UK Tax Agency To Delete 5 Million Voice Files After GDPR Violation*:
- The United Kingdom’s tax authority has until June 5th to delete 5 million voice recordings that were used to provide biometric authentication for British citizens.
- The program dates back to 2017, when HM Revenue and Customs (HMRC) began asking callers to use the phrase “My voice is my password” to register their voice biometrics and verify their identities on future calls.
- Following a tip from the privacy advocate Big Brother Watch, the Information Commissioner’s Office (ICO) ruled that callers were not given the opportunity to provide consent or opt out of the biometrics program.
- That made it a violation of the European Union’s GDPR legislation that went into effect last May, which requires such explicit consent for any form of biometric authentication.
- For its part, HMRC will continue to use voice authentication, citing the security and convenience benefits of the technology.
- The agency changed its onboarding process to comply with GDPR regulations in October, and reported that 1.5 million people have already opted in to the voice registration platform.
- HMRC also indicated that it would have no trouble deleting the 5 million recordings that were gathered before its new procedures went into effect.
- Since this is HMRC’s first GDPR violation, the agency will not face any fine as a result.
- While the ruling raises obvious concerns about HMRC’s prior conduct, the ICO’s enforcement of the law is nevertheless one of the first major displays of legislative oversight as it relates to biometrics.
- It proves that privacy activists have been effective in Europe, and is likely to renew calls for similar legislation in the US, especially as major companies like Amazon and Microsoft begin to champion the cause.
*Source: Find Biometrics, May 06, 2019
How Storytelling Can Help Keep Your Company Safe*:
- When was the last time you felt a deep emotional connection to a PowerPoint slide?
- How often do you find yourself enraptured by a lecture?
- Take a moment to imagine the sheer number of corporate presentations, training sessions, and mass emails that have failed to make any lasting impression (or any impression whatsoever) on their target audiences.
- When it comes to your company's security, you really don't want to add to that number.
- Whether we're talking about gaining or maintaining an audience's attention, narrative is one of the most powerful tools you have.
- Human beings are naturally drawn to stories — they generate empathy, tension (the good kind), and emotional investment.
- They entice viewers to keep watching to see what happens next.
- And they provide coherent, digestible messages that audiences actually want to hear.
- Research by Paul J. Zak, a professor of economics, psychology, and management at Claremont Graduate University, has shown that "character-driven stories with emotional content result in a better understanding of the key points a speaker wishes to make and enable better recall of these points weeks later."
- Because stories are so reliant on the power of empathy, it's crucial to make them as relatable as possible.
- Zak explains that it's easier to convey the "transcendent purpose" of your company by "describing the pitiable situations of actual, named customers and how their problems were solved by your efforts.
- Make your people empathize with the pain the customer experienced and they will also feel the pleasure of its resolution."
- Employees also need to be reminded that even the best-known companies in the world have been the victims of major security breaches, and this can be done by telling their stories.
- For example, Equifax recently announced that US regulators are seeking damages for its massive 2017 breach, which has already cost the company hundreds of millions of dollars.
- There's a reason why the expression "cautionary tale" is so common — there's no better way to prepare people for the worst.
- In a review of the research literature on narrative and cognition published in Proceedings of the National Academy of Sciences, Michael F. Dahlstrom points out that narratives are "often associated with increased recall, ease of comprehension, and shorter reading times."
- This is because, as Dahlstrom explains, narratives "seem to offer intrinsic benefits in each of the four main steps of processing information: motivation and interest, allocating cognitive resources, elaboration, and transfer into long-term memory."
- These are all salient points for CISOs and other digital security professionals who are trying to develop and sustain a culture of security at their companies.
- What's the use in security training programs that won't be remembered a few weeks or months after they're implemented?
- This is why companies should avoid perfunctory, check-the-box security exercises like occasional information dumps from the IT department, monotonous PowerPoint presentations, and training modules that employees rush through as quickly as possible.
- Instead, they should focus on narrative-driven messaging that highlights real-life data breaches and what could have been done to prevent them.
*Source: Dark Reading, May 03, 2019
After GDPR Struggle, Are Companies Ready For The Next EU Data Law*:
- A year ago, the European Union adopted the General Data Protection Regulation, or GDPR, a piece of legislation designed to force companies to protect people’s data.
- In just a few months, another data-related EU law is coming into effect: the second “payment services directive“, or PSD2.
- The new law, which becomes mandatory on September 14, takes aim at financial firms.
- The goal: Boost competition and innovation within the industry by making banking and payments safer and more open through stronger security and data portability provisions.
- One aspect of the new law requires that companies support “strong customer authentication“; in other words, banks must reject payments that fail to verify the identity of the purchaser, in real time, through multiple steps.
- Financial firms have been ordered to use a combination of passwords or PINs along with a second factor, which could involve a text message sent to a phone number, a hardware security token, or biometrics, like a fingerprint or face scan.
- If history teaches us, somnambulism will abound.
