clear guidelines, recommendations or even a clearly formulated goal. Instead, the parties are asked to work together to find solutions that offer the highest level of security while maximizing law enforcement efficiency. In summary, these “recommendations” are more of a statement of intent than implementable recommendations on encryption.

16 Million brazilian COVID-19 patients’ personal data exposed online

7. December 2020

In November 2020, personal and sensitive health data of about 16 Million brazilian COVID-19 patients has been leaked on the online platform GitHub. The cause was a hospital employee, that uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on the online platforms. Under those affected were also the brazilian President Jair Bolsonaro and his family as well as seven ministers and 17 provincial governors.

Under the exposed systems were two government databases used to store information on COVID-19 patients. The first “E-SUS-VE” was used for recording COVID-19 patients with mild symptoms, while the second “Sivep-Gripe” was used to keep track of hospitalized cases across the country.

However, both systems contained highly sensitive personal information such as patient names, addresses, telephone numbers, individual taxpayer’s ID information, but also healthcare records such as medical history and medication regimes.

The leak was discovered after a GitHub user spotted the spreadsheet containing the password information on the personal GitHub account of an employee of the Albert Einstein Hospital in Sao Paolo. The user informed the Brazilian newspaper Estadao, which analysed the information shared on the platform before it notified the hospital and the health ministry of Brazil.

The spreadsheet was ultimately removed from GitHub, while government officials changed passwords and revoked access keys to secure their systems after the leak.

However, Estadao reporters confirmed that the leaked data included personal data of Brazilians across all 27 states.

EU offers new alliance with the USA on data protection

4. December 2020

The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy outlined a new EU-US agenda for global change, which was published on December 2nd, 2020. It constitutes a proposal for a new, forward-looking transatlantic cooperation covering a variety of matters, including data protection.

The draft plan states the following guiding principles:

  • Advance of global common goods, providing a solid base for stronger multilateral action and institutions that will support all like-minded partners to join.
  • Pursuing common interests and leverage collective strength to deliver results on strategic priorities.
  • Looking for solutions that respect common values of fairness, openness and competition – including where there are bilateral differences.

As said in the draft plan, it is a “once-in-a-generation” opportunity to forge a new global alliance. It includes an appeal for the EU and US to bury the hatchet on persistent sources of transatlantic tension and join forces to shape the digital regulatory environment. The proposal aims to create a shared approach to enforcing data protection law and combatting cybersecurity threats, which could also include possible restrictive measures against attributed attackers from third countries. Moreover, a transatlantic agreement concerning Artificial Intelligence forms a part of the recommendation. The purpose is setting a blueprint for regional and global standards. The EU also wants to openly discuss diverging views on data governance and facilitate free data flow with trust on the basis of high safeguards. Furthermore, the creation of a specific dialogue with the US on the responsibility of online platforms and Big Tech is included in the proposal as well as the development of a common approach to protecting critical technologies.

The draft plan is expected to be submitted for endorsement by the European Council at a meeting on December 10-11th, 2020. It suggests an EU-US Summit in the first half of 2021 as the moment to launch the new transatlantic agenda.

The Controversy around the Council of the European Union’s Declaration on End-to-End Encryption

27. November 2020

In the course of November 2020, the Council of the European Union issued several draft versions of a joint declaration with the working title “Security through encryption and security despite encryption”. The drafts were initially intended only for internal purposes, but leaked and first published by the Austrian brodcasting network “Österreichischer Rundfunk” (“ORF”) in an article by journalist Erich Möchel. Since then, the matter has sparked widespread public interest and media attention.

The controversy around the declaration arose when the ORF commentator Möchel presented further information from unknown sources that “compentent authorities” shall be given “exceptional access” to the end-to-end encryption of communications. This would mean that communications service providers like WhatsApp, Signal etc. would be obliged to allow a backdoor and create a general key to encrypted communications which they would deposit with public authorities. From comparing the version of the declaration from 6 November 2020 with the previous version from 21 October 2020, he highlighted that in the previous version it states that additional practical powers shall be given to “law enforcement and judicial authorities”, whereas in the more recent version, the powers shall be given to “competent authorities in the area of security and criminal justice”. He adds that the new broader wording would include European intelligence agencies as well and allow them to undermine end-to-end encryption. Furthermore, he also indicated that plans to restrict end-to-end encyption in Western countries are not new, but originally proposed by the “Five Eyes” intelligence alliance of the United States, Canada, United Kingdom, Australia and New Zealand.

