Category: Data Breach
2. July 2018
According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.
The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.
Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.
To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.
The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.
It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.
1. June 2018
On the 25th of May, the day the General Data Protection Regulation (GDPR) came into force, noyb.eu filed four complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook.
The complaints filed by the organisation (None Of Your Business) led by Austrian activist Schrems could result in penalties worth up to 7 billion euros. Max Schrems has been fighting Facebook over data protection issues for almost ten years. His earlier lawsuit challenged Facebook’s ability to transfer data from the European Union to the United States (“Safe Harbor”).
The activist alleged that people were not given a “free choice” whether to allow companies to use their data. Noyb.eu bases its opinion on the distinction between necessary and unnecessary data usage. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.” (See https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf) The organisation also claims that under Art. 7 (4) of the GDPR forced consent is prohibited.
The broadly similar complaints have been filed in authorities in various countries, regardless of where the companies have their headquarters. Google (Android) in France (data protection authority: CNIL) with a maximum possible penalty in the amount of 3.7 billion euro although its headquarter is in the USA. Instagram (Facebook) in Belgium (DPA). WhatsApp in Hamburg (HmbBfDI) and Facebook in Austria (DSB). All of these last three have their headquarters in Ireland and could face a maximum possible penalty in the amount of 1.3 billion euro.
9. May 2018
Pursuant to Art. 35 of the General Data Protection Regulation (GDPR) the controller of personal data shall carry out an assessment of the impact of the data processing that takes place in the controller’s responsibility. That means mostly, to anticipate the possible data breaches and to fulfil the requirements of the GDPR before the personal data is processed.
Even if the date of enforcement of the GDPR (25th May 2018) comes closer and closer, just a few of the EU member states are well-prepared. Only Austria, Belgium, Germany, Slovakia and Sweden have enact laws for the implementation of the new data protection rules. Additional to this legislation the national data protection authorities have to publish some advises on how to rule a DPIA. Pursuant to Art. 35 (4) sent. 2 GDPR these handbooks on DPIA’s should be gathered by the European Data Protection Board for an equal European-wide data protection level. The Board as well seems not to work yet, as the Article 29 Working Part (WP29) is still the official authority.
But at least, Belgium and Germany have published their DPIA recommendations and listed processes for which a DPIA is required, pursuant to Art. 35 (4) GDPR, and in which cases a DPIA is not required, see Art. 35 (5) GDPR.
For example, in the following cases the Belgian authority requires a DPIA:
- Processing, that involves biometric data uniquely identifying in a space—public or private—which is publicly open,
- Personal data from a third party that determines whether an applicant is hired or fired,
- Personal data collected without given consent by the data subject (e.g. electronic devices like smart phones, auditory, and/or video devices),
- Processing done by medical implant. This data may be an infringement of rights and freedoms.
- Personal data that affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals),
- Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.
5. January 2018
A billion people in India may be victims of identity theft. The Tribune newspaper uncovered a security breach in the country’s vast biometric database. The database contains personal data of almost every citizen in India. The biometric ID program called Aadhaar is a flagship policy of Prime Minister Narendra Modi against corruption.
The reporters of the newspaper were able to access names, email addresses, phone numbers and postal codes by typing in 12-digit unique identification numbers of people in the government’s database, after paying about 6,50 € ($8, 500 rupees).
The seller also sold software to print out unique identification cards, called Aadhaar cards that can be used to access various government services.
The seller had gained access to the database through former workers who were initially tasked with making the Aadhaar cards.
India’s Unique Identification Authority said in an official statement “Claims of bypassing or duping the Aadhaar enrollment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.” The governing Party officially tweeted that the report was fake news.
28. December 2017
As reported in August of this year, the Indian Supreme Court (SC) acknowledged that the right to privacy is “intrinsic to life and liberty” and is “inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.”
In the same context, the SC had announced it will be hearing petitions on Aadhaar related matters (the term – meaning “foundation” – stands for a 12 digit unique-identity number supposedly issued to all Indian residents based on their biometric and demographic data) in November.
According to a Bloomberg report, India’a Prime Minister Narendra Modi is calling for an expansion of Aadhaar, even though its constitutionality is still to be debated. The SC has set January 10th as the beginning of the final hearings.
While officials say Aadhaar is saving the government billions of dollars by better targeting beneficiaries of subsidized food and cash transfers, critics point to unfair exclusions and data leaks. The latter on the one hand also fear that the database might lead India into becoming a state of surveillance. On the other hand, they are concerned about the high risk of major leaks, such as the ones reported by a news agency in India, the PTI (Press Trust of India): “Personal details of several Aadhaar users were made public on over 200 central and state government websites.”