- Three months after GDPR went into effect, one oft-cited study found that out of 103 GDPR-applicable businesses, about 70% failed to comply with one of the law’s basic mandates: supplying personal data within a month to a consumer who requests a copy.
- That sluggish response certainly does not bode well for companies facing down the new rules’ deadline.
*Source: Fortune, May 07, 2019
Cybercriminals Favour Targeting Top Executives, Small Businesses Money: Verizon Data Breach Report*:
- Verizon published last week the 12th edition of its Data Breach Investigation Report (DBIR) based on real-world data from 41,686 confirmed security incidents and 2,013 data breaches spanning 86 countries worldwide.
- C-Level executives are 12 times more likely to be the target of security incidents, and 9 times more likely to be target of data breaches than in last year’s report.
- 43% of all breaches occurred at small businesses
- Financial gain remains the #1 driver of all data breaches
- Cyber-espionage represents 25% of all breaches
- Ransomware attacks are still going strong, accounting for 24% of the malware incidents analysed and is the #2 most-used malware type
- Outsider threats remain dominant (69% of breaches) with insiders accounting for 34%
- Compromise of web-based email accounts using stolen credentials is rising and now seen in 60% of all attacks involving hacking a web-based application
- More than half (56%) of data breaches took months or longer to discover
- Although it seems that no matter what defensive measures security professionals put in place, attackers are able to circumvent them, here are few "simple" things that companies and users can do to prevent the most common cyber attacks:
- Use 2-factor authentication with any user-facing cloud-based application like webmail
- Make sure that all hardware systems (servers, PCs, smartphones...) and software used inside the organization are updated to the latest version
- Think twice before clicking on a link, especially if you're on your mobile device, as social attacks including phishing and pretexting are effective ways to steal credentials
*Source: Forbes, May 11, 2019
Turkey Fines Facebook $280,000 Over Data Breach*:
- Turkey's Personal Data Protection Authority has fined Facebook 1.65 million Turkish liras ($280,000) over data breach.
- About 300,000 users in Turkey may have been affected by the data breach that exposed their personal photos in September last year.
- According to the Turkish watchdog, Facebook failed to timely intervene to take proper technical and administrative measures during the 12-day existence of the bug last September.
- According to a statement from Facebook in December, the company had discovered a photo API bug that allowed third-party applications to access the photos of Facebook users, reports Xinhua news agency.
- At the time, Facebook said that the bug "might have exposed the non-public photos of 6.8 million users to around 1,500 apps built by 876 developers", reports ZDnet.
- The watchdog said it decided to fine the social network for failing to react in a timely manner and fix the bug, but also for neglecting to notify Turkish authorities of the incident.
- The Turkish watchdog is also investigating Facebook for a September 2018 data breach, when unknown hackers exploited three bugs to steal the personal details of 50 million users -- later adjusted to 30 million.
- In March, Facebook disclosed yet another security incident, admitting to storing hundreds of millions of users' passwords in plaintext, along with plaintext passwords for millions of Instagram accounts.
- In the US, Facebook is facing a hefty fine from the Federal Trade Commission over data privacy scandals. Facebook expects the fine to be in the range of $3-5 billion and has kept aside $3 billion in legal expenses related to the investigation.
*Source: Business Standard, May 11, 2019
Equifax Sets Aside Nearly $700 Million For Expected Data Breach Payouts*:
- It’s been nearly two years since Equifax first revealed that it had suffered a massive data breach that exposed the personal information of 148 million U.S. consumers to hackers, but the fallout from the breach is nowhere near over.
- Earlier this week, the state of Ohio announced that it is suing Equifax over the breach, and earlier this year, Equifax said that it is expecting punishment from the Consumer Financial Protection Bureau and the Federal Trade Commission over the breach.
- Equifax is also facing investigations from nearly every state, several other federal regulators, and authorities in Canada and the U.K, plus more than 1,000 lawsuits over the breach.
- And Friday, Equifax revealed how much it’s expecting to pay out to deal with all of those issues.
- As part of its first quarter earnings release, Equifax CEO Mark Begor disclosed that the company set aside $690 million during the first quarter that includes the losses it expects to take in connection with a “potential global resolution of the consumer class action cases and the investigations by certain federal and state regulators.”
- According to the company, the accrual of $690 million is for “certain legal proceedings and investigations related to the 2017 cybersecurity incident,” and does not include the company’s legal and professional services expenses.
- Overall, the company recorded $786.8 million in the first quarter for data breach costs.
- That amount also includes $82.8 million of technology and data security costs; $12.5 million of legal and investigative fees; and $1.5 million of product liability costs.
- In total, Equifax said that the data breach has cost the company a total of $1.35 billion so far, including incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.
- But the company notes that the $690 million it set aside may not be enough to cover its pending settlements, fines, etc.
- According to Equifax, at the time of the breach, the company had $125 million in cybersecurity insurance coverage.
- The company has long since received the maximum reimbursement of $125 million on that insurance policy.
*Source: HousingWire, May 10, 2019