Category: Cyber security

FaceApp reacts to privacy concerns

22. July 2019

The picture editing app FaceApp, which became increasingly popular on social media, was confronted with various concerns about their privacy.

Created in Russia by a four-person start-up company, the app applies a newly developed technology that uses neural networks to modify a face in any photo while remaining photorealistic. In this process, no filters are placed on the photo, but the image itself is modified with the help of deep learning technology.

However, the app is accused of not explaining that the images are uploaded to a cloud for editing. In addition, the app is accused of uploading not only the image selected by the user, but also the entire camera roll in the background. The latter in particular raises high security concerns due to the large number of screenshots that people nowadays take of sensitive information such as access data or bank details.

While there is no evidence for the latter accusation and FaceApp emphasizes in its statement that no image other than the one chosen by the user is uploaded, they confirm the upload into a cloud.

The upload to the cloud justifies FaceApp with reasons of performance and traffic. With this, the app developers want to ensure that the user does not upload the photo repeatedly during each editing process.

Finally, FaceApp declares that no user data will be sold or passed on to third parties. Also, in 99 % of cases, they are unable to identify a person because the app can be and actually is used without registration by a large number of users.

Hackers steal millions of Bulgarians’ financial data

18. July 2019

After a cyberattack on the Bulgarian’s tax agency (NRA) millions of taxpayers’ financial data has been stolen. In an estimate, it is said that most working adults in the 7 million country are affected by some of their data being compromised. The stolen data included names, adresses, income and social security information.

The attack happened in June, but an E-mail from the self-proclaimed perpetrator was sent to Bulgarian media on Monday. It stated that more than 110 databases of the agency had been compromised, the hacker calling the NRA’s cybersecurity a parody. The Bulgarian media were further offered access to the stolen data. One stolen file, e-mailed to the newspaper 24 Chasa,  contained up to 1,1 million personal identification numbers with income, social security and healthcare figures.

The country’s finance minister Vladislav Goranov has appologized in parliament and to the Bulgarian citizens, adding that about 3% of the tax agency’s database had been affected. He made clear that whoever attempted to exploit the stolen data would fall under the impact of Bulgarian law.

In result to this hacking attack, the Bulgarian tax agency now faces a fine of up to 20 million euros by the Commission of Personal Data Protection (CPDP). In addition, the issue has reignited an old debate about the lax cybersecurity standards in Bulgaria, and its adjustement to the modern times.

Hearing on the legal challenge of SCC and US-EU Privacy Shield before CJEU

17. July 2019

On Tuesday last week, the European Court of Justice (CJEU) held the hearing on case 311/18, commonly known as “Schrems II”, following a complaint to the Irish Data Protection Commission (DPC) by Maximilian Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. The case deals with two consecutive questions. The initial question refers to whether U.S. law, the Foreign Intelligence Service Act (FISA), that consists a legal ground for national security agencies to access the personal data of citizens of the European Union (EU) violates EU data protection laws. If confirmed, this would raise the second question namely whether current legal data transfer mechanisms could be invalid (we already reported on the backgrounds).

If both, the US-EU Privacy Shield and the EU Standard Contractual Clauses (SCCs) as currently primeraly used transfer mechanisms, were ruled invalid, businesses would probably have to deal with a complex and diffucult scenario. As Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum said, the hearing would have had a particularly higher impact than the first Schrems/EU-US Safe Harbor case, because this time it could affect not only data transfers from the EU to the U.S., but from the EU to all countries around the world where international data trensfers are based on the SCCs.

This is what also Facebook lawyer, Paul Gallagher, argued. He told the CJEU that if SCCs were hold invalid, “the effect on trade would be immense.” He added that not all U.S. companies would be covered by FISA – that would allow them to provide the law enforcement agencies with EU personal data. In particular, Facebook could not be hold responsible for unduly handing personal data over to national security agencies, as there was no evidence of that.

