Tag: Data breach

New Jersey changes data breach law to extend it to online account information

20. May 2019

On May 10, 2019, Phil Murphy, Governor of New Jersey, signed a bill amending the law regarding notification of data breaches in New Jersey. The purpose of the amendment is to extend the definition of personal data to include online account information.

The amendment requires companies subject to the law to notify New Jersey residents of security breaches concerning the user name, e-mail address or other account holder identifying information.

The amendment states that companies should notify their customers affected by violations of such information electronically or otherwise and instruct them to promptly change any password and security questions or answers or take other appropriate measures to protect their online account with the company. The same shall be done for all other online accounts for which the customer uses the same username or e-mail address and password or the same security question and answer.

In addition, the amended law prohibits the company from sending notifications to the e-mail account of a person affected by a security breach. Instead, notifications must be sent in another legally required manner or by a clear and unambiguous notification sent online when the customer’s account is connected to an IP address and the company knows that the customer regularly accesses their account from that online location.

The amendment will take effect on 1 September 2019.

Twitter shared location data on iOS devices

15. May 2019

Twitter recently published a statement admitting that the app shared location data on iOS devices even if the user had not turned on the “precise location” feature.

The problem appeared in cases in which a user used more than one Twitter account on the same iOS device. If he or she had opted into the “precise location” feature for one account it was also turned on when using another account, even if the user had not opted into using the feature on this account. The information on the real-time location was then passed on to trusted partners of Twitter. However, through technical measures, only the postcode or an area of five square kilometres was passed on to the partners. Twitter accounts or other “Unique Account IDs”, which reveal the identity of the user, were allegedly not transmitted.

According to Twitter’s statement, they have fixed the problem and informed the affected users: “We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day”.

Morrisons is Allowed to Appeal Data Protection Class Action

29. April 2019

The British food store chain VM Morrison Supermarkets PLC (“Morrisons”) has been granted permission by the Supreme Court to appeal the data protection class action brought against it and to challenge the judgment for all its grounds. The case is important as it’s the first to be filed in the UK for a data breach and its outcome may affect the number of class actions for data breaches.

An employee who worked as a senior IT auditor for Morrsisons copied the payroll data of almost 100,000 employees onto a USB stick and published it on a file-sharing website. He then reported the violation anonymously to three newspapers. The employee himself was sentenced to eight years in prison for various crimes.

5,518 employees filed a class action lawsuit against Morrisons for the violation. It claimed both primary and representative liability for the company. The Supreme Court dismissed all primary liability claims under the Data Protection Act (“DPA”), as it concluded that the employee had acted independently of Morrisons in violation of the DPA.

However, the court found that Morrisons is vicariously liable for its employee’s actions, although the DPA does not explicitly foresee vicarious liability. The company appealed the decision.

The Court of Appeals dismissed the appeal and upheld the Supreme Court’s ruling that the Company is vicariously liable for its employee’s data breach, even though it was itself acquitted of any misconduct.

In the future appeal of the Supreme Court, it will have to examine, among other things, whether there is deputy liability under the DPA and whether the Court of Appeal’s conclusion that the employee disclosed the data during his employment was incorrect.

Massive data breach in Sweden: Millions of Health Hotline Calls exposed online

22. February 2019

Recently around 2.7 million sensitive phone calls were uncovered by Swedish technology news site Computer Sweden. In total, 170,000 hours of conversation were available online on an unencrypted web server. The server had no login mechanism so the recorded calls could be accessed freely.

Sweden operates a national health advice line (1177), which is run by Swedish company Medhelp. For out-of-hour calls they subcontract with a Thailand-based firm called Medicall. According to repords, most of the uncovered calls were made outside the regular times and therefore answered by Medicall. A request from the BBC left Medicall unanswered.

The uncovered data is extremely private as People usually call 1177 seeking medical advice, talking about their symptoms, their kids’ illnesses and giving out their social security number.
The Swedish Data Protection Authority is currently investigating the case.

Apple advises app developer to reveal or remove code for screen recording

12. February 2019

After TechCrunch initiated investigations that revealed that numerous apps were recording screen usage, Apple called on app developers to remove or at least disclose the screen recording code.

TechCrunch’s investigation revealed that many large companies commission Glassbox, a customer experience analytics firm, to be able to view their users’ screens and thus follow and track keyboard entries and understand in which way the user uses the app. It turned out that during the replay of the session some fields that should have been masked were not masked, so that certain sensitive data, like passport numbers and credit card numbers, could be seen. Furthermore, none of the apps examined informed their users that the screen was being recorded while using the app. Therefore, no specific consent was obtained nor was any reference made to screen recording in the apps’ privacy policy.

Based on these findings, Apple immediately asked the app developers to remove or properly disclose the analytics code that enables them to record screen usage. Apples App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. In addition, Apple expressly prohibits the covert recording without the consent of the app users.

