I’ve been collating findings from many online sessions and updates this year, and keep a log of the latest findings, recommendations and case studies as I attend them. Here are some pointers to adapt your organisation to the latest guidance being shared by privacy and information security professionals.
Universities and charities in the UK, US, and Canada have all been affected by a hack that hit software supplier Blackbaud.
Over 20 universities and charities have stated they were affected after Blackbaud – a supplier of administration and financial software – was hacked back in May, with personal data being held for ransom.
Blackbaud agreed to pay the ransom, despite this being against the advice of most law enforcement agencies. Most worryingly, however, it took a long time to inform those affected.
Questions are being asked about why Blackbaud took weeks to inform its customers of the hack.
Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.
The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.
How Blackbaud has approached the hack is extremely worrying, especially given that sensitive data was stolen, including “phone numbers, donation history and events attended”.
There is no guarantee that the hackers destroyed this data despite the ransom being paid, and the length of time Blackbaud took to deal with this issue has left those affected unable to take steps to protect themselves.
If you want advice on how to handle these kinds of situations and your data protection procedures, get in touch with us today for our expert advice.
Hungary has suspended some elements of GDPR as part of its strategy for dealing with the Covid-19 pandemic. Having declared a state of emergency on 11th March, the authorities have been able to do this because they can govern by decree.
The decree suspending parts of GDPR was issued on 4th May, and also applies to Hungary’s own data protection laws.
Privacy News Online reports that, specifically, authorities don’t need to provide notice about the gathering and storage of information if they are acting for the purposes of “coronavirus case prevention, recognition, exploration, as well as prevention of further spreading.”
Furthermore, citizens “no longer have the right to request access or erasure of their personal information and the government has given itself longer to respond to freedom of information requests.”
The government decree stipulates that data controllers’ measures under articles 15 to 22 of the GDPR as pertaining to personal data processed for the purpose of preventing, recognising and investigating the COVID-19 disease and stopping its spread are suspended until the termination of the state of emergency.
This is a concerning turn of events considering that the state of emergency has been made indefinite. Usually, a state of emergency would only last for fifteen days in Hungary and would need to be renewed by Parliament.
However, it was extended on 31st March and there is now no set end to it, allowing Hungarian Prime Minister, Viktor Orbán, to rule entirely by decree.
Suspending parts of GDPR in Hungary is therefore worrying to see. The law is relatively young and was viewed as a major step forward in protecting the rights and freedoms of EU citizens, but Hungary is already attempting to step back from it.
How Hungary’s relationship with GDPR will evolve after the pandemic has passed remains to be seen – but even then, there’s no guarantee that the declared state of emergency will come to an end.
Do you want to find out more about GDPR and your obligations under the law? Click here to contact us and discover how we can help you improve your compliance.
A Covid-19 tracking app might be a key part of halting the spread of the pandemic, but there remain privacy concerns about the project.
A new legal report has stated that any centralised system for contact tracing would lead to “significantly greater interference with users’ privacy and require greater justification”, although a decentralised system – while potentially less effective – would be more proportionate and lawful.
According to The Guardian:
It is not yet known whether use of the app would be mandatory or voluntary. “A mandatory smartphone app would be a significant measure, both legally and culturally,” the lawyers said. “Our view is that there would need to be a clear and detailed legal basis for a mandatory system, set out in specific legislation.”
Sharing data held by healthcare organisations and private companies to assist in combating the Covid-19 pandemic may create “a number of legal problems… resulting in potential illegality”, the legal opinion says.
“Given the nature of the data likely to be shared, the government will need to undertake a data protection impact assessment (DPIA) prior to the processing of any personal data,” it adds. “The results of that DPIA should be made public. Those steps may be in progress, but we are not aware of them having been completed thus far.”
On plans for immunity certificates, the report adds: “Such a step would engage a number of fundamental rights under [human rights] and EU/UK legislation concerning the right to privacy and protection of personal data. Any proposals would require very substantial evidential justification to show that they are necessary and proportionate. We are unsure if such evidence could be provided.”
The issue with making the Covid-19 tracking app voluntary, however, is that it may also render it ineffective. A study has found that 56% of the UK population, amounting to approximately 80% of all smartphone users, must use it if the virus is to be suppressed.
This could be problematic. When a similar Covid-19 tracking app was introduced in Singapore, only 12% of the population made use of it, leading to another lockdown on 7th April after another spike in cases.
Carrying out a DPIA is a requirement for any new system, and the government should be open and honest about how it intends to store and process the data which is collected.
With the app due to be trialled this week on the Isle of Wight, it’s clear that there are still many privacy concerns surrounding it which need to be addressed. But with the Welsh chief medical officer recently stating that people would be willing to give up some of their freedoms to tackle the pandemic, it remains to be seen whether these concerns will be addressed.
The popular Android app store Aptoide has apparently been breached, with millions of users having their data stolen by a hacker.
Aptoide is a third-party app store, meaning it isn’t operated by Google or provided by a smartphone manufacturer, and claims to have over 150 million users, 7 billion downloads, and 1 million apps.
However, its popularity has now made it a target for a hacker, who has seemingly stolen the details of 39 million users and published 20 million of those online.
According to ZDNet:
The leaked information, a copy of which ZDNet obtained with the help of data breach monitoring service Under the Breach, contains information on users who registered or used the Aptoide app store app between July 21, 2016, and January 28, 2018.
Data leaked today that can be classified as “personal identifiable information” includes details such as the user’s email address, hashed password, real name, sign-up date, sign-up IP address, device details, and date of birth (if provided).
Other details also include technical information such as account status, sign-up tokens, developer tokens, if the account was a super admin, or referral origin.
Aptoide has subsequently taken steps to improve its security systems, and in a statement on their website stated:
We are working tirelessly to understand how this happened and already have a few leads. We feel deeply ashamed and would like to apologize sincerely. The security of our users is a priority for us, and we have always tried to implement policies that make Aptoide a safe environment.
Besides continuous training, we have hired external companies to audit our infrastructure and perform penetration testing. It was not enough, though. We have failed to keep some of the user data safe.
Besides providing updated information as we have it, we will also have an internal discussion on how to better store and protect user data moving forward.
While you should always be careful about using third-party apps, Aptoide has generally been considered one of the more secure options, and it’s clear that they are taking positive steps in the wake of this breach to protect users and learn from the experience.
However, this also demonstrates the importance of not reusing usernames and passwords across multiple platforms. Any users doing so whose data was stolen will now find themselves at risk if they used the same credentials elsewhere.
If you’re concerned about how your organisation should respond to a data breach of this sort, contact us today to get our expert advice.