Data in the News – August 2020
We’re told that the only way to ease the Coronavirus lockdown restrictions safely is to have a workable contact tracing system in place, ensuring that those showing symptoms are swiftly identified and those who have been in contact with them alerted, thereby ensuring that the virus does not again start to spread exponentially.
No one can dispute that a workable system is imperative, but is our system designed and implemented in a way which protects our right to privacy under GDPR privacy laws?
Test and Trace is a complex system with a huge risk of privacy breaches – people hand over their data, including their date of birth, sex, NHS number, email, telephone, Covid-19 symptoms and the contact details of those who they’ve been around. Not only the NHS but a number of private companies are involved in processing the data.
It does not appear that privacy has been central to the overarching planning of Test and Trace or to the development of discrete elements of the programme. Only under threat of judicial review by the Open Rights Group has the Government admitted that it conducted no overarching DPIA of the system prior to launching it on 28th May 2020. It accepts that such a DPIA was and is required, stating in its response of 15th July 2020 that this is “in the process of being finalised”.
Have you ever wondered how much your personal information goes for on the dark web? Researchers at Privacy Affairs have sifted through the listings in the internet’s seedy underbelly and created an overview of the average price tags attached to your stolen personal data.
The going prices are lower than you probably think – your credit card details, for example, can sell for a few bucks.
Called Dark Web Price Index 2020, the price breakdown of various kinds of stolen personal information shows that, for example, a cloned American Express card with PIN tops the payment card menu at US$35 a pop, while credit card details generally sell for as little as US$12-20. Meanwhile, stolen online banking credentials to accounts with a minimum balance of US$2,000 can go for US$65 on average.
The study by the consulting firm and food retail group surveyed more than 15,000 consumers across 15 European markets to try and gauge attitudes towards data sharing. The study is set in the context of increasing demands for personalised customer experience, which is offset by growing concerns around data privacy.
On average, between 20% and 25% of consumers across the region are willing to share their data, which already reflects a tentative outlook. Nevertheless, distinct variations play out with respect to country, demographic and nature of data. For instance, more consumers are willing to share data in the UK, France and Denmark than there are in Germany, the Netherlands or Belgium.
Twitter has revealed that cyber attackers stole the personal data of as many as eight of the user accounts that were hacked in July, which could include phone numbers and private messages. Hackers took over the official accounts of dozens of politicians, celebrities and high-profile business people — including Democratic presidential hopeful Joe Biden, Barack Obama, Elon Musk, Jeff Bezos and Kim Kardashian — to post messages soliciting bitcoin.
Both the FBI and New York state announced investigations into the hack, which also hit the business accounts of Apple and Uber. The probes come as questions remain about whether employees were tricked into handing over access to the administrative systems or co-operated with hackers, and whether hackers are now in a position to extort the victims whose messages they accessed.
It's not just semantics. Companies that fail to understand the differences between data privacy and data security put their brands and bottom lines in jeopardy.
Ever since the September 2017 Equifax data breach that exposed the personal information of 147 million Americans, and the many other high-profile data breaches that have happened since, data security and data privacy have become pressing boardroom-level concerns.
For many outside of the infosec community, the terms 'data security' and 'data privacy' are often used interchangeably. In reality, even though they share a common goal, they are not the same, said Greg Ewing, cybersecurity partner at Potomac Law: "The difference between data privacy and data security is the difference between protecting someone's personal information and the security measures you have in place to protect all of your business' information."