University data breach exposes the personal details of 355,000 users worldwide

University data breach exposes the personal details of hundreds of thousands of staff and students all over the world. 

A university data breach has exposed the personal data of hundreds of thousands of staff and students. A recent news report disclosed that a data breach at the University of Kentucky was discovered during a routine annual cyber security inspection. The breach appears to have been caused by a vulnerability in a server associated with the College of Education database. According to this statement from the institution, over 355,000 email addresses were exposed, with victims located not just in Kentucky but in all 50 states and at least 22 other countries around the world. The database is part of a free resource known as the Digital Driver’s License training and test-taking program, used by K-12 schools and universities across the country. The university has announced that it is implementing several enhanced security measures to mitigate the situation and reduce the chances of a repeat occurrence.

The database consisted mainly of names and email addresses and contained no financial or social security information.

According to officials at the University, while the potential for identity theft is very low, they are still taking the incident very seriously. The impacted school districts have been notified, along with the appropriate legal and regulatory bodies. The database of approximately 355,000 users, from all over the United States as well as 22 countries around the world, contained only users’ names and numbers, with no financial, health, or social security information included. The database is part of a free resource program used by many schools and universities, through which students have taken civic courses in recent years.

The University of Kentucky has released a statement outlining several enhanced security measures they will be utilizing moving forward.

The University of Kentucky has published a statement on their cyber response, outlining several enhanced security measures they will be using following this data breach. These measures include repairing the server in question, an internal audit, and an additional $1.5 million investment in their cyber security to be used for implementing the enhanced security measures. According to their statement, the University of Kentucky intends to appoint a Chief Information Security Officer to spearhead their efforts. These efforts include implementing multi-factor authentication, deploying more firewalls and rapidly patching critical vulnerabilities, among other measures.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Dutch DPA imposes fine

Dutch DPA imposes fine for delayed report of a data breach

Dutch DPA imposes fine on international travel agency booking.com, for their delayed action in reporting a significant data breach. 

Netherlands-based international travel agency Booking.com was recently hit with a fine for its delayed action in reporting a data breach. The breach was discovered on January 13, 2019, after having occurred in December of 2018. However, the incident was not reported to the DPA until February 7th, 2019. Data breaches must be reported to the relevant authorities within 72 hours of their discovery, making this report about 22 days late. As a result, the Dutch DPA imposed a fine of €475,000 on the company.

Because booking.com is an international company with customers from a range of different countries, the investigation into the breach was international in scope. The investigation, however, was conducted by the Dutch DPA, due to the fact that the company is based in the Netherlands.

Cyber criminals posed as booking.com staff in emails and on the phone in order to steal personal information.

These cyber criminals were able to collect information by posing as booking.com staff in emails and on the telephone. This scam targeted 40 hotels in the UAE in December 2018. By using these customers’ booking information to appear more credible when posing as booking.com staff, the phishers attempted to gather as much personal and financial information from as many customers as they could, in order to steal money from them. This data included login credentials, as well as financial information. The scope of this data breach was so wide that the criminals were able to access the data of over 4,000 people, including the credit card information of over 280 people. In 97 of those cases, even the security code for the credit card was obtained.

Booking.com does not object to the fine imposed and has compensated their customers for the financial losses suffered as a result of the breach.

Although booking.com was made aware of the breach on 13 January 2019, it was not until February 4, 2019 that they informed the affected customers. Further still, the company waited until February 8 to inform the DPA of the breach. The company has offered several solutions, including financial compensation for any losses suffered by their customers. Booking.com will not lodge any objections or apply for review of the fine imposed.

There has been a significant increase in cyber crimes over the past year, making enhanced security measures even more invaluable.

In recent times, particularly since 2020, there has been a significant increase in personal data theft and related attempts. 2020 saw 30% more data theft than the previous year. Many individuals have personally fallen victim and suffered financial losses as a result of phishing and other forms of data theft aimed at accessing financial information. DPAs have remarked on the explosive increase in these cases over the last year. Enhanced security, as well as timely reporting in the event of a breach, can greatly reduce the impact that this sort of theft has on individuals.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Facebook data leak

Facebook data leak affects over half a billion users worldwide

Facebook data leak results in the personal information of over half a billion users being made available publicly and free of charge. 

Facebook has recently been implicated in a massive data leak affecting over half a billion users, as reported by Business Insider earlier this month. The personal data leaked was gathered during a data breach two years ago. However, in recent times, an individual has published all of this personal information on a black market online hacking forum, free of charge. It is believed that this information was previously available for sale but has since gone down in value, and is now being offered for free on a hacking forum. This data was obtained through the misuse of a feature prior to 2019 and affects approximately 533 million users from over 100 countries.

