Category: Data Breach
18. January 2017
The United States breach notification law is not an uniformed one. There exist separate laws in each 47 states plus District Columbia.
Nowadays, this conglomerate makes law enforcement in the U.S. somewhat complicated, as it has led to tokenization among the White House, consumer groups, retailers and others („Tokenization – when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value“ – source: Wikipedia).
This way card data is being protected while transmitted from one place to another – by storage in point-to-point encryption, retailers´ computer anti-hacking systems and tokanization.
Due to the fact that any business affected by a data breach suffers reputational and financial losses, the idea of obliging every business to publicly report data breaches has raised.
For instance, to diminish the stealing of card data by thieves, retailers have called on banks to replace the U.S. antiquated magnetic stripe credit card system with chip-and-PIN cards commonly used in other parts of the world. It is believed that such a chip is difficult to counterfeit.
Even though so far there have already been taken some steps in favour of solving the data breach problem, there was still no radical step on the legal level taken.
Having it lately noticed, Mallory Duncan – general counsel of the National Retail Federation – states: „Our nation badly needs a federal data breach notification law requiring everyone to disclose their own breaches“ (…) „But a national law needs to be uniform and comprehensive, covering not just retail but telecom companies, banks, credit card companies, card processors and all other entities that handle sensitive consumer data“.
Therefore there is a thorough need for the U.S. of enacting a federal law, which would notify consumers about data breach and help to keep data from being used improperly in order to keep it unbreached. The solution is now being worked on.
13. December 2016
The ICO just released a statement saying that investigations have shown that the Royal Society for the Prevention of Cruelty to Animals, RSPCA, and the British Heart Foundation, BHF, did not act according to the Data Protection Act.
The statement explaines that these charities used to screen donors for wealth in order to increase their donations.
“The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources” is stated in the report. Furthermore, “they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.”
Elizabeth Denham, Information Commissioner, fined both charities, the RSPCA 25,000 GBP and BHF 18,000 GBP. She explained that the reason for the fining is also due to the fact that “This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information”.
27. October 2016
The Federal Trade Commision just released Guidelines on how to act in case of a data breach. These are called Data Breach Response: A Guide for Business and also include a video and a business blog.
These Guidelines state the most imprtant steps to be taken in order to protect customer information:
- securing physical areas
- removal of improperly posted information from the web
- take service providers into account
- providing breach notification
- information about whom to contact in case of a data breach eg. law enforcement, affected businesses, and individuals
Furthermore, a model data breach notification letter is also included so that companies get to know the best way to alert concerned parties about an attack.
11. October 2016
The New York Post published that Verizon, which is about to purchase Yahoo for $4.8 billion, is now asking Yahoo for a $1 billion discount.
This is due to the fact that Yahoo announced only two weeks ago that it had been hacked two years ago and that at this time usernames and passwords for 500 million accounts were stolen. Furthermore, it was revealed that Yahoo had been ordered by a secret Foreign Intelligence Surveillance Court to investigate emails for terrorist signatures under the Foreign Intelligence Surveillance Act, but not under section 702.
According to the New York Post, a source said that AOL CEO, Tim Armstrong, “is getting cold feet” due to the “lack of disclosure” and therefore he is asking “Can we get out of this or can we reduce the price?”
29. September 2016
Forbes just released an article saying that Apple invited some of the best hackers to its headquarter in Cupertino.
Among them:
- the 19-year-old teenage prodigy who was the first to jailbreak an iPhone 7, and therefore now being a world-renowned iOS hacker as well as an
- ex-NSA employee who has repeatedly found security lacks concerning Mac OS X Luca Todesco.
The meeting should have been secret and kept confidential, but unfortunately some details leaked. So for example that Apple plans to brief them on the launch of its bug bounty program. The hackers will be rewarded with up to $200,000 in case they can provide Apple with information on vulnerabilities about its laptops and phones. Furthermore, the mentioned program is expected to be put into effect before the end of the month due to the fact that this has been promised at the Black Hat security conference in Las Vegas last months. Nevertheless, Apple pursues an invite-only list-strategy in order to get quality over quantity.
22. September 2016
This week, heise-online reported that after last years attack on the German Parliament, this year on the 15th and 24th August the offices of several members of Parliament as well as their employees were targeted again in a new attack.
Emails containing malware were sent to the respective politicians. The Emails were supposedly sent by Heinrich Krammer working for the NATO-Headquarter.
The German Federal Office for Information Security (BSI) stated that the attacks probably originated from Russia. The BSI believes that the attacks might be linked to the hacking of private emails from Hillary Clinton’s campaign team in the US earlier this year.
The BSI assumes that the hackers might have been looking for potentially damaging information which could be released a few weeks before elections next year in an attempt to influence the result.
15. September 2016
Although it is difficult to predict the exact costs of a data breach as it depend on the individual case, the new Ponemon-IBM study tries to examine the costs arising in such a case.
The results can be summed up so that
- the average breach caused $4 million in damage or in other words
- roughly $158 per lost record have to be paid.
Privacy Ref, Bob Siegel tried to analyze what a data breach would cost for individual organizations as a part of a project with St. Joseph’s University professor Ronald Klimberg. For this projects undergraduate data analytics students compete to create the best metric in order to predict the impact of a data breach on an organization.
19. August 2016
The ICO fined Hampshire County Council with 100,000 GBP due to a data breach.
The fine was the result of missing measures protecting personal information against unauthorized access: Documents containing personal information of more than 100 data subjects were stored in an abandoned building. Furthermore, 45 bags of confidential waste were also found.
Hampshire County Council released a statement saying that “We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site”.
Furthermore the statemet points out that “Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings.”
The statement highlights that Hampshire County Council reported the incident to the ICO as soon as they became aware of it and that they have cooperated fully at all stages of the ICO’s investigation.
11. August 2016
The Ponemon Institute has recently published a study about security gaps and the protection of corporate data. The study was carried within U.S. and European organizations in France, Germany and the United Kingdom. The study aims at identifying gaps in organizations that may lead to data breaches.
The study reveals data theft by “insiders” as being the main reason for data breaches within organizations. A vast majority of the participants stated that their organization had suffered from such insider theft over the past two years.
Furthermore, respondents of the IT field confirmed that insider theft is twice more likely to compromise corporate information as any other external attack. Regarding this, the study reveals that data breaches by insiders is increasing due to the fact that employees require wide access rights to perform their job and, therefore, they have access to confidential and sensitive information of their organization.
The report suggests that companies should improve their tracking possibilities, in order to identify access and use of data by its employees and to detect in a shorter timeframe the intents of employees to access information and data which they are not authorized to see.
22. July 2016
The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.
Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next 
