Category: Data breach

Persumed hacker attack on German politicians

22. September 2016

This week, heise-online reported that after last years attack on the German Parliament, this year on the 15th and 24th August the offices of several members of Parliament as well as their employees were targeted again in a new attack.

Emails containing malware were sent to the respective politicians. The Emails were supposedly sent by Heinrich Krammer working for the NATO-Headquarter.

The German Federal Office for Information Security (BSI) stated that the attacks probably originated from Russia. The BSI believes that the attacks might be linked to the hacking of private emails from Hillary Clinton’s campaign team in the US earlier this year.

The BSI assumes that the hackers might have been looking for potentially damaging information which could be released a few weeks before elections next year in an attempt to influence the result.

 

Category: Data breach · USA
Tags: , ,

Data breach: What are the costs?

15. September 2016

Although it is difficult to predict the exact costs of a data breach as it depend on the individual case, the new Ponemon-IBM study tries to examine the costs arising in such a case.

The results can be summed up so that

  • the average breach caused $4 million in damage or in other words
  • roughly $158 per lost record have to be paid.

Privacy Ref, Bob Siegel tried to analyze what a data breach would cost for individual organizations as a part of a project with St. Joseph’s University professor Ronald Klimberg. For this projects undergraduate data analytics students compete to create the best metric in order to predict the impact of a data breach on an organization.

Category: Data breach
Tags: ,

ICO fined Hampshire County Council with 100,000 GBP

19. August 2016

The ICO fined Hampshire County Council with 100,000 GBP due to a data breach.

The fine was the result of missing measures protecting personal information against unauthorized access: Documents containing personal information of more than 100 data subjects were stored in an abandoned building. Furthermore, 45 bags of confidential waste were also found.

Hampshire County Council released a statement saying that “We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site”.

Furthermore the statemet points out that “Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings.”

The statement highlights that Hampshire County Council reported the incident to the ICO as soon as they became aware of it and that they have cooperated fully at all stages of the ICO’s investigation.

Category: Countries · Data breach · UK
Tags:

Main cause for data breaches in organizations: data theft by „insiders“

11. August 2016

The Ponemon Institute has recently published a study about security gaps and the protection of corporate data. The study was carried within U.S. and European organizations in France, Germany and the United Kingdom. The study aims at identifying gaps in organizations that may lead to data breaches.

The study reveals data theft by “insiders” as being the main reason for data breaches within organizations. A vast majority of the participants stated that their organization had suffered from such insider theft over the past two years.

Furthermore, respondents of the IT field confirmed that insider theft is twice more likely to compromise corporate information as any other external attack. Regarding this, the study reveals that data breaches by insiders is increasing due to the fact that employees require wide access rights to perform their job and, therefore, they have access to confidential and sensitive information of their organization.

The report suggests that companies should improve their tracking possibilities, in order to identify access and use of data by its employees and to detect in a shorter timeframe the intents of employees to access information and data which they are not authorized to see.

In order to prepare for the GDPR the ICO advises companies to establish internal data breach procedures

22. July 2016

The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.

Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.

A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

The new Dutch data breach notification obligation: 1.500 notifications in 2016

17. May 2016

From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:

  • Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
  • Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.

According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.

In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:

  • Loss of devices that were not encrypted; or
  • Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
  • Insecure transfer of information, especially related to sensitive data; or
  • The access by unauthorized third parties to data bases and personal data.

This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.

Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.

The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.

 

Serious data breach in HIV clinic in London

11. May 2016

A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.

Spotify denies having suffered a data breach

29. April 2016

During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.

However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.

Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.

Category: Data breach · General
Tags:
Pages: Prev 1 2 3 4 5 6
1 4 5 6