An early test of the GDPR: taking on data brokers

Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.

The General Data Protection Regulation is a sweeping personal data privacy law that came into force in late May in the EU. For the rest of the world, it’s viewed as a bellwether for whether Big Tech can be held in check when immense data leaks seem to happen with painful regularity.

Formal complaints to European regulators under the GDPR by UK non-profit Privacy International were also filed against ad-tech companies Criteo, Quantcast and Tapad as well as credit agencies Equifax (the subject of a massive breach just last year) and Experian.

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged,” said Ailidh Callander, legal officer at Privacy International, in an email to Engadget. “These companies’ business models are premised on data exploitation.”

Data brokers aggregate personal information from other sources — for instance, websites you’ve visited or credit card records — to create a complex profile on who they think you are. That profile may include political leanings and income, and subsequently get sold to brands or social networks. Acxiom claims to have data on about 700 million people globally. Consumers often don’t hand data directly to these companies via their own websites — the way one would with, say, Facebook — which allows the data trading to operate in relative obscurity.

This alleged lack of consent is precisely what Privacy International is targeting. The non-profit also claims that these companies have no "legitimate interest" (one of the lawful bases for processing under the GDPR) for processing the personal data, from which political, ethnic and religious affiliations may be inferred. According to Privacy International, the companies fail to comply with the principles of "transparency, fairness, purpose limitation, data minimisation, accuracy and confidentiality and integrity", which is nearly all of the new privacy law's core foundations.

“The law has changed and these companies need to as well,” said Callander. “There is a gap between how [the] GDPR conceptualises data privacy and [how] these companies do and the onus is on them (if necessary, pushed by regulators) to close it.”

In public statements, Experian has said: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements.” Criteo has stated: “We have complete confidence in our privacy practices.”

Companies are still feeling out just how the law is going to be enforced, which is why test cases like this bear watching. Facebook and Google are among the other companies who have faced complaints so far. A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.

UK Regulator Fines Equifax £500,000 Over 2017 Data Breach

Atlanta-based consumer credit reporting agency Equifax has been fined £500,000 by the UK's privacy watchdog over last year's massive data breach, which exposed personal and financial data of nearly 150 million people.

Yes, £500,000 is the maximum fine allowed under the UK's Data Protection Act 1998, though it is a small figure for a $16 billion company.

In July this year, the UK's data protection watchdog imposed the same maximum fine of £500,000 on Facebook over the Cambridge Analytica scandal, saying the social media giant failed to prevent UK users' data from falling into the wrong hands.

Flashback: The Equifax Data Breach 2017

Equifax suffered a massive data breach last year between mid-May and the end of July, exposing highly sensitive data of as many as 145 million people globally.

The stolen information included names, dates of birth, phone numbers, driver's license details, addresses and Social Security numbers, along with credit card details for hundreds of thousands of consumers.

The breach occurred because the company failed to patch a critical Apache Struts 2 vulnerability (CVE-2017-5638) in time; the Apache Software Foundation had published a fix in March 2017, months before the attackers got in.

Why Has the UK Fined a US Company?

The UK's Information Commissioner's Office (ICO), which launched a joint investigation into the breach with the Financial Conduct Authority, has now issued its largest possible monetary penalty under the country's Data Protection Act 1998 for the breach: £500,000, around $665,000.

The ICO said that although the cyber attack compromised Equifax systems in the United States, the company “failed to take appropriate steps” to protect the personal information of its 15 million UK customers.

The ICO investigation revealed "multiple failures" at the company, such as keeping personal information longer than necessary, which resulted in:

  • 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.
  • 637,430 UK customers had their names, dates of birth and telephone numbers exposed.
  • Up to 15 million UK customers had names and dates of birth exposed.
  • Some 27,000 UK residents also had their Equifax account email addresses taken.
  • 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions and answers, obscured credit card numbers, and spending amounts stolen.

Breach Was Result of Multiple Failures at Equifax

The ICO said that Equifax had also been warned about the critical Apache Struts 2 vulnerability by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take sufficient steps to patch it.

Initially, it was also reported that the company kept news of the breach hidden for a month after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims.

Because the breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the fine was capped at £500,000 under the UK's old Data Protection Act 1998.

Had the incident fallen under the GDPR, Equifax could have faced a maximum fine of 20 million euros or 4 percent of its annual global turnover, whichever is higher.

In response to the ICO's penalty, Equifax said that it has cooperated fully with the ICO throughout the investigation but that it is "disappointed in the findings and the penalty."

Equifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.

Equifax faces £500,000 fine in the UK over massive data breach

UK officials have fined Equifax £500,000 (US$660,000) for failing to protect up to 15 million citizens' personal data. The Information Commissioner's Office (ICO) announced its decision after an almost year-long investigation with the Financial Conduct Authority into the massive Equifax breach that affected 146 million people around the world. Attackers infiltrated the consumer credit reporting agency's systems by exploiting a vulnerability in its consumer-facing website, gaining access to people's names, addresses, birthdates and SSNs, as well as tax and driver's license information.

According to the ICO, Equifax UK's parent company in the US, the one infiltrated by the attackers, processed the data on its behalf. The regulator concluded that the company's UK division failed to make sure that its American counterpart was protecting UK citizens' information properly. Authorities also found "significant problems with [the company's] data retention, IT system patching and audit procedures." Further, they found that the US Department of Homeland Security had warned Equifax about a critical vulnerability back in March 2017, and that the company did not take steps to patch the flaw the hackers ultimately exploited.

The agencies' investigators divided the affected subjects in the country into different categories: the ones most affected (19,993 people) had their names, birthdates, phone numbers and driver's license numbers stolen. The first three types of information were exposed for 637,430 subjects. In all, 15 million UK citizens had their names and birthdates exposed, but those unfortunate enough to fall under the first category are clearly the most vulnerable to identity theft.

While £500,000 is chump change for a company like Equifax despite all its financial setbacks since the breach came to light, that is the largest fine the authorities could issue, since the breach happened before the GDPR was in force. Information Commissioner Elizabeth Denham explained:

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.

We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

Update (09/20/18 8:54AM ET): An Equifax spokesperson has reached out with the company’s official statement:

“We have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk. Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”

Equifax slapped with UK’s maximum penalty over 2017 data breach

Credit rating giant Equifax has been issued with the maximum possible penalty by the UK’s data protection agency for last year’s massive data breach.

Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK’s prior privacy regime was in force — rather than the tough new data protection law, brought in via the EU’s GDPR, which allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures.

So, again, Equifax has managed to dodge worse consequences over the 2017 breach, even though the hack resulted from its own internal process failings: it failed for months to patch a server it knew to be vulnerable, giving attackers an easy way in to swipe data on 147 million consumers.

Personal information lost or compromised in the 2017 Equifax breach included names, dates of birth, addresses, passwords, driving licence details and financial details.

The UK data protection regulator is involved because up to 15 million UK citizens’ data was also breached in the attack. And while the hack compromised Equifax’s US systems, the UK citizens’ data was being processed in the US.

The UK's Information Commissioner's Office (ICO) said today that the UK arm of Equifax failed to take adequate steps to ensure its US parent was protecting this data.

Reporting the result of its investigation, the ICO said Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 — including, failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement. “We are determined to look after UK citizens’ information wherever it is held.”

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

The regulator’s investigation, carried out in parallel with the UK’s financial regulator, the Financial Conduct Authority, revealed multiple failures at the credit reference agency.

The ICO says it found that measures that should have been in place to manage personal information were “inadequate and ineffective”, and there were also “significant problems” with data retention, IT system patching, and audit procedures.

It flags the fact that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017, noting that “sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched”.

“Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress,” added Denham, emphasizing the reasons for the ICO to issue the maximum possible penalty for the breach.

The ICO also recently issued Facebook with the same level of fine for allowing user data on up to 87 million Facebook users to be scraped by a third party app which used it to try to build voter targeting models, selling this as a service to a political consultancy involved in US elections.

“Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it,” she continued. “Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

Equifax has responded with disappointment to the ICO’s decision. In a statement responding to the ICO’s ruling, a company spokesperson said: “We have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.

“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”

The company points to a number of changes it says it has made in response to the incident to strengthen its policies and processes, and also highlights ongoing investments in infrastructure and corporate governance procedures, including hiring additional IT staff, which are intended to improve the resilience of its systems to hack attacks.

However it does concede that the breach itself was the result of internal process failings, given that a file containing historical consumer information which should have been deleted was not.

And the key point here is that the ICO’s decision is based on scrutinising exactly what happened that led to the breach occurring.

How a company has acted since a security crisis will be taken into consideration, as part of the overall picture, but having shut the barn door after the horse has bolted is only going to get so much credit vs the reasons for the barn door not being properly secured in the first place. And that’s as it should be given the point of data protection legislation is to encourage companies to prioritize security, not overlook it.

In the Equifax decision the ICO writes: “The Commissioner has also taken into account her underlying objective in imposing a monetary penalty notice, namely to promote compliance with the DPA [data protection act]. She considers that, given the nature, seriousness and potential consequences of the contravention arising in this case, that objective would not be adequately served by an unduly lenient penalty.”

Alibaba’s Ant Financial denies stealing from Equifax

Ant Financial has denied claims that it covertly raided Equifax, the U.S. credit firm that was hit by a hack last year, to grab information, including code, confidential data and documents, to help recruit staff for its own credit scoring service.

The Alibaba affiliate, which is valued at over $100 billion, launched Sesame Credit in China in 2015, and a report this week from The Wall Street Journal suggests that it leaned heavily on Equifax to do so. Ant Financial hired China-born Canadian David Zou from Equifax and the Journal claims that Zou looked up employee information to gauge potential hires and squirreled away confidential documents via his personal email account.

Ant was said to have offered Chinese staff at Equifax lucrative raises — reportedly tripling their salaries — with a focus on those who “provided instructions on specific Equifax information… if they jumped ship.” Apparently, however, only Zou did.

Zou, for his part, denies the claims. He said he looked up Equifax team members to help with work on his project in Canada, and forwarded information to his personal email account in order to continue his work when he went home.

Ant Financial went a step further with its own denial — from the firm’s statement:

Ant Financial did not use Equifax intellectual property or trade secrets, including code, algorithms or methodology in the development of our credit rating product. Ant Financial has found absolutely no evidence of Equifax software, data or code having been transferred to our systems.

We did not directly or indirectly encourage potential job applicants to obtain Equifax intellectual property or trade secrets. This would be a violation of Ant Financial’s Code of Business Conduct and we would take immediate action against any employee found engaging in this behavior. Further, we have specific agreements with our third-party recruiters that prohibit them from violating intellectual property rights of any parties. If any recruiter is found to have conducted such activities, we will stop accepting candidate referrals from them and may take legal action against them.

Ant said the Journal’s report is “full of innuendo based on disjointed facts and coincidence in timing.”

Beyond Ant, the report claims Equifax was also concerned when an unnamed Chinese firm swapped members of its delegation in the run-up to a meeting, a tactic that is apparently common in potential cases of espionage.

The company had been in contact with the FBI, but ultimately Equifax decided against pushing the matter. The Journal’s report also suggested that federal investigators backed down because they sensed that Equifax didn’t believe it had information that Chinese spies would be keen to get hold of. In addition, it hadn’t lost consumer information. Ultimately, of course, that leaked out when the firm was hacked last year.

“The story not only promotes hostility against a specific company, but also paints an overall narrative that maligns Chinese companies as a whole, and further promotes culturally divisive perceptions of ethnic Chinese people in America,” Ant said in its statement, which is attributed to the company’s general counsel, Leiming Chen.

Sonatype raises $80 million to build out Nexus platform

Sonatype, a cybersecurity-focused open-source company, has raised $80 million from investment firm TPG.

The company said the financing will help extend its Nexus platform, which it touts as an enterprise ready repository manager and library, which among other things tracks code and helps to keep everything in the devops pipeline up-to-date and secure.

It's that kind of technology that Sonatype says can prevent another Equifax-style breach of 147 million consumers' data. Earlier this year, the company found that dozens of Fortune Global 100 companies had downloaded outdated and vulnerable versions of Apache Struts, the framework Equifax failed to patch or update.

Sonatype's chief executive Wayne Jackson says his company can help prevent those types of breaches.

“We monitor literally millions of open source commits per day,” he told TechCrunch. “Last year hundreds of billions of components were downloaded by software developers, 12 percent of which had known security defects.”
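The check that both Sonatype's pitch and the Equifax failure turn on is a mundane one: does a build pull in a component version that sits inside a published affected range? The following is an added illustration for this page, not Sonatype's or Equifax's code. It reads a constructed Maven pom.xml, resolves a `${struts.version}` property, and compares the Struts version against the ranges the Apache S2-045 advisory gives for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The single-entry `VULN_RANGES` table stands in for the advisory feed a real scanner would consume.

```python
"""Flag known-vulnerable Apache Struts 2 coordinates in a Maven pom.xml.

Added example for this page (not Sonatype's or Equifax's code). The pom
below is constructed; the affected ranges for CVE-2017-5638 come from the
Apache S2-045 advisory. Version comparison is numeric-only, which is enough
for Struts release numbers but not for every Maven qualifier scheme.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
CVE_ID = "CVE-2017-5638"

# (groupId, artifactId) -> [(first_affected, last_affected, fixed_in), ...]
# A real scanner would pull this from an advisory feed; one entry here.
VULN_RANGES = {
    ("org.apache.struts", "struts2-core"): [
        ("2.3.5", "2.3.31", "2.3.32"),
        ("2.5", "2.5.10", "2.5.10.1"),
    ],
}


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); a '-SNAPSHOT' style qualifier is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def cmp_versions(a, b):
    """Compare dotted versions so that 2.5 < 2.5.10 < 2.5.10.1 (missing
    components count as zero). Returns -1, 0 or 1."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def pom_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) from a pom.xml string, resolving
    ${property} references against the pom's own <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(MAVEN_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{MAVEN_NS}properties/*")}
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        g = dep.findtext(f"{MAVEN_NS}groupId", "").strip()
        a = dep.findtext(f"{MAVEN_NS}artifactId", "").strip()
        v = dep.findtext(f"{MAVEN_NS}version", "").strip()
        m = re.fullmatch(r"\$\{(.+)\}", v)
        if m:
            v = props.get(m.group(1), v)
        yield g, a, v


def find_vulnerable(pom_xml):
    """Return [(coordinate, version, cve, fixed_in)] for every dependency
    whose version falls inside an affected range (inclusive both ends)."""
    findings = []
    for g, a, v in pom_dependencies(pom_xml):
        for lo, hi, fixed in VULN_RANGES.get((g, a), []):
            if cmp_versions(v, lo) >= 0 and cmp_versions(v, hi) <= 0:
                findings.append((f"{g}:{a}", v, CVE_ID, fixed))
    return findings


# Constructed sample pom: struts2-core pinned via a property to an affected
# release, plus an unrelated plugin coordinate that should not be flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coordinate, version, cve, fixed in find_vulnerable(SAMPLE_POM):
        print(f"{coordinate} {version}: {cve}, upgrade to {fixed}")
```

The inclusive range check matters at the boundaries: 2.3.31 and 2.5.10 are the last affected releases, while 2.3.32 and 2.5.10.1 are clean, so a naive string comparison (where "2.5.10" sorts after "2.5.10.1" lexically in some schemes) would misclassify exactly the versions an upgrade lands on. Wiring a check like this into CI, fed by a maintained advisory source rather than a hand-written table, is the gap between "a patch existed in March" and "the patch was applied".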

The funding will go to extend the company’s Nexus platform, Jackson said.

The company said it’s had an 81 percent increase in year-over-year sales in the first-half of the year, and 1.5 million users added to its flagship Nexus platform since January. In all, the company has more than 10 million software developers and 1,000 enterprises on Nexus worldwide.

Sonatype’s last round of funding was in 2016, led by Goldman Sachs, snagging $30 million.
