Thursday Thoughts – 26th November 2021
This week’s Thursday Thoughts features risks to online retail providers, malware being distributed on cryptocurrency chat forums and a DDoS attack on Blizzard’s Battle.net service.
Amazon has announced that UK customers will soon be unable to pay using Visa, and Russia has introduced new legislation requiring an “in country” representative for any company with more than 500,000 daily users in Russia. I’ve included a few details of the US’s latest Tech Black List, which includes Chinese quantum computing companies and bars firms from other nations from nuclear and ballistic missile programs.
Closer to home, the ICO has issued an opinion on adtech which is worth a read, and I’ve included the usual list of fines from around Europe during the last month to give an indication of what the authorities are currently looking at. For those who are interested in such matters, I’ve added a couple of “Dates for the Diary” for events that might be of interest.
Blog of the Week
Wizer - How Multi-Factor Authentication Can Save You
But first - why this is the first Thursday Thoughts for November
Sorry for the absence of Thursday Thoughts this month. November is always a busy time for me because I am a Poppy Appeal Collector and give talks about the Veteran experience to local schools. What always strikes me as I stand outside with my box of Poppies and collection pot is how genuinely supportive everyone is and how much they appreciate our Veterans. My response to each person who says “you’re the first poppy collector I’ve seen” is that collectors are very thin on the ground, especially now the majority of veterans are over 75. We have a very small team in Altrincham (covering Alty, Hale, Broadheath and Hale Barns): there are only about 10 of us to help the coordinator by dropping off pots to schools, shops and businesses, checking the manning of collection points in Tesco, Sainsbury, Asda, Waitrose and Booths, replenishing empty boxes and supporting the hardy “outside collectors” (3 in Altrincham and 1 in Hale). I was especially grateful this year to Tom, Vince, Helen and Steve who helped out at the drop of a hat. An early plug for next year: if anyone else has time, all offers of help will be gratefully received. You will find the Altrincham Poppy Appeal Twitter account at @appeal_poppy.
Online retail is the latest target for cybercriminals
As the majority of consumers moved their shopping habits online as a result of the pandemic, retailers rushed to offer an online platform. These platforms are the latest target for cybercriminals as they look for easy ways to gather customer data. So this is a timely reminder for retailers with an online presence to toughen their protection, as Black Friday will no doubt signal an increased volume of cyberattacks.
Malware campaign targeting crypto, NFT, and DeFi users
Since May this year cybercriminals have been dropping trojans through crypto-themed chats and channels. The threat actors post, or send private messages to victims, on public Discord channels with a crypto-focused audience. They target things such as new NFT drops or cryptocurrency discussions, inviting victims to download a game or an app, or in some cases impersonating existing software projects like the “Mines of Dalarna” game. You can read more here: https://www.bleepingcomputer.com/news/security/discord-malware-campaign-targets-crypto-and-nft-communities/
Blizzard suffers a DDoS attack
Blizzard announced that a DDoS campaign was preventing users from playing Call of Duty, Warzone, Hearthstone etc. on Blizzard’s Battle.net online service yesterday. Services have now resumed, but it is not clear whether the attack ended naturally or whether the company’s security measures stopped it in its tracks.
Amazon plans to stop accepting Visa
Amazon has announced that, because of “the continued high cost of payments”, it plans to stop UK customers from paying for items with Visa credit cards. This is apparently because Visa now charges an extra 1.5% for “cross border card payments”, as the EU cap on such fees no longer applies to the UK. Some speculate that the ban is really a move to get users to switch to Amazon’s own brand cards.
Russia instructs major tech firms to open offices in the country
As a result of a new Federal Law, all foreign companies with more than 500,000 daily users in Russia are now required to have representation in the country. This means 13 major tech firms, including Apple, Google, Facebook, Pinterest and TikTok, will need to ensure that they comply. Although exactly what is meant by “representation” is unclear, the likely consequences of failing to comply could be restrictions on activities, a ban on advertising or even removal of the business from Russian search results. Some believe that this is so that the Russian Government can “get its hands” on a representative of the tech firm if it does not like what is being done on the platform.
Chinese Quantum Computing firms blacklisted
The US has prohibited several Chinese companies that deal with quantum computing from doing business in the US on national security grounds. The US believes that the companies are helping the Chinese military develop its quantum computing programme in the areas of counter-stealth and counter-submarine applications and encryption. Other companies on the list include 3 Pakistani companies which are banned from activities related to nuclear and ballistic missile programs, and a number of firms from Japan and Singapore.
