Cloud Provider PCM Suffers Data Breach*
- Cloud solution provider PCM has been hit with a data breach in which attackers reportedly accessed the email and file-sharing systems for some of its clients.
- PCM, which has 2,000-plus customers and generated about $2.2 billion in 2018, detected the breach in mid-May, sources report.
- Those same sources say intruders were able to steal admin credentials the company uses to handle client accounts in Office 365.
- It seems the attackers want to use the stolen data in gift card fraud schemes at financial organizations and retailers, according to a security expert at a PCM client who was informed of the intrusion.
- Security experts noticed a similarity between the attack against PCM and the data breach at Wipro, which was targeted in April.
- Attackers behind the Wipro breach reportedly collected gift card data from customers.
- It has not been determined whether the Wipro and PCM incidents are related or whether PCM is the victim of a separate attack.
- PCM has confirmed it recently experienced a cyber incident that affected certain systems.
- Its own investigation indicates the company's systems experienced "limited" impact and "minimal-to-no impact" on PCM customers.
- The incident has been remediated, PCM reports, and any affected customers have been made aware of it.
- Earlier this week, Insight Enterprises announced plans to acquire PCM.
- It's unclear whether this attack will affect the transaction.
*Source: Dark Reading, June 28, 2019
Egypt’s Regulators Pass Country’s First Data Protection Regulation Law*
- As the internet has grown, protecting personal data has become increasingly difficult.
- Hence, as part of the state’s efforts to prevent the illegal spread of personal data over the internet, Egypt will introduce data protection regulation into Egyptian law.
- The data protection regulations were finally approved by parliament on Monday, June 17.
- The regulations are to protect data and privacy for all Egyptian citizens and European Union citizens in Egypt.
- The regulations contain provisions and requirements pertaining to the processing of personal data of individuals.
- Personal data is defined as information about an individual that can identify them directly or indirectly, such as names or pictures, or any other data identifying the individual’s economic, cultural, or social conditions.
- Sensitive personal data is data that reveals physical or mental health, financial or religious information, or political opinions.
- The data protection regulation obliges companies which deal with personal data to follow these regulations.
- Personal data may not be collected, processed, or disclosed by any means without permission from the concerned person.
- Any person who does not comply is punishable by imprisonment for a period of not less than three months and a fine of between EGP 100,000 and EGP 1m.
- Moreover, the second article of the law prohibits the collection, transfer, storage, preservation, or processing of sensitive personal data, or making it available without a license from the centre, with the obligation to obtain written consent of the concerned person.
- Article 14 prohibits the transfer or sharing of personal data to a foreign country, except by a license from the centre.
- Violators would be fined between EGP 300,000 and EGP 3m.
- For electronic marketing, article 18 requires the recipient’s permission before any commercial messages are sent.
- Any violation can lead to imprisonment or a fine from EGP 100,000 up to EGP 1m.
*Source: ZAWYA, June 22, 2019
Banks Are Increasingly Trying To Monetize Data Troves*
- Banks are increasingly looking for ways to monetize the large troves of data they hold on customers, be it with credit card sales or by offering discounts tied to a customer’s particular interests, like food or fashion, Reuters reported.
- To help their bottom lines, banks like JPMorgan, Barclays and HSBC are taking a page out of the Google, Facebook or Twitter playbook with advanced data analysis.
- Banks are using the data to help with stock predictions, marketing campaigns and to fuel artificial intelligence (AI) tools for credit decisions.
- The new revenue, while it may be small, is helping banks during a time when regulation is high and interest rates are low.
- New rules introduced in the European Union last year allowing tech companies access to bank data with customer permission, as well as new privacy laws, have not hindered the movement.
- A poll done of 27,000 EU citizens showed that less than a third know their data rights, and that only about 13 percent read privacy agreements.
- Banks also don’t disclose how much money they’re making from data mining.
- One of the main ways to monetize data is to team up with retail firms to offer customers special deals or services that align with their interests.
- Some banks, like Lloyds and Santander, have partnered with a data advertising firm called Cardlytics.
- The banks offer a loyalty program that offers discounts at shops that a customer frequents, as well as deals involving favorite foods.
- The banks then get a percentage of the fee that Cardlytics charges to run the campaign.
*Source: PYMNTS, June 21, 2019
States Proactively Amended Data Security Laws Expanding The Definition Of Data Breach*
- When a company or organization falls victim to a data breach, one decisive way to mitigate the effect of the intrusion or the unintended disclosure of people’s sensitive information is to notify the victims as soon as possible, so that they become aware that their data has been compromised and can take the necessary actions.
- However, there is no federal law that prescribes when and how data breach disclosures should be carried out.
- Because of this, at least nine states, led by California, have been very proactive in passing new laws that require companies and organizations that experience a data breach to notify their clients and members as soon as possible.
- The most famous of these new and expanded data breach notification laws is the California Consumer Privacy Act (CCPA), and while it gets more attention than the others, eight other new data breach disclosure laws have been passed or are being voted on by states across the U.S.
- Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information or to include new reporting requirements.
- In Illinois, the Governor is expected to sign an amendment to the Personal Information Protection Act.
- The expanded law will require companies to notify the Attorney General in case a data breach happens involving at least 500 Illinois residents.
- Moreover, as part of the amendment, the Attorney General will also be allowed to report and disclose details about the breach even prior to the companies publicly disclosing them.