Meanwhile, Medianama, a source of information and analysis on Digital and Telecom businesses in India, has launched a list of already compromised leaks and encourages people to point out any similar incidents.
22. December 2017
In 2015, a data breach occurred at 21st Century Oncology (21stCO), one of the leading providers of cancer care services in the USA, potentially affecting names, social security numbers, medical diagnoses and health insurance information of at least 2.2 million patients.
On its website, the provider had announced in 2016 that one of its databases was inappropriately accessed by an unauthorized third party, though an FBI investigation had already detected an attack as early as October 2015. The FBI, however, requested 21stCO to delay the notification because of ongoing federal investigations.
21stCO had then stated that ““we continue to work closely with the FBI on its investigation of the intrusion into our system” and “in addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.” To make amends for the security gap patients had been offered one year of free credit monitoring services.
Nevertheless, the provider now has to pay a fine worth 2.3 million dollars as settled with the Office for Civil Rights (OCR; part of the U.S. Department of Health and Human Services).
It has been accused of not implementing appropriate security measures and procedures to regularly review information system activity such as access or security incident reports, despite the disclosure by the FBI.
The OCR further stated that “the organization also disclosed protected health information to its business associates without having a proper business associate agreement in place”.
The settlement additionally requires 21stCO to set up a corrective action plan including the appointment of a compliance representative, completion of risk analysis and management, revision of cybersecurity policies, an internal breach reporting plan and overall in-depth IT-security. The organization will, in addition, need to maintain all relevant documents and records for six years, so the OCR can inspect and copy the documents if necessary.
Following the settlement, District Attorney Stephen Muldrow stated “we appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”
22. November 2017
Uber just admitted that hackers stole personal data of 50 million Uber customers and 7 million drivers. The data breach happened in October 2016, over a year ago, but was only published this week.
The data include names, e-mail addresses, phone numbers and the license numbers of 600.000 drivers. According to Uber neither social security numbers, nor credit card information, or trip location details were taken.
Uber did not disclose the data breach to public, as required by data protection law, but paid the hackers 100.000,00 $ to delete the information. Uber assumes that the data was not used.
Referring to Uber the hackers came in through a badly protected database in a cloud service to the data. Uber security Chief Joe Sullivan and another manager lost their jobs.
This data breach wasn’t the first incident that happened to Uber. Uber has a well-documented history of abusing consumer privacy.
Uber said it has hired Matt Olsen, former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. He will help the company restructure its security teams.
11. September 2017
The consumer credit reporting agency Equifax has been hacked in the middle of May. The operators have noticed the breach much later, on 29th July. The public has learned about the breach just last week on Thursday, 7th September.
The breach potentially affects the sensitive data of approximately 143 million consumers. Data concerned are the consumer’s name, social security numbers, birth dates, addresses and in some cases driver’s license numbers. As well as credit card numbers for 209.000 U.S. consumers and other dispute documents that contained identifying information for 182.000 consumers.
Not only the US is concerned. A hired third-party cybersecurity company also found some residents of the U.K. and Canada.
The Equifax Chairman and CEO Rick Smith announced steps Equifax is taking at the moment to respond on the breach and is working with authorities.
2. March 2017
Yet another toy maker named Spiral Toys hit the headlines. The company suffered a big data breach with its stuffed animals called CloudPets resulting in the disclosure of 800,000 users’ personal data such as email addresses, passwords, profile pictures and 2 million voice recordings.
Spiral Toys’ CloudPets are able to connect to an app on a smartphone via Bluetooth so that parents can provide the toy with voice messages for their children.
The personal data were stored in an online database without authentication requirements so that hackers could easily access the database. According to Troy Hunt, a web security expert, the passwords were encrypted but Spiral Toys set no requirements for the password strength. That means hackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.
Spiral Toys’ Mark Meyers denied that voice records were stolen. Still the company wants to increase the requirements for the password strength after the data breach was made public.
Both the decision of the German Federal Network Agency to take the doll “My friend Cayla” off the market in Germany and the data breach suffered by Spiral Toys, show that the privacy concerns smart toy producers are exposed to, should be taken seriously.
14. February 2017
Last month, the Pennsylvania Superior Court dismissed a class action lawsuit, which was filed against the University of Pittsburg Medical Center and ruled that the University has no responsibility in protecting employee data.
In this incident, the following data was compromised: dates of birth, names, social security numbers, addresses, salary, tax and bank information.
According to the court documents, the University had a breach in 2014, which finally resulted in approximately 788 tax fraud victims by compromising the information of nearly 62,000 UMPC employees.
Even though the University of Pittsburg Medical Center has been ruled not to have any legal duty to protect the personal and financial information of its employees under state law, the ruling is contradictory to a similar case of Texas hospital, which was penalized $3.2 million after a breach of data.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next 