ICO calls for companies to eliminate adtech privacy risks
Digital advertising emerged so quickly as a result of the e-commerce boom that it didn’t really have time to put the individual’s privacy at the forefront of everything it does. Just by looking at the cookie banners of companies (especially media organisations) we can see that they collect and share our personal information with hundreds, if not thousands, of companies. Individuals are often not aware that this is happening, and in too many cases they are not given the opportunity to refuse consent. The ICO believes this must change and has called on the likes of Google and other companies that design new digital advertising technologies to do better. You can read their opinion here: https://ico.org.uk/media/about-the-ico/documents/4019050/opinion-on-data-protection-and-privacy-expectations-for-online-advertising-proposals.pdf
Dates for the Diary
Data Protection World Forum
I am looking forward to a number of presentations at the online PrivSec Global Forum next week, not least those on the implications of working overseas, ‘When Good Data Goes Bad: How to Shine a Light on Sensitive, Toxic, and Risky Data’ and securing your supply chain. If you are interested there is still time to register. You can find more information on what topics will be covered here: https://www.grcworldforums.com/privsec/privsec-global/agenda/full-agenda
Skills for Growth
The “Skills for Growth” session at BLOC Bruntwood Auditorium (Manchester) on January 27 2022 will talk all things digital. If you are looking for “an insight into the key skills, support and opportunities available to SMEs interested in exploring a digital future”, this is the event for you. It’s free and you can register for tickets here: http://ow.ly/kFv350GVV1I
Fines
Bulgaria
The Bulgarian DPA fined a bank €380 for the unlawful transfer of personal data to a third party.
Cyprus
The Cypriot DPA fined WS WiSpear Systems Ltd €925,000 for collecting data from individuals without their knowledge as part of tests and presentations of technologies.
France
The French DPA fined RATP (Paris public transport) €400,000 for keeping the number of strike days exercised by staff in files which were used to support promotion decisions. The CNIL concluded that the total number of days absent was sufficient for this purpose and therefore RATP had violated the principle of data minimization as well as failing to implement appropriate technical and organizational measures.
Netherlands
The Dutch DPA fined airline Transavia €400,000 following a data breach in 2019 in which a hacker was able to download the personal data (including medical data) of 83,000 people.
Poland
The Polish DPA fined Bank Millennium €78,000 after a data breach in which correspondence sent via a courier service was lost. It contained names, PESEL numbers, addresses, and account and identification numbers. The bank did not report the incident to the DPA or to the data subjects.
Spain
€1,000 to a neighbourhood community for failing to display adequate information in signs about a video surveillance system.
€2,000 to Aniversalia Networks for failing to display a GDPR compliant privacy policy on its website.
€3,000 to Fuensanta for “Insufficient cooperation with supervisory authority” after it failed to provide information requested by the DPA to help with an investigation.
€3,000 to a company for failure to provide sufficient information to data subjects about the processing of data gathered for appointment bookings.
Vodafone
This month Vodafone received 3 fines in Spain and one in Romania:
Spain - €40,000 for transferring an individual’s cell phone to a third party without consent, causing the individual to be charged for use of the third party’s systems.
Spain - €40,000 (voluntary payment; original fine €50,000) for sending text messages about a debt for a property where the individual didn’t live (a system error).
Spain - €30,000 (voluntary payment; original fine €50,000) for sending invoices and debiting a bank account for the payment of Vodafone services that the individual had not requested. The charges were the result of fraud, and although Vodafone had cancelled the contract, the outstanding invoices were not cancelled.
Romania - €2,900 for a data breach in which there had been unauthorized access to the personal data of 70 individuals (use of incorrect email addresses and unauthorized access by employees to customer data without their request).
Blog of the Week
Wizer - How Multi-Factor Authentication Can Save You
With the prevalence of WhatsApp, Facebook and LinkedIn account hacking, here is a timely reminder from Wizer on how to enable multi-factor authentication on most social media platforms. Because if you haven’t done it and your account gets hacked, the cybercriminals will almost certainly enable it for you! Then you won’t be able to reset your password and recover your account, and if you have to actually get help from the social media platform it’s likely to take weeks. Share this link with your contacts so they can protect their accounts: https://www.wizer-training.com/blog/quick-guide-to-multi-factor-authentication