The post SolarWinds hackers breach US nuclear weapons agency appeared first on GDPR Register | Compliance tool for privacy experts.

Ireland’s data protection regulator is set to announce this week whether Twitter will receive a hefty fine for making some users’ private tweets public.

The result of its investigation into the data breach, which happened two years ago, is to be unveiled by Wednesday, December 17th at the latest.

It comes a week after Facebook said that it has put aside €302m for potential regulatory fines in Europe, arising mostly from investigations by Helen Dixon’s office.

Under GDPR rules, European data regulators can fine companies up to 4% of their annual turnover which, for large tech firms, extends to billions of euros.

However, experts say that is unlikely this Twitter decision will result in a massive fine, given its nature and the company’s voluntary admission of its fault.

Nevertheless, if a fine is announced, it will be the first from the Irish regulator against a big tech company under European GDPR rules.

The Irish Commissioner, Helen Dixon, is Twitter’s lead supervisory authority in the EU. Her office circulated a draft decision to other European data protection authorities in May, but some countries weren’t happy with it. The issue was referred as a “dispute resolution procedure” to the European Data Protection Board. On November 10th, that body said it had made its own determination and that the Irish DPC had a month to finalise and announce the decision.

The move comes ahead of the DPC’s legal showdown against Facebook in the High Court next week. In August, the social media giant took judicial review proceedings against the regulator. Facebook is hoping to quash both an inquiry and a preliminary decision from Helen Dixon’s office on the issue of personal transfers from the EU to the US. The preliminary decision would put a halt to Facebook’s transfers of the personal data of millions of EU users to the US.

Source: Independent.ie

Photo by Brett Jordan on Unsplash

The post Irish Data Protection Commission to announce Twitter fine on December 17th appeared first on GDPR Register | Compliance tool for privacy experts.

Analysis reveals that out of the 4,179 businesses, 45% lost data to hackers in the past 12 months. IT and telecommunication companies saw breaches most often, with 53% of companies losing data. IT and telecommunication businesses often have customers’ financial information, in addition to other sensitive data, such as private conversations, social security numbers, and addresses.

Next up is the retail and wholesale industry, in which 52% of businesses experienced a data breach in the last year. Such cybersecurity incidents in retail businesses can damage the brand’s reputation, which leads to losing numerous customers, especially those who are privacy-conscious.

Third on the list is financial services, where exactly half of the respondents stated that their business lost sensitive data to fraudsters. Breaches in the financial industry are a huge concern since an unnoticed leak allows cybercriminals to drain the victims’ bank accounts.

Companies in the government sector are not an exception to the rule, as 46% of them had a data leak in the last 12 months. Attacks aimed at the government are more often than not supported by foreign authorities, whose aim is to obtain political and military information.

Finally, manufacturing and industrial companies experienced data breaches least often, but still a significant amount, at 43%. The danger is mostly to the businesses themselves, as competitors hire hackers to steal inside data which would destroy the competitive advantage the victim company had.

Most common threats overall

Shockingly, as many as 78% of surveyed businesses reported some kind of a cyber threat in their systems last year. On average, a cyber incident caused $312,117 in damages.

Besides data breaches, viruses and malware are the most common threats detected. Over 43% of companies experienced viruses and malware in their internal network in the last 12 months.

There is a wide variety of viruses and malware created by hackers. Nonetheless, the overwhelming majority of them are created to make money illegally.

Also, 39% of companies reported that bring-your-own-devices (BYOD) had been infected by malware as well. Some companies provide all the needed equipment for work, while others require employees to bring their own computers and mobile devices. Company-owned equipment usually has at-least some security measures in place as soon as the employee gets the device. However, that is not the case with BYOD equipment. There is no guarantee that employees update their computer software, which leaves vulnerabilities that hackers can abuse.

The fourth most common cyber threat in businesses globally is crypto-malware and ransomware. Crypto-malware is a type of ransomware that encrypts a user’s files and demands a ransom. Fraudsters can also steal the data, delete it from the company’s database, and request a ransom (usually in Bitcoin) to get back the data. Unfortunately, companies often choose to pay the ransom to avoid damaging their public reputation, hence further encouraging such attacks.

