Serious data breach in HIV clinic in London

11. May 2016

A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.

Is an exam personal data?

EU data protection legislation has been lately updated in several aspects. Last week, the GDPR was finally published in the Official Journal of the EU, also the Passenger Name Record (PNR) Directive and the Directive related to criminal records held by authorities have been published in the Official Journal of the EU.

In this evolving landscape, new questions related to the application of EU data protection legislation are arising. Recently, the Irish Supreme Court raised a question to the ECJ related to the scope of application of the definition of personal data. A man that took an accounting exam exercised his right to data subject access request regarding this exam on the basis of Irish Data Protection Laws. However, this access request was refused based on the argument that the data he wrote on the accounting exam could not be referred to as “personal data”, as it was not his “own” personal data, but data related to the subject of the exam in question.

According to the EU definition, personal data is “any information relating to an identified or identifiable natural person”. The scope of this definition is essential in order to determine if data protection laws are applicable or not. In this case, the ECJ will have to answer to this question in a preliminary ruling. In a similar case, an applicant for a Dutch residence permit exercised an access request, which had been refused. The refusal was based on a legal opinion. The ECJ stated that a legal opinion refers to a situation and not to personal data. However, counter-arguments may be given in order to support the inclusion of an exam in the definition of personal data, such as the person´s handwriting or the remarks of the examiner that may be related to the person who wrote the exam, etc.

The ECJ will have to decide whether such data is subject to data protection legislation and, therefore, the data subject access request should be accepted.

Twitter blocks U.S. Intelligence Agencies from Dataminr service

10. May 2016

Dataminr is used as a tool that analyzes and traces social media posts and notifies users about breaking news in real time, such as the terror attack in Brussel´s airport in March. This analysis is carried out by using key words, patterns, or geotags.

Twitter, that owns 5% of Dataminr, has now blocked U.S. intelligence services from its Dataminr service, in order not to appear to support the surveillance activities of the U.S. Intelligence services.

Dataminr services where used by the American Government in 2013 to detect any risks on the inauguration of U.S. President Obama´s second term. However, it is not clear how Dataminr provided this service to the U.S. Intelligence services, as Twitter´s privacy policy prohibits selling its data to governmental agencies.

Category: General · USA
Tags: ,

GDPR published in the Official Journal of the EU

9. May 2016

After the EU Parliament voted the final draft of the GDPR on April 14th and the EU Commission signed it, the GDPR was finally published in the Official Journal of the EU on May 4th. The GDPR will harmonize several aspects of data protection in order to achieve a higher data protection level within the EU.

The Regulation will enter into force 20 days after publication in the Official Journal of the EU but will be directly applicable two years after its entry into force, this is ending May 2018. This means that organizations have two years to implement the provisions of the GDPR and be compliant.

Korea updates its Data Protection Act

4. May 2016

Korea´s Personal Information Protection Act (“PIPA”) has been recently updated. The modifications reflect the increasing importance of privacy and data protection issues in this country. The most relevant amendments refer to the following points:

  • The legal grounds for the processing of RRN (Residence Registration Number) and the applicable security measures have been strengthened. It will be possible to process RRN data only in the cases stipulated by law. Moreover, it is mandatory to encrypt this data. However, this will be done gradually depending on the number of RRN held by the data controller. Inspections will be also carried out by the competent authorities.
  • The technical and organizational security measures that should be implemented have been also strengthened regarding sensitive information.
  • A notification obligation to data subjects regarding third party transfers has been also introduced. The notification should include the organization from which the data was received and the purposes for which the personal data will be used by the recipient. Previously, the data controller was the responsible for informing and obtaining consent from data subjects regarding data transfers to third parties, or the recipients upon the data subject´s request.
  • The amount of fines will increase considerably in cases of data breach (loss, theft, destruction, alteration etc.) and data subjects affected by the data breach will do not even have to prove actual damages.

Additionally, the Act on the Promotion of IT Network Use and Information Protection (IT Network Act) has been updated and will enter into force in September 2016. This Act relates to telecommunications service providers and the amendments aim at enforcing security of IT networks and of data protection

Spotify denies having suffered a data breach

29. April 2016

During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.

However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.

Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.

