February 8, 2019

Monthly Breach Report: February 2019 Edition

PKWARE

The first month of 2019 witnessed some massive breaches and pointed to flaws in the data security of the states. Here is a glimpse of the top breaches of January 2019.

Google

Google has been fined approximately $57 million by French regulators for violating Europe’s tough new data privacy rules, marking the first major penalty brought against a US technology giant since the region-wide regulations came into existence in 2018.

France’s top data privacy agency, known as the CNIL, said that Google failed to fully disclose to users how their personal data is collected and used. Google also did not correctly obtain users’ consent for the purpose of showing them personalized ads, the watchdog agency said.

Users’ “consent” is presently set as the global default setting, which fails to meet the regulator’s requirement that companies obtain “specific” consent.

In response, Google said it is “studying the decision to determine our next steps.” Google further said, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

In another case, Google has also been accused of GDPR violations by consumer groups across Europe over what they claim are “deceptive practices” around its location tracking.

Source:
Washington Post

Oklahoma Securities Commission

A major data breach was uncovered at the Oklahoma Securities Commission: an unsecured pathway exposed millions of files, encompassing decades’ worth of confidential case file intelligence from the agency along with sensitive FBI investigation source materials, to potential hackers and scammers.

“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” read a report summary released by California-based cybersecurity firm UpGuard.

UpGuard said it had uncovered the breach in December and had notified the affected government agency, the Oklahoma securities department. The exposed data was kept on a state agency server, which wasn’t properly secured with a password, making the information accessible for anyone to see and download.

One database contained about 10,000 Social Security numbers of the brokers and another contained birth information, gender, and other identifying characteristics like eye color for 100,000 brokers. The cybersecurity firm stated that it also found a database which contained information about people with AIDS who were selling life insurance benefits, including names and T cell counts.

Source:
Business Insider

German Politicians

Sensitive information on hundreds of German politicians, celebrities, and other public figures was published online via a Twitter account in one of the largest leaks in the country’s history. The huge cache of documents included personal phone numbers, addresses, credit card details, internal party documents, and private chats. The data, including financial details, contact information, memos, and private chats, was leaked in December but was only recently spotted.

A government spokeswoman, Martina Fietz, said the leaks affected politicians of all levels including those in the European, national, and regional parliaments. “The German government is taking this incident very seriously,” she said, adding that faked documents could be among the cache.

Politicians from Germany’s far-left Linke party were the first to confirm that their information had been compromised, but the scope grew as details from almost all parties were found to have been leaked.

A defense ministry spokesman also said the armed forces had not been affected by the breach.

Source:
The Guardian

Minnesota Department of Human Services

The Minnesota Department of Human Services was informed of a data breach that potentially exposed personal information of up to 3,000 people. Commissioner Tony Lourey informed legislative leaders that the breach took place on September 28, 2018, when an employee fell for a phishing scam by clicking on a malicious link, which caused the employee’s email account to send spam.

Lourey says technicians were not able to identify what kind of personal information might have been accessed, although the affected account contained data on DHS employees and clients, including their names, dates of birth, phone numbers, emails, and information on child protection cases. The information also included Social Security and driver’s license numbers as well as financial data of about 30 people.

“We respect and value the privacy of the Minnesotans we serve and sincerely regret any concern or other negative impact this incident may cause,” Lourey said in his letter to legislators.

In October 2018, the same state agency had reported that scammers compromised two state email accounts over the summer, giving them access to the private information of about 21,000 Minnesotans, although there was no evidence of the information being “viewed, downloaded, or misused.”

Source:
Twin Cities

Keep your business out of data breach headlines with help from PKWARE. Find out how with a free demo.
