Tag Archive for: prove

Recent Hacks Prove Need to Educate More Cybersecurity Professionals

(TNS) — The recent hack at MGM Resorts International last week points to a need for more cybersecurity professionals, and to the importance of training them in Massachusetts, an expert says.

Steven Zuromski, chief information officer and vice president of information technology at Bridgewater State University, said Monday that the breach should serve as a reminder to consumers to monitor their finances for unexplained charges or new accounts.

Zuromski said a hacker group known as Blackcat or AlphaV has taken responsibility for the attack on MGM, using common methods of phishing and social engineering. The hackers gleaned information from an MGM employee’s LinkedIn account and used that knowledge to impersonate the individual and convince MGM employees to take steps that left the computer systems vulnerable.

“And wreak serious havoc over there for more than a week,” Zuromski said. “It appears to be pretty widespread.”

Widespread enough that Zuromski worries that consumer and account data might have been stolen. “If these actors were able to get this far,” he said, “MGM needs to be thinking very carefully about what data might have been exfiltrated.”

Last week, Caesars Entertainment told stock regulators that hackers stole Social Security numbers and driver’s license numbers of loyalty program members in a recent data breach.

On Monday, MGM executives briefed the Massachusetts Gaming Commission on cybersecurity issues at their Springfield casino, eight days after hackers damaged MGM’s computer systems companywide.

The discussion was kept to a closed-door executive session, just as commissioners did last week when they got an initial rundown on the hack.

STATE’S NEW RULES

Meantime, the Massachusetts Gaming Commission will host a roundtable Tuesday with the state’s sports betting operators to discuss implementation of new personal data rules the commission approved last month, according to spokesman Thomas Mills.

Those rules govern how the state’s in-person and mobile sports betting operators — a list that includes MGM — can collect and store personal data. The rules forbid them from…

GDPR Penalties Prove Why Compliance Isn’t Enough—And Why Companies Need Clarity

The legal uncertainty created by the General Data Protection Regulation (GDPR) is becoming so common, it’s starting to go unnoticed. In yet another recent example, Poland’s data protection authority (DPA), UODO (“Urząd Ochrony Danych Osobowych” in Polish), fined a European company over €220,000 for failing to comply with a GDPR requirement that companies provide individuals with privacy notices. While it hasn’t drawn considerable attention, this case could have considerable implications for many other European companies. The sanction cuts through expectations that data protection authorities (DPAs) will play a constructive role of both regulators and advisors under the GDPR, and it illustrates that the need to clarify the European privacy law is ever more urgent.

Bisnode, a European digital marketing company that specializes in data analytics, had collected and processed personal data from publicly available registers on six million individuals to provide creditworthiness scores to banks. The company used its access to the email addresses of about 679,000 users to inform them of the processing of their personal data—to which, out of a sample of 90,000 users, only 10 percent objected. But the operational costs of sending letters to the remaining 5.7 million users whose emails were unavailable would amount to €8 million of postal charges, an estimate which did not even include the related administrative costs. As a result, the company decided to publish a general statement on its website to alert the remaining data subjects. However, the Polish DPA decided that Bisnode did not go far enough in upholding its obligations under the GDPR.

The decision to sanction this company is misguided and sets a worrying precedent for two reasons. First, this penalty is a direct consequence of the privacy law’s vague provisions and misleading language, which EU policymakers must urgently clarify. Under Article 14 of the GDPR, organizations collecting and processing personal data must provide privacy notices directly to data subjects. But this obligation does not apply where providing this information is “impossible, or would involve a disproportionate effort.” The Polish company thought it had fulfilled its obligations under the GDPR, as the exorbitant cost of reaching out to the remaining users could trigger this exception. But while accepting the company’s calculations, UODO regulators did not consider that €8 million would constitute a sufficiently “disproportionate effort.” What is more, because the GDPR is not prescriptive about how companies must provide users with information, UODO claimed that the law does not oblige them to inform users specifically via registered post. Hence UODO considered that a public statement was insufficient because the company could have used other solutions, such as sending SMS messages, even though Bisnode did not have telephone numbers for everyone and the costs of doing so would have been high.

Second, this decision calls for a clarification of the role of DPAs under the GDPR. The company had taken a number of proactive steps to comply with the GDPR, yet UODO saw this as nothing more than proof that it was aware of its obligations and thus had intentionally violated them. DPAs should not impose penalties when there is ambiguity in the rules and companies are making an honest effort to comply. Instead, DPAs should play the role of educators so as to facilitate companies’ complex journey towards compliance. Before imposing penalties, they should take into account whether companies acted in good faith when establishing compliance strategies, the extent to which they have implemented compliance procedures internally, and the degree to which the provisions in question are open to interpretation.

Many EU companies have yet to comply with the privacy law and do not expect that they ever will. EU policymakers should realize that the privacy law’s strict and complex requirements may be the main reason why. But the Polish decision shows that compliance may not even be enough. Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions. Even if a company appeals a decision, it will take time before the final outcome establishes jurisprudence.

EU policymakers and data protection authorities should focus on clarifying the legislation, specifying the technical requirements for providing information, and taking into account the costs and difficulties compliance may impose on companies in some cases. Otherwise European businesses will continue to face difficulties interpreting and complying with the GDPR.

Eline Chivot is a senior policy analyst at the Center for Data Innovation, based in Brussels. Daniel Castro is the director of the Center for Data Innovation and vice president of the Information Technology and Innovation Foundation.

Techdirt.

North Korea UN ambassador demands US prove Wannacry ransomware attack claim

  1. North Korea UN ambassador demands US prove Wannacry ransomware attack claim – Fox News
  2. NoKor’s UN ambassador demands US to prove ransomware claim – Inquirer.net
  3. North Korea UN ambassador demands US prove ransomware claim – The Telegram

Useless WannaCry security apps prove you shouldn’t download in a panic – TechRadar

You've probably heard of WannaCry – it's a piece of ransomware that has infected medical computer systems, big business databases and many other platforms. It's not on your Android phone though – so don't download any apps claiming to protect your …