Week of June 10, 2019


Week of June 10, 2019

GDPR’s First Year Impact by The Numbers*:

  • It has been a year since the EU General Data Protection Regulation (GDPR) compliance deadline kicked in, and in that time the landmark privacy and cybersecurity regulatory rules have made waves worldwide among enterprises with European connections.
  • GDPR has raised the bar for privacy and security awareness at the board level, as well as assured continued increases in security and compliance spending at most large organizations in the coming years.
  • Here are some of the latest statistics that offer up signposts of where we are with GDPR at the one-year anniversary.
  • Enterprise Budgets Swell
    • One thing is certain, and it's that enterprises are funneling a lot of cash toward continued GDPR compliance efforts.
    • Forbes reporting went so far as to call GDPR a "$9 billion business shakedown," with industry sources such as IAPP and EY also reporting the average spend per organization reaching about $3 million, with half of that coming this year and beyond.
    • The spending was spread out among a range of categories, including internal people-hours, outside legal counsel, consulting, employee training, and new technology.
    • Many experts expect the long-term budgetary impacts of sustained GDPR compliance to linger.
    • The sustained spending will be particularly heavy in US companies that may not have had instituted certain privacy practices commonplace at European firms even prior to GDPR.
    • According to IDC's Ryan O' Leary, the "maximum impact" — spending on GDPR initiatives — in the US is actually expected in 2020.
    • Meanwhile, another survey conducted by Thomson Reuters at the end of last year found about 38% of compliance budgets were dedicated to GDPR.
  • Time Spent on GDPR Compliance Will Remain High
    • Sustained spending on GDPR is difficult to project due to many hidden human costs — particularly when organizations have not yet automated all of their compliance processes and data flows.
    • A study by the firm Data Grill, released earlier this month, shows that two-thirds of organizations dedicated 25 or more employees to managing GDPR, and 80% met at least a few times a month in the run-up to the deadline.
    • But much of that early effort may have been short-term stopgaps.
    • According to the survey, 70% of organizations indicated their early solutions for GDPR compliance won't scale in the future as regulatory enforcement agents step up their efforts and consumer complaints and data requests intensify.
    • Interesting, since the deadline the time spent by decision-makers sustaining GDPR compliance seems virtually unchanged compared with the time spent preparing for GDPR.
  • The Compliance and Privacy Progress Needle Still Sticking
    • Even with all of the money being spent and the people-hours dedicated to GDPR worldwide, a year later the needle on compliance and privacy progress hasn't moved much at many organizations.
    • For example, one survey by Talend found that 70% of companies can't comply with the level of data access offered to their consumers in GDPR-mandated privacy policies.
    • And the survey conducted by Thomson Reuters found that 48% of organizations worldwide are failing to meet GDPR requirements.
  • Registered Data Protection Officers Continue to Increase
    • Even though there's clearly still more work to go, the good news is that the number of data protection officers (DPOs) at organizations has grown with GDPR's mandates.
    • According to IAPP figures from this month, approximately 376,306 organizations have registered DPOs so far in 12 of 28 EU member states, leading the industry group to extrapolate an estimate of 500,000 total DPO registrations across Europe.
    • The group reports a "spike in renumeration" for all privacy professionals in the past year.
    • Registered DPOs are frequently chief privacy officers, for which IAPP reports an average salary of $220,000.
    • However, not all DPOs are cut from that cloth, and the average salary for these privacy decision makers is a much more modest $88,000.
    • This delta indicates that many junior-level DPOs may still need more training and experience to elevate their position and standing within their organizations to make an impact.
  • Enforcement Action Ramped Up Quickly
    • In the year since the deadline, the EDPB has registered 446 cross-border cases.
    • At the national SA level, there has been a total of more than 281,000 cases, including over 144,000 consumer complaints and more than 89,000 data breach notifications.
    • Of these cases, about 63% have been closed already, with 37% still ongoing, the EDPB reports.
    • The Thomson Reuters report shows that, overall, about 50% of organizations around the globe have been subject to some sort of enforcement action.
    • By IAPP figures, GDPR enforcement actions have resulted in over €56,000,000 (US$62.4 million) in fines.
  • Consumer Awareness Grows, but People are Cynical
    • The EDPB reports that the percentage of EU citizens who have heard of there being a public authority in their country who is responsible for protecting data privacy rights has increased by 20 percentage points in the past four years, with 67% of EU citizens reporting they've at least heard of GDPR.
    • At the same time, many of these European citizens are still cynical about GDPR's benefits.
    • A report by TrustArc and Ipsos shows that fewer than half of UK citizens have exercised GDPR rights, such as opting out of cookie installs or restricting company use of personal data.
    • And only about 36% say they trust companies more with their personal data since GDPR came into effect a year ago.
    • In addition, an even broader survey by Ogury found that across more than 280,000 global consumers, 55% say that since the data transparency provisions of GDPR were passed, they still don't have a better understanding of how companies use their data.

*Source: Dark Reading, May 31, 2019


Hackers Can Now Bypass Two-Factor Authentication with a New Kind of Phishing Scam*:

  • Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.
  • However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials.
  • The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month.
  • A video of the presentation was posted on You Tube on June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.
  • The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks.
  • The two tools work together like the perfect crime duo.
  • Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.
  • Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website.
  • Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual.
  • Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.
  • A demonstration of the attack was also released on GitHub, an open source coding site, to provide developers an opportunity to see how it works.
  • Despite this hack, 2FA is still considered a best security practice—far better than the alternative of simply relying on a username and strong password, according to security experts.
  • The researchers say that universal second factor is a strong solution, when available.
  • A U2F key is a secondary, physical device that can be plugged into a computer port as an additional way of verifying a person’s identity after they enter their username or password.

