Capital One Breach

Another week, another breach. This time, credit card company Capital One announced that it discovered a data breach about 10 days ago affecting around 106 million customers. It looks like part of the reason that they waited 10 days to announce it is because they were working with the FBI to get the person responsible. You can read Capital One’s version of events and information about what happened here. If you want more details about how the FBI apprehended the woman responsible for the breach and how she carried out the breach, check out this story on Krebs on Security. It has interesting details like how she was a former employee of a certain cloud service provider and how the FBI found her. It doesn’t look like any passwords or login information was compromised, but keep an eye out for communications from Capital One indicating whether your accounts were affected.

Cyber crime pays

Cyber crime and the need for cybersecurity are not going anywhere any time soon. In fact, all signs indicate it is only going to be more important in the future. This recent article at CPO Magazine discusses the ways that cyber crime is growing and changing and states that digital criminals made off with $45 billion in 2018. That’s 45 billion reasons why you should make privacy and data security a priority in your life and business.

Real time bidding to get ads in front of your eyes

File this under “things that happen while you blink.” The ICO, the UK regulator responsible for data protection, issued an updated report on real time bidding and adtech. While the report is full of details and recommendations, these paragraphs jumped out:

When you visit a website, some of the ads you see have been specifically selected for you. As the site was loading, the website publisher auctioned a space on the page you are viewing, and an advertiser bought it because it specifically wants to reach people like you. The process can involve many companies, and happens in milliseconds. Billions of online ads are placed on webpages and apps in this way every day.

The process – known as real time bidding – relies on the potential advertiser seeing information about you. That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can have a more detailed picture, including the websites you’ve visited, what your perceived interests are, even what health condition you’ve been searching for information about.

ICO, Update report into adtech and real time bidding, 20 June 2019

This is happening every day and without the majority of people even thinking about it. It’s another reminder why privacy is of growing importance with modern technology.

Facebook and the FTC

You may have seen headlines the last few days about Facebook getting fined $5 billion related to its privacy practices and the Cambridge Analytica incident. On closer look, the reports are that it is a proposed settlement between the FTC and Facebook that the FTC has approved but has not yet made public.

Despite the massive size of the $5 billion figure, some people think that Facebook is getting a sweetheart deal. A few senators have already written a letter to the FTC asking questions about the settlement, concerned that it does not go far enough to address the privacy issues with Facebook. Based on reports that Facebook’s earnings are around $16 billion, the fine would represent nearly 1/3 of that. While it is certainly an impressive number that should have some deterrent effect on other would-be privacy violators, it’s hard to know whether it is enough to make a difference, if it makes one at all. On the other hand, it is hard to call $5 billion and a third of yearly revenue a sweetheart deal. In comparison, recent fines proposed for Marriott and British Airways by the ICO for violations of the GDPR topped out at roughly $230 million and 1.5% of yearly revenue. Only time will tell whether these fines will really serve as the deterrent and enforcement tool they were meant to be, but this news about the FTC and Facebook is definitely something to keep an eye on in the coming weeks.

Audit Your Passwords At Least Once A Year

It seems like every week another data breach is being disclosed. One of the latest announced breaches was at web invitation service Evite. Unauthorized access to Evite data goes back to 2013 and includes personal information related to over 101 million email addresses, many of which belonged to recipients of invitations who never even used the service. Regardless of whether you used the service, it is a good reminder that you should check your accounts and passwords to determine if your data was exposed in a breach, especially since in a breach like this one, data was exposed for people who didn’t even knowingly sign up for the service.

I recommend going to haveibeenpwned.com and checking to see if your email address has been affected by the Evite breach or any of the numerous other breaches that have happened this year. If your email address was exposed, you should also check to see if your password has ever turned up in the haveibeenpwned database. If your email addresses and passwords show up, then it is time to change your password if you want to keep your data secure. You can even sign up to get a notification if your email address ever turns up in a breach.
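As an added example (not code from the original post or from haveibeenpwned.com), here is the logic behind the password check in Python. The Pwned Passwords service uses a k-anonymity scheme: the client sends only the first five hex characters of the password's SHA-1 hash to https://api.pwnedpasswords.com/range/<prefix>, receives every leaked hash suffix sharing that prefix, and matches the remaining 35 characters locally, so the full hash never leaves your machine. The response body below is constructed for this example and is much shorter than a real one; the breach counts in it are made up.

```python
import hashlib
from typing import Dict, Tuple

PWNED_RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the response to GET /range/5BAA6 (the prefix for
# SHA-1("password")). Format is one "SUFFIX:COUNT" line per leaked hash.
# The counts here are invented for the example, not real service data.
SAMPLE_RANGE_BODY = """\
1E2DF3CB9B5C5B7B8A2F0A0A1D9C8B7A6F5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2F0C53A3B1D7E9F8C6B5A4D3E2F1A0B9C8D:17
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that is sent to the service and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_url(password: str) -> str:
    """URL a real client would fetch; note only the prefix appears in it."""
    prefix, _ = sha1_prefix_suffix(password)
    return PWNED_RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping,
    skipping blank or malformed lines rather than failing on them."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in known breaches according
    to the (already fetched) range response; 0 means no match."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        hits = breach_count(candidate, SAMPLE_RANGE_BODY)
        print(f"{build_range_url(candidate)} -> {hits} breach hits")
```

In a real client you would replace the constructed body with the text returned by an HTTPS GET of `build_range_url(password)`; everything else stays the same, and a non-zero result is the signal to change that password everywhere it is reused.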

British Airways fined $230 million under GDPR.

While most of us probably don’t pay much attention to the laws in Europe, the nature of the internet means that what happens in one place can affect citizens around the globe. With regard to the General Data Protection Regulation (“GDPR”), the EU’s stringent new data privacy law that went into effect in May 2018, we have already seen it change the face of the web by requiring companies to disclose how they use cookies when you land on a site. Today, we see the beginning of another consequence. The ICO (the organization that enforces the GDPR in the UK) fined British Airways nearly $230 million for a data breach last year that was part of a Magecart credit card skimming attack. (You can read what I wrote about Magecart here.) There is still a chance that the fine will change, but it shows that the GDPR is serious business. While the rules allow the fine to be up to 4% of annual turnover, this fine ends up being just about 1.5% of British Airways’ annual revenue. With approximately 500,000 people affected by the breach, the fine amounts to $460 per person. This should serve as a stark warning that data privacy is serious business and not to be ignored.

Take time for cybersecurity.

It’s often said that it’s not a question of if you will be the victim of a cybersecurity incident, only a question of when. With the number of privacy incidents and data breaches on the rise, it looks more certain every day that you will be affected. Have you already taken the time to analyze your or your company’s cybersecurity posture? Do you have glaring weaknesses that need to be addressed? Perhaps you have thought about it and already have a system in place that includes a backup. Have you considered how you and your employees will access the data in that backup? If you’re the decision maker at your company, are you giving your IT team the opportunity to talk to you and address their immediate concerns? These are just a few of the things that you should be thinking about with regard to your cybersecurity. If you haven’t given this much thought yet, there’s no time like the present to start. If you need help figuring out where to start, I would be glad to help.