A Nevada Law That Fines Companies for Selling Private Data Is About to Go Into Effect


  • A privacy bill, signed into law this May, requires website operators to respond to requests from consumers and halt the sale of their personal information within 60 days—or potentially face strict fines.
  • The law, passed as Senate Bill 220, was modeled after the California Consumer Privacy Act (CCPA).
  • Companies are still permitted to exchange personally identifiable information (PII) with their own business affiliates.
  • California’s idea of PII is also somewhat broader, encompassing essentially any information that could be reasonably linked to a particular individual or household.
  • Conversely, the Nevada law describes particular examples of information considered private, such as a consumer’s name, address, telephone number, Social Security number, and so on.
  • Violators may be subject to injunctions and civil penalties of up to $5,000 per violation.
  • The laws are a direct response by state lawmakers to sweeping privacy violations in recent years, from the litany of scandals at Facebook to the massive data breach at Equifax in 2017.
  • The U.S. Congress has so far failed to pass any comprehensive legislation to protect American consumers’ data, despite public outcry and a series of record-breaking fines from regulators.
  • Tech companies have stepped up pressure on Congress to enact a national privacy law, arguing that the patchwork of state-level policies is expensive and too burdensome to follow.
  • Privacy advocates say, however, that any law that makes it through Congress will be considerably weaker than those crafted by states.

*Source: Gizmodo, September 23, 2019


Malindo Air identifies employees of e-commerce contractor behind data breach


  • Two rogue employees of e-commerce services provider GoQuo have been blamed for a security breach that compromised the personal data of Malindo Air and Thai Lion Air passengers, which was hosted on Amazon Web Services’ cloud platform.
  • The Malaysian and Thai airlines are subsidiaries under Indonesia’s low-cost carrier group, Lion Air.
  • The two former employees were based at GoQuo’s development centre in India and “improperly accessed and stole” personal data of the airlines’ customers, said Malindo Air in the latest of a series of statements regarding the breach.
  • Stressing that all its systems were “fully secured”, it further noted that the data leak had been “contained” and reiterated that no payment details were compromised in the breach. It also initiated an automatic reset of all its customers’ passwords.
  • Personal data compromised in the breach included the passenger’s date of birth, passport number, and mobile number.
  • Malindo Air said the incident was “not related” to the security of its data infrastructure or that of its cloud provider, Amazon Web Services (AWS).
  • The Malaysian airline said it was working with all relevant agencies regarding the breach, including the Malaysian Personal Data Protection Commissioner and National Cyber Security Agency.
  • The carrier did not say how many customers were impacted by the security breach, but various reports put the number between 21 million and 30 million, including Thai Lion Air passengers.
  • Commenting on the breach, HackerOne’s IT head Aaron Zander said: “Leaving a server exposed without any protection is one of the most basic and embarrassing security failings, but these breaches still continue to happen across the board. When it comes to securing the data of ever more informed consumers, the basics of security need to be covered at a minimum.
  • “When moving such data to a cloud environment, maintaining an understanding of who is accessing what and when is key so the risk of unauthorised access is minimised.”

*Source: ZDNet, September 24, 2019

Google wins “right to be forgotten” case in Europe


  • Google and free speech advocates won a major victory in the European Court of Justice (ECJ) on Tuesday.
  • The European Union’s top court ruled that Google does not have to comply with Europe’s “right to be forgotten” policy on a global scale. “The right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality,” the ECJ said in a press release.
  • “In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.”
  • France’s data-protection authority, the CNIL, subsequently told Google that once it accepts a delisting, it must remove results from all domains, including those outside Europe and Google.com.
  • In its ruling Tuesday, the ECJ said that search engine operators are not required to carry out a de-referencing on all versions of their search engine.
  • However, the ECJ also said search engine operators are required to carry out that de-referencing on the versions of their search engine corresponding to all EU member states.
  • They must also put in place measures discouraging internet users from gaining access, from any EU states, to the links in question which appear on versions of that search engine outside the EU.
  • “The Court emphasizes that, in a globalised world, internet users’ access — including those outside the EU — to the referencing of a link referring to information regarding a person whose centre of interests is situated in the EU is likely to have immediate and substantial effects on that person within the EU itself, so that a global de-referencing would meet the objective of protection referred to in EU law in full,” the ECJ’s press release said.