*Source: Fortune, June 04, 2019


Quest Diagnostics Breach: Nearly 12 Million Customers Data May Have Been Compromised

  • Quest Diagnostics, one of the country's largest providers of diagnostic testing, said information on nearly 12 million customers may have been compromised due to a data breach.
  • The Secaucus-based diagnostic testing company confirmed that there was a data security incident involving AMCA, a billing collections vendor, said Wendy Bost, a spokeswoman for Quest Diagnostics.
  • Although the breach did not happen at Quest Diagnostics, AMCA provides services to Optum360, which in turn provides payment services to Quest Diagnostics, Bost said.
  • In a filing with the Securities and Exchange Commission, Quest Diagnostics said that AMCA informed the company that there had been unauthorized access on AMCA's web payment page and that information from Quest Diagnostics and Optum360 customers may have been compromised.
  • The information stored on AMCA's affected system includes credit card numbers, bank account information, medical information and personal information, including Social Security numbers, the SEC filing says.
  • As of Monday, AMCA had not provided Quest Diagnostics or Optum360 complete information about the security breach, including specific information and individuals affected, Bost said in a statement.
  • AMCA first notified Quest Diagnostics on May 14 of a potential breach, the filing says.
  • On May 31, AMCA told Quest Diagnostics that the potentially compromised data included as many as 11.9 million Quest patients.
  • In response to the breach, Quest Diagnostics has suspended sending collection requests to AMCA, the statement said.
  • The company has also sent out notifications to affected health plans, the statement said.
  • AMCA said it hired an external forensics firm to investigate the breach and moved its web payment portal services to a third-party vendor.

*Source: North, June 03, 2019


Checkers Breach Underscores Continued POS Dangers

  • Attackers compromised and installed point-of-sale (POS) malware on devices at more than 100 stores in the Checkers and Rally's restaurant chain, allowing them to collect payment-card information from customers for months — and, in some cases, years, the company said in a statement released this week.
  • The attack highlights how POS devices continue to be a viable target for cybercriminals if the merchant, hardware maker, and payment services provider have not all adopted the Europay-Mastercard-Visa (EMV) security standard.
  • While EMV is an effective defense against most payment device malware, many retailers have not upgraded to hardware that is EMV-capable, says Josh Platt, principal threat researcher at Flashpoint.
  • Customers at a minimum of 104 Checkers and Rally's locations were affected by the latest breach, according to parent company Checkers Drive-In Restaurants, which only recently became aware of the breach.
  • The company retained security consultants to investigate the attacks and determine the length of time that each location had been compromised.
  • At least one location had the malware installed in December 2015, according to data provided by the company.
  • The attack also underscores how merchants that have not upgraded to EMV put themselves — and their customers' information — at risk.
  • Merchants are quickly adopting devices that comply with the security specification, but almost half of transactions were not protected: In 2018, 54% of card-present transactions used EMV, up from 41% the prior year, according to EMV Co., the organization promoting and managing the specification.
  • POS terminals that use EMV technology encrypt and tokenize credit card information, preventing malware on the card reader from intercepting the data.
  • As retailers have adopted the EMV security standard, attacks at the point of sale have become less common.
  • While details of the Checkers breach have not been released, often retailers use special editions of Microsoft Windows for retail environments that are not kept up to date.

*Source: Dark Reading, May 31, 2019


Hackers Stole A Border Agency Database of Traveler Photos

  • In its rush to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it.
  • One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of hackers.
  • The Washington Post first reported the incident, whose full scope remains unclear.
  • But the hack has raised sharp questions about the agency’s already controversial push for biometrics.
  • Facial recognition scans have become more routine at airports; CBP wants it in the top 20 US airports by 2021.
  • CBP declined to name the breached subcontractor to The Post, but apparently sent the news outlet a Microsoft Word document titled “CBP Perceptics Public Statement.”
  • The Word file strongly suggests that Tennessee-based Perceptics, which makes license plate readers and has a decades-long relationship with CBP, is the vendor in question.
  • That makes even more sense when you consider that a hacker calling themselves “Boris Bullet-Dodger” dumped hundreds of gigabytes of data stolen from Perceptics on the dark web in May.
  • It’s unclear if that breach, first reported by The Register, is the same as the one CBP copped to Monday.
  • The former became public on May 23; CBP says it found out that its database had been compromised over a week later.
  • Perceptics did not respond to a request for comment. But regardless of which specific vendor the breach stems from, the upshot is the same.
  • CBP has given precious little information about how many people were impacted, a troubling lack of disclosure.
  • It’s not even clear exactly what type of data—and whether it extends to biometrics beyond photos—the database contained.
  • While CBP says "none of the image data has been identified on the Dark Web or internet,” the dump of hacked Perceptics data just a few short weeks ago doesn’t give much confidence that this breach is contained or will stay that way.
  • In short, the only people who know the full scope of this breach are CBP, an unnamed subcontractor, and whoever pulled off the hack.
  • Without more clarity on the contents of the database in question, it’s hard to say for sure in terms of the impact on an individual level.
  • That CBP itself wasn’t directly hacked doesn’t make the situation any better.
  • In fact, it arguably makes things worse; the agency let a third-party access incredibly sensitive data and didn’t ensure that appropriate security measures were in place.
  • That it treats an image database of private citizens with the same lack of care that it does a Microsoft Word doc should set off very loud alarm bells.
  • The breach also comes at a time when facial recognition regulation has garnered bipartisan support, after years of going relatively unchecked in both the public and private sectors.
  • It may be too late for the victims of this data breach, but it’s past time to help limit the damage before the next hack comes along.

*Source: Wired, June 06, 2019


Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

scroll top