As the EU is about to enact a General Data Protection Regulation that will introduce a general obligation to notify personal data breaches for all companies doing business in Europe or directing it towards EU-based customers, we provide the reader with 8 of the most important aspects related to the implementation of this new obligation.
Category Andreas Leupold, Comments, English, EU Law, Europe, European Union, Outlines · Tagged with adverse effect, breach notification process, Chief Information Officer, Chief Privacy Officer, Chief Security Officer, CIO, CPO, CSO, data breaches, data controllers, data processors, data protection authorities, data protection officer, data security breaches, EU Directive 2002/58/EC, EU Directive 2009/136/EC, European Data Protection Board, GDPR, General Data Protection Regulation, incident discovery and reporting system, intelligence agencies, national supervisory authorities, obligation to report, personal data breach, technological protection measures, without undue delay
Posted by Armando Becerra on October 8, 2013 · 4 Comments
On January 14, 2013, the UK Information Commissioner’s Office imposed a monetary penalty of GBP 250,000 on Sony PlayStation Network for its serious breach of the UK Data Protection Act – a penalty Sony eventually decided not to appeal in July. The penalty comes after the company was hacked in April 2011, compromising the personal information of millions of its customers. In this article, I highlight why the ICO made a brilliant move and interpretation of the Act.
Category Armando Becerra, Comments, English, Europe, European Union, United Kingdom · Tagged with accountability, data breach, data security breaches, Information Commissioner’s Office, monetary penalty, Sony PlayStation Network, UK Data Protection Act of 1998, vulnerability
Posted by anniecbai on September 22, 2013 · Leave a Comment
Recent massive data breaches lead us to discuss the movement for new thinking, new strategies and new leadership in IT security. In the new paradigm, flat-out prevention is no longer the goal. Companies need to pursue nuanced risk-management decisions that protect them yet still allow them to do business.
Category Annie C. Bai, English, Europe, European Union, Germany, Opinions · Tagged with Anonymous, BYOD, cybersecurity, cyberthreat, data breach, data security, Federal Office for Information Security (Germany), hackers, insider data breach, IT security, OVH, risk management, security breach, spearphishing, Ubuntu, Vodafone, Vodafone Deutschland
Posted by anniecbai on July 8, 2013 · Leave a Comment
Government data breaches are very much a parochial problem in the U.K., causing indignation in widespread locales. In its recently published Annual Report for 2012/13, the Information Commissioner’s Office (ICO) states that data leaks by local authorities are a priority area for the data protection body. The ICO receives both individual complaints and declarations of self-reported data breaches from public and private entities.
Category Annie C. Bai, Comments, English, Europe, European Union, United Kingdom · Tagged with council data breach, data breach self-reporting, data breaches, data leaks, depersonalized data, Excel data breaches, FOI, Freedom of Information, government data breaches, ICO, individual data protection complaints, Information Commissioner’s Office, local authorities, local government, public sector organizations, self-reported data breaches, sensitive personal data, United Kingdom
Posted by anniecbai on June 8, 2013 · 1 Comment
Government data breaches run the gamut, but recently we are hearing about years-old security vulnerabilities that are not discovered by the government agencies themselves, but by outsiders. Plus, a review of the broad numbers regarding U.S. government data breaches of the past four years.
Category Annie C. Bai, Comments, English, North America, United States · Tagged with Adobe ColdFusion, computer security incident, contractor cybersecurity problem, cyber detection, cybersecurity, cybersecurity attacks, data breaches, data loss, data security, data vulnerabilities, database activity monitoring, Department of Homeland Security, employee privacy awareness, employee privacy training, Federal Information Security Management Act of 2002, government data breach, government-held personal information, hacking, hacktivists, National Archives and Records Administration, network protection, personal information, personally identifiable information, phishing, physical security measures, PII, segmentation measures, side-channel attack, Social Security Number, State of Washington, third-party discovery, third-party vulnerability, Transportation Security Administration, TSA, Unisys, United States, Washington State
In a world where a residential fire occurs every 79 seconds, a laptop is stolen every 53 seconds and a hard drive crashes every 15 seconds, citizens are crying out for help. Do not fear, the Backup Battalion is here! Watch how these super-powered information protectors defend the planet from data-munching monsters and cloud-thrashing titans. Interested in joining the team? Then gather your favorite pair of spandex and read on!
