Cybersecurity Challenges – PrivSec London 2020


There were a lot of insightful talks from the PrivSec London conference last week – here’s our pick of some of the most important points on the topic of cybersecurity.


Representatives from Microsoft provided some real eye-openers, such as: everyone’s passwords have almost certainly been compromised somewhere. This is why it’s so necessary to enable Multi-Factor Authentication on everything you can – otherwise you’re at real risk!

Meanwhile, 60% of data breaches are due to human error. E-learning as staff training for compliance is often quickly forgotten and doesn’t change behaviour – only 23% positively impacted employees – so training needs to be aligned with people’s business needs and personal values and ethics, and team meetings need to be held soon after it to decide what to change. Culture comes from the bottom up, not top down; leadership needs to be distributed not hierarchical as nobody can keep up with all the changes across these areas.

From a different session, a cybersecurity consultant said that 90% of the cybersecurity issues that lead to him being called in are caused upstream: in other systems, in configuration and patching, and in poor Information Security procedures and standards. Yet the ever-spiralling (and very ineffective) cybersecurity spending in companies is misdirected downstream at the impacts of those failures. He almost always finds serious negligence by lunchtime on day one when starting with a new client.

There are huge skills gaps in cybersecurity – 1-2 million jobs going unfilled – and far too few women are getting into that area for many reasons, which doesn’t improve the success of the sector either.

Achieving GDPR compliance while using AI, Big Data and Location data is really difficult. It’s hard to get genuine user knowledge of, and consent for, the future uses that might be made of that data, and to fulfil user rights requests around it. In fact, even anonymised versions of these kinds of data can often be de-anonymised by the uses companies put them to. Location-enabled apps gather all kinds of data about you and often share that information without your knowledge.


Our thanks to the following guest speakers at PrivSec London 2020:

  • Steve Wright, Partner, Privacy Culture Ltd, previously DPO for the Bank of England, and before that John Lewis and Unilever
  • Baroness Neville-Rolfe, EU Committee member
  • Sheila Fitzpatrick, Fitzpatrick & Associates
  • Dave Horton, Solutions Engineer at OneTrust
  • Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft; Bill Karazsia, Fortive; Joao Torres Barreiro, Willis Towers Watson
  • Charlie Wijsman, Accenture Global Data Privacy Lead
  • Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
  • Alberto Quesada, Global Head of Group Data Management, BNP Paribas
  • John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
  • Ben Hawes, Benchmark initiative
  • Joan Keevil, Professional e-Learning Expert, SAI Global
  • David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
  • Stuart Aston, National Security Officer, Microsoft
  • Greg Van Der Gaast, Head of Information Security, University of Salford
  • Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester; Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa

250m entries exposed in Microsoft data breach

A Microsoft data breach left a customer database exposed online last month, with 250 million entries involved. Microsoft revealed that the database, which stored anonymised user analytics, was left without protection between 5th December and 31st December.

The information in the database included email addresses, IP addresses, and details of support cases. While Microsoft stated that the majority of these records didn’t contain personal user information, these details could still be used maliciously.

According to a report from ZDNet.com:

The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.


The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.


Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite it being New Year’s Eve.

“I have been in touch with the Microsoft team helping and supporting them to properly investigate it,” Diachenko told ZDNet.

You can read the full article from ZDNet by clicking here.

While this is a worrying security breach, the positive news is that Microsoft have responded to it well – and report that they “found no malicious use” of the data.

The company not only worked immediately to close the exposure on New Year’s Eve, but has also already begun notifying users who were affected by it. This hopefully means that the impact should be minimal.

Unsure how your organisation ought to respond to a data breach? Our GDPR Consultants can help – get in touch with us today for our professional expertise!

Microsoft facial recognition database breached data protection laws

The Microsoft facial recognition database has been taken down by the company after suggestions that it breached data protection laws such as GDPR.

Containing over 10 million images of approximately 100,000 people, the database was originally intended for academic use. This would have been acceptable because the images are permitted for reuse under the Creative Commons licence.

However, it recently became apparent that the Microsoft facial recognition database was being used for commercial purposes as well. IBM, Panasonic, and others were all making use of it.

Verdict reported:

Jake Moore, cybersecurity specialist at ESET, welcomed the decision to remove the Microsoft facial recognition database, but warned it might be too late to prevent misuse.

“To have this amount of personal data in one place is, of course, going to become a target for some,” he said. “Sadly, facial recognition still contains a lower than hoped for hit rate but, more importantly, can contain bias and prejudices when used in conjunction with machine learning.


“Such bias as racial profiling can sometimes be used in vast databases such as these, so it is good to hear this has been deleted before being further used.”

You can read Verdict’s full breakdown of this story here: https://www.verdict.co.uk/microsoft-facial-recognition-database-gdpr/

While it’s clear that Microsoft had no ill intentions here, it’s likely that the database was nevertheless in breach of GDPR, because the images were being used without the consent of the people pictured.

And although Microsoft has acted swiftly to rectify the situation, it seems likely that the data will still be available on the dark web and in other places on the internet, meaning that much of the damage may have already been done.

If you’re concerned about the data protection processes and systems at your own organisation, Activa Consulting can help. Get in touch with us today to find out about our range of services and offers, designed to make you compliant with GDPR!