- Similar amendments to Massachusetts’ data breach notification law went into effect on April 11, 2019; they require a company to offer complimentary credit monitoring for 18 months if a breach involves a resident’s Social Security number.
- To avoid delays in notifying the victims, the amended law requires the disclosure to be done on a “rolling basis.”
- Furthermore, if the data involved in the breach belongs to a third party, the third party has to be named when notifying victims and the public, and businesses are now required to inform regulators if they have “a written information security program.”
- Maryland’s Personal Information Protection Act has also been amended; the amendment “(1) expands the scope of businesses covered by the law to include businesses that own, license or maintain personal information of Maryland residents; (2) prohibits a business responsible for a breach from charging the applicable data owner or licensee for information needed for notification; and (3) prohibits business from using information “relative to the breach” for purposes other than providing notification regarding the breach, protecting or securing applicable personal information, and providing notification to certain information security organization to alert and avert future breaches,” and the amendments are scheduled to take effect on October 1, 2019.
- The definition of “personal information” has also been expanded in New Jersey to include usernames, email addresses, passwords, and security questions and answers affiliated with an individual’s online account, and written or electronic notice is required for victim notification.
- Similarly, in New York, the Stop Hacks and Improve Electronic Data Security Act has been expanded to include similar information to that in the New Jersey amendment.
- In Oregon, vendors must now notify any contracted “covered entity” within 10 days of discovering a breach of security, as well as the Attorney General if the breach involves more than 250 consumers or if the number of individuals affected is unknown.
- In Texas, the victims and the Attorney General are to be notified within a “reasonable period” not exceeding 60 days after the discovery of the breach.
- Likewise, Washington has updated its cybersecurity laws to expand the definition of ‘personal information’ and to prescribe a timeline for breach disclosure.
- All in all, the common theme in the amendments among the nine states is the expansion of the definition of ‘personal information’, which also redefines what a ‘data breach’ means, and the prescription of a timeline that companies must follow when notifying victims of a data compromise.
- Lastly, most of these amendments also require notifying the Attorney General in case a breach happens.
*Source: Z6Mag, June 29, 2019
Data Management Firm Exposed Client Info On Open Amazon S3 Buckets: Researchers*
- Data from Netflix, TD Bank, Ford and other companies was left exposed for an unknown period of time on publicly accessible cloud storage buckets operated by data integration and management company Attunity, according to the research team that discovered the error.
- A researcher from UpGuard’s Data Breach Research team found the three publicly accessible Amazon S3 buckets on May 13.
- The oldest of the three, which contained the most sensitive information, was uploaded in September 2014; however, it is not clear if the data was publicly accessible since that time.
- UpGuard reports that Attunity quickly remedied the situation after it was alerted to the leaky buckets on May 16.
- Acquired last May by the King of Prussia, Pennsylvania-based software company Qlik, Attunity says on its website that it provides data management services to more than 2,000 enterprises and half the Fortune 500.
- Exposed Attunity customer information included various business documentation, system credentials, system information and personnel/employee information.
- In its blog post, UpGuard provided some specific examples of exposed information, including Netflix database authentication strings, a TD Bank software upgrade invoice, and a Ford project preparation slide.
- Qlik provided SC Media with the following comment: “Attunity was notified in-mid May of an issue related to internal company data stored in AWS S3 buckets. Attunity personnel responded quickly to ensure that the data was secured… Following Qlik’s acquisition of Attunity in May, and upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik’s 24×7 security operations center.”
*Source: SCMagazine, June 29, 2019
Italy Stings Facebook With a $1.1M Fine For Cambridge Analytica Data Misuse*
- Italy’s data protection watchdog has issued Facebook with a €1 million (~$1.1M) fine for violations of local privacy law attached to the Cambridge Analytica data misuse scandal.
- Last year it emerged that up to 87 million Facebook users had had their data siphoned out of the social media giant’s platform by an app developer working for the controversial (and now defunct) political data company, Cambridge Analytica.
- The offences in question occurred prior to Europe’s tough new data protection framework, GDPR, coming into force — hence the relatively small size of the fine in this case, which has been calculated under Italy’s prior data protection regime.
- Last year the UK’s DPA similarly issued Facebook with a £500k penalty for the Cambridge Analytica breach, although Facebook is appealing — in that case it has also highlighted the regulator not having found evidence UK users’ data was shared with Cambridge Analytica, though it clearly was processed by Kogan.
- The Italian regulator says 57 Italian Facebook users downloaded Dr Aleksandr Kogan‘s Thisisyourdigitallife quiz app, which was the app vehicle used to scoop up Facebook user data en masse, with a further 214,077 Italian users also having their personal information processed without their consent as a result of how the app could access data on each user’s Facebook friends.
- In an earlier intervention in March, the Italian regulator challenged Facebook over the misuse of the data — and the company opted to pay a reduced amount of €52,000 in the hopes of settling the matter.
- However, the Italian DPA has decided that the scale of the violation of personal data and consent disqualifies the case for a reduced payment, so it has now issued Facebook with a €1M fine.
- At the time of writing its full decision on the case was not available.
- The Irish DPC has a full suite of open investigations into Facebook and Facebook-owned companies, covering major issues such as security breaches and questions over the legal basis it claims for processing people’s data, among a number of other big-tech-related probes.
- The watchdog has suggested decisions on some of this tech giant-related case-load could land this summer.
*Source: TechCrunch, June 28, 2019