Category Archives for "Security"

Google rolled out secure data sharing tool

Google has rolled out an open-source tool to help organizations work together with confidential data sets while raising the bar for privacy. Private Join and Compute helps solve the problem of securely sharing sensitive data with other parties.

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data, and then join them. They can then do certain types of calculations on the overlapping set of data to draw useful information from both datasets in aggregate.

Source: Google Online Security Blog: Helping organizations do more without collecting more data

Human error still the major cause of data breaches

More than half of all executives (53%) and nearly three in 10 Small Business Owners (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach, according to a Shred-it survey conducted by Ipsos.

The report found that nearly half of all executives (47%) and one in three SBOs (31%) say human error or accidental loss by an employee/insider was the cause.

Source: Human error still the cause of many data breaches – Help Net Security

Users must receive specific and helpful information in case of a data breach

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity theft.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach.

Source: Italian SA: Users must receive specific, helpful information in case of a data breach

Lithuanian DPA launches investigation into D-Link

In response to publicly available information, the Lithuanian data protection authority – State Data Protection Inspectorate – launched a self-initiated inquiry into the allegedly inappropriate processing of personal data by D-Link.

It is feared that D-Link equipment user passwords, browsing history or other information can be accessed by third countries’ servers through D-Link’s devices, allowing profiling and identification of consumers.

The State Data Protection Inspectorate also noted that D-Link’s processing activity potentially amounts to a violation of the General Data Protection Regulation’s (GDPR) transparency principle.

Source: State Data Protection Inspectorate Launches D-Link Research | State Data Protection Inspectorate

Cybersecurity certification gets an EU revamp

A new EU Regulation on cybersecurity promises a more coordinated approach across Europe. The new law will set up a framework for the establishment of European cybersecurity certification schemes.

The intention is to prevent “certification shopping” based on different levels of stringency among member states. Certification will be voluntary initially, but regular assessments will be carried out to determine whether certification of particular products or services should become compulsory.

Source: Cybersecurity certification gets an EU revamp

Hackers are stealing personal medical data to impersonate your doctor

While personally identifiable information — full names, social security numbers, home addresses, dates of birth, credit card numbers — can be exploited by criminals to commit identity fraud, the theft of medical information can have an equally serious impact on victims.

How do hackers exploit medical data? Administrative paperwork — like medical licenses — used to forge a doctor’s identity sells on the dark web for around $500. An insurance provider’s login information can be used to steal a victim’s identity to claim insurance. Other uses include forging health insurance cards, prescriptions, and drug labels with the intention of carrying drugs through the airport, and using hacked personal health information against individuals who have health issues for extortion and other crimes.

Source: Hackers are stealing personal medical data to impersonate your doctor

Germany mulls giving end-to-end chat app encryption das boot

Government officials in Germany are reportedly mulling a law to force chat app providers to hand over end-to-end encrypted conversations in plain text on demand.

The Ministry of the Interior wants a new set of rules that would require operators of services like WhatsApp, Signal, Apple iMessage, and Telegram to cough up plain-text records of people’s private enciphered chats to authorities that obtain a court order.

Source: Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works • The Register

Amazon now lets you tell Alexa to delete your voice recordings

You’ll now be able to say, “Alexa, delete everything I said today.”

Amazon stores recordings of every request you’ve made to an Alexa device (theoretically, to help improve the voice recognition service and other features). Despite this being largely unnecessary, Amazon doesn’t provide a way to disable the long-term storage of voice recordings or have them deleted on a regular basis.

Full article: Amazon now lets you tell Alexa to delete your voice recordings – The Verge

Vulnerability versus incident

The news is filled with stories nearly every day of things going awry in technical systems: security, privacy, abuse, ethics and more.

Yet one of the most important distinctions — the difference between a vulnerability and an incident — is often overlooked. In short, a vulnerability holds the potential for harm; an incident is where harm has occurred.

Full article: Tech talk: Vulnerability versus incident

Employees are almost as dangerous to business security as hackers and cybercriminals

Non-malicious insiders are among the top three threat actors, according to an ISACA report. Employee mistakes and system errors are a larger threat to data security than hackers or insiders, one report found, while 75% of IT professionals say they are vulnerable to insider threats, another survey said.

Top three threat actors to businesses:

  1. Cybercriminals (32%)
  2. Hackers (23%)
  3. Non-malicious insiders (15%)

Source: Employees are almost as dangerous to business security as hackers and cybercriminals