The personal data leaked does not include login information; however, the details included contain enough information to facilitate impersonation or fraud.

The personal data affected includes information like full names, identification credentials, locations, dates of birth, email addresses, and phone numbers. The information does not include financial information or health information. It is also said that login information is not included in the data; however, the information put out there could potentially be used for hacking. Security experts say that this information could be used to impersonate individuals and commit fraud. Facebook’s Product Management Director, Mike Clark, says that this information was not obtained through hacking, but rather by scraping it from the platform, much like what happened with Facebook in their 2016 Cambridge Analytica fiasco.

The Facebook data leak has resulted in information which was once available for sale in January now being published free of charge on a hacking forum.

The data was first discovered in January, on a hacking forum where an individual or entity advertised an automated bot which could provide certain user data from Facebook. At the time this data was confirmed to be legitimate. However, since then the data has been publicized and is now available for free on a low-level hacking forum. This information was discovered earlier this month by Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock.

Facebook reports that the vulnerability which led to the data scraping has since been rectified, and that the company does not intend to notify the individual users affected by this leak. 

Facebook officials want to assure the public that the platform’s vulnerability which led to the 2019 data breach has since been rectified. The social media company has not notified the over 533 million users who were affected by this data breach, and according to company officials, they do not intend to do so. Facebook’s spokesman said the social media company was not confident that it had full visibility on which users would need to be notified. They also considered the fact that users could do nothing to fix the issue, as well as claims that the data was already publicly available, in their defense for not notifying users.

“One needs to understand that, under GDPR, data breaches of such nature need to be notified to data protection authorities and very likely to the affected users as well,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.


Polish DPA fined university

Polish DPA fined university for failing to issue a data breach notification

The Polish DPA has fined a university for neglecting to notify the authority as well as affected persons after a data breach.

In June of 2020, the Polish DPA was notified of a data breach at a medical university. According to the complaint received, during the university’s examinations held towards the end of May 2020, students were identified via videoconference. Following the examinations, these recordings were available not only to the students being examined, but also to others who had access to the system. In addition, any third party could have access to the examination recordings, and by extension, the examined students’ personal data presented during the identification process, by using a direct link. 

While information in the complaint indicated a high risk to the rights and freedoms of those persons affected, the data controller disagreed.

The information contained in the complaint indicated that the incident may have presented a high risk to the rights and freedoms of those persons who took the examination. UODO wrote to the university for further clarification; however, the data controller replied in writing, arguing that the incident presented a very low risk to the rights and freedoms of the affected persons and that it was therefore not necessary to notify the authority in connection with this data breach. The university also indicated that the system was modified after the incident, to ensure that the recorded examinations were not mistakenly shared. In addition, the controller indicated that it had identified the persons who downloaded the examination file and informed them of their responsibility in having access to this data.

While the Polish DPA acknowledged the efforts made by the controller to secure the data moving forward, the authority maintains that notifications were necessary.

The UODO has taken the stance that the university, as the data controller in this situation, is responsible for the data, and not the individuals who downloaded the files, and that this breach occurred due to the controller’s negligence, posing a high threat to the rights and freedoms of the affected students. While the authority acknowledged that the modifications to the e-learning platform being used for the examinations will serve to protect students’ data by preventing these files from being downloaded, the UODO believes that notification still should have been made to the authority as well as to the students affected.

The UODO believes that the controller has inaccurately assessed the risk associated with this data breach, and as a result failed to meet its obligations.

The Polish DPA found that after the data breach had occurred, the controller failed to meet its obligations to notify both the supervisory authority and the persons affected by the breach. These notifications become necessary when, due to the breach, there is a high risk to the rights or freedoms of the persons affected. The authority believes that the controller had incorrectly assessed the risk involved. In its decision, UODO also indicated that it does not matter, as the controller claims, that the file recording the course of the examination was downloaded only by a limited number of persons, as there is no assurance that it will not eventually be made available further to unauthorized persons.

The Polish DPA fined the University over EUR 5 850 for neglecting its notification obligations over several months.

The University has incurred a fine of almost 6,000 Euros. The President of the Office took into account not only the failure to notify the DPA and the affected students, but also the duration of the breach (several months passed from the breach to the issuing of the decision), the deliberate inaction of the controller after being informed that notifications were necessary, and the lack of cooperation on the part of the controller with the authority, despite the letters sent and the proceedings initiated. The imposition of this fine should also serve a preventive function, as it shows that one cannot neglect one’s obligations as a controller in connection with a personal data protection breach.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.