DDoS attacks are one of the most known types of cyberattacks, which affected 34% of companies globally in the last 12 months. DDoS is short for Distributed Denial of Service, and it is an attack used to crash a service or a website, making it temporarily inaccessible to its users. Although individuals suffering from DDoS attacks, typically, cybercriminals target services instead. They often attack services hosted on high-profile web servers, like banks or credit card payment gateways. Revenge, blackmail, and activism are the most common reasons behind the performed attacks.

Source: atlasvpn

Photo by Kevin Ku on Unsplash

The post Survey result: 45% of businesses faced a data breach in last 12 months appeared first on GDPR Register | Compliance tool for privacy experts.

The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county.

The complaint was first raised with the DPC in June 2019 after a member of the public, who had discovered the documents, brought the matter to the HSE’s attention.

The executive then reported the data breach to the DPC.

The breach, an infraction of the hospital’s responsibilities under the EU’s General Data Protection Regulation (GDPR) which is understood to have consisted of a large number of documents, equated to the personal data of 78 people and the special category personal data of six of them.

Special category data under GDPR is the information of a particularly sensitive nature, the exposure of which could be expected to significantly impact the rights and freedoms of data subjects or could be potentially used against them in a discriminatory fashion.

It includes information regarding individuals’ race or ethnicity, religious beliefs, political opinions, biometric (identifiable) data, sexual orientation, and health data.

The breach at CUMH is believed to have comprised sensitive health data of patients, including medical histories and future planned programmes of care.

In its decision, handed down on August 18, the DPC said that the HSE had infringed Articles 5 and 32 of the GDPR by failing to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data”.

It is unknown whether or not any individual or individuals were held accountable for the breach, or how the documents came to be disposed of in the manner in which they were.

Regardless of what individual disposed of the documents, the hospital, as data controller, would have been deemed responsible.

The DPC said it had applied an administrative fine of €65,000 on the HSE for its infringements. The ruling has not been appealed.

“Cork University Maternity Hospital accepts the findings of the report of the Data Protection Commission in full and are working to implement all recommendations in the report,” said a spokesperson for the hospital.

They said that all patients affected by the breach had been notified of it.

“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” they said.

“This is in addition to a comprehensive training and development programme for staff in GDPR as well as a range of policies and procedures designed to protect personal data.”

The DPC also ordered the HSE to bring its systems for processing and disposing of patients’ information “into compliance” with GDPR standards and issued the executive with a formal reprimand regarding same.

The decision is just the fifth fine handed down by the DPC since GDPR came into force in May 2018. The other four were delivered to child and family agency Tusla.

Source: Irish Examiner

Photo by Steve Johnson on Unsplash

The post Cork hospital fined €65k after patients’ personal data found in public recycling facility appeared first on GDPR Register | Compliance tool for privacy experts.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.

The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

Information Commissioner, Elizabeth Denham, said:

”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.

Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.

Details of the cyber attack

In 2014, an unknown attacker installed a piece of code known as a `web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.

This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.

Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.

The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.

Source: ICO

Photo by ActionVance on Unsplash

The post ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure appeared first on GDPR Register | Compliance tool for privacy experts.

Updating name allegedly only possible in case of marriage.

After changing her surname and consequently her email address, an Austrian passenger of Wizz Air needed to update her data stored with the company using her right to rectification provided by GDPR. As the passenger couldn’t do this herself, she filed a “rectification request” for her surname and email address with Wizz Air’s Data Protection Officer (DPO).

Three months later, the data subject still had not received any response. She submitted a new request to change her surname using the company’s contact form. Customer Service told her that she could not change her surname online except in case of marriage. In her case, she would need to call the Wizz Air Call Center, which costs of more than 1 Euro per minute.

35,67 Euros later – a partial success. 

Only after being on the phone for about 32 minutes did Wizz Air change the passenger’s surname, however, they still did not change her email address. Even minor inaccurate data often has real life consequences: Information about a cancelled flight was sent to the passenger’s former email address. As a result, the passenger only coincidentally learned about the cancelled flight in the last minute, as the notification was sent to the passenger’s former email address.

