Sep 22, 2020 | Consultancy, Data Protection, GDPR, Information Security, Management Consultancy, Privacy
I’ve been collating findings from many online sessions and updates this year, and keep a log of latest findings, recommendations and case studies as I attend them. Here are some pointers to adapt your organisation to the latest guidance being shared by privacy and information security professionals.
May 12, 2020 | Data Protection, GDPR
Hungary has suspended some elements of GDPR as part of its strategy for dealing with the Covid-19 pandemic. Having declared a state of emergency on 11th March, the authorities have been able to do this because they can govern by decree.
The decree suspending parts of GDPR was issued on 4th May, and also applies to Hungary’s own data protection laws.
Privacy News Online reports that, specifically, authorities no longer need to provide notice about the gathering and storage of information if they are acting for the purposes of “coronavirus case prevention, recognition, exploration, as well as prevention of further spreading.”
Furthermore, citizens “no longer have the right to request access or erasure of their personal information and the government has given itself longer to respond to freedom of information requests.”
Lexology reports in greater detail that:
The government decree stipulates that data controllers’ measures under articles 15 to 22 of the GDPR as pertaining to personal data processed for the purpose of preventing, recognising and investigating the COVID-19 disease and stopping its spread are suspended until the termination of the state of emergency.
This is a concerning turn of events considering that the state of emergency has been made indefinite. Usually, a state of emergency would only last for fifteen days in Hungary and would need to be renewed by Parliament.
However, it was extended on 31st March with no set end date, allowing the Hungarian Prime Minister, Viktor Orbán, to rule entirely by decree.
Suspending parts of GDPR in Hungary is therefore worrying to see. The law is relatively young and was viewed as a major step forward in protecting the rights and freedoms of EU citizens, but Hungary is already attempting to step back from it.
How Hungary’s relationship with GDPR will evolve after the pandemic has passed remains to be seen – but even then, there’s no guarantee that the declared state of emergency will come to an end.
Do you want to find out more about GDPR and your obligations under the law? Click here to contact us and discover how we can help you improve your compliance.
Apr 22, 2020 | Data Protection, GDPR
The popular Android app store Aptoide has apparently been breached, with millions of users having their data stolen by a hacker.
Aptoide is a third-party app store, meaning it isn’t operated by Google or provided by a smartphone manufacturer, and claims to have over 150 million users, 7 billion downloads, and 1 million apps.
However, its popularity has now made it a target for a hacker, who has seemingly stolen the details of 39 million users and published 20 million of those online.
According to ZDNet:
The leaked information, a copy of which ZDNet obtained with the help of data breach monitoring service Under the Breach, contains information on users who registered or used the Aptoide app store app between July 21, 2016, and January 28, 2018.
Data leaked today that can be classified as “personal identifiable information” includes details such as the user’s email address, hashed password, real name, sign-up date, sign-up IP address, device details, and date of birth (if provided).
Other details also include technical information such as account status, sign-up tokens, developer tokens, if the account was a super admin, or referral origin.
You can read the full article at ZDNet here.
Aptoide has subsequently taken steps to improve its security systems, and in a statement on their website stated:
We are working tirelessly to understand how this happened and already have a few leads. We feel deeply ashamed and would like to apologize sincerely. The security of our users is a priority for us, and we have always tried to implement policies that make Aptoide a safe environment.
Besides continuous training, we have hired external companies to audit our infrastructure and perform penetration testing. It was not enough, though. We have failed to keep some of the user data safe.
Besides providing updated information as we have it, we will also have an internal discussion on how to better store and protect user data moving forward.
Read the statement in full here.
While you should always be careful about using third-party app stores, Aptoide has generally been considered one of the more secure, and it is clear that it is taking positive steps in the wake of this breach to protect users and learn from the experience.
However, this also demonstrates the importance of not reusing usernames and passwords across multiple platforms. Leaked password hashes can be cracked offline, so any affected user who used the same credentials elsewhere is now at risk of those other accounts being taken over.
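The leaked data included hashed passwords, and Aptoide’s statement says it will look at “how to better store and protect user data”. The following is an added example, not Aptoide’s code (the post does not say which hash Aptoide used): it shows, using only the Python standard library, why a dump of fast unsalted hashes exposes password reuse at a glance, and the salted, memory-hard form (scrypt, with illustrative cost parameters) that limits the damage of a stolen table. The user records and passwords are constructed for the example.

```python
"""Password storage: a leaky pattern beside the safer one.

Added example, not from the original post or from Aptoide. Standard
library only. The scrypt cost parameters below are an assumption chosen
for illustration; tune them for your own hardware.
"""
import hashlib
import hmac
import os
from typing import Dict, List

# Assumed cost parameters: 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def weak_hash(password: str) -> str:
    """The pattern that makes a stolen dump cheap to crack: one fast, unsalted
    digest. Identical passwords give identical digests, so reuse is visible
    to whoever holds the dump and one precomputed table cracks every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Salted, memory-hard hash. Returns a self-describing record so the
    parameters can be raised later without breaking existing accounts."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/parameters; constant-time comparison."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(digest_hex)),
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def reused_passwords(weak_records: Dict[str, str]) -> Dict[str, List[str]]:
    """What an attacker learns from a dump of unsalted hashes without cracking
    anything: accounts that share a digest share a password."""
    groups: Dict[str, List[str]] = {}
    for user, digest in weak_records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts (not real users).
    dump = {"alice": weak_hash("Winter2020!"),
            "bob": weak_hash("Winter2020!"),
            "carol": weak_hash("correct horse battery staple")}
    print("reuse visible in unsalted dump:", reused_passwords(dump))
    rec = store_password("Winter2020!")
    print("salted record:", rec)
    print("verify ok:", verify_password("Winter2020!", rec))
    print("verify wrong:", verify_password("winter2020!", rec))
```

With salted scrypt records, two users with the same password get unrelated records, so a stolen table neither reveals reuse nor yields to a single precomputed lookup; the remaining risk is the user who reused the password elsewhere, which is the point made above.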
If you’re concerned about how your organisation should respond to a data breach of this sort, contact us today to get our expert advice.
Mar 16, 2020 | Data Protection, GDPR
The Information Commissioner’s Office (ICO) has issued guidance around data protection and coronavirus, recognising the “unprecedented challenges” we face during the pandemic.
On the whole, the ICO is taking a commonsense approach. They state that measures taken should be proportionate: “if something feels excessive from the public’s point of view, then it probably is.”
Here’s a short summary of the guidance provided by the ICO on data protection and coronavirus:
- The ICO understands that data protection standards may not be as high during this time because resources are being diverted away from compliance work. Organisations won’t be penalised if they need to adapt their usual practices.
- Data protection laws do not prevent people working from home, which many will do during the pandemic. The same security measures should be considered for homeworking as at the workplace.
- Staff should be informed about cases of coronavirus at your organisation. Individuals do not need to be named, however; provide no more information than is necessary.
- There’s no need to collect significantly more health data about your employees. While you have an obligation to protect their health, you should not collect more information than you need and can take a commonsense approach to this.
- Rather than attempting to handle things internally, a better approach may be to ask people to consider and follow government advice – for example, calling NHS 111 if they have visited a badly affected country or are showing symptoms of the virus.
- It’s fine to share employee health data with the authorities if necessary – although it’s unlikely you’ll need to do so.
You can read the full guidance from the ICO here.
This is certainly a difficult time for people and organisations, but on the matter of data protection and coronavirus, it’s important to be sensible. Don’t take unnecessary measures; make sure that your response is proportionate.
If you have any more questions about this or any other subject relating to data protection, get in touch with us today and our consultants will provide all the advice you need.
Mar 9, 2020 | Data Protection, GDPR, Information Security
900,000 people have been hit by a Virgin Media data breach in which a database containing personal details was accessible over the internet for 10 months.
The database contained details including email addresses, home addresses, and phone numbers, which were being stored for marketing purposes.
Virgin Media stated that the breach occurred because the database was “incorrectly configured” by a member of staff, not as the result of a hack or any malicious intent. However, the company also said the database was accessed “on at least one occasion” by an unknown user.
Zoe Kleinman, Technology Reporter at BBC News, stated that:
The fact that Virgin Media’s database hasn’t been actively hacked is reassuring for customers, but while the details are light, it sounds like human error is to blame and that is rather embarrassing for a tech firm.
Ten months is a long time for all that data to have just been sitting there, waiting to be found.
And while no passwords or bank details were among it, there’s an awful lot of contact information for a cyber-criminal to work with. Phishing expeditions – when someone tries to get financial information out of a victim by pretending to be a company with a legitimate reason for contact – are not particularly sophisticated, but they are effective for those caught off-guard, and can be a lucrative source of income.
It’s unclear whether this was yet another case of unsecured data being stored on a cloud service that’s easily searchable if you know how. There have been dozens of examples of this lately, including just this week a database of the personal details of people using train station wi-fi around the UK.
Virgin Media has apologised and really, there’s very little practical advice to offer in the light of this kind of breach, beyond the usual protocol of staying alert to any messages requesting personal information or access to any kind of finance.
You can read the full article on this story from the BBC, with Kleinman’s commentary, by clicking here.
This Virgin Media data breach is the latest in a series, from various organisations, which have seen databases left unsecured online. For example, a Microsoft database containing 250 million details was left exposed in December, as we reported here.
This is a worrying trend, and it shows that internet-reachable databases must be configured, and their exposure checked, by people who know the proper procedures and are properly trained in cybersecurity.
Virgin Media has taken steps to close access to the database, contact the ICO, and notify those affected by the breach, with advice on how to protect themselves from potential repercussions. While these are all positive steps, there is no doubt that significant errors were made and that this breach could easily have been avoided.
If you want advice on how to protect user data, get in contact with our GDPR consultants today for invaluable, expert advice.
Mar 3, 2020 | Data Protection, GDPR, Information Security
The Home Office breached GDPR 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspector of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article states the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
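The April incident above, 240 addresses exposed because a bulk email put recipients in the To field instead of Bcc, is the kind of error a mailer can refuse to send. The following is an added example and not the Home Office’s code or process: it builds the leaky message beside the safe one using Python’s standard `email` module, and a pre-send check that rejects any bulk message exposing more than one address in To/Cc. The sender and recipient addresses are constructed for the example.

```python
"""Bulk-mail recipient handling: the leaky pattern beside the safe one, plus a
pre-send gate.

Added example, not from the original post or from the Home Office. Uses only
the Python standard library. All addresses below are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List

SENDER = "notifications@example.gov.uk"          # hypothetical sender address
RECIPIENTS = [                                   # constructed recipient list
    "applicant1@example.org",
    "applicant2@example.org",
    "applicant3@example.org",
]


def build_leaky(recipients: List[str]) -> EmailMessage:
    """The mistake: every recipient is listed in the visible To header, so each
    one receives the full list of the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Update on your application"
    msg.set_content("Your application is being processed.")
    return msg


def build_safe(recipients: List[str]) -> EmailMessage:
    """Recipients go in Bcc only; To carries just the sender's own address.

    smtplib.SMTP.send_message() takes the envelope recipients from Bcc and
    strips that header before transmission, so no recipient sees the others.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER            # visible placeholder that discloses nothing new
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Update on your application"
    msg.set_content("Your application is being processed.")
    return msg


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient will be able to read: To and Cc, never Bcc."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(v) for v in values]) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> List[str]:
    """Pre-send gate for a bulk mailer. Returns a list of problems; an empty
    list means the message may be sent."""
    problems: List[str] = []
    visible = visible_recipients(msg)
    bcc = msg.get_all("Bcc") or []
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} addresses exposed in To/Cc; bulk recipients belong in Bcc"
        )
    if not bcc and not visible:
        problems.append("message has no recipients")
    return problems


if __name__ == "__main__":
    for label, builder in (("leaky", build_leaky), ("safe", build_safe)):
        message = builder(RECIPIENTS)
        print(label, "visible:", visible_recipients(message),
              "problems:", check_bulk_message(message))
```

Wiring `check_bulk_message` in front of `smtplib.SMTP.send_message` turns the failure mode in the report into a rejected send rather than a data breach; the safer fix still is to send one message per recipient, which the same gate also permits since each message then exposes only one address.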
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.