A new initiative intended to represent UK-based data protection officers (DPOs) has been launched to provide insight into the development of the privacy industry.
Managed by the DPO Center and the Data Protection World Forum, the index will aim to cover a range of topics including organizational strategy, resources, budgets, the response to current issues such as the COVID-19 pandemic and the importance of data protection as a single theme.
Rob Masson, chief executive of the DPO Center, said the index is intended to help shape the future of the sector, provide clarity on the key issues and ultimately deliver tangible and ongoing benefit to the industry.
Speaking on a webinar to launch the index, Masson said the intention of the index is to take a “snapshot” of the sector to give a unique picture of how the profession is maturing. Masson called the data protection sector collaborative but admitted that sometimes it is hard to gauge industry-wide opinion, and the events around the invalidation decision of Privacy Shield “show how quickly things can change.”
He said: “The intention of the index is that it is there to serve the industry in being able to give results and very detailed information about what is going on within the sector and where the important issues are, and it is there to act as a consistent and accurate guide and a barometer of opinions that are being expressed across the sector and across industries and organizations.”
He also said there is an intention to understand the issues in a more granular way, and it is “our opportunity to give the industry some sort of definite response and definitive action and guidance to how the issues in the sector are relevant to us and how they are being reacted to.”
Masson also explained that the concept is to provide a wider voice outside of the sector, as the profession continues to grow. “The profession continues to grow and it is because of the requirements and the complexity and the significance of data protection and the role of the DPO that it becomes more and more important,” he said. “We’ve seen a massive change in the last three years and seen how it is absolutely necessary for the role of the DPO to evolve and deliver more and more.”
If you are a data protection officer and you would like to join the anonymous panel that regularly contributes to the UK Data Protection Index, register here.
The UK government has failed to meet a crucial General Data Protection Regulation (GDPR) requirement in its COVID-19 Test and Trace program, putting people’s privacy rights at risk, according to the Open Rights Group (ORG).
This follows an admission by the UK’s Department of Health to the group that it has not conducted a data protection impact assessment (DPIA) – a GDPR requirement to identify and minimize data protection risks in projects that process personal information.
“The public can’t trust the program because a vital (and legally required) safety step known as a DPIA was dangerously ignored,” said the ORG in a statement.
Test and Trace was introduced in England on May 28 as part of the government’s strategy of easing COVID-19 lockdown restrictions. Under the initiative, the National Health Service (NHS) attempts to trace close recent contacts of anyone who tests positive for the virus, and if necessary, inform them that they need to self-isolate. This involves people being asked to provide sensitive data including their name, date of birth, postcode, who they live with and places they have recently visited, leading to privacy fears.
The ORG added: “The Test and Trace program has been rushed; private contractors have been employed to deliver it with large numbers of new employees. Many systems have been bolted together at short notice.
“We are doing everything we can to ensure the Test and Trace Program is made safe. That’s why we’re threatening legal action unless a proper DPIA is conducted immediately.”
In its letter to the ORG, the government said it was working with the Information Commissioner's Office (ICO) to ensure it is meeting its requirements under the GDPR.
Quoted by the BBC, a Department of Health spokesperson said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”
Jonathan Armstrong, partner at legal firm Cordery, commented: “A DPIA will be an essential element of any program like this and we know from the Facebook investigation in Ireland that a DPIA is important from a regulatory perspective.
“It is also important in establishing trust. Failing to do a DPIA becomes all the more important in this context – trust is key and any allegation that processing has taken place unlawfully destroys that trust.”
Darren Wray, CTO at Guardum, added: “The revelation that a DPIA was not performed as part of the track and trace project shows exceedingly poor governance and control. In the private sector, organizations are expected to ensure that data privacy and protection controls are a part of their business as usual processes, not something that is revisited in hindsight.”
UK consumers were targeted by a new phishing scam falsely purporting to be from leading UK supermarket Tesco, litigation firm Griffin Law has discovered.
The scam, which used a fake Facebook page as well as SMS and email communication, aimed to trick consumers into handing over their details and steal confidential and payment data.
The fraud began via an official-looking but fake Facebook page entitled ‘Tesco UK’ which shared images purporting to be from a Tesco warehouse, displaying packed boxes of HD TVs.
According to Griffin Law, the accompanying message said: “We have around 500 TVs in our warehouse that are about to be binned as they have slight damage and can’t be sold. However, all of them are in fully working condition, we thought instead of binning them we’d give them away free to 500 people who have shared and commented on this post by July 18.”
Unsuspecting users who then enthusiastically shared the post helped it to spread before receiving an email offering them the chance to ‘claim their prize.’ A button in the message linked victims to a landing page to enter their name, home address, telephone number and bank account details.
Griffin Law stated that at least 100 consumers have reacted to the Facebook page or received an email. The original fake Tesco Facebook page is now listed as ‘content unavailable.’
Tim Sadler, CEO, Tessian, said: “As the lines between people in our ‘known’ network and our ‘unknown’ networks blur on social media feeds and in our inboxes, it becomes incredibly difficult to know who you can and can’t trust. Hackers prey on this, impersonating a trusted brand or person to convince you into complying with their malicious request and they will also prey on people’s vulnerabilities.
“They know people are struggling financially during this [COVID-19] pandemic, so the offer of a free TV could be very attractive. However, as the saying goes, if it looks too good to be true...it probably is! Question the legitimacy of these messages and always verify the request or offer before clicking on the link.”
Two Uber drivers are taking the platform to court, arguing that it has failed to meet its GDPR obligations to reveal detailed profiling data about them and how it is used, according to reports.
The case will be launched today by the UK-based App Drivers and Couriers Union in the district court in Amsterdam, where the ride-hailing giant’s European operations are headquartered.
The drivers, also based in the UK, want to know how the data and algorithms are used by the firm to make silent automated decisions about their jobs.
It is argued that only with greater transparency can gig economy workers like these challenge potential workplace discrimination and unfair treatment, and exercise important powers of collective bargaining over work and pay.
The kind of data they’re after includes information on any inappropriate driver behavior, late arrivals or missed ETAs, driver cancellations and other info on reliability, behavior and location, according to The Guardian.
“This is about the distribution of power. It’s about Uber exerting control through data and automated decision-making and how it is blocking access to that,” the drivers’ lawyer, Anton Ekker, is quoted as saying.
“The app decides millions of times a day who is going to get what ride: who gets the nice rides; who gets the short rides, but this is not just about Uber. The problem is everywhere. Algorithms and data give a lot of control but the people who are subject to it are often no longer aware of it.”
Uber argued in a statement that it works hard to provide personal data to individuals who request it, but that sometimes it either doesn’t exist or disclosing it would infringe the privacy rights of others.
“Under the law, individuals have the right to escalate their concerns by contacting Uber’s data protection officer or their national data protection authority for additional review,” it added.
Concerns have been raised in the past that national data protection authorities don’t have the in-house technical expertise or legal resources to challenge major tech companies with investigations.
Nearly one million records containing the personal information of online students have been leaked after cloud misconfigurations by five e-learning platforms, according to WizCase.
The VPN comparison site found four misconfigured and unencrypted AWS S3 buckets and one unsecured Elasticsearch server, compromising the details of countless e-learners, including many children, as well as their parents and teachers.
The personally identifiable information (PII) exposed included full names, home and email addresses, ID numbers, phone numbers, dates of birth and course/school information.
WizCase warned users of potential follow-on identity fraud, phishing attacks, stalking and blackmail.
“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” it added.
“However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”
The affected companies include Escola Digital, a Brazilian site that leaked 15MB of data, amounting to 75,000 records, although many came from 2016 and 2017.
South African site MyTopDog exposed over 800,000 records via a misconfigured S3 bucket, including documents related to business partner Vodacom School.
Kazakhstan-based Okoo leaked 7200 records via an Elasticsearch server, while US sites Square Panda (15,000) and Playground Sessions (4100) round out the affected platforms.
WizCase urged users who may have had their data exposed in this way to regularly check for unusual activity on their accounts, to be extra cautious when receiving unsolicited emails and never to give out PII over the phone.
These incidents are widespread across virtually all industries, although the online learning sector has been booming of late thanks to COVID-related school closures across much of the world.
Earlier this month, WizCase revealed five dating apps in the US and Asia that had exposed millions of customer records through misconfigured Elasticsearch servers, MongoDB databases and AWS buckets.
Cybercrime offenses reported by individuals and businesses have risen 23% over the past year, according to the Office for National Statistics (ONS).
The UK government body explained that 26,215 incidents were referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud in the year ending March 2020.
The year-on-year increase was driven by a large uptick in the two highest-volume “computer misuse” types reported to Action Fraud. “Hacking – social media and email” saw a 55% increase from 12,894 offenses, and “computer viruses/malware” incidents soared by 61% to reach 6745 cases.
The double-digit increase in reported cybercrime came in spite of improvements to “internal case review processes” and an online reporting tool at Action Fraud in October 2018 which meant some offenses previously categorized as computer misuse are now being properly identified as fraud, ONS said.
On that note, when fraud is added to computer misuse, there was an increase of just 12% in cases reported to the NFIB over the period.
The ONS claimed that its Crime Survey for England and Wales (CSEW) is a more accurate indicator of true levels of cybercrime in the region as it includes incidents that go unreported to the police. However, it only captures incidents reported by individuals.
“In the year ending March 2020, CSEW-estimated computer misuse offences did not change from the previous year, remaining at around 900,000 offences,” it noted. Fraud reported to the survey also remained pretty static, at 3.7 million cases.
George Glass, head of threat intel at Redscan, argued that the data behind the ONS report is still beset by quality issues.
“I still think this latest Crime in England and Wales report paints an inaccurate picture of computer misuse and online fraud cases in the UK. Action Fraud has been branded not fit for purpose for its failures to review reports from scam victims,” he added.
“This is the reason that the reporting system has now been overtaken by the NCSC. You only need to look at the huge numbers of reports of COVID-19 related scams to know that the situation is far worse than represented by these latest statistics.”
Twitter has revealed the true extent of this week's large-scale cyber-attack that saw the accounts of multiple celebrities compromised.
The social media giant said a total of 130 accounts were targeted as part of a major cybersecurity incident that took place two days ago.
Following the attack, what appeared to be a Bitcoin scam was tweeted from the hijacked accounts of some of the world's most famous public figures, including former US president Barack Obama, Kanye West, Bill Gates, and former US vice president Joe Biden.
The fraudulent tweet posted from the hijacked accounts made it appear as though the victim was planning to give back to their community by making a financial donation. The post invited the victim's followers to give $1,000 in the next 30 minutes, tempting them with the lure that their donation would be doubled by the account's owner.
At first the attackers tweeted about the supposed charity drive from Bitcoin-related accounts, but it quickly spread to the accounts of public figures, including Elon Musk and Kim Kardashian West, and to the corporate accounts of Uber and Apple.
Spotted by many as an obvious scam, the Bitcoin charitable donation tweet fooled hundreds of Twitter users and earned the cyber-attackers over $100k.
In an effort to contain the attack, Twitter temporarily blocked all verified users from tweeting.
According to Twitter, the successfully compromised accounts represented a "small subset" of the total number of accounts the attackers had in their crosshairs.
The company has launched an investigation into the incident but has so far been unable to determine whether any private data was stolen. Such information could include the content of direct messages.
Providing an update to the situation via its official support account, Twitter stated: "We're working with impacted account owners and will continue to do so over the next several days. We are continuing to assess whether non-public data related to these accounts was compromised."
An investigation into the cyber-attack has been launched by the Federal Bureau of Investigation. It is believed that whoever was responsible was able to bypass account security protections by somehow gaining access to Twitter's own internal administration tools.
German law has been deemed inadequate at protecting the constitutional right of German citizens to privacy.
The federal Constitutional Court in Karlsruhe ruled that the extent to which the German police can access people's internet and cell phone data was unconstitutional and that the country's privacy laws need to be revised.
Currently, German law enforcement agencies investigating crimes or working to prevent terror attacks are permitted to access names, addresses, birth dates, and IP addresses from telecom companies, hospitals, and hotels without the approval of a judge. However, they are not allowed to access data regarding an individual's connections to other people.
The ruling comes after campaigners voiced a challenge to the country's existing privacy laws, requesting that German police should only be allowed to access phone and internet data if a crime is suspected and in the event of a specific danger.
Proving that the wheels of justice really do turn slowly, the first of two lawsuits created to challenge the police's access to data was filed to the court back in 2013. The suit, which was backed by 6,000 people, was brought by European Pirate party politicians Katharina Nocun and Patrick Breyer.
The plaintiffs complained that German police were routinely given access to data including PIN numbers and email passwords from a variety of sources when investigating relatively minor crimes.
Nocun and Breyer said that the sweeping access to users’ private data permissible under German law risked the creation of “a new secret police of the internet that can ransack and scan our most intimate thoughts.”
The Constitutional Court ruled that investigators can be given access to the data of users in principle, but that it needs to happen in a way that doesn't impinge on a citizen's right to privacy.
Following the court's ruling, the German government must now obey an order to reform the nation's Telecommunications Act by the conclusion of 2021. The Act was last revised in 1996.
Revision of the Act is likely to impact how a newly enshrined law designed to combat far-right extremism is upheld. The law requires Facebook, Twitter, and YouTube to report hate speech to police and delete harmful content within 24 hours of its being posted.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has given all government agencies 24 hours to fix a critical vulnerability in Windows Server.
An emergency directive was issued yesterday instructing agencies to deploy patches or mitigations by 2pm EDT today to resolve the CVE-2020-1350 vulnerability, also known as SIGRed.
The flaw is a remote code execution vulnerability that exists in how Windows Server is configured to run the Domain Name System (DNS) Server role.
An unauthenticated attacker can exploit the vulnerability by sending malicious requests to a Windows DNS server. The attacker could then run arbitrary code in the context of the Local System Account.
According to the emergency directive, "CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."
A software update to mitigate this critical flaw in Windows Server operating systems was released on July 14 by Microsoft. Now CISA is ordering all government agencies to apply the fix to every Windows Server running the DNS role and to submit an initial status report by 2pm EST on Monday, July 20.
To Lamar Bailey, director of security research and development at Tripwire, the urgency of CISA's directive is understandable.
“CVE-2020-1350 (SIGRed) is one of the most serious vulnerabilities disclosed this year," commented Bailey. "It scores a CVSS score of 10."
CISA said it is "unaware of active exploitation of this vulnerability," but Bailey believes that even if this is the case, the situation could change in the immediate future.
"It is plausible to believe this is currently being exploited in the wild or will be very soon," said Bailey. "It is time to burn the midnight oil and get this patched ASAP.”
CISA's actions come after experts warned of the dangers of SIGRed earlier this week. Gill Langston, head security nerd at SolarWinds MSP, urged administrators to tackle the vulnerability as a "number one priority" after the patch was released on Tuesday.
US government agencies have until 2pm EST on Friday, July 24 to submit a completion report, confirming that the vulnerability has been neutralized.
Businesses should prepare for the post Privacy Shield era now, and get binding corporate rules (BCR) and standard contractual clauses (SCC) in place for their own data protection.
Speaking on a conference call after the earlier decision around Privacy Shield being declared invalid, Cordery partners Andre Bywater and Jonathan Armstrong called the announcement “among the most eagerly awaited” in the field of data protection.
Bywater advised listeners that it is worth them doing some due diligence “to see who they are sending data to so they are fully protected.” He said he had not expected Privacy Shield to be invalidated, and it has been declared invalid due to concerns around US domestic law and the access and use of European residents’ data.
With it appearing unlikely that there will be any type of grace period, he recommended putting in SCCs where there is an issue. An SCC is an obligation imposed on both the exporter and the importer of data between the EU and third countries to ensure that data transfer arrangements protect the rights and freedoms of data subjects.
Armstrong said it may be the case that SCCs are “probably the only game in town for people” and depending on national challenges, we “could end up with the nightmare where some authorities accept SCCs and some do not.”
Armstrong explained that he does not expect a new and improved version of the Privacy Shield, and while there are more groups that have brought challenges, he is not convinced there would be any short term solution. “We are in a different world post-GDPR, and there are more powers to enforce, so Data Protection Authorities (DPAs) have to step up,” he said. He also argued that any new version of Privacy Shield would “be likely to have more teeth as a result.”
Asked by Infosecurity if BCRs are a better option, Armstrong said they have a different foundation in GDPR and are specifically there to transfer data, but this cannot be done overnight and a sponsoring DPA will need to be found to approve it and take it to other regulators, and that process could take eight to nine months minimum. “It is not a quick fix and you will need interim plans,” he said.
Looking forward, Armstrong said that had Facebook still completed data transfers last night, it could have problems and this could be an overall concern for social media companies. “Most organizations have got to react today or tomorrow and have a plan, it will not be foolproof and include communications and FAQs,” he said.
“There may be some political fudge, and there may be a ‘keep calm and carry on’ message from (vice-president of the European Commission for Values and Transparency) Vera Jourova, as she has bigged-up privacy rights and this is a difficult political tightrope for her and enforcement will be proportionate to give her a chance to create a plan, but aggrieved individuals and pressure groups are not as patient as a regulator could be.”
Bywater said regulators will be taking a much closer look at SCCs and may ask to see them and see where you transfer data, “so take a closer look at what you have in place as this is not something that will go away.”
A new enforcement body could have the power to ban, recall or destroy insecure consumer IoT products, according to the latest government plans.
The UK is looking to take a global lead on IoT security with proposed legislation first published at the start of the year.
In an update yesterday it revealed that a new body would be set up to enforce the law, with powers to: temporarily ban sales while a product is tested, permanently ban insecure products and serve recall notices.
Under the proposals, it could also be granted the power to apply for a court order to confiscate or destroy a dangerous product or issue fines against the manufacturer.
Earlier in the year, the government revealed that the law will mandate three main security requirements for all smart gadgets sold in the UK.
These are: unique device passwords which are not resettable to factory defaults, a public point of contact at the manufacturer to report bugs to, and clearly visible information stating the minimum length of time updates will be available for.
It remains to be seen how the UK would actually enforce a ban on the sale of non-compliant IoT kit, especially products manufactured abroad and sold online, as most are.
That hasn’t stopped the government trumpeting its efforts as a leader in this area: it claimed to have been instrumental in helping to develop the recently announced global ETSI standard for consumer smart devices.
The government is now requesting feedback from industry stakeholders to help it shape the final enforcement approach.
“Consumer IoT devices are increasingly delivering on their potential to improve consumers’ lives, with smart speakers, activity trackers and smart kitchen appliances a few notable examples,” said techUK CEO Julian David. “However, poor security practices have consistently slowed the adoption of these devices, acting as a barrier to UK citizens reaping the benefits of the latest innovations and products.”
More than 260,000 actors have had their personal data exposed thanks to yet another misconfigured cloud server.
Researchers at SafetyDetectives led by Anurag Sen discovered the unprotected Elasticsearch server, which contained 1GB of data, amounting to 9.5 million records.
It apparently belonged to New Orleans-based casting agency MyCastingFile.com, which has recruited actors for Terminator movies, TV show True Detective and other productions.
The “talent profiles” found in the trove included full names, residential and email addresses, phone numbers, dates of birth, height and weight, photographs and vehicle information.
In total, over 260,000 members had their data exposed in this way, including potentially actors under the age of 18, according to SafetyDetectives.
It warned that the leaked email addresses and personal data could be used to send convincing phishing emails impersonating MyCastingFile, in order to trick users into clicking through on malware downloads.
“Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as ‘catfishing’ — the act of luring someone into a relationship by means of a fictional online persona,” it added.
It’s believed the database was exposed since May 31 2020, but the researchers said the issue was fixed following their disclosure.
Pravin Kothari, founder and CEO of cloud security vendor CipherCloud, argued that avoiding misconfigurations in the cloud is increasingly challenging.
“These issues most frequently revolve around a lack of visibility into faulty controls, not a lack of effort,” he added.
“Perhaps the biggest hurdle, even greater than monitoring for risky configurations, as in this case, relates to better management of cloud data itself. We find that organizations are moving so fast to embrace cloud apps and infrastructure that they cannot maintain visibility into all the issues of data protection and access required to prevent subsequent breaches.”
The UK has accused Russia of interfering in the 2019 General Election by spreading online leaked government documents revealing negotiations with the US on trade.
A statement from the foreign secretary Dominic Raab branded the practice “completely unacceptable.”
“On the basis of extensive analysis, the government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online amplification of illicitly acquired and leaked government documents,” it noted.
The documents, which eventually ended up in the hands of former Labour leader Jeremy Corbyn, detailed how the NHS was being used by the US as a bargaining chip in post-Brexit trade talks.
Raab avoided accusing the Kremlin of directly stealing the documents, which The Guardian claimed “are thought to have been obtained via a government special adviser’s personal email account.”
However, they were allegedly disseminated online by Russian actors. They were posted first on Reddit last October by a user named “Gregoriator,” and then via Twitter by a user with the same name.
Social media analysts at Graphika reportedly claimed the spelling and grammatical mistakes in those posts are common to Russian language speakers, and the amplification techniques used are also said to be straight out of the Kremlin playbook.
The timing of Raab’s statement could be significant, as it comes ahead of a long-awaited intelligence report into whether Russia has influenced the democratic process in the UK, including the EU referendum.
Prime Minister Boris Johnson and senior ministers have long dismissed such claims and Johnson has delayed the report’s release for many months.
“Today’s government claim is an attempt to divert attention from the threat to the NHS and the Tory party links to Russian oligarchs expected to be revealed in the long-buried parliamentary Russia report,” said former Labour leader Corbyn yesterday.
The news comes as the National Cyber Security Center yesterday revealed that Russian hackers were actively attempting to steal IP related to US, UK and Canadian efforts to find a COVID-19 vaccine.
More than half of Canadians have fallen victim to a cybercrime, according to a new report by the Cybersecure Policy Exchange (CPX) at Ryerson University in Toronto.
In the report Advancing a Cybersecure Canada: Introducing the Cybersecure Policy Exchange, the CPX revealed that 57% of Canadians say that they have been a victim of a cybercrime.
This percentage is a significant increase from 2017, when, according to an Accenture survey, just 36% of Canadians reported being the target of a cybercrime attempt.
The findings came from a survey of 2000 Canadians conducted in mid-May 2020 that sought to understand the experiences, choices and priorities of the public toward their online safety.
Of the five types of cybercrime listed in the survey, the most commonly encountered were ransomware and an unintentionally installed or downloaded computer virus or piece of malware, with the former being experienced by 8% of respondents and the latter by 31%.
Data breaches proved problematic for more than a quarter of those surveyed, with 28% reporting that their personal information had been exposed through a cybersecurity incident of this nature.
While the majority of those surveyed had not experienced a hack of an online account, 22% had fallen victim to this particular cybercrime. A malicious email or spoofed website had managed to deceive 13% of those surveyed.
With the publication of the report, the initiative hopes to stimulate a national debate around cybersecurity and digital privacy.
“We need urgent national policies that protect our security and digital privacy, while ensuring equal access for all,” said one of the report authors, Charles Finlay.
CPX maintains that there is an urgent need to address the security and privacy risks and vulnerabilities facing Canadians online.
“To do so, our governments, our public and private institutions, and all Canadians, must demonstrate leadership, to ensure that we create and implement balanced public policy that will drive innovation while responsibly protecting Canadians,” stated the authors of the report.
Online retail giant Amazon and tech leaders Microsoft and Google are reportedly being sued for allegedly violating a biometric privacy law in the state of Illinois.
Cases against the companies were brought on Tuesday by two residents of the Prairie State, Steven Vance and Tim Janecyk.
The plaintiffs allege that the three companies obtained a database from IBM that contained 100 million faceprint pictures scraped from the photo-hosting site Flickr.
IBM's Diversity in Faces database was released in January last year. The database was coded to describe the appearance of each subject and touted as a step toward eradicating bias in facial recognition.
Images added to the database were reportedly taken from Flickr without obtaining the consent of the individuals whose faces were photographed.
Collecting or storing scans of a consumer's facial geometry without their written consent is outlawed in Illinois under the Biometric Information Privacy Act, passed in 2008. Vance and Janecyk say their images were included in the data set without their consent, despite the fact that they identified themselves as residents of Illinois.
In four separate class-action lawsuits filed in two different states, the duo alleges that Amazon, Microsoft, Google parent Alphabet, and software company FaceFirst violated Illinois law by obtaining the IBM database "to improve the fairness and accuracy" of their own facial recognition technologies and products.
According to the suit, the defendants "chose to use and profit from biometric identifiers and information scanned from photographs that were uploaded from Illinois; managed via Illinois-based user accounts, computers and mobile devices, and/or created in Illinois.
"In doing so, [the defendants] exposed Illinois residents and citizens to ongoing privacy risks within Illinois, knowing that [their] conduct would injure those residents and citizens within Illinois."
The lawsuit against FaceFirst was filed in the Central District of California, while the complaint against Google parent Alphabet was brought in federal court in the Northern District of California. Suits against Amazon and Microsoft were filed in the Western District of Washington.
Vance and Janecyk brought a case against IBM earlier this year for allegedly breaking the same Illinois privacy law when they created the database. That case is pending in Illinois' federal district court.
The Federal Bureau of Investigation has issued a warning to air travelers to be wary of bogus US airport websites when booking flights online.
Cyber-supervisory special agent Conal Whetten spoke to members of the press on Wednesday to raise awareness regarding the creation of a number of websites cleverly faked to look like the real deal.
Whetten said these spoofed domains, which grow increasingly sophisticated as cyber-criminals hone their skills for mimicry, posed a real threat for travelers, airports and the aviation industry as a whole.
By establishing a malicious domain that appears to feature an organization’s logo, font, color scheme, and writing style, cyber-criminals are frequently able to fool users into thinking that they are on a site that is authentic and safe to use.
“They do this to steal personal and business data,” explained Whetten, “and US airports are an attractive target for cyber-actors because there is a rich environment of business and personal information.”
The malicious lookalike websites are created with domain names that are virtually the same as the site they are impersonating, often with just one character altered. This subtle difference can easily go undetected.
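The one-character substitutions described above can be caught mechanically, which is how brand-protection and mail-filtering tools flag typosquats before a user ever sees the page. The following is an added example, not FBI tooling or anything from the warning itself: it folds visually confusable characters (digit 1 for l, the pair rn for m, Cyrillic letters for their Latin lookalikes) and then measures the edit distance to an allow-list of genuine domains. The allow-list entries and every candidate name below are constructed placeholders, not real airport sites, and the two-label "registrable domain" heuristic is an explicit simplification.

```python
"""Flag lookalike domains: names that differ from a legitimate domain by one
edit, or that only look the same because of confusable characters.

Added example for illustration; LEGIT_DOMAINS and the sample inputs are
constructed, not real airport domains."""
import unicodedata

# Constructed allow-list of genuine domains (assumption for this example).
LEGIT_DOMAINS = ["example-airport.com", "flyexample.org"]

# Visual confusables folded to the ASCII character they imitate. Deliberately
# partial: a production check should use the Unicode confusables data
# (UTS #39) rather than a hand-picked table.
CONFUSABLES = {
    "rn": "m", "vv": "w",                           # multi-character pairs
    "0": "o", "1": "l",                             # digits
    "\u0430": "a", "\u0435": "e", "\u043e": "o",    # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",    # Cyrillic er, es, u
    "\u0456": "i",                                  # Cyrillic i
}


def fold(label: str) -> str:
    """Lower-case, NFKC-normalise and collapse confusables, so a homoglyph
    variant folds to the same string as the genuine name."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # longest first
        label = label.replace(src, CONFUSABLES[src])
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1.
    Note a transposition (exampel vs example) costs 2 under this metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(url_or_host: str) -> str:
    """Reduce a URL or hostname to its last two labels, decoding punycode
    (xn--) labels back to Unicode so they can be folded.
    Caveat: real code must consult the Public Suffix List; this two-label
    heuristic is wrong for names such as foo.co.uk."""
    host = url_or_host.split("//")[-1].split("/")[0].split("@")[-1]
    host = host.split(":")[0].rstrip(".")
    try:
        host = host.encode("idna").decode("idna")
    except UnicodeError:
        pass  # undecodable input is left as-is and will not match anything
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify(candidate: str, legit=LEGIT_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_domain). Verdicts: 'legitimate',
    'homoglyph' (identical after folding), 'typosquat' (within max_distance
    edits after folding) or 'unrelated'."""
    domain = registrable_domain(candidate)
    if domain in legit:
        return "legitimate", domain
    folded = fold(domain)
    best = None
    for real in legit:
        real_folded = fold(real)
        if folded == real_folded:
            return "homoglyph", real
        dist = levenshtein(folded, real_folded)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, real)
    return ("typosquat", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    samples = ["https://example-airport.com/book", "examp1e-airport.com",
               "ex\u0430mple-airport.com", "exanple-airport.com",
               "unrelated-site.net"]
    for name in samples:
        print(f"{name:34} -> {classify(name)}")
```

Two design points are worth noting. Folding is applied to the allow-list as well as the candidate, so a genuine domain that happens to contain "rn" still compares equal to itself. And plain Levenshtein scores a swapped pair of letters as two edits, so a check that wants to catch transpositions with a threshold of 1 needs the Damerau variant or a separate transposition rule.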
According to Whetten, criminals create these fake domains to spread malware capable of compromising a user’s personal or business data. The theft of this data can ultimately lead to identity theft and financial loss.
“They can use your social media lists to scam your friends and family, even order fraudulent purchases from online businesses, ultimately leaving you with the bill,” said Whetten.
The threat doesn’t stop once tickets have been booked, with criminals banking on airport users reaching for an IoT device at the airport to pass the time before they fly.
“Cyber-actors can capitalize on this sector by creating spoof domains and Wi-Fi networks, which can trick both passengers and airport operators into interacting with malicious websites or emails,” said Whetten.
The agent advised users to disable or remove all unnecessary software protocols and portals and to use multi-factor authentication where possible.
Describing just how widespread this particular cybercrime is, Whetten said: “Over 96% of companies suffer from domain spoofing attacks in one form or another.”
Three-quarters (75%) of UK data protection officers (DPOs) anticipate the COVID-19 lockdown will cause difficulties in meeting data compliance obligations, potentially leading to large fines, according to a study by Guardum.
In the survey, 72% of DPOs expect a backlog of data subject access requests (DSARs) upon returning to the office, while 3% are concerned there will be a “mountain” of DSARs to complete when they go back.
Additionally, 30% of DPOs believe there will be a massive increase in DSARs over the next six months. Furloughed or laid off employees during the pandemic will be a major driver of this growth according to 73% of respondents, while one in five said it will be the biggest single factor.
Under GDPR rules, if requested, organizations must provide data subjects with a copy of their personal data within one month (commonly treated as a 30-day deadline, and extendable only for complex or numerous requests) or face the prospect of a maximum fine of up to €20 million or 4% of annual global turnover, whichever is higher, from the Information Commissioner’s Office (ICO).
The findings suggest that HR personnel will face substantial data compliance challenges once the UK government’s furlough scheme ends in October. Under the scheme, the government pays a portion of the wages of employees who would otherwise lose their jobs during the crisis. It is expected that as the scheme is wound down, however, many of these workers will be made redundant.
Rob Westmacott, co-founder of Guardum, commented: “HR personnel will soon find themselves at the sharp end in dealing with large DSAR volumes raised by disgruntled former employees. If DSAR volumes reach the record levels DPOs expect then firms will struggle to meet their 30-day turn-around obligations using conventional manual processes.
“DSAR requests can be time consuming and costly: maintaining the privacy of any third parties means that the process of redaction will become impossible to manage effectively without some form of automation.”
The report also found that 46% of all DSARs received by mid to large-sized organizations are from employees or contractors, while one-third (33%) come through legal representation, with ex-employees making up 15% of this portion.
State-sponsored hackers are actively targeting organizations involved with the development of a COVID-19 vaccine.
According to the NCSC, the threat group APT29, also known as 'Cozy Bear' and believed to be associated with Russian intelligence, has been targeting UK, US and Canadian vaccine research and development organizations.
Paul Chichester, director of operations at the NCSC, condemned the attacks, calling them “despicable” and working against those doing vital work to combat the coronavirus pandemic.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said. “We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”
APT29 typically conducts widespread scanning in an effort to obtain authentication credentials to access systems. “In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the NCSC reported. “The group then deployed public exploits against the vulnerable services identified.”
The NCSC’s advisory claimed the group uses a variety of tools and techniques, including spear-phishing and custom malware known as 'WellMess' and 'WellMail.' WellMess is lightweight malware designed to execute arbitrary shell commands and to upload and download files. The malware supports HTTP, TLS and DNS communication methods.
WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server. Similar to WellMess, WellMail uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers.
The NCSC has been supported by partners at Canada’s Communications Security Establishment (CSE), the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
John Hultquist, senior director of intelligence analysis for Mandiant Threat Intelligence, said it was no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure, as “COVID-19 is an existential threat to every government in the world.”
He said: “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg-up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January.
“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”
Data and ransomware protection provider Arcserve today announced the appointment of award-winning tech veteran Ivan Pittaluga as its new chief technology officer (CTO).
Pittaluga brings a proven record of leading advances in service delivery and transformational technology in the high-tech space to the role. As Arcserve’s new CTO, he will oversee the strategy and development of the company’s portfolio of backup, disaster recovery, continuous availability, migration and archiving solutions.
“The world of data protection is rapidly evolving, fueled by unprecedented challenges from a larger data attack surface and increasingly prevalent cyber-threats,” said Tom Signorello, CEO at Arcserve.
“The addition of Ivan will accelerate our market-first solutions to these, and other business continuity challenges, with his recognized history of driving organizational change and delivering technology that changes the way companies do business.”
Pittaluga previously served as vice-president of data protection and governance for Veritas Technologies and has held senior engineering positions at Symantec, Commvault, Legato Systems (Dell EMC) and Mastercard.
“We’re living in a digitized economy, and enterprises today can no longer risk exposing their data to cyber-threats or loss,” said Pittaluga. “Equally important are the new forms of data and environments that will emerge from rapid innovation in the cloud – all of which will need comprehensive protection. Arcserve’s 30-year experience and foresight to anticipate market shifts uniquely positions it for an exciting chapter of innovation, which I’m pleased to be a part of.”
Mobile operator EE, part of the BT Group, has today announced the launch of its new Digital Identity platform designed to help protect customers against becoming victims of fraud.
The platform offers a series of online identity checks that guard against fraud in real time, making customer transactions safer and supporting banking partners in the UK to detect SIM swapping fraud and prevent further fraudulent activities.
The platform’s ‘SIM Swap’ checker allows businesses to know when a customer’s SIM was last changed, as a recent change could indicate potential fraud. That data can then be used to hold financial transactions until further identity checks are carried out.
A ‘Call Divert’ feature allows a business to confirm that no call diversion has been put in place on a phone number (a key sign that SIM swapping fraud has taken place, since diverted calls let an attacker intercept voice-based verification), while the platform can also help prevent fraudulent online account sign-ups with its ‘Know Your Customer’ product. This grants businesses the ability to confirm a user’s identity by cross-checking new customer data with data held in the EE databases, including whether a phone has been reported lost or stolen.
Christian Thrane, managing director of consumer marketing at BT, said: “At BT and EE, we are committed to innovating to help protect customers from fraud and are already working closely with a number of industries, including banking, eCommerce and gaming, to protect millions of transactions every day. We are continuing to move into new sectors to help prevent even more fraudulent activity, so consumers across the UK can be confident in the safety of their online experiences.”