IT Security Updates Issue 2

Major tech giants aren’t “respecting” the GDPR, the ICO is offering grant funding for ‘innovative’ research into data privacy, Ticketmaster subject to ICO investigation after major breach and more…

BEUC argues tech giants’ privacy policies fail to “respect GDPR”

The European Consumer Organisation (BEUC), together with researchers from the European University Institute in Florence, has published a study arguing that leading tech companies – Microsoft, Facebook and Amazon among them – are flouting the spirit of the GDPR by writing privacy statements in ambiguous language that the study rates as "potentially problematic". The head of BEUC, Monique Goyens, stated:

“A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law. This is very concerning. It is key that enforcement authorities take a closer look at this.”

Examples provided by BEUC include Google's "we collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like." BEUC argues that this is "unclear" because it does not specify the full range of uses to which the data is put across the Google ecosystem.

ICO launches second round of grant funding for "innovative privacy solutions"

The Information Commissioner's Office has launched its second round of grant funding for organisations exploring data privacy, in order to source and promote robust and independent privacy solutions. The scheme awards grants of £20,000 to £100,000 to projects exploring data privacy that offer "real world solutions that are of clear benefit to the people of the UK." The Information Commissioner, Elizabeth Denham, stated:

“Information rights are evolving all the time and it is fair to say that a lot has happened since we launched the inaugural grants programme a year ago. The introduction of the GDPR and the new Data Protection Act 2018, along with high-profile cases and incidents, have meant that privacy issues and concerns about how people’s personal information is used have probably never been more prominent.”

Last year's cohort was even mentioned by the UN Special Rapporteur on the Right to Privacy, who argued that the "relevance" of the programme and the projects it funded highlighted the growing concern individuals have over their data and its use by businesses and government alike.

Ticketmaster Hack – 40,000 UK Customers' Data Exposed

The online ticketing giant Ticketmaster was the victim of a large data breach that resulted from numerous failures, including in the monitoring of subcontractors. According to Wired Magazine, the compromise was first spotted by Monzo, the app-based challenger bank, which noticed a correlation between fraudulent card activity and recent Ticketmaster purchases. Yet when Monzo approached Ticketmaster, the ticketing platform did nothing. The ICO is investigating and has released a statement:

"Organisations have a legal duty to ensure that people's personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Act."

Depending on when the breach occurred and when it was discovered, Ticketmaster, a company with $1.8 billion in revenues, could face a substantial GDPR fine: the GDPR allows penalties of up to €20 million or 4% of global annual turnover, whichever is higher. If the incident is found to fall under the Data Protection Act 1998, which applied until the GDPR took effect on 25 May 2018, the maximum monetary penalty is £500,000.

Islington Council may have breached Payment Card Industry security standards

Islington Council in London may have breached the Payment Card Industry Data Security Standard (PCI DSS), the rules maintained by the PCI Security Standards Council. The council's process for paying for parking bay suspensions relied on a Word application form, sent by email, into which residents entered their card details. The council told the BBC, "We have begun an internal investigation into the process of applying for and paying for parking bay suspensions. In the short term, we have removed that form from our website."

The Microsoft Word document – the parking bay suspension form – required residents to fill in their address details and card payment information. This archaic model was even queried by the Local Government Association, which could not identify any other council using such an outdated means of collecting payments.

PCI DSS requires that cardholder data is protected wherever it is stored and that primary account numbers are never sent unprotected over end-user messaging technologies such as email; the card security code must not be stored at all once a transaction has been authorised. A card number sitting in a Word attachment in a mailbox satisfies none of this, and if it leaks the cardholder is exposed to fraud and may find themselves in a dispute with their bank over liability. The standard is set by the PCI Security Standards Council, founded by the major card brands, including Mastercard, American Express and Visa. The GDPR also strengthens individuals' rights over how such sensitive financial information is handled.
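A check a practitioner would want after reading this: scan form text or outgoing email attachments for primary account numbers so that a card number in a Word form is caught before it is sent or stored. The example below is added here and is not part of the original newsletter, nor code from the council or the PCI Security Standards Council; it pairs a digit-pattern regex with the Luhn check that every PAN must pass (which filters out phone and reference numbers), and masks any hit in the first-six, last-four form PCI DSS permits for display. The form text is a constructed sample using a well-known test card number.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by all PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, normalised to digits only."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Display form permitted by PCI DSS: at most first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_form(text: str) -> dict:
    """Report what a DLP gateway would block: count of PANs plus masked values."""
    pans = find_pans(text)
    return {"pans_found": len(pans), "masked": [mask_pan(p) for p in pans]}


# Constructed sample of the kind of form discussed above. The card number is
# a public test number (Luhn-valid), the phone and reference numbers are made up.
SAMPLE_FORM = """
Parking bay suspension application (constructed sample)
Name: A Resident
Address: 1 Example Street, London N1
Telephone: 020 7527 2000
Reference: 1234567890123
Card number: 4111 1111 1111 1111
Expiry: 12/20   Security code: 123
"""

if __name__ == "__main__":
    print(scan_form(SAMPLE_FORM))
```

The phone number is too short to be a candidate and the 13-digit reference number fails Luhn, so only the card number is reported; in a real gateway the presence of any hit is enough to reject the message, and the security code should additionally never be requested on a form that will be stored.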

Businesses with BYOD rules could face ‘inadvertent’ data breach fines

Researchers at Northeastern University have found several 'alarming' privacy holes in popular Android apps, including apps that capture and distribute screenshots and screen recordings without the user's express knowledge. The paper evaluated nearly 18,000 apps from the Google Play store and reported that some apps captured the screen as images or video and sent the recordings to third parties.

The researchers noted:

“Our study revealed several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without the user’s knowledge or consent.”

These findings highlight a worrying reality for IT leadership in a fast-changing digital landscape. Bring Your Own Device (BYOD) has come to define the 'new' workplace for millions of people. Yet apps that users install on their own devices, sitting alongside your organisation's data in email and other work applications, could capture that data and leave your business with a reportable breach.

One way of reducing this risk is to respond by providing staff with mobile security solutions; some organisations give staff subscriptions to security apps that improve device security, and companies such as BlackBerry and IBM are leaders in mobile security. More robust still is to separate work data from personal apps with a managed work profile under Android Enterprise, where a mobile device management policy can restrict which apps are installed in the profile, block screen capture within it, and wipe the work profile without touching the employee's personal data.

Until next time …