Eileen Barrington, lawyer of the US government assured, of course, by referring to a “hypothetical scenario” in which the US would tap data streams from a cable in the Atlantic, it was not about “undirected” mass surveillance. But about “targeted” collection of data – a lesson that would have been learned from the Snowden revelations according to which the US wanted to regain the trust of Europeans. Only suspicious material would be filtered out using particular selectors. She also had a message for the European feeling of security: “It has been proven that there is an essential benefit to the signal intelligence of the USA – for the security of American as well as EU citizens”.

The crucial factor for the outcome of the proceedings is likely to be how valid the CJEU considers the availability of legal remedies to EU data subjects. Throughout the hearing, there were serious doubts about this. The monitoring of non-US citizens data is essentially based on a presidential directive and an executive order, i.e. government orders and not on formal laws. However, EU citizens will be none the wiser, as particularly, referring to many critisists’ conlusion, they do not know whether they will be actually surveilled or not. It remains the issue regarding the independence of the ombudsperson which the US has committed itself to establish in the Privacy Shield Agreement. Of course, he or she may be independent in terms of the intelligence agencies, but most likely not of the government.

However, Henrik Saugmandsgaard Øe, the Advocate General responsible for the case, intends to present his proposal, which is not binding on the Judges, on December 12th. The court’s decision is then expected in early 2020. Referring to CJEU judge and judge-rapporteur in the case, Thomas von Danwitz, the digital services and networking would be considerably compromised, anyways, if the CJEU would declare the current content of the SCC ineffective.

 

 

Privacy incidents cost Facebook 5 billion dollar

15. July 2019

According to a report of the Washington Post the Federal Trade Commission (FTC) has approved a $ 5 billion (approx. € 4,4 billion) settlement with Facebook. The settlement was reached between the FTC and Facebook due to various Data Protection incidents, in particular the Cambridge Analytica scandal.

The settlement relies on a three to two vote – the FTC’s three republicans supported the fine the two democrats were against ist – and terminates the procedure for investigating Facebook’s privacy violations against users’ personal information. The fine of $ 5 billion is the highest fine ever assessed against a tech company, but even if it sounds like a very high fine, it only corresponds to the amount of the monthly turnover and is therefore not very high in relative terms. So far, the highest fine was $ 22,5 million for Google in 2012.

The decision of the FTC needs to be approved by the Justice Department. As a rule, however, this is a formality.

This is not the first fine Facebook has to accept in connection with various data protection incidents and certainly not the last. Investigations against Facebook are still ongoing in Spain as well as in Germany. In addition, Facebook has been criticized for quit some time for privacy incidents.

Record fine by ICO for British Airways data breach

11. July 2019

After a data breach in 2018, which affected 500 000 customers, British Airways (BA) has now been fined a record £183m by the UK’s Information Commissioners Office (ICO). According to the BBC, Alex Cruz, chairman and CEO of British Airways, said he was “surprised and disappointed” by the ICO’s initial findings.

The breach happened by a hacking attack that managed to get a script on to the BA website. Unsuspecting users trying to access the BA website had been diverted to a false website, which collected their information. This information included e-mailaddresses, names and credit card information. While BA had stated that they would reimburse every customer that had been affected, its owner IAG declared through its chief executive that they would take “all appropriate steps to defend the airline’s position”.

The ICO said that it was the biggest penalty that they had ever handed out and made public under the new rules of the GDPR. “When an organization fails to protect personal data from loss, damage or theft, it is more than an inconvenience,” ICO Commissioner Elizabeth Dunham said to the press.

In fact, the GDPR allows companies to be fined up to 4% of their annual turnover over data protection infringements. In relation, the fine of £183m British Airways received equals to 1,5% of its worldwide turnover for the year 2017, which lies under the possible maximum of 4%.

BA can still put forth an appeal in regards to the findings and the scale of the fine, before the ICO’s final decision is made.

US Border Control – traveler photos and license plate images stolen in a data breach

11. June 2019

U.S. Customs and Border Control (CBP) announced on Monday, 10th June 2019, that photos of travelers, their cars and their license plate images were stolen during a data breach.

The network of CBP itself was not affected by the breach, but the photos were transferred to a subcontractor and stolen by a hack at the subcontractor. The name of the subcontractor was not mentioned. According to US media reports, the subcontractor is Perceptics which was hacked in May 2019.

