Tag: personal data

US court unsuccessfully demanded extensive information about user of the messenger app Signal

16. November 2021

On October 27th, 2021 Signal published a search warrant for user data issued by a court in Santa Clara, California. The court ordered Signal to provide a variety of information, including a user’s name, address, correspondence, contacts, groups, and call records from the years 2019 and 2020. Signal was only able to provide two sets of data: the timestamp of when the account was created and the date of the last connection to the Signal server, as Signal does not store any other information about its users.

The warrant also included a confidentiality order that was extended four times. Signal stated:

Though the judge approved four consecutive non-disclosure orders, the court never acknowledged receipt of our motion to partially unseal, nor scheduled a hearing, and would not return counsel’s phone calls seeking to schedule a hearing.

A similar case was made public by Signal in 2016, when a court in Virginia requested the release of user data and ordered that the request not be made public. Signal fought the non-publication order in court and eventually won.

Signal is a messenger app that is highly regarded among privacy experts like Edward Snowden. That’s because Signal has used end-to-end encryption by default from the start, doesn’t ask its users for personal information or store personal data on its servers and is open source. The messenger is therefore considered particularly secure and trustworthy. Moreover, no security vulnerabilities have become known so far, which is definitely the case with numerous competing products.

Since 2018, Signal is beeing operated by the non-profit organization Signal Technology Foundation and the Signal Messenger LLC. At that time, WhatsApp co-founder Brian Acton, among others, joined the company and invested $50 million. Signal founder Moxie Marlinspike is also still on board.

The EU commission is planning a legislative package to fight the spread of child abuse on the Internet. The law will also include automated searches of the content of private and encrypted communications, for example via messenger apps. This would undermine the core functions of Signal in Europe. Critics call this form of preventive mass surveillance a threat to privacy, IT security, freedom of expression and democracy.

New Android malware targetting with fake COVID-19 information

29. October 2021

Last month, TechRepublic reported a new and devious SMS malware called TangleBot that attempts to take control of mobile devices by sending notifications about COVID-19. Currently, it targets Android users in the USA and Canada and can lead to a variety of harmful activities, according to security firm Cloudmark.

TangleBot tries to deceive users into downloading the malware through fake messages about COVID-19, such as “New regulations about COVID-19 in your region. Read here…” or “You have received the appointment for the 3rd dose. For more information, visit…”.

The link contains a notice that the Adobe Flash Player on the affected device needs to be updated but leads to the installation of the malicious software instead. As a result, TangleBot gets permission to access and control a wide range of functions and content. It is assumed that for this reason, the malware was named TangleBot.

TangleBot has the ability to make and block phone calls as well as send, obtain and process text messages. It is used to message other devices in order to spread faster among others. The malware is also designed to spy on users through accessing the camera, screen or microphone and setting up additional methods to observe activity on the device. Of particular concern is the possibility to place overlay screens on the device covering legitimate apps, such as banking or financial apps, in an attempt to steal account credentials. Furthermore, the personal data stolen by the attacker usually moves to the dark web for sale, which poses a risk even if the victim manages to remove the malware.

Hank Schless, senior manager for security solutions at security firm Lookout, pointed out the dangers of cybercriminals exploiting the pandemic:

Social engineering that uses the pandemic as a lure continues to be a major issue globally. It’s advantageous for attackers to leverage socially uncertain situations in order to make their phishing campaigns more effective. People are more likely to let their guard down and interact with something online that promises information they need.

According to Schless, the risks exist not only for private individuals, but also for companies:

Mobile devices offer countless channels for attackers to deliver socially engineered phishing campaigns with the goal of swiping corporate login credentials or installing advanced malware that can exfiltrate sensitive data from the device. For organizations that allow employees to use personal devices for work in a BYOD model, the risk is even higher considering the number of personal apps people use. Attackers can deliver campaigns through SMS, social media, third-party messaging apps, gaming and even dating apps.