According to TechCrunch, Apple has already pointed out to some app developers that they have broken Apple’s rules. One was even explicitly asked to remove the code from the app, pointing to the Apple Store Guidelines. The developer was given less than a day to do so. Otherwise, Apple would remove the app from the App Store.

 

CNIL fines Telecom Operator

7. January 2019

The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.

BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.

In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.

Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.

Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.

As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.

Data breaches in US-American healthcare sector discovered

4. January 2019

In the last weeks, several data breaches in different US states were discovered. The latest one occurred in the Choice Rehabilitation Center based in Missouri. Data of 4,309 patients was breached in a hack on a corporate email account from July 1 until the end of September. Choice discovered the hack in November and started an investigation after consulting with Microsoft. Provider’s emails were forwarded to a personal account, which was later deactivated.

The sent emails contained billing data for different medical services such as physical or speech therapy services. These included for example patient names, medical record numbers, treatment information, diagnoses and the beginning and end of treatment dates.

Just a few weeks before, the largest healthcare breach of 2018 became public. Due to a cyberattack on the health’s systems billing vendor AccuDoc Solutions, data of more than 2.65 million Atrium Health patients was breached. AccuDoc Solutions prepares bills and operates the online billing system for Atrium Health, which is a hospital network that comprises 44 hospitals in Georgia, North Carolina and South Carolina.

The compromised database contained data of patients and guarantors, comprising full names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service. 700,000 patient’s social security numbers were also among the hacked data.

However, financial data such as credit card numbers are not affected. Even though the data breach is contained to AccuDoc Solutions, Atrium Health has hired a team to investigate the occurrence and has reviewed its security precautions. Those patients whose Social Security numbers were hacked are being offered one year of free credit monitoring.

Yahoo agreed to pay US$ 85 million after data breaches in 2013 and 2014

24. October 2018

As part of a court settlement filed Monday, Yahoo agreed to pay $50 million in damages and to provide two-years of free credit monitoring for services to 200 million people.

Around 3 billion Yahoo accounts were hacked in 2013 and 2014 but the company, which is now owned by Verizon, did not disclose the breach until 2016. Affected are U.S. and Israel residents and small businesses with Yahoo accounts at any time from January 1, 2012 to December 31, 2016. Apart from usernames and email addresses, millions of birthdates and security questions and answers were stolen. Not among the stolen information were passwords, credit card numbers and bank account information.

According to the settlement, the fund will compensate accountholders who paid for email services, who had out-of-pocket losses or who already have credit monitoring services. A refund of $25 per hour will be made for the time spent handling issues caused by the breach. Those with documented losses can ask for up to 15 hours of lost time ($375) whereas those who cannot document losses can ask for up to 5 hours ($125).

A hearing to approve the preliminary settlement is scheduled for November 29.

One year after the massive data breach at Equifax

27. July 2018

Last year at this time the Credit Bureau Equifax has been hacked and the sensitive data of approximately 143 million consumers has been affected.

The data breach is considered to be the worst data breach in US history, according to the scale and the nature of the information exposed. Hackers have entered the system and stole data like consumer’s name, social security numbers, birth dates, addresses and in some cases also driver’s license numbers, as well as credit card numbers.

After the data breach, the company had to be determined that they were not prepared for such an event, measures had to be taken. So what happened during the past year?

Equifax has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses. Beyond others, in February a new Chief Information Security Officer, Jamil Farshchi, was hired. Farshchi had managed information security at high-stakes companies and cleaned up data breaches before. Furthermore, Equifax invested $200 million on data security infrastructure.

So the transformation is in process to create a world-class security program at Equifax.

TalkTalk fined by ICO

11. August 2017

According to a Press Release from the Information Commissioner’s Office (“ICO”), the TalkTalk Telecom Group (“TalkTalk”) was fined for violating the UK Data Protection Act. More than 21.000 customers could be the victims of scams and frauds.

As a result of an investigation in 2014, the ICO fined TalkTalk 100.000 GPB by failing to protect customer data. The breach was possible because of a lack of security of a portal holding a huge amount of customer data. One company with access to the portal was Wipro, an IT services company in India. 40 employees of Wipro had access to personal data of between 25.000 to 50.000 customers. During the investigation, three accounts were found that had unauthorized access to this portal. The ICO determined that TalkTalk did not ensure the security of the customer data held in this portal. There were different reasons:

  • The portal was accessible via any device. There was no restriction on which devices the portal can be accessed.
  • The search engine of the portal allowed wildcards searches (with * as a placeholder to get many results).
  • The search engine allowed up to 500 results per search.

The access rights were too wide-ranging regarding the high amount of customer data held by the portal. The ICO fined TalkTalk because it breached one of the principles of the UK Data Protection Act by not implementing enough technical and organizational measures.

Category: Personal Data · UK
Tags: , , ,
Pages: 1 2 Next
1 2