Category: Data breach

How to rule a Data Protection Impact Assessment (DPIA)?

9. May 2018

Pursuant to Art. 35 of the General Data Protection Regulation (GDPR) the controller of personal data shall carry out an assessment of the impact of the data processing that takes place in the controller’s responsibility. That means mostly, to anticipate the possible data breaches and to fulfil the requirements of the GDPR before the personal data is processed.

Even if the date of enforcement of the GDPR (25th May 2018) comes closer and closer, just a few of the EU member states are well-prepared. Only Austria, Belgium, Germany, Slovakia and Sweden have enact laws for the implementation of the new data protection rules. Additional to this legislation the national data protection authorities have to publish some advises on how to rule a DPIA. Pursuant to Art. 35 (4) sent. 2 GDPR these handbooks on DPIA’s should be gathered by the European Data Protection Board for an equal European-wide data protection level. The Board as well seems not to work yet, as the Article 29 Working Part (WP29) is still the official authority.

But at least, Belgium and Germany have published their DPIA recommendations and listed processes for which a DPIA is required, pursuant to Art. 35 (4) GDPR, and in which cases a DPIA is not required, see Art. 35 (5) GDPR.

For example, in the following cases the Belgian authority requires a DPIA:

  • Processing, that involves biometric data uniquely identifying in a space—public or private—which is publicly open,
  • Personal data from a third party that determines whether an applicant is hired or fired,
  • Personal data collected without given consent by the data subject (e.g. electronic devices like smart phones, auditory, and/or video devices),
  • Processing done by medical implant. This data may be an infringement of rights and freedoms.
  • Personal data that affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals),
  • Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.
Category: Article 29 WP · Belgium · Data breach · EU · GDPR

Risk of identity theft for a billion people in India

5. January 2018

A billion people in India may be victims of identity theft. The Tribune newspaper uncovered a security breach in the country’s vast biometric database. The database contains personal data of almost every citizen in India. The biometric ID program called Aadhaar is a flagship policy of Prime Minister Narendra Modi against corruption.
The reporters of the newspaper were able to access names, email addresses, phone numbers and postal codes by typing in 12-digit unique identification numbers of people in the government’s database, after paying about 6,50 € ($8, 500 rupees).
The seller also sold software to print out unique identification cards, called Aadhaar cards that can be used to access various government services.
The seller had gained access to the database through former workers who were initially tasked with making the Aadhaar cards.
India’s Unique Identification Authority said in an official statement “Claims of bypassing or duping the Aadhaar enrollment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.” The governing Party officially tweeted that the report was fake news.

Indian government urges people to sign up to Aadhaar – the world’s largest biometric ID system – while the Supreme Court still needs to determine its legality

28. December 2017

As reported in August of this year, the Indian Supreme Court (SC) acknowledged that the right to privacy is “intrinsic to life and liberty” and is “inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.”

In the same context, the SC had announced it will be hearing petitions on Aadhaar related matters (the term – meaning “foundation” – stands for a 12 digit unique-identity number supposedly issued to all Indian residents based on their biometric and demographic data) in November.

According to a Bloomberg report, India’a Prime Minister Narendra Modi is calling for an expansion of Aadhaar, even though its constitutionality is still to be debated. The SC has set January 10th as the beginning of the final hearings.

While officials say Aadhaar is saving the government billions of dollars by better targeting beneficiaries of subsidized food and cash transfers, critics point to unfair exclusions and data leaks. The latter on the one hand also fear that the database might lead India into becoming a state of surveillance. On the other hand, they are concerned about the high risk of major leaks, such as the ones reported by a news agency in India, the PTI (Press Trust of India): “Personal details of several Aadhaar users were made public on over 200 central and state government websites.”

Meanwhile, Medianama, a source of information and analysis on Digital and Telecom businesses in India, has launched a list of already compromised leaks and encourages people to point out any similar incidents.

Category: Data breach · General · India · Personal Data
Tags: ,

Cancer Care Organization settles for 2.3 Mio $ after Data Breach

22. December 2017

In 2015, a data breach occurred at 21st Century Oncology  (21stCO), one of the leading providers of cancer care services in the USA, potentially affecting names, social security numbers, medical diagnoses and health insurance information of at least 2.2 million patients.

On its website, the provider had announced in 2016 that one of its databases was inappropriately accessed by an unauthorized third party, though an FBI investigation had already detected an attack as early as October 2015. The FBI, however, requested 21stCO to delay the notification because of ongoing federal investigations.

21stCO had then stated that ““we continue to work closely with the FBI on its investigation of the intrusion into our system” and “in addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.” To make amends for the security gap patients had been offered one year of free credit monitoring services.

Nevertheless, the provider now has to pay a fine worth 2.3 million dollars as settled with the Office for Civil Rights (OCR; part of the U.S. Department of Health and Human Services).

It has been accused of not implementing appropriate security measures and procedures to regularly review information system activity such as access or security incident reports, despite the disclosure by the FBI.

The OCR further stated that “the organization also disclosed protected health information to its business associates without having a proper business associate agreement in place”.

The settlement additionally requires 21stCO to set up a corrective action plan including the appointment of a compliance representative, completion of risk analysis and management, revision of cybersecurity policies, an internal breach reporting plan and overall in-depth IT-security. The organization will, in addition, need to maintain all relevant documents and records for six years, so the OCR can inspect and copy the documents if necessary.

Following the settlement, District Attorney Stephen Muldrow stated “we appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”

Uber hid massive data breach

22. November 2017

Uber just admitted that hackers stole personal data of 50 million Uber customers and 7 million drivers. The data breach happened in October 2016, over a year ago, but was only published this week.

