Tag:Data

1
Equifax data breach: 143 million records exposed but senior executives not told immediately?
2
Gartner: Worldwide spending on information security to reach $93 billion in 2018
3
EMPLOYEES CELEBRATE CHIP PARTY: Embedding RFID Chips – would you agree to this?
4
Draft law proposes security assessment of data exported out of China
5
Baseball team pays a big price for hacking
6
Alarming number of Enterprise Cloud Services aren’t enterprise ready
7
SAP criticises impending EU data protection laws
8
Government committed to introducing Mandatory Data Breach Notification laws
9
OAIC releases draft guide for conducting big data activities
10
Nissan shakes like a LEAF and disables app after car hacking potential exposed

Equifax data breach: 143 million records exposed but senior executives not told immediately?

By Cameron Abbott and Olivia Coburn

Equifax has joined Yahoo on the podium for the award no one wants: suffering one of the largest data breaches in history.

Equifax, one of the three largest US credit reporting agencies, announced last week that it suffered a cybersecurity incident potentially impacting 143 million US consumers –  a figure comprising of roughly 55 per cent of Americans aged 18 years or older. Some UK and Canadian residents are also affected.

Read More

Gartner: Worldwide spending on information security to reach $93 billion in 2018

By Cameron Abbott and Olivia Coburn

Global spending on information security products and services will reach $86.4 billion this year, according to US-based technology research and advisory firm Gartner, Inc.

This figure is an increase of 7 per cent over 2016, and is expected to grow to $93 billion in 2018.

Read More

EMPLOYEES CELEBRATE CHIP PARTY: Embedding RFID Chips – would you agree to this?

By Cameron Abbott and Olivia Coburn

On 1 August 2017, employees of a Wisconsin-based technology company enjoyed a “Chip Party” – but not the salty kind.  21 of Three Square Market’s 85 employees agreed to allow their employer to embed radio frequency identification chips in their bodies. We are familiar with the Internet of Things, is this the Internet of People?

Three Square Market (known as 32M) highlighted the convenience of microchipping their employees, reporting that they will be able to use the RFID chip to make purchases in the company break room, open doors, access copy machines and log in to their computers.

Read More

Draft law proposes security assessment of data exported out of China

By Cameron Abbott and Allison Wallace

The Cyberspace Administration of China has released a draft law that would impose an annual security assessment on firms exporting data out of China.

The proposed legislation would apply to any business which transfers more than 1000 gigabytes of data, or which affects more than 500,000 users, and is the latest of several safeguards announced in recent times against threats such as hacking and terrorism.

Under the draft law, economic, technological or scientific data whose transfer would post a threat to public or security interests would be banned, and there would be extra scrutiny of sensitive geographic data.

Businesses would also have to obtain the consent of users before transmitting it overseas.

The draft law follows another passed in November 2016 which formalised a range of controls over firms that handle data in industries the Chinese government labels critical to national interests.

Baseball team pays a big price for hacking

By Cameron Abbott and Allison Wallace

You may not have followed this but the America’s Major League Baseball (MLB) St Louis Cardinals had an employee who accessed the Astros’ system around 60 times over two years, gaining access with a password similar to that used by a Cardinals colleague who left the club to work for the Astros in 2011.  (Also a little lesson there about password management one would think.)

Anyway Correa was last year fined nearly USD280,000, and sentenced to 46 months in Federal prison.  Enough said.  Read More

Alarming number of Enterprise Cloud Services aren’t enterprise ready

By Cameron Abbott and Allison Wallace

A new report has revealed 95% of cloud services used by enterprises aren’t enterprise ready.

The January 2017 Netskope Cloud Report reveals a staggering 82% don’t encrypt data at rest, 66 per cent don’t specify in their terms that the customer owns their own data, and 42% don’t allow administrators to enforce password controls.

Of malware found in cloud services, backdoors were the most common (43.2%), with others including adware (9.8%), Javascript malware (8.1%) and ransomware (7.4%).