As a result of the ORF article, the supposed plans to restrict or ban end-to-end encryption have been widely criticised by Politicians, Journalists, and NGOs stating that any backdoors to end-to-end encryption would render any secure encryption impossible.

However, while it can be verified that the “Five Eyes” propose the creation of general keys to access end-to-end encrypted communications, similar plans for the EU cannot be clearly deduced from the EU Council’s declaration at hand. The declaration itself recognises end-to-end encryption as highly beneficial to protect governments, critical infrastructures, civil society, citizens and industry by ensuring privacy, confidentiality and data integrity of communications and personal data. Moreover, it mentions that EU data protection authorities have identified it as an important tool in light of the Schrems II decision of the CJEU. At the same time, the Council’s declaration illustrates that end-to-end encryption poses large challenges for criminal investigations when gathering evidencein cases of cyber crime, making it at times “practically impossible”. Lastly, the Council calls for an open, unbiased and active discussion with the tech industry, research and academia in order to achieve a better balance between “security through encryption and security despite encryption”.

Möchel’s sources for EU plans to ban end-to-end encryption through general keys remain unknown and unverifiable. Despite general concerns for overarching surveillance powers of governments, the public can only approach the controversy around the EU Council’s declaration with due objectivity and remain observant on whether or how the EU will regulate end-to-end encryption and find the right balance between the privacy rights of European citizens and the public security and criminal justice interests of governments.

Microsoft reacts on EDPB’s data transfer recommendations

24. November 2020

Microsoft (“MS”) is among the first companies to react to the European Data Protection Board’s data transfer recommendations (please see our article), as the tech giant announced in a blog post on November 19th. MS calls these additional safeguards “Defending Your Data” and will immediately start implementing them in contracts with public sector and enterprise customers.

In light of the Schrems II ruling by the Court of Justice of the European Union (“CJEU”) on June 16th, the EDPB issued recommendations on how to transfer data into non-EEA countries in accordance with the GDPR on November 17th (please see our article). The recommendations lay out a six-step plan on how to assess whether a data transfer is up to GDPR standards or not. These steps include mapping all data transfer, assessing a third countries legislation, assessing the tool used for transferring data and adding supplementary measures to that tool. Among the latter is a list of technical, organizational, and contractual measures to be implemented to ensure the effectiveness of the tool.

Julie Brill, Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer at Microsoft, issued the statement in which she declares MS to be the first company responding to the EDPB’s guidance. These safeguards include an obligation for MS to challenge all government requests for public sector or enterprise customer data, where it has a lawful basis for doing so; to try and redirect data requests; and to notify the customer promptly if legally allowed, about any data request by an authority, concerning that customer. This was one of the main ETDB recommendations and also included in a draft for new Standard Contractual Clauses published by the European Commission on November 12th. MS announces to monetary compensate customers, whose personal data has to be disclosed in response to government requests.  These changes are additions to the SCC’s MS is using ever since Schrems II. Which include (as MS states) data encrypted to a high standard during transition and storage, transparency regarding government access requests to data (“U.S. National Security Orders Report” dating back to 2011; “Law Enforcement Requests Report“) .

Recently European authorities have been criticizing MS and especially its Microsoft 365 (“MS 365”) (formerly Office 365) tools for not being GDPR compliant. In July 2019 the Ministry of Justice in the Netherlands issued a Data Protection Impact Assessment (DPIA), warning authorities not to use Office 365 ProPlus, Windows 10 Enterprise, as well as Office Online and Mobile, since they do not comply with GDPR standards. The European Data Protection Supervisor issued a warning in July 2020 stating that the use of MS 365 by EU authorities and contracts between EU institutions and MS do not comply with the GDPR. Also, the German Data Security Congress (“GDSC”) issued a statement in October, in which it declared MS 365 as not being compliant with the GDPR. The GDSC is a board made up of the regional data security authorities of all 16 german states and the national data security authority. This declaration was reached by a narrow vote of 9 to 8. Some of the 8 regional authorities later even issued a press release explaining why they voted against the declaration. They criticized a missing involvement and hearing of MS during the process, the GDSC’s use of MS’ Online Service Terms and Data Processing Addendum dating back to January 2020 and the declaration for being too undifferentiated.

