GDPR.Report provides the latest news, information and advice on cybercrime and data protection from thought leaders and sector experts, specifically aimed at small-to-medium size businesses (SMEs). A division of Data Protection World Forum Ltd.
The major names in global technology are “lawyering up” as they prepare to face mounting legal threats for violations of international data privacy law, the Irish Times has heard.
Ireland’s Data Protection Commissioner, Helen Dixon, explained to the Sunday Business Post in a recent interview that leading tech companies in the US were starting to behave in a more “combative” manner, as European regulators get to the business end of data breach proceedings under the EU’s General Data Protection Regulation (GDPR).
Ms Dixon described there being an “edge” to the dialogues coming from both sides of the fence.
“It is very intensive and certainly, as it concerns the investigations, it is probably characterisable as more combative,” she added.
European Data Protection Summit welcomes CEO and co-founder of TokenEx, Alex Pezold.
Coming to central London on June 3rd 2019, European Data Protection Summit is a one-day event that gives business owners and IT professionals the answers they need to data protection concerns in an increasingly privacy-conscious world.
Introducing Alex Pezold, CEO & co-founder, TokenEx
A global industry specialist, Alex leverages two decades’ experience gained at the forefront of IT security. Holding a BA in Management of Information Systems and an MA in Computer Science, Alex has operated in senior information security roles at organisations including the US Department of Commerce, NetEffects, and FishNet Security.
He worked at True Digital Security as the firm’s Director of Business Development, before co-founding cloud-based security company, TokenEx in June 2010. His areas of specialisation include risk management, compliance, data security, network security, application security and tokenisation.
Alex’s talk at European Data Protection Forum will look at how organisations can meet data protection compliance obligations in an increasingly privacy-focused world.
Shifting priorities in a privacy-driven world
As the General Data Protection Regulation continues to inspire regulatory change in overseas governments, businesses worldwide are starting to realise the importance of taking data privacy seriously. We spoke to TokenEx about how companies are adapting in this time of flux.
Q) What are the main challenges facing organisations today in galvanising data subjects’ privacy?
The primary challenge facing most organisations is simply knowing where a data subject’s personal data is stored and processed within the organisation. Developing data inventories and process flows is essential. You can’t protect what you don’t know you have.
A subsequent hurdle is reluctance to embrace appropriate technical controls to protect personal data due to the perceived negative impact on business operations and enablement. All too often, techniques for de-identifying personal data that preserve underlying business utility, such as pseudonymisation, are overlooked.
Pseudonymisation, which is synonymous with tokenisation, is a powerful way of implementing privacy-by-design without sacrificing business utility.
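The answer above points to tokenisation as a way to protect personal data while keeping it usable for business processes. The sketch below is an added illustration of that idea and is not TokenEx's code or product: a hypothetical vault-based tokeniser (class `TokenVault`, functions `pseudonymise` and `orders_per_customer`, and the sample order records are all constructed here) that swaps direct identifiers for random tokens held in a separate mapping store. Because the same value always maps to the same token, downstream systems can still count orders per customer or keep a card's last four digits without ever handling the real value, and only a caller with access to the vault can reverse the mapping.

```python
import secrets
from collections import Counter


class TokenVault:
    """Vault-based tokenisation (hypothetical helper, not the page's code).

    Personal data is replaced by a random token; the token -> value mapping
    exists only inside the vault, so systems that work on tokenised records
    never see the real value. Tokenisation is deterministic: the same value
    always yields the same token, so joins and counts still work.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenise(self, value, keep_last=0):
        """Return the token for value, creating one on first sight.

        keep_last preserves a visible suffix (e.g. a card's last four digits)
        that the business needs; everything else is random, not derived from
        the value, so the token cannot be reversed without vault access.
        """
        if value in self._value_to_token:
            return self._value_to_token[value]
        suffix = value[-keep_last:] if keep_last else ""
        while True:
            token = f"tok_{secrets.token_hex(8)}{suffix}"
            if token not in self._token_to_value:  # guard against collisions
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token):
        """Privileged operation: only vault holders can recover the value."""
        return self._token_to_value[token]


def pseudonymise(records, fields, vault, keep_last=None):
    """Return copies of records with the listed fields tokenised."""
    keep_last = keep_last or {}
    out = []
    for rec in records:
        r = dict(rec)
        for f in fields:
            r[f] = vault.tokenise(rec[f], keep_last.get(f, 0))
        out.append(r)
    return out


def orders_per_customer(tokenised_records):
    """Analytics on tokenised data: counts per customer without any PII."""
    return Counter(r["email"] for r in tokenised_records)


# Constructed sample records for the demonstration (not real data).
ORDERS = [
    {"order_id": 1, "email": "alice@example.com", "card": "4111111111111111", "amount": 20.0},
    {"order_id": 2, "email": "bob@example.com", "card": "5500000000000004", "amount": 35.5},
    {"order_id": 3, "email": "alice@example.com", "card": "4111111111111111", "amount": 12.0},
]


def demo():
    """Tokenise the sample orders and run analytics on the tokenised copy."""
    vault = TokenVault()
    tokenised = pseudonymise(ORDERS, ["email", "card"], vault, keep_last={"card": 4})
    counts = orders_per_customer(tokenised)
    return vault, tokenised, counts


if __name__ == "__main__":
    vault, tokenised, counts = demo()
    for r in tokenised:
        print(r)
    print("orders per customer token:", dict(counts))
    print("vault lookup:", vault.detokenise(tokenised[0]["email"]))
```

The design choice worth noting is that the token carries no information about the value it replaces beyond the suffix the business explicitly asks to keep; a hash of the value would be guessable for low-entropy data such as card numbers, whereas a random token is only meaningful to whoever holds the vault.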
Q) What lessons can organisations learn from the last 12 months as they bid to shore up privacy?
Focusing on “perimeter” IT security solutions to protect sensitive data is not enough. Attacks on organisations continue to increase with a number of high profile data breaches occurring in the last 12 months.
It is critical to take a data-centric approach to devalue and de-identify the personal data your organisation holds. You can’t guarantee a breach won’t occur but you can absolutely minimise the impact of one.
Q) Are there typical weak spots in organisations where privacy is more at risk?
A common weak spot for most organisations is data transfers with third parties. If you are the data controller, you are responsible for the data you share with processors or joint controllers. Ensure those organisations understand their privacy obligations and their obligations are clearly defined in your contracts.
Q) Does improving privacy rely more on developing technologies or the working cultures of a company’s people?
Technology can never overcome a culture that doesn’t prioritise privacy.
Coming to 133 Houndsditch on June 3rd, European Data Protection Summit will bring over 800 DPOs together with security professionals and business leaders to provide a day of advice, learning and networking for all data protection stakeholders.
Other speakers include:
Sheila FitzPatrick, President & Founder at Fitzpatrick Associates
Max Schrems, Founder at NOYB
Tamara Ballard, Data Protection Lawyer at Channel 4
Edward Hanson-Assan, Associate DPO at Knight Frank
Abigail Dubiniecki, Data Privacy Specialist at My Inhouse Lawyer
Slack users have been advised to upgrade their applications following a vulnerability.
Slack, the work collaboration app, has issued a security update following a vulnerability in its systems that could allow attackers to modify the location where downloaded files are stored.
Tenable researcher David Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. The flaw could have allowed “a remote attacker to submit a masqueraded link in a slack channel, that “if clicked” by a victim, would silently change the download location setting of the slack client to an attacker owned SMB share,” Wells said.
This would cause all future downloads to be uploaded to the attacker’s own file server until the victim manually changed the setting back. Furthermore, attackers could inject malicious code into the link; once it was clicked, the victim’s machine would be compromised.
Wells said in his blog post:
“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview.”
A Slack spokesperson said:
“Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version.”
Stack Overflow, the developer knowledge-sharing site, has disclosed a security breach.
When the breach was first discovered, Stack Overflow’s VP of Engineering, Mary Ferguson, announced that hackers had gained access to its internal network and that no evidence had been found that customers’ accounts or data had been compromised.
However, in an updated announcement, Mary Ferguson disclosed that the attacker had made privileged web requests that could have returned sensitive information, including names, emails and IP addresses, for 250 public network users.
“Between May 5 and May 11, the intruder contained their activities to exploration. On May 11, the intruder made a change to our system to grant themselves a privileged access on production. This change was quickly identified and we revoked their access network-wide, began investigating the intrusion, and began taking steps to remediate the intrusion.
“As part of our security procedures to protect sensitive customer data, we maintain separate infrastructure and networks for clients of our Teams, Business, and Enterprise products and we have found no evidence that those systems or customer data were accessed. Our Advertising and Talent businesses were also not impacted by this intrusion.”
Stack Overflow has terminated all unauthorised access to the system, and an extensive audit of all logs and databases is being conducted.
“We will provide more public information after our investigation cycle concludes,” Ferguson added.
Mobile app fraud has increased significantly, with hidden ads, spoofing, background ad activity and measurement manipulation being the most common types.
Research from DoubleVerify’s Fraud Lab identified that the total number of fraudulent apps increased by 159% from 2017 to 2018, with 57% of fraudulent mobile apps categorised as “Games” and “Tools & Utilities”. In comparison to 2017, fraudulent apps were detected 1.6x more often in 2018.
As advertisers spend billions on advertising, mobile fraud increases exponentially. According to eMarketer, an estimated $87 billion will be spent on mobile advertising in 2019, which fraudsters will look to take advantage of.
Roy Rosenfeld, head of DoubleVerify’s Fraud Lab, said in a statement:
“With ad spend increasingly concentrated in mobile – and particularly mobile app, fraudsters are redoubling their efforts to take advantage.
“It’s critical that brands understand these risks, in order to allocate spend accordingly and install appropriate safeguards for their digital investments.”
Privacy & security teams must work hand in glove but in many cases organisational silos still exist.
As a result of this convergence of privacy and security we are delighted to announce a new portfolio of PrivSec events; PrivSec Dublin, PrivSec New York, PrivSec London.
If 2018 was ‘the year of privacy’ thanks in part to the introduction of the General Data Protection Regulation (GDPR) we are now entering the age of PrivSec.
Facebook, Apple and Google have all put privacy ‘centre stage’ in 2019, and Apple CEO Tim Cook has gone on record saying:
“Everyone has a right to the security of their data and security is at the heart of all data privacy and privacy rights.”
This convergence will have major implications on how organisations of all sizes think about and manage privacy and security.
PrivSec events will bring together global thought leaders, end users and vendors to:
Privacy and Security teams need to work together closely – but in many organisations silos still exist.
PrivSec Dublin will bring together privacy and security teams for a two-day conference that champions collaboration, progression and innovation.
Taking place at the Convention Centre Dublin, the city’s leading conference and exhibition venue, PrivSec Dublin is located just a short walk from Silicon Docks, home to many of Dublin’s leading tech companies.
Dublin has established itself as a tech and IT hub, and may soon be the only English speaking capital in the EU.
The number of tech giants with European Headquarters in Ireland has positioned the country at the forefront of the tech industry.
PrivSec Dublin will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
PrivSec Dublin is the first in a series of similar significant conferences that will also include PrivSec New York (November 2019) and PrivSec London (February 2020).
A new maritime centre has been launched to galvanise cyber security in the Singapore region.
The new centre opened yesterday, and is run by ST Engineering from its base in Ang Mo Kio. Experts say it will strengthen the city-state’s Maritime and Port Authority (MPA) in its stance against online crime on a global level.
Although it has been operational since November 2018, the centre was formally launched yesterday as part of a wider Singapore programme to enhance maritime security by improving early detection systems and enhancing analysis processes, so that cyber-attacks can be responded to more quickly and effectively.
ST Engineering’s cyber-security systems president, Lau Thiam Beng, underlined how the centre’s scalability and modular engineering mean new technology upgrades can be integrated with ease to help combat evolving risks on the cyber-crime landscape.
MPA chairman, Niam Chiang Meng, said:
“As the world’s busiest transshipment hub, it is important that we safeguard our maritime and port critical infrastructure to prevent a major disruption to port operations and delivery of services.”
Mr Meng underlined how the new centre will collaborate on data links with the MPA’s port operations control hub which supervises the navigational security of waterborne transport in the seas around Singapore.
MPA operations technology director David Foo said that officials hope the first stage of the future Tuas port will be finalised by 2021. The port should bring port operations control and maritime cyber-security functionality together.
In justification for the new centre, Mr Foo pointed to the escalating number of cyber-attack threats in the maritime sphere, and the increasing levels of disruption they are causing.
In 2017, a ransomware cyber-attack on AP Moller-Maersk led to the container shipping firm losing up to US$300 million in revenue.
Mr Foo said:
“Cyber-attacks can also endanger the navigational safety of a ship and, of course, the lives on board.”
He went on to explain how the new centre would enable the MPA to conduct 24/7 operations to provide a far prompter and more thorough response to computer threats.
Results of a new data protection compliance study show that companies in North America still have a long way to go to get up to speed with evolving data privacy laws.
The study took into account organisational efforts to align with the EU’s General Data Protection Regulation. Of the companies surveyed, 50% said they failed to meet the GDPR’s deadline of 25th May 2018, while 70% said that their business infrastructures simply couldn’t adapt to cutting-edge legislation.
The results make for disconcerting reading as America’s businesses prepare for the arrival of the California Consumer Privacy Act, which comes into effect on January 1st 2020.
Daniel Barber, co-founder and CEO of privacy compliance specialists DataGrail, said:
“The interesting thing here was that, in preparing to become GDPR ready, a lot of the companies tried to build something in-house to try to scramble, if you will, to become GDPR ready.”
Most of those polled said they felt at least seven months would be needed to prepare for the GDPR, while 71% said they could get their houses in order to comply with the California Consumer Privacy Act.
Mr Barber said that the research results illustrate how “most companies still rely on piecemeal technology solutions and manual processes, when they should be turning to privacy management solutions purpose-built for privacy regulations.
“Companies will need to integrate and operationalise their privacy management to avoid the time-consuming and error-prone manual processes to comply with these regulations,” he added.
The report found that the complexity of the GDPR was the source of most of the challenges to compliance. Other obstacles stemmed from insufficient time and human resources available to strategise and implement compliance programmes.
Facebook has taken down hundreds of accounts on the social network because of a sophisticated campaign of “inauthentic behaviour” predominantly targeting users in Africa.
The fraudulent accounts frequently published material to broadcast political content, with election results in a number of countries featuring in the phoney messages, Facebook said.
An Israeli firm has also been banned from Facebook after investigations into the situation. The action comes as Facebook feels the pressure within the international community to do more about the content that it publishes and to shore up security and privacy on the popular social media platform.
After Donald Trump became the 45th president of the United States three years ago, Mark Zuckerberg’s firm began an audit of its accounts to determine user authenticity. It subsequently announced the removal of 265 accounts that were traced back to Israel.
Fake news was also found to be spread by users in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, while Latin America and South East Asia also showed signs of activity.
Facebook’s head of cybersecurity policy, Nathaniel Gleicher, wrote in a blog post:
“The people behind this network used fake accounts to run pages, disseminate their content and artificially increase engagement.
“They also represented themselves as locals, including local news organisations, and published allegedly leaked information about politicians,” he added.
Gleicher also said that a probe into some of the activity led investigators back to the Israeli firm Archimedes Group.
“This organisation and all its subsidiaries are now banned from Facebook, and it has been issued a cease and desist letter,” Gleicher said.
Around $812,000 (£634,941) was spent by the fraudsters behind the fake accounts, much of which went on advertising between December 2012 and April 2019.
The campaigns were carried out across political elections in five of the six targeted African countries, while Tunisia prepares to hold elections later in 2019.
Facebook has come under fire to control misinformation, specifically linked to political news, since the Cambridge Analytica scandal hit the headlines in early 2018.