The report also shows an increase in the use of cloud services – with an average of 1031 cloud services in use per enterprise, up from 977 in the previous quarter. The retail, restaurant and hospitality industry was the biggest user of cloud services (1193), followed by financial services, banking and insurance (1132).

SAP criticises impending EU data protection laws

By Cameron Abbott and Allison Wallace

SAP has expressed concerns over the implications of the landmark EU data privacy regulations, saying the penalties that will be imposed are too high, and could impede the development of Europe’s start-up culture.

The data privacy regulation will be implemented in May 2018, and includes fines for EU companies up to 4 per cent of their global revenues if they commit a significant breach of data privacy.

In an interview with the Financial Times, SAP’s head of products and innovation, Bernd Leukert said he believes the penalties are too high, and put companies at risk of losing their entire revenue if they commit multiple breaches.

Mr Leukert said he also fears that the EU regulations were not properly aligned with laws in other jurisdictions, such as the US.

Government committed to introducing Mandatory Data Breach Notification laws

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General, George Brandis has said the government is committed to introducing the Mandatory Data Breach Notification laws this year. We will be sure to look out for it during the next term of Parliament. You can find more information on the proposed scheme and its regulatory impact on the Attorney General’s Department consultation for Serious Data Breach Notification webpage.

 

OAIC releases draft guide for conducting big data activities

By Cameron Abbott and Simon Ly

Last week the OAIC released their consultation draft Guide to big data and the Australian Privacy Principles, with feedback on the Guide open until 26 July 2016.

The main purpose of the Guide is to facilitate big data activities while protecting personal information (being information or an opinion about an identified individual, or an individual who is reasonably identifiable). The Guide addresses issues such as notice and consent, retention minimisation and use limitation in regards to such data. Whilst not legally binding, the Guide will be referred to by the Privacy Commissioner in undertaking its functions under the Privacy Act.

One of the key aspects dealt with in the Guide is that entities should consider undertaking big data activities on an anonymised manner by de-identifying personal information. If so, this has the favourable outcome that such data will not be considered personal information so accordingly less onerous obligations apply under the Privacy Act to such data. Of course, if this is the case it also lessens the chance that personal information will be compromised should a data breach occur (speaking of which, we note OAIC’s April 2016 guide to deal with data breaches). However, in our experience most of our clients want to analyse and then drill down to take actions or campaigns in relation to a then identified group of customers.

The Guide also highlights how big data interacts with the APPs as well as discussing other related concepts, such as “privacy by design” frameworks. For more information, you can access the OAIC’s consultation draft Guide here.

Nissan shakes like a LEAF and disables app after car hacking potential exposed

By Cameron Abbott and Meg Aitken

Lock you doors…oh wait, that won’t protect you. Australian security researchers, Troy Hunt and Scott Helme have exposed a security flaw in Nissan’s Connect app which allows certain features of the manufacturer’s best-selling electric car, the ‘LEAF’, to literally be controlled by someone else on the other side of the world.

Hunt and Helme recently discovered that the app did not require any owner identification information in order to link with and control LEAF cars. All that was required was the Vehicle Identification Number (VIN), which is conveniently displayed on the chassis of the vehicle.

OK, so hackers couldn’t actually steer the car, but they could command the climate control and telematics to access driving data about trip durations, raising privacy concerns. Further, given that the LEAF is an electric powered vehicle, being able to access the climate controls could potentially allow a hacker to drain the battery and leave a driver stranded.

Car companies are racing to embrace the internet of things, and privacy and security seems to be taking a back seat. While there is no doubt that connected car technology boasts exciting functionality for drivers, it is not without road bumps, and we are once again reminded of the dangerous potential presented by interconnected devices. With a bit of luck, Nissan’s scare will see the automotive industry get in the driver’s seat towards developing a better appreciation of the risks associated with these devices and how they can be mitigated.

Nissan has now reportedly disabled the NissanConnect app and plans to release a new version once these security concerns are rectified. According to Hunt’s blog post, it took Nissan more than a month to take the app offline after he reported the security vulnerabilities.

Read Troy Hunt’s blog post on the discovery here.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.