Data leak of records of 9.4 million passengers at Cathay Pacific

Cathay Pacific, one of the main airlines in Hong Kong, says records on as many as 9.4 million passengers may have been stolen in a data breach discovered in March and made public last Wednesday.

The airline said in a statement that there was “no evidence” that passenger data had been misused, but warned that passenger names, dates of birth, nationalities, phone numbers, email and postal addresses, and passport and identity card numbers may have been taken. Historical travel information and remarks made by customer service were also accessed. This included about 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV). The company did not say whether European authorities were notified, but the airline is in the process of contacting affected people and authorities.

For more information on this topic, please visit: http://www.alphr.com/security/1010094/cathay-pacific-data-breach-exposes-94-million-customers

Employee visits to infected adult websites caused a data leak at USGS

A digital forensic examination revealed that an employee had an extensive history of visiting adult pornography websites. Many of the 9,000 web pages visited were routed through websites that originated in Russia and contained malware. The analysis confirmed that many of the pornographic images were subsequently saved to an unauthorized USB device and to a personal Android phone connected to the US-government-issued computer.

During the investigation two vulnerabilities were identified in USGS’s IT security: unrestricted website access and open USB ports. What do you do to prevent malware from damaging or disabling your computers or mobile phones, or to prevent data from being leaked or stolen?
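The second of those two vulnerabilities, open USB ports, is the one an administrator can close with a few registry settings. The following PowerShell is an added example written for this newsletter, not code from the USGS report or its investigators. It assumes the standard USBSTOR service key and the registry keys behind the Windows “Removable Storage Access” Group Policy, and it uses the device-class GUIDs that policy uses for removable disks and for WPD devices (phones and cameras connected in MTP/PTP mode, which do not go through USBSTOR at all). Run it from an elevated session; audit first, then apply.

```powershell
# Added example (not from the USGS OIG report): audit and harden removable-storage
# access on a Windows endpoint. Run from an elevated PowerShell session.
# Assumptions: the standard USBSTOR service key and the registry keys behind the
# "Removable Storage Access" Group Policy. The GUIDs are the device-class GUIDs that
# policy uses for Removable Disks and for WPD devices (phones/cameras in MTP/PTP mode).

$UsbStorKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DeviceClasses = @{
    RemovableDisks = @('{53f56307-b6bf-11d0-94f2-00a0c91efb8b}')
    WpdDevices     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                       '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Get-RemovableStorageState {
    # Start=3 loads the USB mass-storage driver on demand (the weak default);
    # Start=4 disables the driver so USB disks are never mounted.
    $start  = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $report = [ordered]@{ UsbStorDriverDisabled = ($start -eq 4) }
    foreach ($class in $DeviceClasses.Keys) {
        foreach ($guid in $DeviceClasses[$class]) {
            $key = Join-Path $PolicyRoot $guid
            $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # Deny_Read / Deny_Write = 1 means the policy blocks that access for the class.
            $report["$class DenyRead"]  = [bool]($p -and $p.Deny_Read  -eq 1)
            $report["$class DenyWrite"] = [bool]($p -and $p.Deny_Write -eq 1)
        }
    }
    [pscustomobject]$report
}

function Set-RemovableStorageDenied {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # 1. Disable the USB mass-storage driver: USB sticks and external disks stop mounting.
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start=4 (disable USBSTOR)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    # 2. Deny read and write to removable disks AND WPD devices through the policy keys.
    #    The WPD entries are what stop a phone in MTP mode, which USBSTOR never sees.
    foreach ($class in $DeviceClasses.Keys) {
        foreach ($guid in $DeviceClasses[$class]) {
            $key = Join-Path $PolicyRoot $guid
            if ($PSCmdlet.ShouldProcess($key, "Deny_Read=1, Deny_Write=1 ($class)")) {
                New-Item -Path $key -Force | Out-Null
                New-ItemProperty -Path $key -Name Deny_Read  -Value 1 -PropertyType DWord -Force | Out-Null
                New-ItemProperty -Path $key -Name Deny_Write -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Usage: audit the current state, preview the change, then apply it.
Get-RemovableStorageState | Format-List
Set-RemovableStorageDenied -WhatIf
# Set-RemovableStorageDenied
```

Two practical notes. On a domain-joined machine set these through Group Policy rather than by writing the policy keys by hand, so the setting is enforced and cannot simply be undone by a local administrator; the direct registry writes above are for a standalone host or for checking what a GPO actually delivered. And disabling USBSTOR alone is not enough for the incident described: a phone connected in MTP mode uses the WPD stack, which is why the example denies both device classes. The other vulnerability, website access, is a web-proxy or DNS-filtering question rather than an endpoint registry setting.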


For the original report please visit: https://www.oversight.gov/sites/default/files/oig-reports/ManagementAdvisory%20_USGSITSecurityVulnerabilities_101718_0.pdf

Microsoft: 20 percent of users immediately click on a malicious link

Twenty percent of Office 365 users who receive an e-mail with a malicious link open that link within the first 5 minutes, according to Microsoft’s own research. The study, in which billions of e-mails were analyzed, ran from January to September 2018.

According to researchers at Microsoft, 300,000 phishing campaigns were analyzed and 8 million cases of CEO fraud (business email compromise) were observed. Not only the scale but also the speed at which users click on malicious links is increasing.


For more information on this topic see https://cloudblogs.microsoft.com/microsoftsecure/2018/10/17/how-office-365-learned-to-reel-in-phish/

Danish DPA: email encryption required for emails with sensitive data

Denmark’s Data Protection Authority announced that it requires higher levels of protective measures for emails containing sensitive personal data.

The use of email encryption is required from 1 January 2019 for these emails. Some types of personal information are more sensitive than others, and thus need more protection. These special categories of personal data are described in Article 9 of the GDPR and include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.

Visit https://litmus.com/blog/beyond-gdpr-denmark-makes-email-encryption-mandatory for more information on this topic.

BUPA fined £175,000 by UK’s DPA for lack of security measures

Bupa Insurance Services Limited (Bupa) has been fined £175,000 by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to protect customers’ personal information.
Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.

GDPR France: 33 million people affected by personal data breaches in 4 months

In 4 months, the French Data Protection Authority CNIL has received 742 notifications of personal data breaches, affecting 33.7 million people in France and abroad.

Since it came into force on 25 May 2018, the General Data Protection Regulation (GDPR) requires companies to notify CNIL within 72 hours of any breach of the personal data they hold, if the breach entails a risk to the rights and freedoms of the persons concerned. CNIL takes a repressive approach to non-compliance with the 72-hour notification obligation.

Such a failure is liable to a fine of €10 million or 2% of turnover. On the other hand, CNIL favours guidance over sanctions when notifications arrive on time. CNIL received 742 notifications of data breaches between 25 May and 1 October. In an overwhelming majority of cases (695), the reported violations were breaches of data confidentiality, but they can also be breaches of data availability (71) or integrity (50). In 65% of cases these notifications related to a malicious act from outside; in 15% the cause was internal human error.

For more information on this topic visit: http://leparisien.fr/societe/en-quatre-mois-la-cnil-a-recense-33-millions-de-cas-de-violation-de-donnees-personnelles-16-10-2018-7920435.php

Do hardware and software security solutions comply with the EU’s GDPR?

According to Dr Kuan Hon, director at law firm Fieldfisher, GDPR obligations almost certainly extend to hardware choices and to maintaining up-to-date firmware in a secure state. What does not get as much attention as it should is that the GDPR obligation on data controllers regarding ‘data protection by design and by default’ should include ‘security by design and by default’.

This includes choosing and maintaining secure firmware (and software) for devices used to process personal data. Not checking whether hardware is secure before procuring it, not configuring it securely (for example, not changing weak default passwords) and not promptly patching vulnerabilities in firmware (and other software) used to process personal data would all fall short of that obligation. ID Control, the European privacy and cybersecurity company, has chosen firmware and software that is carefully selected and made in Europe with a full source-code review.