Some of the German data protection authorities opposing the GDSC’s statement were quick in welcoming the new developments in a joint press release. Although, they stress that the main issues in data transfer from the EU to the U.S. still were not solved. Especially the CJEU main reserves regarding the mass monitoring of data streams by U.S. intelligence agencies (such as the NSA) are hard to prevent and make up for. Still, they announced the GDSC would resume its talks with MS before the end of 2020.

This quick reaction to the EDPB recommendations should bring some ease into the discussion surrounding MS’ GDPR compliance. It will most likely help MS case, especially with the German authorities, and might even lead to a prompt resolution in a conflict regarding tools that are omnipresent at workplaces all over the globe.

ICO fines Marriott International

9. November 2020

The Information Commissioner’s Office (ICO) fines Marriott International Inc. (Marriott) £18.400.00  (€20.397.504).

The fine refers to a data breach which occurred in 2018. Back then the world’s largest hotel company based in the USA suffered a massive data breach affecting up to 383 million customers. For Marriott it is still not possible to state the exact number of people affected.

The ICO considers it proven that Marriott failed keeping customers’ personal data secure. In context of the breach confidential data like name, address and contact data as well as unencrypted passport and credit card data has been unauthorized accessed.

In a previous statement in 2019 the ICO announced, that it intends to fine Marriott with a fine of £99.200.396 (€109.969.591) this fine has now been reduced.

The reduction is based on the following reasons: the ICO considered the presentations from Marriott as well as the taken steps by Marriott as well as the consequences of the COVID-19 pandemic.

In October, the fine previously issued by the ICO against British Airways was also reduced, again partly because of the consequences of the COVID-19 pandemic.

Since the data breach occurred before the UK left the EU, the ICO investigated on behalf of all European Data Protection Authorities as lead Supervisory Authority and the fine has been approved by all other Authorities.

British Airways: Fine reduced

20. October 2020

In 2018 British Airways (BA) had to announce that they suffered a massive data breach. The data breach referred to the online booking tool. Login data and credit card data as well as travel data and address data were accessed illegaly. Affected were more than 400.000 customers.

Back in 2019 the UK’s Information Commissioners Office (ICO) evaluated the breach and stated that weak security precautions enabled the hakers to access the data. Thus, the ICO fined BA as a consequence of the breach a record fine of £183.000.000 (€ 205.000.000).

BA appealed against the fine and now – in 2020 – the ICO announced a reduced fine.

On October 16th, 2020, the ICO announced the final sanction for BA. The initial fine of £183.000.000 (€ 205.000.000) has been reduced to a total fine of £20.000.000 (€ 22.000.000). Reason for the reduction is inter alia the current COVID-19 situation and it’s consequences for the Aviation industry.

The notification from the authority states in this context:

As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

ICO passed Children’s Code

8. September 2020

The UK Information Commissioner’s Office (ICO) passed the Age Appropriate Design Code, also called Children’s Code, which applies especially to social media and online services likely to be used by minors under the age of 18 in the UK.

The Children’s Code contains 15 standards for designers of online services and products. The aim is to ensure a minimum level of data protection. Therefore, the Code requires that apps, games, websites etc. are built up in a way which provides already a baseline of data protection. The following default settings should be mentioned here:

  • Glocalization disabled by default,
  • Profiling disabled by default,
  • Newly created profiles private and not public by default.

Base for the Children’s Code is the UK Data Protection Act of 2018 – local implementation law of the GDPR. Thus, the standards also include the GDPR Data Protection principles Transparency and Data Minimisation.

The requirements also and especially apply to the major social media and online services used by minors in the UK, e.g. TikTok, Instagram and Facebook.

The Code is designed to be risk-based. This means that not all organizations have to fulfil the same obligations. The more companies use, analyse and profile data from minors, the more they must undertake to comply with the Code.

Pages: 1 2 3 4 5 6 7 8 Next
1 2 3 8