Additionally, Cloudmark advised that users should be vigilant in this regard and provided several tips to protect against SMS malware:

  • Look out for suspicious text messages,
  • Guard your mobile number,
  • Access any linked website directly,
  • Report SMS phishing and spam messages,
  • Be cautious when installing apps to your device,
  • Avoid responding to unsolicited texts,
  • Install apps only from legitimate app stores.

To keep ahead of the latest cybersecurity threats, companies should also take some precautions. These include especially the implementation of security across mobile devices, protection of cloud services and raising awareness among own employees.

Names of unvaccinated employees revealed in Canada

23. September 2021

The Ottawa Hospital’s human resources office admitted a data breach caused by a mass email revealing the identities of unvaccinated staff members, CTV News Ottawa reported. The system-generated email was sent on September 8th to employees who had declined the COVID-19 vaccination, making their email addresses inadvertently visible in the recipient section.

The reason for sending the email was the hospital’s expectation that every member would get vaccinated to ensure the safety of the community. To achieve this, education was also to be provided to unvaccinated employees. They were to be invited via email to attend a respective education session.

The hospital already apologized to the affected employees and made efforts to resolve the issue. The contacted IT services immediately recalled the emails, removed it from all inboxes and deleted the copies. Moreover, all those who forwarded the email to personal accounts were asked to delete it. Following an investigation by the hospital’s privacy office, a report to the Information and Privacy Commissioner of Ontario has been made as well.

Allegedly, this data breach involved 391 employees whose names were disclosed. However, the number was not officially confirmed by the hospital.

Conclusively, the hospital said in a statement explaining the case:

Health-care workers have worked tirelessly to protect our communities throughout the pandemic, and they deserve protection and support to enable them to do their jobs safely, and to the best of their abilities.

Discussions on Mongolian data protection bill

27. August 2021

The Mongolian legislation on the protection of personal data is currently limited to two laws: the Law on Personal Secrets and the Law on Organisational Secrets, both enacted in 1995. The provisions are considered vague, ambiguous and insufficient, which makes them rarely used in practice. This leads to the lack of interpretation and application. Therefore, the not well developed data protection legislation requires systematic and consistent reforms in order to meet the various societal challenges and to comply with international standards.

Within the framework of the “Action Plan of the Government of Mongolia for 2020-2021” a draft law on the protection of personal data is in the process of being approved. In this regard, the parliament of Mongolia, the State Great Khural, has recently announced discussions on several draft laws. They include the Law on Public Information, the Law on Protection of Personal Data, the Law on Cyber ​​Security, and the Law on Electronic Signatures.

The discussions were jointly held by the Standing Committee on Innovation and e-Policy and the Standing Committee on Legal Affairs on August 10th, 2021. Now, the Mongolian government is responsible for preparing the revised drafts.

The draft Law on Protection of Personal Data aims to regulate relations with regard to the collection, processing, and use of personal data as well as to ensure their security. It outlines rights and obligations of data processors and controllers, contains data subject rights and includes provisions for international data transfers.

The bill is an important step towards alignment with international data protection standards. If passed, the law will come into force on November 1st, 2021.

Officers’ data leaked in Poland

28. May 2021

The Polish Personal Data Protection Office (UODO) has received a notification of a data breach involving the disclosure of personal data of uniformed services officers. The case is currently being analyzed and supplemented with additional materials and information that shall clarify all its circumstances.

The data controller also notified other authorities about the incident. Among these are the police, the Governmental Computer Security Incident Response Team (CSIRT NASK) and the National Public Prosecutor’s Office. The controller informed UODO that the individuals whose data was subject to the breach would be notified individually through the officers’ home units. Nevertheless, many aspects are still unclear. Therefore, in the course of the investigation, UODO sent a letter to the data controller asking for explanations related to the data breach. Any further action will depend on the information provided by the data controller.