The data include names, e-mail addresses, phone numbers and the license numbers of 600.000 drivers. According to Uber neither social security numbers, nor credit card information, or trip location details were taken.

Uber did not disclose the data breach to public, as required by data protection law, but paid the hackers 100.000,00 $ to delete the information. Uber assumes that the data was not used.

Referring to Uber the hackers came in through a badly protected database in a cloud service to the data. Uber security Chief Joe Sullivan and another manager lost their jobs.

This data breach wasn’t the first incident that happened to Uber. Uber has a well-documented history of abusing consumer privacy.

Uber said it has hired Matt Olsen, former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser.  He will help the company restructure its security teams.

Category: Cyber security · Data breach · USA
Tags:

Credit Bureau Equifax has been hacked

11. September 2017

The consumer credit reporting agency Equifax has been hacked in the middle of May. The operators have noticed the breach much later, on 29th July. The public has learned about the breach just last week on Thursday, 7th September.

The breach potentially affects the sensitive data of approximately 143 million consumers. Data concerned are the consumer’s name, social security numbers, birth dates, addresses and in some cases driver’s license numbers. As well as credit card numbers for 209.000 U.S. consumers and other dispute documents that contained identifying information for 182.000 consumers.

Not only the US is concerned. A hired third-party cybersecurity company also found some residents of the U.K. and Canada.

The Equifax Chairman and CEO Rick Smith announced steps Equifax is taking at the moment to respond on the breach and is working with authorities.

Category: Data breach · General · USA
Tags:

Hundreds of thousands of users affected by CloudPets data breach

2. March 2017

Yet another toy maker named Spiral Toys hit the headlines. The company suffered a big data breach with its stuffed animals called CloudPets resulting in the disclosure of 800,000 users’ personal data such as email addresses, passwords, profile pictures and 2 million voice recordings.

Spiral Toys’ CloudPets are able to connect to an app on a smartphone via Bluetooth so that parents can provide the toy with voice messages for their children.

The personal data were stored in an online database without authentication requirements so that hackers could easily access the database. According to Troy Hunt, a web security expert, the passwords were encrypted but Spiral Toys set no requirements for the password strength. That means hackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.

Spiral Toys’ Mark Meyers denied that voice records were stolen. Still the company wants to increase the requirements for the password strength after the data breach was made public.

Both the decision of the German Federal Network Agency to take the doll “My friend Cayla” off the market in Germany and the data breach suffered by Spiral Toys, show that the privacy concerns smart toy producers are exposed to, should be taken seriously.

University of Pittsburgh Medical Center found not responsible for employee data securance

14. February 2017

Last month, the Pennsylvania Superior Court dismissed a class action lawsuit, which was filed against the University of Pittsburg Medical Center and ruled that the University has no responsibility in protecting employee data.

In this incident, the following data was compromised: dates of birth, names, social security numbers, addresses, salary, tax and bank information.

According to the court documents, the University had a breach in 2014, which finally resulted in approximately 788 tax fraud victims by compromising the information of nearly 62,000 UMPC employees.

Even though the University of Pittsburg Medical Center has been ruled not to have any legal duty to protect the personal and financial information of its employees under state law, the ruling is contradictory to a similar case of Texas hospital, which was penalized $3.2 million after a breach of data.

Category: Data breach · Personal Data · USA

News on federal data breach notification law in the U.S.

18. January 2017

The United States breach notification law is not an uniformed one. There exist separate laws in each 47 states plus District Columbia.

Nowadays, this conglomerate makes law enforcement in the U.S. somewhat complicated, as it has led to tokenization among the White House, consumer groups, retailers and others („Tokenization – when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value“ – source: Wikipedia).

This way card data is being protected while transmitted from one place to another – by storage in point-to-point encryption, retailers´ computer anti-hacking systems and tokanization.

Due to the fact that any business affected by a data breach suffers reputational and financial losses, the idea of obliging every business to publicly report data breaches has raised.

For instance, to diminish the stealing of card data by thieves, retailers have called on banks to replace the U.S. antiquated magnetic stripe credit card system with chip-and-PIN cards commonly used in other parts of the world. It is believed that such a chip is difficult to counterfeit.

Even though so far there have already been taken some steps in favour of solving the data breach problem, there was still no radical step on the legal level taken.

Having it lately noticed, Mallory Duncan – general counsel of the National Retail Federation – states: „Our nation badly needs a federal data breach notification law requiring everyone to disclose their own breaches“ (…) „But a national law needs to be uniform and comprehensive, covering not just retail but telecom companies, banks, credit card companies, card processors and all other entities that handle sensitive consumer data“.

Therefore there is a thorough need for the U.S. of enacting a federal law, which would notify consumers about data breach and help to keep data from being used improperly in order to keep it unbreached. The solution is now being worked on.

ICO fines charities with a total of 43,000 GBP

13. December 2016

The ICO just released a statement saying that investigations have shown that the Royal Society for the Prevention of Cruelty to Animals, RSPCA, and the British Heart Foundation, BHF, did not act according to the Data Protection Act.

The statement explaines that these charities used to screen donors for wealth in order to increase their donations.

“The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources” is stated in the report. Furthermore, “they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.”

Elizabeth Denham, Information Commissioner, fined both charities, the RSPCA 25,000 GBP and BHF 18,000 GBP. She explained that the reason for the fining is also due to the fact that “This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information”.

Category: Data breach · UK
Tags:
Pages: 1 2 3 Next
1 2 3