Red card for privacy. Update on the Medibank breach. GAO report shows rise in personal data leaks at DoD. Twitter shake-up raises security concerns.
At a glance.
- Of penalty kicks and privacy.
- Update on the Medibank breach.
- GAO report shows rise in personal data leaks at DoD.
- Twitter shake-up raises security concerns.
Of penalty kicks and privacy.
As we noted yesterday, the Qatar World Cup kicks off in just a few days, and cyber experts are warning participants to be cautious in the face of potential cyber threats linked to the event. As the Wall Street Journal reports, it will be the first FIFA World Cup to be held in the Middle East, and the first in a conservative Muslim country. Two million visitors are expected to gather within a radius of just thirty-five miles around the city of Doha, and with Qatar an authoritarian monarchy with a history of human rights abuses, the culture clash has already created some friction. Although Qatar has a privacy framework, it is not recognized by the EU as providing user protection comparable to Europe’s regulations. The French data protection authority CNIL has advised participants on how to protect themselves against spyware or cyber fraud. “Ideally, you should travel with an empty smartphone … or an old phone that has been reset,” a CNIL spokesperson told POLITICO. “Special care should be taken with images, videos or digital works that could put you in trouble with the laws of the country you are visiting.”
Thousands of surveillance cameras equipped with facial recognition technology will keep a close eye on the events. They are ostensibly for the safety of players and fans, but security experts are cautious. The UK Information Commissioner’s Office says it is “aware of media reports about this case and we will assess the potential impact on the privacy rights of UK citizens. If anyone is concerned about how their data has been handled, they can make a complaint to the ICO.”
Visitors traveling to Qatar for the event must download two mobile apps – the official World Cup app Hayya and the Covid-tracking app Ehteraz – and experts say the platforms give Qatari authorities liberal access to users’ data. Tom Lysemose Hansen, CTO and co-founder of app security firm Promon, told The Register, “Ehteraz is able to install an encrypted file that claims to have a unique ID, QR code, infection status, configuration parameters and proximity data for other devices using the app. Essentially, it is clear that the app is taking data from the end user for more reasons than what is expressed by the given consent button.” Germany’s data protection agency BfDI told The Register it is working with the German Foreign Ministry and the German Federal Office for Information Security to investigate the two apps. The CNIL advises device owners to “restrict online connection to services that require authentication to a strict minimum,” keep the phone with them at all times, and use a strong password.
Richard Bird, CSO at Traceable AI, suggests the benefits of watching the matches from home:
“With all the noise about the apps being marketed in Qatar for the World Cup, no one in cyber security should be shocked that these applications are full of tracking and surveillance capabilities. Personal freedoms are not respected or treated the same everywhere in the world, and if you feel threatened or concerned about Qatar’s stance on allowing the use of these types of apps, then frankly, don’t go to the World Cup. I’m not suggesting that what Qatar is doing is appropriate, I’m just saying that we should stop suggesting that technological freedoms replace situational awareness. The situation in Qatar is that privacy for both residents and visitors is not a concern for the government or the state-backed companies in that region.
“For tourists traveling to Qatar, the answer to maintaining privacy and security really boils down to one of two options. The first? Stay at home and watch the World Cup in your living room or local bar or pub. The second? Like any CISO operating across a global footprint knows, you’re taking a burner phone to Qatar, or China, or Russia. If you balk at the idea of having to pay extra for security and privacy, it’s doubtful that security or privacy is really that important to you on a personal level. In many nations, privacy and security come at a high price. To expect these nations to act differently simply because we expect technology rights and privileges to be respected is naive.”
Neil Jones, director of cybersecurity evangelism at Egnyte, recommends a burner phone if you plan to attend in person.
“Recent research indicates that up to 75% of the world’s population will be covered by modern privacy regulations by the end of 2024. Most of these regulations are designed to protect consumers from having their personally identifiable information (PII) or protected health information (PHI) shared without their specific authorization. However, the situation with the FIFA World Cup apps presents an interesting dilemma – soccer fans cannot attend the events unless they download apps that provide COVID-19 tracking features and even track their geographic location and access their device data. If hacked, the information would be a treasure trove for potential cyber attackers.
“If you plan to travel to the event, I would strongly recommend purchasing a burner phone, if the privacy-limiting features cannot be disabled. Additionally, all users should consider the following when downloading and accessing new applications: 1) If requested, allow only the minimum permissions for the application to work on your device. 2) Strongly consider restricting other users’ access to see your geographic location. 3) Do not allow the application to make calls on your behalf or change your device’s data. 4) Consider deleting event-related applications when the events are concluded.”
Update on the Medibank breach.
In the latest news about the data breach of Medibank, Australia’s leading insurance provider, Medibank chairman Mike Wilkins defended the company’s decision not to meet the demands of the ransomware group responsible for the attack. “Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance that paying the ransom would secure the return of customers’ data and prevent it from being published,” Mr Wilkins told ABC Australia. “In fact, the advice we’ve received is that paying the ransom could have had the opposite effect and encouraged criminals to extort our customers directly, putting more people at risk by making Australia a bigger target.” Medibank CEO David Koczkar says the company has begun reaching out to the 480,000 customers affected by the breach.
GAO report shows rise in personal data leaks at DoD.
The US Government Accountability Office (GAO) released a report on Monday analyzing the data breaches experienced by the Department of Defense (DoD), FCW reports. While cyber intrusions and disruptions are down from 3,880 in 2015 to just 948 last year, data breaches involving personally identifiable information have more than doubled, reaching 1,891 reported cases last year. The report also notes that while the DoD has guidelines for assessing the risk of a personal data breach and informing affected individuals, it is unclear whether these guidelines are being followed. Out of a sample of breaches that occurred between 2017 and 2020, GAO found that DoD contacted only 18% of the individuals designated to be notified of a breach within the ten-day requirement, and that for thirty reported breaches it could not be fully confirmed that a risk assessment was performed. For its part, the DoD says it is developing a new breach reporting system with a built-in risk assessment module, which it expects to implement early in fiscal year 2023.
Twitter shake-up raises security concerns.
The recent purchase of Twitter by Elon Musk has led to major changes for the company. As Bloomberg reports, Musk fired roughly 3,700 of Twitter’s employees, including the social media company’s chief data protection officer, Damien Kieran. The move has sparked security fears, and Ireland’s Data Protection Commission, which is Twitter’s European privacy watchdog, met with company representatives in Dublin to discuss next steps. The DPA is monitoring the situation “closely”, and Grant Doyle, the DPA’s deputy chief, says the company has appointed Renato Monteiro as its acting data protection officer in Kieran’s absence.