As a result of this situation, UODO emphasises that there is a risk associated with the possibility of unauthorized use of the officers’ personal data, which may involve tangible harm to them. Such activity may include (identity) fraud and invasion of privacy.

In this respect, UODO reminds what actions should be taken to minimize the negative consequences of such a breach. First of all, one should be very careful when providing data via the Internet. Furthermore, it is important to carefully analyse all content included e.g. in SMS messages or e-mails in order to avoid phishing attacks in particular, the aim of which is to obtain additional personal data. In this connection, materials were provided by UODO with further tips on how to reduce the risk of identity theft.

Belarus passes first personal data protection law

27. May 2021

Last month, on April 2nd, the Belarusian House of Representatives adopted in the second reading the draft law “On the Protection of Personal Data”. The law was passed on May 7th. It is the first Belarusian legal act specifically intended to lay down issues of data protection.

The law is aimed at the legal regulation of social relations arising from the processing of personal data of individuals as well as ensuring the protection of such data and the rights and freedoms of individuals in the processing of their personal data. It implies that

Processing of personal data must be commensurate with the stated purposes of its processing and ensure at all stages a fair balance between the interests of all persons concerned.

The provisions concern in detail, inter alia:

  • definition of the categories of personal data as well as principles and conditions of their processing, with and without the use of automated means
  • determination of the process for cross-border transfer of personal data; in particular, it is prohibited if a foreign country does not provide an adequate level of protection of personal data subjects rights
  • determination of the data subject rights and obligations of public authorities, legal entities and natural persons within the processing of personal data, with regard to particularly the appointment of a Data Protection Officer and data breach notifications
  • establishment of additional safeguards against arbitrary and uncontrolled collection, storage, use, dissemination, provision and other processing of personal data
  • procedure for the establishment of an authority empowered with the protection of data subject rights and its competence; the foundation of the mentioned authority shall be assigned to the Council of Ministers of the Republic of Belarus together with the Operations and Analysis Center under the President of the Republic of Belarus within three months after the official publication of the corresponding law
  • liability for violation of the provisions.

The purpose of adopting this law is to ensure an adequate level of protection of personal data and to support the development of business, trade and economic relations of the Republic of Belarus with other countries.

The main provisions of the law shall enter into force six months after its official publication.

AEPD issues highest fine for GDPR violations

5. March 2021

The Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), imposed a fine of EUR 6.000.000 on CaixaBank, Spain’s leading retail bank, for unlawfully processing customers’ personal data and not providing sufficient information regarding the processing of their personal data. It is the largest financial penalty ever issued by the AEPD under the GDPR, surpassing the EUR 5.000.000 fine imposed on BBVA in December 2020 for information and consent failures.

In the opinion of the AEPD, CaixaBank violated Art. 6 GDPR in many regards. The bank had not provided sufficient justification of the legal basis for the processing activities, in particular with regard to those based on the company’s legitimate interest. Furthermore, deficiencies had been identified in the processes for obtaining customers’ consent to the processing of their personal data. The bank had also failed to comply with the requirements established for obtaining valid consent as a specific, unequivocal and informed expression of intention. Moreover, the AEPD stated that the transfer of personal data to companies within the CaixaBank Group was considered an unauthorized disclosure. According to Art. 83 (5) lit. a GDPR, an administrative fine of EUR 4.000.000 EUR was issued.

Additionally, the AEPD found that CaixaBank violated Art. 13, 14 GDPR. The bank had not complied with the information obligations since the information regarding the categories of personal data concerned had not been sufficient and the information concerning the purposes of and the legal basis for the processing had been missing entirely. What’s more, the information provided in different documents and channels had not been consistent. The varying information concerned data subjects’ rights, the possibility of lodging a complaint with the AEPD, the existence of a data protection officer and his contact details as well as data retention periods. Besides, the AEPD disapproved of the use of inaccurate terminology to define the privacy policy. Following Art. 83 (5) lit. b GDPR, a fine of EUR 2.000.000 was imposed.

