Forged legal requests result in data breach at Meta and Apple

Apple Inc. and Meta Platforms have fallen victim to forged legal requests from hackers, resulting in data breaches. 

 

Apple Inc. and Meta Platforms Inc., the parent company of Facebook, handed customer data to hackers who posed as law enforcement officials, according to this report from Bloomberg. In mid-2021, in response to forged “emergency data requests”, both companies supplied basic subscriber details, including the customer’s address, phone number and IP address. Normally such data is released only in response to a search warrant or subpoena signed by a judge; emergency requests, however, require no court order. Snap Inc. received a forged request from the same hackers, but it is not yet known whether the company provided data in response.

According to cybersecurity researchers, the suspects behind the forged requests are minors located in the U.K. and the U.S. The City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group, whose leader is suspected of orchestrating this breach. Hackers affiliated with a cybercrime group known as “Recursion Team” are also believed to be behind some of the forged requests, which were sent to companies throughout 2021. The probe is ongoing.

 

Emergency requests, which typically do not require a signed order from a judge, were used to illegally obtain information from these companies.

 

In criminal investigations, law enforcement agencies around the world routinely ask social media platforms for information about users. In the US, for example, these requests usually come with a signed order from a judge. Emergency requests, however, do not require a judge to sign off on them, as they are intended for cases of imminent danger. Meta spokesman Andy Stone said in a statement, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.” Meta also states on its website, “In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

 

The forged legal requests were sent via email from compromised law enforcement accounts. 

 

The channels for requesting data from companies are dedicated email addresses and/or company-run portals. Handling legal requests is complicated by the sheer number of law enforcement agencies worldwide, and jurisdictions differ in the laws governing how user data is requested and released. Companies such as Meta and Snap operate their own portals for receiving law enforcement requests, but still accept requests by email and monitor them frequently. Apple accepts legal requests for user data at an apple.com email address and, according to its legal guidelines, requires that the request be sent from the official email address of the requesting agency. The weakness is that, in some cases, compromising law enforcement email accounts is relatively easy: credentials for such accounts are sold on criminal marketplaces. A request sent from a genuine, compromised agency mailbox passes any check that only looks at where the message came from, so origin checks alone cannot distinguish a real emergency request from a forged one.
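The following Python script is an added example, not code from Apple, Meta or Bloomberg’s report. It triages an inbound request email the way a provider’s law enforcement inbox might: it checks the sender’s domain against an allowlist of agency domains and reads the SPF/DKIM/DMARC verdicts that a receiving mail server records in the Authentication-Results header (RFC 8601). The agency domains, the provider’s address and both sample messages are constructed for the example. It illustrates the point made above: a spoofed message fails the origin checks, but a message sent from a genuine, compromised agency mailbox passes all of them, so the script never approves on that basis and routes every request that passes to out-of-band verification.

```python
"""Triage of inbound law-enforcement data-request emails.

Added example, not provider code. Assumes (hypothetically) that the
receiving mail server stamps RFC 8601 Authentication-Results headers and
that AGENCY_DOMAINS lists the official mail domains of known agencies.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist of official agency mail domains (constructed).
AGENCY_DOMAINS = {"police.example.gov", "sheriff.example.us"}

# Matches spf=pass / dkim=fail / dmarc=pass etc. inside Authentication-Results.
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)


def parse_auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RESULT_RE.finditer(header)}


def triage_request(raw_message):
    """Classify a raw RFC 5322 message as 'reject' or 'callback_verify'.

    There is deliberately no 'approve' outcome: passing origin checks only
    proves the mail left the agency's mail system, not that an officer sent it.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    domain = sender.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    subject = str(msg.get("Subject", ""))

    origin_ok = domain in AGENCY_DOMAINS and auth.get("dmarc") == "pass"
    is_emergency = "emergency" in subject.lower()

    if not origin_ok:
        action = "reject"
        reason = "sender domain not an allowlisted agency or DMARC did not pass"
    else:
        # Even a clean origin must be confirmed by phoning the agency back on a
        # number taken from an independent directory, never one in the email.
        action = "callback_verify"
        reason = ("emergency request: no legal process attached, verify by callback"
                  if is_emergency else "verify by callback before release")
    return {"from_domain": domain, "auth": auth, "origin_ok": origin_ok,
            "emergency": is_emergency, "action": action, "reason": reason}


# Constructed sample 1: spoofed From, fails SPF and DMARC.
SPOOFED = """\
From: Det. J. Smith <records@police.example.gov>
To: lawenforcement@provider.example
Subject: EMERGENCY DATA REQUEST - imminent threat to life
Authentication-Results: mx.provider.example; spf=fail smtp.mailfrom=police.example.gov; dkim=none; dmarc=fail header.from=police.example.gov

Please provide subscriber name, address and IP logs for user 12345 immediately.
"""

# Constructed sample 2: sent from a real but compromised agency mailbox,
# so SPF, DKIM and DMARC all pass.
COMPROMISED = """\
From: Det. J. Smith <records@police.example.gov>
To: lawenforcement@provider.example
Subject: EMERGENCY DATA REQUEST - imminent threat to life
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=police.example.gov; dkim=pass header.d=police.example.gov; dmarc=pass header.from=police.example.gov

Please provide subscriber name, address and IP logs for user 12345 immediately.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised account", COMPROMISED)):
        print(label, "->", triage_request(sample))
```

Running the script shows the spoofed message rejected and the compromised-account message passing every origin check yet still ending in `callback_verify`. The design choice is that the email itself is never sufficient evidence: the callback number is taken from a directory the provider maintains independently, because a forged request will happily include its own contact details.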

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Bank Millennium fined €80,000 by Polish DPA for failure to report a breach

Bank Millennium fined €80,000 by Polish DPA for failing to report a breach and to sufficiently inform the affected data subjects.

 

The Polish DPA recently fined Bank Millennium for a data breach which the bank failed to report and about which it failed to adequately inform the affected customers. According to this report from the EDPB, the supervisory authority learned of the breach through a complaint against the bank concerning documents containing personal data that had been lost by a courier service. The lost correspondence included customers’ names, personal identification numbers, registered addresses, bank account numbers and the identification numbers the bank assigns to its customers. The customers who went on to file the complaint had been told of the breach, but the information given to them did not meet the requirements of the GDPR.

 

Bank Millennium judged the breach to be of medium severity and therefore did not consider any further notification necessary.

 

The steps that must be taken after a data breach depend on its severity: under Article 33 of the GDPR a controller must notify the supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals, and under Article 34 it must communicate the breach to the affected data subjects without undue delay where it is likely to result in a high risk to them. Bank Millennium, perceiving the risk from this breach to be medium, did not consider it necessary to inform the Polish DPA. It also gave customers limited information about how their data may have been compromised. According to the DPA, that information was insufficient and did not meet the standard required by the GDPR. The Polish DPA noted that, had it been informed of the breach, it could have guided the controller on how much information needed to be conveyed to the affected data subjects.

 

Bank Millennium was fined €80,000 as a result of their failure to report a data breach.

 

The Polish DPA fined Bank Millennium a total of €80,000 for this violation of data protection law and ordered the bank to communicate the breach to the affected persons in the manner set out in the GDPR. In setting the fine, the DPA took into account the gravity of the breach and the fact that, during the proceedings, the bank still failed to fulfil its obligations. The supervisory authority also found the bank’s cooperation during the proceedings unsatisfactory. The fine is intended to be punitive and to deter other banks and organisations that may be less vigilant in meeting their data protection obligations.



Bulk email data breach results in a fine from the ICO

Bulk email data breach results in a fine from the ICO, after a data controller exposed recipients’ identities and, by implication, their HIV status.

 

A recent data breach at a Scottish charity, HIV Scotland, has resulted in a fine from the ICO. A bulk email was sent to 105 recipients, including patient advocates for people living with HIV in Scotland. Of those 105 email addresses, 65 identified people by name. The breach happened because a staff member did not use the blind carbon copy (BCC) field and instead sent the bulk email with every recipient’s address visible to all. From the data disclosed, assumptions could be made about a person’s HIV status.

 

Health data is considered particularly sensitive, and as a result, this error was taken very seriously by the ICO. Ken MacDonald, head of ICO regions was quoted as saying “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.” He went on to add “I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”


It was found that the charity was still using a less secure method of sending bulk emails, seven months after acquiring a system which allows bulk emails to be sent more securely.

 

Because the charity had itself acknowledged the risk of sending bulk messages through the BCC feature found in most email applications, it procured a more secure system for sending emails. Seven months later, however, the organisation was still using the less secure BCC method. This, compounded by inadequate staff training and an inadequate data protection policy, led to the breach and, by extension, to several infringements of the UK GDPR and the resulting fine.
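As an added example, not HIV Scotland’s system or the ICO’s guidance, the Python below places the failure mode described above next to the safer pattern. `build_to_everyone` reproduces the mistake, putting every address in the visible To field; `build_with_bcc` is the BCC method the page calls less secure; `build_individual_messages` generates one message per recipient so that no recipient list exists to leak; and `is_safe_to_send` is a guard a sending script can apply to any outgoing message, refusing it when more than one address would be visible in To or Cc. The sender, recipient list and message text are constructed. The page does not say what system the charity procured, so per-recipient sending is an assumption about what a “more secure” system does.

```python
"""Bulk mailing without exposing the recipient list.

Added example, not the charity's or the ICO's code. Assumes a plain
SMTP-style workflow using the standard library's email package; the
sender and recipients below are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# A message may expose at most this many addresses in To/Cc combined.
MAX_VISIBLE_RECIPIENTS = 1

SENDER = "HIV Support Bulletin <bulletin@charity.example>"  # constructed
RECIPIENTS = [                                              # constructed
    ("Alice Example", "alice@advocacy.example"),
    ("", "bob@example.net"),
    ("Carol Example", "carol@clinic.example"),
]


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc (Bcc is stripped in transit)."""
    values = [str(v) for field in ("To", "Cc") for v in msg.get_all(field, [])]
    return [addr for _, addr in getaddresses(values)]


def is_safe_to_send(msg):
    """Guard for the sending path: False if the message would leak a recipient list."""
    return len(visible_recipients(msg)) <= MAX_VISIBLE_RECIPIENTS


def build_message(sender, to_header, subject, body):
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to_header
    m["Subject"] = subject
    m.set_content(body)
    return m


def build_to_everyone(sender, recipients, subject, body):
    """The mistake: the whole list in To, so each recipient sees all the others."""
    return build_message(sender, ", ".join(a for _, a in recipients), subject, body)


def build_with_bcc(sender, recipients, subject, body):
    """BCC method: passes the guard, but one wrong field (To instead of Bcc)
    discloses the whole list, which is why the page calls it less secure."""
    m = build_message(sender, sender, subject, body)
    m["Bcc"] = ", ".join(a for _, a in recipients)
    return m


def build_individual_messages(sender, recipients, subject, body):
    """Safer pattern: one message per recipient; there is no shared list to leak."""
    msgs = []
    for name, addr in recipients:
        to = f"{name} <{addr}>" if name else addr
        m = build_message(sender, to, subject, body)
        if not is_safe_to_send(m):  # cannot trigger here; kept as defence in depth
            raise ValueError("recipient list would be exposed")
        msgs.append(m)
    return msgs


if __name__ == "__main__":
    bad = build_to_everyone(SENDER, RECIPIENTS, "Newsletter", "Hello")
    print("To-everyone message safe to send?", is_safe_to_send(bad))  # False
    print("BCC message safe to send?",
          is_safe_to_send(build_with_bcc(SENDER, RECIPIENTS, "Newsletter", "Hello")))  # True
    for m in build_individual_messages(SENDER, RECIPIENTS, "Newsletter", "Hello"):
        print("individual message safe?", is_safe_to_send(m), "->", m["To"])
```

The guard is a technical measure in the sense of Article 32: it belongs in the code path that actually hands messages to the mail server, where it catches the slip regardless of whether staff training or policy was followed that day. Per-recipient sending removes the hazard entirely rather than relying on the right field being chosen each time.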


The organisation was fined £10,000 under the Data Protection Act 2018 for infringements of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.

 

The ICO has fined the data controller, HIV Scotland, £10,000. In deciding on the amount, the ICO considered the charity’s size and its representations regarding its financial position. The February 2020 data breach is considered an infringement of UK GDPR Articles 5(1)(f) and 32(1) and (2). Article 5(1)(f) requires that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” Article 32 sets out the security-of-processing obligation: taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, the controller and processor must implement technical and organisational measures that ensure a level of security appropriate to the risk.


The ICO is urging organisations and businesses to be mindful of their email practices in light of this situation.

 

In light of this incident, the ICO released a statement urging businesses and organisations to evaluate or re-evaluate their practices for sending correspondence to large groups of clients or other individuals. Data protection law requires organisations responsible for personal data to have appropriate technical and organisational measures in place to ensure its security.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

University data breach exposes the personal details of 355,000 users worldwide

University data breach exposes the personal details of hundreds of thousands of staff and students all over the world. 

 

A university data breach has exposed the personal data of hundreds of thousands of staff and students. A recent news report disclosed that a data breach at the University of Kentucky was discovered during a routine annual cybersecurity inspection. The breach appears to have been caused by a vulnerability in a server associated with the College of Education database. According to this statement from the institution, over 355,000 email addresses were exposed, with victims located not just in Kentucky but in all 50 states and at least 22 other countries. The database is part of a free resource known as the Digital Driver’s License training and test-taking program, used by K-12 schools and universities across the country. The university has announced that it is implementing several enhanced security measures to mitigate the incident and reduce the chance of a repeat.

 

The database consisted mainly of names and email addresses and contained no financial or social security information. 

 

According to university officials, the potential for identity theft is very low, but they are still taking the incident very seriously. The impacted school districts have been notified, along with the appropriate legal and regulatory bodies. The database of approximately 355,000 users, from across the United States and 22 other countries, contained only users’ names and email addresses, with no financial, health or social security information. It belongs to a free resource program through which students at many schools and universities have taken civics courses in recent years.

 

The University of Kentucky has released a statement outlining several enhanced security measures they will be utilizing moving forward. 

 

The University of Kentucky has published a statement on its cyber response, outlining several enhanced security measures it will adopt following this data breach. These include repairing the server in question, an internal audit and an additional $1.5 million investment in cybersecurity to fund the enhanced measures. According to the statement, the university intends to appoint a Chief Information Security Officer to lead these efforts, which include implementing multi-factor authentication, deploying additional firewalls and rapidly patching critical vulnerabilities, among other measures.

 