“Wizz Air requires passengers to keep their account data accurate. By law, updating your data must be free, so low costs airlines can’t make compliance with the GDPR another one of their hidden fees.” – Ala Krinickytė, data protection lawyer at noyb

The GDPR gives customers the right to correct their information free of charge (Article 12(5) GDPR). By forcing customers to call their expensive hotlines for changes, Wizz Air fails to let customers exercise this “right to rectification”. The case of the passenger is not an isolated one. Other Wizz Air customers have complained about similar issues too (for example here).

“The GDPR states controllers should take ‘every reasonable step’ to ensure that data is accurate. In this case, it feels like Wizz Air failed to take any steps at all. The request for rectification is probably the least contentious data protection request a data subject can submit to the controller. Especially with airlines, it is of great importance that their passenger lists matches the passports. They make things more complicated and costly than necessary.” – Ala Krinickytė, data protection lawyer at noyb

Complaint filed, with a potential fine of up to €97 million.

Due to the fact that Wizz Air has shown a systematic failure to deal with the right to correct personal data without undue delay and free of charge, noyb has filed a complaint with the Austrian data protection authority.

“According to Forbes, Wizz Air is now ‘Europe’s largest airline’, which makes it all the more important for them to adjust their practices and ensure their customers’ GDPR rights. Given that this is a larger problem at Wizz Air, the data protection authority should impose an effective and dissuasive fine. Companies need to understand that they can’t simply ignore their passengers’ data protection rights.” – Ala Krinickytė, data protection lawyer at noyb

Original article: NOYB

Photo by Markus Winkler on Unsplash.

The post Wizz Air: €1 for a flight, €35 for your GDPR right appeared first on GDPR Register | Compliance tool for privacy experts.

The post IAB Europe’s ad tracking consent framework found to fail GDPR standard appeared first on GDPR Register | Compliance tool for privacy experts.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

Details of the cyber attack

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.

Failure to prevent the attack

There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

• limiting access to applications, data and tools to only that which are required to fulfil a user’s role
• undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
• protecting employee and third party accounts with multi-factor authentication.

Additional mitigating measures BA could have used are listed in the penalty notice.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.

Since the attack, BA has made considerable improvements to its IT security.

Lack of awareness of the attack

ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.

Original article: ICO

The post ICO fines British Airways £20m for data breach affecting more than 400,000 customers appeared first on GDPR Register | Compliance tool for privacy experts.

Mentioned organizations worked closely together and failed to separate the personal data of political subscribers and insurance customers. Leave.EU sent 300,000 political messages to Eldon Insurance customers. Meanwhile, Eldon Insurance sent emails to more than 1 million of Leave.EU subscribers through two illegal marketing campaigns.

ICO will review data protection practices and data processing activities of both companies. Also, the policies and procedures that are in place regarding staff training. Employees and DPOs of both companies will be interviewed. 

Learning TIP: GDPR requires companies to keep the records of data processing activities. It is crucial when providing evidence, that adequate data protection practices are followed. Regular trainings should take place regularly to inform employees about data protection regulations and requirements. 

Read the full article on ICO page.

The post GDPR fines for unlawful marketing messages appeared first on GDPR Register | Compliance tool for privacy experts.

Moreover, this is not the only data breach that NASA suffers. Back in October 2018, hackers accessed one of NASA servers which contained personally identifiable information (PII), which housed social security numbers and other sensitive data.

LEARNING TIP:  Human error causes 4 out of 5 data breaches (in UK). Lack of training,  unclear responsibilities or imprudence, can give rise to error (confidential data emailed to the incorrect recipient, loss or theft of paperwork, data left in an insecure location and others). In order to avoid possible human errors, clear directions should be given to each employee about their responsibilities. Also, training should take a place after adapting new technical or organizational security measure. Employees must be well informed on how to recognize a threat and what to do in case of an accident.
Also, decent technical and operational security measures should be implemented. This should be done in order to protect the data from cyber attacks and other possible threats.

The post NASA Suffers Another Data Breach appeared first on GDPR Register | Compliance tool for privacy experts.