In conclusion, the AEPD ordered CaixaBank to bring its data processing operations into compliance with the legal requirements mentioned within six months.

Dutch data scandal: illegal trade of COVID-19 patient data

19. February 2021

In recent months, a RTL Nieuws reporter Daniël Verlaan has discovered widespread trade in the personal data of Dutch COVID-19 test subjects. He found ads consisting of photos of computer screens listing data of Dutch citizens. Apparently, the data had been offered for sale on various instant messaging apps such as Telegram, Snapchat and Wickr. The prices ranged from €30 to €50 per person. The data included home addresses, email addresses, telephone numbers, dates of birth and BSN identifiers (Dutch social security number).

The personal data were registered in the two main IT systems of the Dutch Municipal Health Service (GGD) – CoronIT, containing details about citizens who took a COVID-19 test, and HPzone Light, a contact-tracing system, which contains the personal data of people infected with the coronavirus.

After becoming aware of the illegal trade, the GGD reported it to the Dutch Data Protection Authority and the police. The cybercrime team of the Midden-Nederland police immediately started an investigation. It showed that at least two GGD employees had maliciously stolen the data, as they had access to the official Dutch government COVID-19 systems and databases. Within 24 hours of the complaint, two men were arrested. Several days later, a third suspect was tracked down as well. The investigation continues, since the extent of the data theft is unclear and whether the suspects in fact managed to sell the data. Therefore, more arrests are certainly not excluded.

Chair of the Dutch Institute for Vulnerability Disclosure, Victor Gevers, told ZDNet in an interview:

Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home.

Many people expressed their disapproval of the insufficient security measures concerning the COVID-19 systems. Since the databases include very sensitive data, the government has a duty to protect these properly in order to prevent criminal misuse. People must be able to rely on their personal data being treated confidentially.

In a press release, the Dutch police also raised awareness of the cybercrime risks, like scam or identity fraud. Moreover, they informed about the possibilities of protection against such crimes and the need to report them. This prevents victims and allows the police to immediately track down suspects and stop their criminal practices.

WhatsApp’s privacy policy update halted

22. January 2021

Already at the beginning of December 2020, first indications came up signaling that WhatsApp will change its terms of service and privacy policy. Earlier this year, users received the update notice when launching the app on their device. It stated that the new terms concern additional information on how WhatsApp processes user data and how businesses can use Facebook hosted services to store and manage their WhatsApp chats. The terms should be accepted by February 8th, 2021, to continue using the chat service. Otherwise, the deletion of the account was suggested, because it will not be possible to use WhatsApp without accepting the changes. The notice has caused all sorts of confusion and criticism, because it has mistakenly made many users believe that the agreement allows WhatsApp to share all collected user data with company parent Facebook, which had faced repeated privacy controversies in the past.

Users’ fears in this regard are not entirely unfounded. As a matter of fact, outside the EU, WhatsApp user data has already been flowing to Facebook since 2016 – for advertising purposes, among other things. Though, for the EU and the United Kingdom, other guidelines apply without any data transfer.

The negative coverage and user reactions caused WhatsApp to hastily note that the changes explicitly do not affect EU users. Niamh Sweeney, director of policy at WhatsApp, said via Twitter that it remained the case that WhatsApp did not share European user data with Facebook for the purpose of using this data to improve Facebook’s products or ads.

However, since the topic continues to stir the emotions, WhatsApp felt compelled to provide clarification with a tweet and a FAQ. The statements make it clear once again that the changes are related to optional business features and provide further transparency about how the company collects and uses data. The end-to-end encryption, with which chat content is only visible to the participating users, will not be changed. Moreover, the new update does not expand WhatsApp’s ability to share data with Facebook.

Nevertheless, despite all efforts, WhatsApp has not managed to explain the changes in an understandable way. It has even had to accept huge user churn in recent days. The interest in messenger alternatives has increased enormously. Eventually, the public backlash led to an official announcement that the controversial considered update will be delayed until May 15th, 2021. Due to misinformation and concern, users shall be given more time to review the policy on their own in order to understand WhatsApp’s privacy and security principles.

