As the coronavirus crisis affects the world, there has been a sharp rise in working from home and, as a result, the use of video conferencing platforms such as Zoom. But Zoom has also come under fire for numerous privacy and security issues.
As reported by Help Net Security, some of these issues include:
All of these issues raise the question of how safe it is to use Zoom. However, it is important to note that since coming under increased scrutiny in the last few weeks, Zoom has been working to address many of these issues, as Help Net Security has reported:
Most importantly, Zoom Video Communications’s CEO Eric Yuan publicly pledged that, for the next 90 days the company will temporarily stop working on new features and shift all their engineering resources to focus on trust, safety, and privacy issues.
He apologized for the company failing short of the community’s privacy and security expectations, said that many of the issues were due to the fact that Zoom was built primarily for enterprise customers (large institutions with full IT support).
You can read the full article from Help Net Security here.
It’s a positive step to see a company working towards better security and privacy measures, but although Yuan has argued they “did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home”, the problems should nonetheless have been addressed before.
The chief question here is whether it’s safe to use Zoom. You should always be careful about using any platform on which you can share data, and on the whole, there are more secure services available.
Are you concerned about data privacy issues during the coronavirus crisis? Contact us today to get our expert, professional advice.
The Information Commissioner’s Office (ICO) has issued guidance around data protection and coronavirus, recognising the “unprecedented challenges” we face during the pandemic.
On the whole, the ICO is taking a commonsense approach. They state that measures taken should be proportionate: “if something feels excessive from the public’s point of view, then it probably is.”
Here’s a short summary of the guidance provided by the ICO on data protection and coronavirus:
- The ICO understands that data protection standards may not be as high during this time because resources are being diverted away from compliance work. Organisations won’t be penalised if they need to adapt their usual practices.
- Data protection laws do not prevent people working from home, which many will do during the pandemic. The same security measures should be considered for homeworking as at the workplace.
- Staff should be informed about cases of coronavirus at your organisation. Individuals do not need to be named, however; provide no more information than is necessary.
- There’s no need to collect significantly more health data about your employees. While you have an obligation to protect their health, you should not collect more information than you need and can take a commonsense approach to this.
- Rather than attempting to handle things internally, a better approach may be to ask people to consider and follow government advice – for example, calling the NHS on 111 if they have visited a badly affected country or are showing symptoms of the virus.
- It’s fine to share employee health data with the authorities if necessary – although it’s unlikely you’ll need to do so.
You can read the full guidance from the ICO here.
This is certainly a difficult time for people and organisations, but on the matter of data protection and coronavirus, it’s important to be sensible. Don’t take unnecessary measures; make sure that your response is proportionate.
If you have any more questions about this or any other subject relating to data protection, get in touch with us today and our consultants will provide all the advice you need.
900,000 people have been hit by a Virgin Media data breach in which a database containing personal details was accessible over the internet for 10 months.
The database contained details including email addresses, home addresses, and phone numbers, which were being stored for marketing purposes.
Virgin Media have stated that the breach took place due to the database being “incorrectly configured” by a member of staff. There was no hacking or malicious intent behind the breach, although it was also apparently accessed “on at least one occasion” by an unknown and unidentified user.
Zoe Kleinman, Technology Reporter at BBC News, stated that:
The fact that Virgin Media’s database hasn’t been actively hacked is reassuring for customers, but while the details are light, it sounds like human error is to blame and that is rather embarrassing for a tech firm.
Ten months is a long time for all that data to have just been sitting there, waiting to be found.
And while no passwords or bank details were among it, there’s an awful lot of contact information for a cyber-criminal to work with. Phishing expeditions – when someone tries to get financial information out of a victim by pretending to be a company with a legitimate reason for contact – are not particularly sophisticated, but they are effective for those caught off-guard, and can be a lucrative source of income.
It’s unclear whether this was yet another case of unsecured data being stored on a cloud service that’s easily searchable if you know how. There have been dozens of examples of this lately, including just this week a database of the personal details of people using train station wi-fi around the UK.
Virgin Media has apologised and really, there’s very little practical advice to offer in the light of this kind of breach, beyond the usual protocol of staying alert to any messages requesting personal information or access to any kind of finance.
