January 25, 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up: 

“The award for the first significant violation of GDPR goes to … <drum roll> … Google!”. In our latest news wrap, we look at how Google – perhaps to no-one’s surprise – was first to be hit with a major fine under GDPR. But the search giant isn’t copping it quietly. We also watch with interest as Apple’s Tim Cook and Australia’s big banks jostle for the mantle of biggest privacy advocates.

Key articles: 

Google to appeal €50 million GDPR fine

Summary: Google will appeal a €50 million fine by French regulators for violating General Data Protection Regulation (GDPR). The regulator claims Google did not properly ask its users for consent on how to use their personal data.

Key risk takeaway: As the first major penalty under GDPR and reportedly the largest issued for a privacy breach in Europe, the fine by French data privacy authority CNIL reminds us of the importance of compliance with privacy regulations. In particular, the ruling sheds light on how regulators will practically enforce GDPR. Google was found to have run afoul of the regulations on the basis of violating provisions around consent and transparency. In terms of the former, the requirement that users sign up for a Google account for optimal levels of service was considered ‘forced consent’. On the transparency front, the regulator deemed that essential information about how Google uses customer data was unnecessarily difficult to access. In appealing, Google argued it had worked hard to address both transparency and consent in its processes. While the fine may not be significant in light of Google’s annual revenue, it could nonetheless herald changes to the business models of technology companies. Austrian privacy advocates noyb – whose complaint prompted CNIL’s investigation into Google – this week lodged further privacy complaints against Google, Amazon, Apple, Netflix, and Spotify.

Tags: #privacy #GDPR #regulations #compliance

Nearly 773 million email addresses leaked, spelling trouble for people who re-use passwords

Summary: Nearly 773 million email addresses and almost 22 million unique passwords have been discovered online and on hacking forums.

Key risk takeaway: As with any news of leaked credentials, this story is a reminder for businesses to educate staff about not re-using passwords across multiple services (on the basis that hackers will attempt to use credentials found in this collection to access other services). The leak of so-called Collection #1 has been followed with news of the release of four subsequent collections of credentials to the dark web. Organisations can use the Have I Been Pwned service to identify if any of their accounts have been compromised and reset passwords for those users. The leak also offers a reminder of the value of using multi-factor authentication for key services.

Tags: #databreach #securityawareness #passwords #multifactorauthentication
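The takeaway above points organisations at Have I Been Pwned to find exposed credentials. The example below is added here to show how its Pwned Passwords range check works; it is not code from the round-up or from the HIBP project. It assumes the real endpoint shape (`https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`) but never contacts it: the range response and its breach counts are constructed inline so the check runs offline. The point it demonstrates is the k-anonymity property: only a 5-character hash prefix ever leaves the organisation, so the service never learns which password was checked.

```python
"""Offline walk-through of the Have I Been Pwned 'Pwned Passwords' range
check (k-anonymity model).  The range response below is CONSTRUCTED for
this example; a real client would GET
https://api.pwnedpasswords.com/range/<prefix> instead of calling fetch_range().
"""
from __future__ import annotations

import hashlib
from typing import Callable

# Constructed stand-in for the body the range endpoint returns for prefix
# "5BAA6".  A real response lists every known SHA-1 suffix under that prefix
# with its breach count; the counts here are invented for the example.
CONSTRUCTED_RANGE_RESPONSES: dict[str, str] = {
    "5BAA6": (
        "0000000000000000000000000000000000A:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"  # SHA-1("password")
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\r\n"
    ),
}


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix is sent to the service; the 35-character
    suffix stays local and is compared against the returned range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call: serves the constructed response."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the (constructed) breach corpus.

    `fetch` receives ONLY the hash prefix, which is the whole point of the
    k-anonymity design: the service cannot tell which of the ~hundreds of
    suffixes under that prefix the caller cared about.
    """
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

In a real deployment the lookup belongs in the password-change path (reject any password with a non-zero count) rather than in a bulk audit of stored credentials, since the organisation should never hold plaintext passwords to audit in the first place. Sending the `Add-Padding: true` request header, which the real API supports, further hides which prefix is being queried by padding every response to a similar size.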

Adware, cryptomining targeting Aussie businesses

Summary: Australia is in the top ten of nations with the most malware detections affecting businesses, according to new research.

Key risk takeaway: Measuring and mitigating cyber risk is largely the process of identifying the key threats for your organisation and ensuring effective controls exist against those threats. This report – from researchers at Malwarebytes – indicates that malware is a high priority threat for most Australian businesses, a finding that correlates with analysis by the Office of the Australian Information Commissioner (OAIC). The OAIC’s most recent quarterly report on data breaches found 57% of breaches were due to malicious or criminal attacks, which include incidents due to malware and ransomware. Malware controls can span the gamut of protective, detective and responsive measures, and encompass both technical and organisational measures. For instance, they can include endpoint protection, network segregation, data loss prevention as well as training users to identify phishing emails.

Tags: #cyberriskmeasurement #malware #controls

You Deserve Privacy Online. Here’s How You Could Actually Get It

Summary: Apple CEO Tim Cook’s privacy crusade continues with a recent TIME magazine op-ed that calls for federal privacy legislation in the US, and issues a strong warning about the role of data brokers in the economy.

Key risk takeaway: In our recent post exploring what 2019 has in store, we foreshadowed the ascendancy of privacy as a public issue and likely moves by companies to use it as a competitive differentiator. Tim Cook’s proactive pronouncements on privacy fit this trend, and holding such a position could be of increasing importance to all organisations that operate in this data-driven economy. Cook’s calls for the Federal Trade Commission to take a stronger role mirror moves in Australia, where the consumer watchdog – the Australian Competition and Consumer Commission – will likely have a stronger voice on privacy this year.

Tags: #privacy #trust

Banks slam weak privacy, security settings for consumer data and open banking

Summary: Australia’s banks have warned of privacy and security risks relating to the Federal Government’s plans to introduce an open banking regime, underpinned by a Consumer Data Right.

Key risk takeaway: This story reflects what will be a growing tension for Australian businesses – managing intensifying concerns about privacy and security while also needing to facilitate more open access and sharing of data to support innovation and competition. Australia’s banks, via the Australian Banking Association, argue security risks relating to the government’s proposal for transferable consumer data have been downplayed or underestimated – as the Federal Government looks to introduce legislation to drive forward these initiatives. All modern businesses should seek to understand the implications of these national data-related initiatives on their operations and risk posture, and proactively advocate on behalf of their industry and customers as these frameworks take shape.

Tags: #outreach #data #privacy

AWS can now carry protected Australian government data

Summary: Amazon Web Services (AWS) has been certified to carry protected Australian government data, joining Microsoft as the second large-scale multinational cloud provider to be added to the government’s certified provider list.

Key risk takeaway: Managing the security considerations of transitioning to the cloud is one of the major digital risk trends for businesses today (along with privacy, cyber security and supplier risk). Government can be an exemplar for industry on management of cyber risk, and its cloud certification process reflects the importance of any business assessing potential cloud providers against a set of security requirements, principles and policies.

Tags: #cloudrisk #security #digitalrisktrends

US issues emergency cyber security directive as Iran-linked hackers strike during shutdown

Summary: The US has issued an emergency cyber security directive in response to an ongoing attack attributed to Iran-linked hackers. The attackers successfully redirected web and email traffic intended for civilian government agencies by altering domain name system (DNS) records, making them point to servers they controlled.

Key risk takeaway: The attackers gained access to US agencies’ administrative accounts to make DNS changes, a method analysts have also observed against governments and telecommunications providers around the world. This serves as a reminder for any organisation to have strong processes in place to protect its critical user accounts. This includes ensuring strong and unique passwords (a task made easier through use of password managers) and using multi-factor authentication. The Australian Government has also issued advice on hardening DNS infrastructure.

Tags: #credentials #security #government
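The attack described above worked by silently altering an organisation's public DNS records. One detective control a defender can add alongside the account-hardening advice is to compare the records actually being served against a change-controlled baseline and alert on any drift. The script below is an added example, not code from the round-up or from any government advisory. It assumes a simple `name TYPE value` line format and uses constructed baseline and observed record sets (under `example.gov`, a reserved name); a real monitor would obtain the observed set from a resolver query and the baseline from the registrar or zone repository.

```python
"""Detect drift between an organisation's approved public DNS records and the
records currently being served.  Both record sets below are CONSTRUCTED for
this example; in production the observed set would come from live resolver
queries (e.g. via dnspython) and the baseline from change-controlled config.
"""
from __future__ import annotations

from dataclasses import dataclass

# Record types whose alteration steers web or mail traffic elsewhere (the
# technique in the story above).  Drift in these is reported as HIGH.
TRAFFIC_STEERING_TYPES = {"A", "AAAA", "NS", "MX", "CNAME"}

Record = tuple[str, str, str]  # (owner name, type, value)


def parse_records(text: str) -> set[Record]:
    """Parse zone-file-like 'name TYPE value' lines (constructed format).

    Simplification: a ';' starts a comment anywhere on the line, so a TXT
    value containing ';' would need a real zone parser.
    """
    records: set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        rtype = rtype.upper()
        name = name.lower().rstrip(".")
        # Hostnames are case-insensitive and may carry a trailing dot;
        # normalise those, but leave TXT and similar values untouched.
        if rtype in TRAFFIC_STEERING_TYPES:
            value = value.lower().rstrip(".")
        records.add((name, rtype, value.strip()))
    return records


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "LOW"
    change: str    # "added" or "removed"
    name: str
    rtype: str
    value: str


def _severity(rtype: str) -> str:
    return "HIGH" if rtype in TRAFFIC_STEERING_TYPES else "LOW"


def diff_records(baseline: set[Record], observed: set[Record]) -> list[Finding]:
    """Return one Finding per record present in only one of the two sets."""
    findings: list[Finding] = []
    for name, rtype, value in sorted(observed - baseline):
        findings.append(Finding(_severity(rtype), "added", name, rtype, value))
    for name, rtype, value in sorted(baseline - observed):
        findings.append(Finding(_severity(rtype), "removed", name, rtype, value))
    return findings


# Constructed approved baseline for a fictional agency zone.
BASELINE = """
; approved records (constructed)
example.gov.       NS   ns1.example.gov.
example.gov.       NS   ns2.example.gov.
example.gov.       A    192.0.2.10
mail.example.gov.  A    192.0.2.25
example.gov.       MX   10 mail.example.gov.
example.gov.       TXT  "v=spf1 mx -all"
"""

# Constructed 'currently served' records showing the kind of drift to catch:
# the web A record now points elsewhere and an extra, higher-priority MX
# (lower preference value) has appeared, which would divert inbound mail.
OBSERVED = """
example.gov.       NS   ns1.example.gov.
example.gov.       NS   ns2.example.gov.
example.gov.       A    198.51.100.7
mail.example.gov.  A    192.0.2.25
example.gov.       MX   10 mail.example.gov.
example.gov.       MX   5 mx.unapproved.example.
example.gov.       TXT  "v=spf1 mx -all"
"""


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines, HIGH findings first."""
    order = {"HIGH": 0, "LOW": 1}
    return [
        f"[{f.severity}] {f.change:7} {f.name} {f.rtype} {f.value}"
        for f in sorted(findings, key=lambda f: (order[f.severity], f.change, f.name))
    ]


if __name__ == "__main__":
    for line in report(diff_records(parse_records(BASELINE), parse_records(OBSERVED))):
        print(line)
```

Run on a schedule, this turns the directive's one-off "audit your DNS records" step into continuous monitoring; pairing it with a check that the zone's `NS` records match what the registrar reports, and with registrar-side change alerts and MFA on the registrar and DNS-provider accounts, closes the loop on the account-takeover path the story describes.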