Admonition for revealing a list of people quarantined in Poland

27. November 2020

The President of the Personal Data Protection Office in Poland (UODO) imposed an admonition on a company dealing with waste management liable for a data breach and ordered to notify the concerned data subjects. The admonition is based on a violation of personal data pertaining to data subjects under medical quarantine. The city name, street name, building/flat number and the fact of remaining under quarantine of the affected data subjects have been provided by the company to unauthorized recipients. The various recipients were required to verify whether, in a given period, waste was to be collected from places determined in the above-mentioned list.

The incident already happened in April 2020. Back then, a list of data subjects was made public, containing information on who had been quarantined by the administrative decision of the District Sanitary-Epidemiological Station (PPIS) in Gniezno as well as information on quarantined data subjects in connection with crossing the country border and on data subjects undergoing home isolation due to a confirmed SARS-CoV-2 infection. After becoming aware of the revelation, the Director of PPIS notified the relevant authorities – the District Prosecutor’s Office and the President of UODO – about the incident.

PPIS informed them that it had carried out explanatory activities showing that the source of disclosure of these data was not PPIS. These data were provided to the District Police Headquarters, the Head of the Polish Post Office, Social Welfare Centres and the Headquarters of the State Fire Service. Considering the fact that these data had been processed by various parties involved, it was necessary to establish in which of them the breach may have occurred.

UODO took steps to clarify the situation. In the course of the proceedings, it requested information from a company dealing with waste management being one of the recipients of the personal data. The company, acting as the data controller, had to explain whether, when establishing the procedures related to the processing of personal data, it had carried out an assessment of the impact of the envisaged processing operations on the protection of personal data according to Art. 35 GDPR. The assessment persists in an analysis of the distribution method in electronic and paper form in terms of risks related to the loss of confidentiality. Furthermore, the data controller had to inform UODO about the result of this analysis.

The data controller stated that it had conducted an analysis considering the circumstances related to non-compliance with the procedures in force by data processors and circumstances related to theft or removal of data. Moreover, the data controller expressed the view that the list, received from the District Police Headquarters, only included administrative (police) addresses and did not contain names, surnames and other data allowing the identification of a natural person. Thus, the GDPR would not apply, because the data has to be seen as anonymized. However, from the list also emerged the fact that residents of these buildings/flats were placed in quarantine, which made it possible to identify them. It came out that the confidentiality of the processed data had been violated in the course of the performance of employee duties of the data processor, who had left the printed list on the desk without proper supervision. During this time, another employee had recorded the list in the form of a photo and had shared it with another person.

Following the review of the entirety of the collected material in this case, UODO considered that the information regarding the city name, street name, building/flat number and placing a data subject in medical quarantine, constitute personal data within the meaning of Art. 4 (1) GDPR, while the last comprises a special category of personal data concerning health according to Art. 9 (1) GDPR. Based on the above, it is possible to identify the data subjects, and therefore the data controller is bound to the obligations arising from the GDPR.

In the opinion of UODO, the protective measures indicated in the risk analysis are general formulations, which do not refer to specific activities undertaken by authorized employees. The measures are insufficient and inadequate to the risks of processing special categories of data. In addition, the data controller should have considered factors, such as recklessness and carelessness of employees and a lack of due diligence.

According to Art. 33 (1) GDPR, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach, notify it to the competent supervisory authority. Moreover, in a situation of high risk to the rights and freedoms of the data subjects, resulting from the data breach (which undoubtedly arose from the disclosure), the data controller is obliged to inform the data subject without undue delay in accordance with Art. 34 (1) GDPR. Despite this, the company did not report the infringement, neither to the President of UODO nor to the concerned data subjects.

Pages: 1 2 Next
1 2