You can read the full article on this story from the BBC, with Kleinman’s commentary, by clicking here.
This Virgin Media data breach is the latest in a series, from various organisations, which have seen databases left unsecured online. For example, a Microsoft database containing 250 million details was left exposed in December, as we reported here.
This is a worrying trend, and shows that these databases should be configured carefully by people who know the proper procedures and are fully trained and knowledgeable about cybersecurity.
Virgin Media has taken steps to close access the database, contact the ICO, and notify those affected by the breach, with advice about how to protect themselves from potential repercussions. While these are all positive steps, there’s no doubt that significant errors have been made and this breach could easily have been avoided.
If you want advice on how to protect user data, get in contact with our GDPR consultants today for invaluable, expert advice.
Home Office breaches of GDPR took place 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article states the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.
At the PrivSec London conference on the 4th and 5th February, we enjoyed hearing how leading professionals in our field are tackling the many shared challenges of doing business under the changing needs of the 2020s.
Here are some final thoughts from the event’s keynote speaker, Baroness Neville-Rolfe, and from ourselves…
Baroness Neville-Rolfe (Member, European Union Committee, and a former minister under David Cameron, who was heavily involved in negotiating GDPR) said that data is the “oil equivalent” of an extraordinary digital revolution.
This revolution is now affecting almost everything on the planet. The effects are impossible to predict, but like other revolutions, this one started slowly and is now picking up speed.
There were some interesting official statements made by government, EU, or other regulators which indicate:
- There’s an ever-growing concern about the harms of online activity (such as for young people, from fraud, and so on), which is being reflected in legislation and official guidances across the world.
- China’s big tech companies are catching up with the major US firms.
- The UK may be particularly exposed to cybersecurity threats.
- The management of risk has gone up the corporate agenda.
- EU rules provide a framework to recognise the reciprocity between the data standards of different countries, and the UK will fall inside that alignment thanks to our adherence to GDPR in the new Data Protection Act 2018.
Overall, PrivSec London 2020 was an extremely informative conference. The key things that we learned are:
- A culture shift is needed in most companies in order to keep up with changing legislation and guidelines. This includes planning for privacy and cybersecurity, getting buy-in across an entire organisation by explaining it in the business terms of each department, and only using data for transparent, legitimate reasons.
- Security and privacy are not the same thing, and pointing enquiries about privacy to security protocols is insufficient. It’s impossible to buy ‘compliance in a box’ as a solution to GDPR, which raised people’s awareness of the legal bases for processing data.
- Cybersecurity is a serious issue; the majority of passwords may already be leaked, and Multi-Factor Authentication is a necessity. Most problems are caused upstream by system and configuration issues or poor procedures, but most money is being directed downstream at the consequences, and there are huge skill gaps in the field.
What we can do for you about all this – check out our offers to find out how we can help you with your data protection programme:
- GDPR Consultancy and Project Management – From start to finish, we will help manage your data protection programme and provide all the advice you need to become compliant.
- GDPR Gap Analysis – Identify potential risks quickly and affordably, and set out clear recommendations of what will need to be done in order to comply with the law.
- Data Protection Officers as a Service – As well as helping implement the necessary changes in your business for GDPR, we may be able to help you save money managing your data protection and securing your reputation with your customers.
- Data Protection Staff Training – We can provide in-person or online support to teach your staff and contractors anything from the very basics of GDPR to the more advanced areas of the regulation.
Our thanks to the following guest speakers at PrivSec London 2020:
- Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
- Baroness Neville-Rolfe, EU Committee member
- Sheila Firtzpatrick, Fitzpatrick & Associates
- Dave Horton, Solutions Engineer at OneTrust
- Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft, Bill Karazsia, Fortive; Joao Torres Barreiro, Wills Towers Watson;
- Charlie Wijsman, Accenture Global Data Privacy Lead
- Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
- Alberto Quesada, Global Head of Group Data Management, BNP Paribas
- John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
Ben Hawes, Benchmark initiative
- Joan Keevil, Professional e-Learning Expert, SAI Global
- David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
- Stuart Aston, National Security Officer, Microsoft
- Greg Van Der Gaast, Head of Information Security, University of Salford
- Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester; Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa