Massive data breach in Sweden: Millions of Health Hotline Calls exposed online

22. February 2019

Recently around 2.7 million sensitive phone calls were uncovered by Swedish technology news site Computer Sweden. In total, 170,000 hours of conversation were available online on an unencrypted web server. The server had no login mechanism so the recorded calls could be accessed freely.

Sweden operates a national health advice line (1177), which is run by Swedish company Medhelp. For out-of-hour calls they subcontract with a Thailand-based firm called Medicall. According to repords, most of the uncovered calls were made outside the regular times and therefore answered by Medicall. A request from the BBC left Medicall unanswered.

The uncovered data is extremely private as People usually call 1177 seeking medical advice, talking about their symptoms, their kids’ illnesses and giving out their social security number.
The Swedish Data Protection Authority is currently investigating the case.

Australia: Parliament and Parties hacked

18. February 2019

Prime Minister Scott Morrison reports that the governing Liberal Party of Australia and the governing National Party of Australia as well as the strongest opposition party, Labor Party were the target of an cyber attack on Parliament’s server. It is assumed that the server was attacked by a foreign government. Not affected by the breach were the ministers an their offices because they operate on different computer servers.

The attack was discovered on the 8th of February 2019 during an investigation of a breach of Parliament House’s computer. According to the statement of the nation’s chief cyber security adviser, Alistair MacGibbon, who is the head of the Australian Cyber Security Centre, it is too early to tell whether and what information the hackers had accessed.

At the moment, election influences of the upcoming nationwide elections can be excluded.

As a first measure the security agency reset passwords after detecting the breach so that the politicians and their staff lost access to their emails.

 

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

Apple advises app developer to reveal or remove code for screen recording

12. February 2019

After TechCrunch initiated investigations that revealed that numerous apps were recording screen usage, Apple called on app developers to remove or at least disclose the screen recording code.

TechCrunch’s investigation revealed that many large companies commission Glassbox, a customer experience analytics firm, to be able to view their users’ screens and thus follow and track keyboard entries and understand in which way the user uses the app. It turned out that during the replay of the session some fields that should have been masked were not masked, so that certain sensitive data, like passport numbers and credit card numbers, could be seen. Furthermore, none of the apps examined informed their users that the screen was being recorded while using the app. Therefore, no specific consent was obtained nor was any reference made to screen recording in the apps’ privacy policy.

Based on these findings, Apple immediately asked the app developers to remove or properly disclose the analytics code that enables them to record screen usage. Apples App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. In addition, Apple expressly prohibits the covert recording without the consent of the app users.

According to TechCrunch, Apple has already pointed out to some app developers that they have broken Apple’s rules. One was even explicitly asked to remove the code from the app, pointing to the Apple Store Guidelines. The developer was given less than a day to do so. Otherwise, Apple would remove the app from the App Store.

 

620 million accounts available for sale on dark web

According to the British news website The Register, 620 million accounts from hacked websites are for sale on dark web. For less than $20.000 in Bitcoin, people can buy the stolen accounts on Dream Market, located in the Tor network. Criminals should also be able to buy the copied user data individually. The data comes from hacks from the years 2016 to 2018. Some were already known others now became acquianted.

Among the sixteen hacked websites are the video messaging application Dubsmash (162 million accounts), the diet and exercise app MyFitnessPal (151 million accounts) and the family-tree-tracking service MyHeritage (92million accounts).

As reported by The Register, the account records appear to be legit. The data leak contains e-mail addresses, names and passwords but it does not contain any bank or credit card information and the passwords are encrypted and must therefore be decoded before they can be used.

Depending on the affected side, there are also a few other categories of personal information such as social media authentication tokens. It can be expected that the vendees will use the data for credential stuffing attacks. In such attacks, attackers try out lists with email password pairs at various online services to hack accounts. These attacks are made possible because many users reuse the same password across many websites.

The seller told The Register that they possess one billion accounts in total and that their aim is to make “life easier” for hackers. The seller said “I don’t think I am deeply evil, I need the money. I need the leaks to be disclosed […] I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

 

Update: 127 million more stolen accounts appeared a few days ago. Affected sites include architecture, interior and designe website Houzz (57 million records), live-video streaming site YouNow (40 million records) and travel booking site Ixigo (18 million records). This data is sold by the hacker for a total of $14,500 in Bitcoin.

Austria: Deletion does not necessarily mean destruction

Article 17 of the General Data Protection Regulation (GDPR) stipulates the data subject the right to erasure, also called right to be forgotten. The Austrian Data Protection Authority decided that the right to erasure not necessarily mean destruction of the stored data. According to the Authority anonymization may be sufficient.

The decision is based on a complaint of an Austrian who request his former insurance company to delete all stored data. The insurance company deleted his e-mail address and phone number as well as insurance offers and stopped all advertising. However, name and address of the data subject were anonymized and the insurance company told the data subject that the data would be destructed in March 2019.

The Austrian Data Protection Authority proved the company right. According to Art. 4 Nr. 2 GDPR the company can choose whether it deletes or destructs the stored data, it only had to “be ensured that neither the person responsible himself nor a third party can restore a personal reference without disproportionate effort”, explained the Authority.

The German Bundeskartellamt prohibits Facebook to combine their user data from different sources

7. February 2019

The Bundeskartellamt announced in a press release on their website on Febraury 7, 2019 that it imposes far-reaching restrictions on Facebook.

Up to now Facebook’s terms and conditions stated that users have only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. Therefore, all data collected on the Facebook website, by Facebook-owned services which includes Instagram and WhatsApp as well as on third party websites can be combined and assigned to the account of a Facebook user.

The authority’s decision affects said processing of user data in Germany and covers different sources of data.
Firstly, all social networks/services can continue to collect data under the existing laws. But the collected data can only be transferred to Facebook itself if consent is given by the data subject (the user). If such a consent is not given, the data cannot be assigned to an existing Facebook account. Secondly, the same applies to collecting data from third party websites.
Consequently, without the above mentioned consent Facebook will face far-reaching restrictions concerning collecting and combining data.

The Bundeskartellamt states as reason for this decision that in December 2018 Facebook had 1.52 billion daily active users and 2.32 billion monthly active users and therefore also occupies a dominant position in the German market for social networks. It further claims that the market share of Facebook concerning social networks in Germany is more than 95 % (daily active users) and more than 80 % (monthly active users). Therefore, the conclusion is drawn that the group with its subsidiaries WhatsApp and Instagram occupy a key position in the market which indicates a monopolisation process. Competitors like Google+, Snapchat, YouTube or Twitter or professional networks like LinkedIn or Xing provide only components of the services offered by the Facebook Group.

The authority’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court. The company has already announced that it will appeal against the decision.

Category: EU · General · German Law · Instagram · Personal Data
Tags:

GDPR in numbers

6. February 2019

The European Commission lately posted an infographics about the impact of the General Data Protection Regulation (GDPR) since its entering into force on May 25, 2018. The graphic looks at complying, enforcement and awareness of the GDPR. It illustrates inter alia that:

  • In total 95.180 complaints to Data Protection Authorities came from individuals who believe their rights under GDPR have been violated. Most of the complaints were related to CCTV, telemarketing or promotional e-mails.
  • Until January, the number of notifications of data breaches has increased up to 41.502. The data controllers have to notify data breaches within 72 hours to their national supervisory authority.
  • Data Protection Authorities have initiated 225 investigations in cross border cases.
  • In Europe, 23 countries have adopted their national data protection law since the GDPR came into force. Bulgaria, Greece, Slovenia, Portugal and Czech Republic are still in progress doing so.
  • So far, three fines have been issued under GDPR. In Germany, a social network operator was fined € 20.000 for not securing its users data. In France, Google was fined € 50 million for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization (we reported) and in Austria, a sports betting café was fined € 5.280 for unlawful video surveillance.

Aetna to pay fine for HIV privacy breach

31. January 2019

Healthcare insurer Aetna will have to pay a 935,000$ fine after letters had been sent to nearly 12.000 patients in 2017, disclosing highly sensitive information on the windows of the envelopes.

The information revealed that the recipients were taking HIV-related medications.

In addition, the insurance company will have to complete privacy risk assessments annualy for three years.

The patients have received compensation through a private class action settlement.

 

Data Protection Day

28. January 2019

On the occassion of this year’s Data Protection Day, which was launched in 2006 by the Council of Europe, the Commission has issued the following statement :

“This year Data Protection Day comes eight months after the entry into application of the General Data Protection Regulation on 25 May 2018. We are proud to have the strongest and most modern data protection rules in the world, which are becoming a global standard.”

On January 28th in 2006, the Council of Europe’s data protection convention, known as “Convention 108”, was opened to signature. Data Protection Day is now celebrated globally and is called Privacy Day outside of Europe.

More than 50 countries around the world have already signed up to the convention, which sets out key principles in the area of personal data protection.

The convention has been ratified by the 47 Council of Europe member states and Mauritius, Senegal, Uruguay and Tunisia. Other countries such as Argentina, Burkina Faso, Cabo Verde, Mexico and Morocco have been invited to accede. Many more participate as Observers States in the work of the Committee of the Convention (Australia, Canada, Chile, Ghana, Indonesia, Israel, Japan, Korea, New-Zealand, United States of America).

Governments, parliaments, national data protection bodies and other actors carry out activities on this day to raise awareness about the rights to personal data protection and privacy. These may include campaigns targeting the general public, educational projects for teachers and students, open doors at data protection agencies and conferences.

 

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 38 39 40 Next
1 7 8 9 10 11 40