Category English, Infographics, North America, Online Backup Geeks, United States · Tagged with backup, backup failure, computer virus, data loss, destruction, hardware failure, human error, Microsoft, NASA, Pixar, software corruption, T-Mobile, theft
Posted by anniecbai on April 26, 2013 · 1 Comment
What is really happening on the ground with data breaches globally? The Verizon “2013 Data Breach Investigations Report” aggregates and analyzes data from over 47,000 data security incidents and 621 confirmed data breaches. Read this summation to acquaint yourself with the Report’s telling details, unexpected correlations and promising strategies for detection and prevention.
Category Annie C. Bai, Central America, English, Europe, European Union, Latin America, News, North America, Outlines, Reports & Surveys, South America · Tagged with attack methods, authentication-based attacks, cyber espionage, data at rest, data attacks, data breach targets, data breaches, data in transit, data security breaches, data security incidents, external parties, external threat, hacking, hacktivism, insider breaches, insiders, internal actors, internal threat, intrusions, IT security, malware, network intrusions, organized crime, outside actors, political espionage, single-factor password, social engineering, state-affiliated action, systemic weaknesses, targeted assets, threat actions, threat actors, threat detection, threat vectors, threatened assets, threats, Verizon, vulnerability
The European Commission recently published a Proposal for a Regulation on personal data protection. If adopted, it would repeal the 1995 Data Protection Directive. The Proposal includes a new data security framework: both the data controller and the data processor would have to implement appropriate technical and organizational measures in order to ensure that data is secure; a personal data breach would have to be reported within 24 hours to the supervisory authority, and also, without undue delay, to the data subject if the breach would adversely affect his personal data or privacy. We comment on some of the pending issues.
Category Cédric Laurant, Comments, English, EU Law, Europe, European Union, France, Marie-Andrée Weiss, United States · Tagged with appropriate technological protection measures, damage to reputation, data breach notification, data breach notification delay, data breaches, data protection, Data Protection Authority, data protection by default, Data Protection Directive, data protection impact assessment, data security, data security breaches, data subject, delegated acts, e-Privacy Directive, encryption, EU Data Protection Regulation, EU Directive 2009/136/EC, EU Directive 95/46/EC, European Commission, Law of July 29 1881 (France), libel, Michigan Identity Theft Protection Act 452 of 2004, New York Gen. Bus. Law § 899-aa, personal data, privacy by design, publication, security breaches, supervisory authority, technical and organizational measures, U.S. Federal Trade Commission
The European Union is working on a revised set of rules for its data protection framework. The concept and principles of “privacy by design” have been incorporated in this draft. We will assess how data masking can be considered an effective data security measure and whether data masking fulfills privacy by design principles. Data masking is not encryption. It is a technique that replaces real data with fictitious but realistic data in test environments.
Category Cédric Laurant, English, Europe, European Union, Joseph Santangelo, North America, Notes, United States · Tagged with advanced data masking, anonymization, basic data masking, data anonymization, data breaches, data masking, data protection, data protection by default, data security breaches, de-identification, encryption, EU General Data Protection Regulation, European Data Protection Supervisor, obfuscation, PbD, personal data, privacy by design, privacy professionals, privacy-protective technology, provisioning systems, redaction, scheduling systems, security breaches, sensitive information, technical and organizational measures, United States, US Federal Trade Commission
The Home Depot Data Breach
Posted by "Security Breaches" Administrator on September 23, 2014 · Leave a Comment
With up to 60 million customers affected, the recent security breach at North America’s largest hardware store, The Home Depot, once again proves that even some of the largest retailers have not implemented business processes that ensure the timely detection and communication, if not prevention, of such incidents. This post sheds a light on their dire consequences for consumers and what lawmakers in the U.S. and the E.U. intend to do about it.
Category Andreas Leupold, Comments, English, Europe, European Union, North America, United States · Tagged with compensatory and punitive damages, credit card monitoring services, data breach notification, data breaches, Data Security and Breach Notification Act (United States), data security breaches, European Data Protection Board, European Data Protection Regulation, Federal Trade Commission, fingerprint authentication, FTC, GDPR, incident discovery and reporting, National Institute of Standards and Technology, New Hampshire, NIST, security breaches, technical and organizational measures, technological protection measures, The Home Depot