CBP announced: “CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”  CBP has not terminated its cooperation with the hacked subcontractor despite breaches of data protection and security regulations.

CBP was informed about the breach on 31st May 2019. The breach affects nearly 100.000 people who travelled the USA. Besides the photos of travelers, their cars and license plates neither passport or other travel documents nor images of airline passengers were involved. The photos show travellers crossing either the US border to Canada or Mexico.

Until now, the hacked data could neither be found on the Internet nor in the Dark net.

San Francisco took a stand against use of facial recognition technology

15. May 2019

San Francisco is the first major city in the US that has banned the use of facial recognition software by the authorities. The Board of Supervisors decided at 14th May that the risk of violating civil rights by using such technology far outweighs the claimed benefits. According to the current vote, the municipal police and other municipal authorities may not acquire, hold or use any facial recognition technology in the future.

The proposal is due to the fact that using facial recognition software threatens to increase racial injustice and “the ability to live free from constant monitoring by the government”. Civil rights advocates and researchers warn that the technology could easily be misused to monitor immigrants, unjustly target African-Americans or low-income neighborhoods, in case governmental oversight fails.

It sent a particularly strong message to the nation, coming from a city transformed by tech, Aaron Peskin, the city supervisor who sponsored the bill said. However, the ban is part of broader legislation aiming to restrict the use of surveillance technologies. However, airports, ports or other facilities operated by the federal authorities as well as businesses and private users are explicitly excluded from the ban.

Google Introduces Automatic Deletion for Web Tracking History

7. May 2019

Google has announced on its blog that it will introduce an auto delete feature for web tracking history.

So far, users have the option to manually delete data from Google products such as YouTube or Maps. After numerous requests, however, Google follows other technology giants and revised its privacy settings. “We work to keep your data private and secure, and we’ve heard your feedback that we need to provide simple ways for you to manage or delete it,” Google writes on it’s blog.

Users will be able to choose a period for which the data should remain stored, lasting a minimum of 3 months and a maximum of 18 months. At the end of the selected period, Google will automatically delete the data on a regular basis. This option will initially be introduced for Location History and Web & App Activity data and will be available over the next few weeks, according to Google.

Google’s announcement came the day after Microsoft unveiled a set of features designed to strengthen privacy controls for its Microsoft 365 users, aimed to simplify its privacy policies.

On the same day, during Facebook’s annual developer conference, F8, Mark Zuckerberg announced a privacy roadmap for the social network.

Data of millions of US-citizens available in the internet

2. May 2019

Sensitive data of 80 million US households are unprotected available in the internet. The data are stored on an openly accessible database whose owner is unknown.

Affected are 65 % of all US households, in numbers, 80 million households. The database includes detailed information regarding the number of persons living in a household, their names, marital status, age, date of birth, residential address including GPS data for localization and household income.

The number of affected US-citizens cannot be named due to the fact, that in one household can live a different amount of people. Because of this it is possible that over 100 million people are affected.

On the basis of the accessible data an identification of individuals is easily possible because hackers or thefts of identity can find out the mailaddresses and connect this information with free accessible information from e.g. social media.

Regarding the owner of the database no information is known. It is presumed that it is a company from the health or insurance sector.

The owner need to be find, otherwise the leak cannot be closed.

Category: Cyber security · Data breach · USA

Latest Facebook Data Breach

25. April 2019

Since May 2016 Facebook uploaded email-contacts without respectively against the will of 1,5 million users.

Facebook itself discovered the mistake in March 2019 and according to it’s own statement has now corrected it. The data was uploaded unintentionally and not shared with third parties. The data will be deleted and Facebook will contact the concerned users.

Facebook was able to read the email-contacts of 1,5 million users, but the concerned amount of data subjects is a lot higher due to that many  users have thousands of contacts. Facebook denied that e-mails have been accessed by its employees. It expects a fine of three to five billion dollar in the USA.

Category: Cyber security · Data breach
Tags:
Pages: 1 2 3 4 5 Next
1 2 3 5