Polish privacy authority imposes first GDPR fine

The Polish data protection authority has for the first time imposed a fine on a company for violating the General Data Protection Regulation (GDPR). The company, whose name is not mentioned, processed personal data obtained from public sources; reportedly about 6 million records were involved. The persons in question were not aware of this and were not informed by the company. “As a result, the data administrator has deprived them of the opportunity to exercise their rights,” said Urzad Ochrony Danych Osobowych, the Polish privacy regulator. It imposed a fine of 220,000 euros on the company.

Read more about this topic at: https://www.ceelegalblog.com/2019/03/pln-1-million-fine-for-gdpr-violation/?

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

Tech giant ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s update server and used it to distribute the malware to customer machines. Half a million Windows machines received a malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems.

Read more about this topic at: https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

Aluminium maker defends itself against ransomware with manual plan

Hydro, which has 35,000 employees and smelting plants, factories and offices in 40 countries, has been dealing with a ransomware attack since Monday and was forced to switch some systems to manual operation. The ransomware used might have been the relatively new and difficult-to-detect strain dubbed LockerGoga, which criminals use to quickly encrypt computer files before demanding payment to unlock them.

Read more about this topic at: https://www.wired.co.uk/article/norsk-hydro-cyber-attack

Data leak: Fila UK formjacked with malicious code in payment process

Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand’s website for the past four months – and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages. “Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS, used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking the password with brute force methods.”

Threat actors were able to compromise 4,800+ websites every month during 2018, according to a Symantec report, using injected JavaScript code to steal payment information such as debit and credit card details from customers of eCommerce sites. The most high-profile formjacking attacks were against British Airways and Ticketmaster, but according to Symantec, cybercriminals who used this technique also got a huge chunk of their illicit earnings from smaller online retailers who accept payments from their customers via online portals.

Read more about this topic at: https://vmvirtualmachine.com/hackers-cop-a-fila-thousands-of-uk-card-deets-after-slinking-onto-clothing-brands-servers-%E2%80%A2-the-register/

Data leak: Elsevier Left Users’ Passwords Exposed Online

Publisher Elsevier has leaked the unencrypted passwords and e-mail addresses of users via an unsecured server. The data was accessible to everyone on the internet. How long the data was online and how many users were affected is still unclear.

Security researcher Mossab Hussein discovered Elsevier’s server. It contained unencrypted passwords of users and their e-mail addresses. Among others, the affected users appear to be students and teachers from universities and educational institutions, according to Hussein, based on the .edu e-mail addresses found.

The researcher shared his discovery with Vice Magazine, which informed Elsevier. The publisher has launched an investigation into the data breach. “It looks like a server was incorrectly set up because of a human error,” said a spokesperson.

The server is now secured. The publisher says it will inform the Dutch Data Protection Authority, as well as all affected users. It will also reset the passwords of all affected accounts.

Read more about this topic at: https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

Data breaches in 2018: An overview

Risk Based Security came out with their annual data breach report. Some highlights:

– Compared to 2017, the number of reported breaches was down 3.2% and the number of exposed records was down approximately 35.9% from 7.9 billion.
– The Business sector accounted for 65.8% of the records exposed followed by Unclassified at 31.8% and Government at 2.2%. The Medical and Education sectors combined accounted for 9.9 million records exposed, or less than 0.02% of the total records exposed in the year.
– Web regained the top spot for the breach type exposing the most records, accounting for 3% of compromised records, while hacking remained the top breach type by number of incidents, accounting for 57.1% of reported breaches. 5% of breached organizations were unwilling or unable to disclose the number of records exposed.
– 6,515 breaches were reported through December 31, 2018, exposing approximately 5 billion records.
– The average number of days between discovery and disclosure went up from 48.6 in 2017 to 49.6 days in 2018.

Read more about this topic at: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/data-breaches-what-do-the-numbers-mean.html

EE data leak caused stalking via SIM swapping?

An EE customer has said she was stalked by an ex-partner who worked at the firm, after he accessed her personal data without permission. She was switched to a new handset and her address and bank details were accessed. She involved the police and claims that EE and the police did not take the data leak seriously. She claims her SIM was swapped by her ex-partner, with her personal data getting into his hands. She claims to have spent a lot of private time at the police station and missed days at work, while her ex had access to her sort code, her account number and a photocopy of her driver’s licence. “It did put her at risk and she feels all customers should know how poorly something like this will be handled if there is a data breach on their account.”

Read more about this topic at: https://www.bbc.com/news/technology-46896329

French CNIL imposes GDPR penalty of 50 Million euros against Google

The GDPR violations for which Google was fined 50 million euros are:

1. Lack of transparency and information: the information provided by Google is not easily accessible to users, and some of it is not always clear or comprehensive.
2. No legal basis for the ads personalization processing, since consent is not validly obtained: users’ consent is not sufficiently informed, and is neither “specific” nor “unambiguous”.

Read more about this topic at: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

EU Guidelines on personal data breach notification

For the European Union Institutions and Bodies these Guidelines provide recommendations and indicate best practices to implement accountability for personal data protection by helping to assess and manage the risks for data protection, privacy and other fundamental rights of individuals in case of a personal data breach.

The Guidelines describe:

– What a personal data breach is
– How to assess a personal data breach
– How to notify a personal data breach to the EDPS
– How to communicate a personal data breach to the data subject
– How to document a personal data breach

American company sued for data leakage of nearly 4 million patients

The American company Medical Informatics Engineering (MIE) has been indicted by 12 American states for a data breach in 2015 in which the data of nearly 4 million patients fell into criminal hands. In May 2015, attackers were able to break into the company’s back-end systems, where they managed to steal the data of 3.9 million citizens.

The data was not limited to names and address details, but also included social security numbers, laboratory results, medical diagnoses, names of doctors and other medical data. MIE is accused of violating 27 federal laws relating to reporting a data breach, misrepresentation and personal data protection, writes Naked Security. The company is alleged to have insufficiently secured its computer systems.

No one was informed about the poorly secured systems, and the victims were informed too late. The hack was discovered on 26 May 2015, and a report was published on the company’s website on 10 June. In July, victims were informed by e-mail, and only in December 2017 did the victims receive a letter by post about the incident. The complaint states that MIE failed to encrypt the sensitive data while the company claimed to do so.


Read more about this topic at: https://nakedsecurity.sophos.com/2018/12/07/unencrypted-medical-data-leads-to-12-state-litigation/