*Source: ZDNet, September 24, 2019

More than 70% of hospital data breaches compromise information that puts patients at risk of identity theft

  • About 159 million patients had sensitive information like Social Security numbers or credit card numbers compromised in a hospital data breach in the past 10 years.
  • According to a research paper published in the Annals of Internal Medicine Monday, 94% of all patients affected by a healthcare data breach since October 2009 had their sensitive demographic information, such as Social Security numbers or financial data like banking account numbers, compromised during the breach.
  • Researchers from Michigan State University and Johns Hopkins University studied 1,461 breaches of protected health information over the past 10 years to examine for the first time the types of information that were compromised in these breaches.
  • Ongoing healthcare data breaches have eroded patients’ trust in the ability of providers and health plans to protect their data.
  • A recent Harvard T.H. Chan School of Public Health and Politico survey showed that only 17% of patients have a “great deal” of faith that their health plan will protect their data, and only 24% trust their hospital to keep their data safe.
  • The researchers looked at 1,461 breaches reported by 1,388 entities to the U.S. Department of Health and Human Services since October 2009. All of the breaches involved at least one piece of demographic information, the analysis found.
  • The researchers zeroed in on the most sensitive information within the three categories of breached data (demographic, service or financial, and medical) that could be exploited for identity or financial fraud.
  • For example, while demographic information includes patient names, email addresses, phone numbers and other personal identifiers, researchers classified Social Security numbers, driver’s license numbers and dates of birth as particularly sensitive demographic information.
  • About two-thirds of hospital data breaches (66%), or 964 breaches in the past 10 years, compromised patients’ sensitive demographic information such as Social Security numbers or driver’s license numbers.
  • A total of 513 breaches (35%) compromised service or financial information. Of those, 186 breaches (13%), affecting 49 million patients, compromised sensitive financial information such as credit card numbers.
  • The combination of those categories represents 1,042 unique breaches. That means 71% of the breaches affecting 159 million patients exposed sensitive demographic or financial information that could be exploited for identity or financial fraud. That’s 94% of the 169 million patients affected by a healthcare data breach in the past 10 years.
  • Two percent of the breaches, affecting 2.4 million patients, compromised sensitive medical information, potentially threatening their clinical privacy.

*Source: FierceHealthcare, September 23, 2019

Airbus hit by series of cyber attacks on suppliers


  • European aerospace giant Airbus has been hit by a series of attacks by hackers who targeted its suppliers in their search for commercial secrets, security sources told AFP, adding they suspected a China link.
  • There have been four major attacks on Airbus in the last 12 months, according to two security sources involved in investigating the hacking.
  • The group has long been considered a tempting target because of the cutting-edge technologies that have made it one of the world’s biggest commercial plane manufacturers, as well as a strategic military supplier.
  • Hackers targeted British engine-maker Rolls-Royce and the French technology consultancy and supplier Expleo, as well as two other French contractors working for Airbus that AFP was unable to identify.
  • Romain Bottan of the aerospace security specialist BoostAerospace said the attacks showed that hackers were seeking out weak links in the chain to compromise Airbus’s systems.
  • The other attacks used the same methods, with the first of them detected at a British subsidiary of Expleo, formerly known as Assystem, as well as Rolls-Royce, which provides engines for Airbus planes.
  • None of the sources who spoke to AFP could formally identify the perpetrators of the attacks, pointing to the extreme difficulty in obtaining evidence and identification in any cyber attack.
  • Many state-backed and independent hackers are known to use tools to disguise their tracks, or they may leave clues intended to confuse investigators or lead them to blame someone else.
  • But the sources said they suspected Chinese hackers were responsible, given their past track record of stealing sensitive commercial information and the existence of a motive.
  • Several sources said they believed a group of hackers linked to the Chinese Communist Party, known as APT10, could be behind the attacks.
  • But another source pointed to another group of Chinese hackers known as JSSD, which are believed to operate under the regional security ministry in the coastal state of Jiangsu.
  • The attacks expose the vulnerability of Airbus to intrusions via its global supplier network, and the value of its technology to foreign countries.
  • “If someone wanted to slow down production, they can quickly identify the critical supplier, the single sources, which are unique in their role,” one expert said.
  • Belgian aerospace design and manufacturing firm ASCO had a major IT meltdown earlier this year caused by malware, and it took a month to restore its systems, one source said.


*Source: France24, September 26, 2019

NY files suit against Dunkin’ Donuts over security breaches


  • Dunkin’ Donuts violated state law by not notifying almost 20,000 customers, including more than 2,000 in New York, about cyberattacks on their accounts in 2015 and inadequately warning more than 300,000 customers in 2018 about another attack, the New York state attorney general said Thursday in announcing a lawsuit.

  • “Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”

  • According to the lawsuit, filed in state Supreme Court in Manhattan, the company knew in 2015 that a series of attacks had been made on customers’ online accounts, with attackers able to steal money customers had stored for use at Dunkin’ stores. But it said the company didn’t inform the customers or fully investigate.

  • The suit also accuses Dunkin’ of keeping customers in the dark about the full extent of 2018 cyberattacks, by only intimating attempts had been made to access accounts but not that accounts had been breached.

  • Dunkin’ Brands Inc. strongly pushed back against James’ contention.

  • “There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” Dunkin’ chief communications officer Karen Raskopf said in an emailed statement.

  • She said that in connection with the 2015 incident, an investigation had been conducted and showed that no customer account had been wrongfully accessed and there was no reason to inform customers.

*Source: Boston Herald, September 26, 2019