Category: Data breach · General
Tags:

U.S. House of Representatives passes Email Privacy Bill

The U.S. House of Representatives voted unanimously on Wednesday about the Email Privacy Bill. The bill aims at updating the current Electronic Communications Privacy Act (ECPA) from 1986. Under the ECPA, U.S. Authorities can access email communications directly from service providers with just a subpoena, if data is more than 180 old. However, under the new Email Privacy Act, they will need furthermore a warrant to access emails or other electronic communications no matter how old they are.

Currently, access to electronic communications from U.S. authorities is being subject to debate at an international level. Specially, after some weeks ago the FBI requested Apple to develop a software that allows to extract data from an iPhone device that belonged to the San Bernardino terrorist.

The Email Privacy Bill will have to be voted by the Senate, but the position of the upper chamber towards the bill is still not clear.

Category: USA
Tags: ,

Data from dating website stolen and sold

28. April 2016

As BBC just reported the data of more than a million members of the dating website www.beauftifulpeole.com has been sold online. The traded data not only included the weight, height, job, and phone numbers of members but further more income, sexual preferences, smoking and drinking habits and relationship status. The firm stated that the data belonged to members, who joined before July 2015 and that no passwords or financial information were included.

The data has now been sold on the online black market, said security expert Troy Hunt, an Australian security expert, who runs the website HaveIBeenPwned.com, where people can verify whether their data has been leaked. Although he does not know exactly where or for how much money the data was sold, he stated that by selling data tens of thousands of dollars can be earned, bearing in mind that the data originally can cost as little as $300.

Chris Vickery, security researcher, told the BBC that the affected company acted quickly after notifying them that he had discovered it. However, the data had then already been sold. He went on by saying that “they published it openly to the world with no protection whatsoever”. This is a contradiction to the company’s statement that the content was from a test server. Therefore, Vickery added that “whether or not it’s in the test database makes no difference if it’s real data”. His analysis is further supported as a second researcher had identified the same weakness on the same day.

However in a statement BeautifulPeople said that “the breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected”.

David Emm, principal security researcher at Kaspersky Lab commented on the stolen and sold data by summarizing “now it’s public, cybercriminals have the opportunity to use this information to steal personal identities or more” and added “unfortunately, once a breach of this nature has been made, there is not much that can be done.”

Emm went by giving the advise that “organisations need to take action and use more data, analytical insights and triangulation of multiple-identity proofing techniques to minimise the potential effects of identity theft for both the user and the businesses serving them”.

 

Category: USA
Tags:

FBI paid probably more than 1 Million for cracking San Bernardino iPhone

26. April 2016

NBC News reports that FBI Director James Comey might have disclosed how much the agency spent for cracking the iPhone of the San Bernardino attackers.

Comey commented on the case so that the organization paid “a lot, more than I will make in the remainder of this job, which is seven years and four months, for sure” at a security conference in London. He went on that it “was in my view worth it” and that the FBI will now be able to crack any other iPhone 5s with IOS 9 by using the developed software.

Based on this given timeframe and by multiplying his salary of $180,000 per year, NBC News comes to a figure of $1.3 million. However, there was no official comment on part of the FBI.

Category: USA
Tags: , ,

After the GDPR, the ePrivacy Directive as next step on the EU Agenda

The EU Parliament approved some weeks ago the new General Data Protection Regulation (GDPR). As a next step, the EU Commission has launched a public consultation on the evaluation and review of the ePrivacy Directive, as part of the Digital Single Market Strategy proposed by the EU Commission in May 2015. The consultation started on the 12th April and will be open until the 5th July 2016.

The current ePrivacy Directive was initially adopted for the telecoms sector. However, most of the EU Member States have also extended its application to other sectors. This Directive is also known as “cookie law”, but it also regulates the confidentiality of communications, the obligation to notify data breaches, the scope and definition of unsolicited communications, etc.

The “update” of the ePrivacy Directive is necessary in order to achieve a higher harmonization at all levels, including the field of electronic communications, and to complement the GDPR. The head of unit for policy and consultation at the EU Data Protection Supervisor, Sophie Louveaux, unofficially stated that the modification of the ePrivacy Directive is a priority regarding privacy issues and that a “full coherence” between the GDPR and the ePrivacy Directive should be achieved.

The legislative proposal for a new ePrivacy Directive is expected by the end of 2016.

Pages: Prev 1 2 3 ... 18 19 20 21 22 23 24 25 26 27 28 Next
1 22 23 24 25 26 28