Google will let enterprises store their Google Workspace encryption keys

As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces who use it is that it isn’t end-to-end encrypted, allowing Google — or any requesting government agency — access to a company’s files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys.

Google Workspace, the company’s enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company’s data will be indecipherable to Google.

Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales, or Virtru, which are compatible with Google’s specifications. The move is largely aimed at regulated industries — like finance, healthcare, and defense — where intellectual property and sensitive data are subject to intense privacy and compliance rules.

(Image: Google / supplied)

The real magic lands later in the year when Google will publish details of an API that will let enterprise customers build their own in-house key service, allowing workplaces to retain direct control of their encryption keys. That means if the government wants that company’s data, they have to knock on their front door — and not sneak around the back by serving the key holder with a legal demand.

Google published technical details of how the client-side encryption feature works, and will roll out as a beta in the coming weeks.

Tech companies giving their corporate customers control of their own encryption keys has been a growing trend in recent years. Slack and cloud vendor Egnyte bucked the trend by allowing their enterprise users to store their own encryption keys, effectively cutting themselves out of the surveillance loop. But Google has dragged its feet on encryption for so long that startups are working to build alternatives that bake in encryption from the ground up.

Google said it’s also pushing out new trust rules for how files are shared in Google Drive to give administrators more granularity on how different levels of sensitive files can be shared, and new data classification labels to mark documents with a level of sensitivity such as “secret” or “internal”.

The company said it’s improving its malware protection efforts by now blocking phishing and malware shared from within organizations. The aim is to help cut down on employees mistakenly sharing malicious documents.

#api, #cloud-storage, #computing, #cryptography, #data-protection, #data-security, #egnyte, #encryption, #end-to-end-encryption, #finance, #google, #google-workspace, #google-drive, #healthcare, #privacy, #security, #technology, #thales

0

Cyber security training platform Immersive Labs closes $75M Series C led by Insight Partners

Immersive Labs, a platform which teaches cyber security skills corporate employees by using real, up-to-date threat intelligence in a “gamified” way, has closed a $75 million Series C funding round led by new investors Insight Partners alongside Menlo Ventures, Citi Ventures and existing investor Goldman Sachs Asset Management.

The investment will be used to scale Immersive’s offering in the US and take advantage of the new wave of interest in cyber threats caused by so many people working remotely, post-pandemic. Founded in 2017, Immersive Labs now has 200 people, with joint operations HQs in Bristol, UK, and Boston, US. It plans to raise headcount to over 600 in the next two years and establish operations in new regions throughout APAC and Europe. Immersive’s ‘Cyber Workforce Optimization’ platform claims to offer board-level metrics and benchmarking to gauge how the skills inside organizations are coping.

Immersive has now raised a total of $123m in venture funding and counts HSBC, Vodafone, and the NHS as customers. The company says it is growing at “over 100% year-on-year”.

James Hadley, CEO and founder of Immersive Labs, said: “With cyber risk becoming a problem for a growing number of business functions, cybersecurity knowledge and skills should no longer be the preserve of a few technical people hidden away in a back office. Everyone from the teams who build software, to the CEO, now need to play their part in addressing a pervasive company issue. This requires unlocking and evidencing skills in a much broader group of people.”

Ryan Hinkle, managing director at Insight Partners, said: “With significant global customer and revenue growth over the last few years, Immersive Labs has established a strong position in the fast-developing cyber skills space. With influential leadership, an innovative product in a growing market, and strong user engagement, the company is in a position to continue to lead the cyber readiness market.”

Speaking to me over an interview, Hadley added: “We chose Insight Partners because they’ve got a real strength in enterprise B2B which is where we sell to CIOs and CEOs… We want to be the next Darktrace in terms of a successful UK cybersecurity company.”

The comparison might not be that fanciful. Immersive Labs came out of the CYLON cyber accelerator, similar to Darktrace, has the same investors as Darktrace, but has in fact attracted $75m for its Series C, whereas Darktrace didn’t manage that level until Series D. Darktrace has now IPO’d in the London for £1.7bn.

Hadley, a former GCHQ security researcher and trainer, came up with the idea for the cyber skills platform while leading cyber training himself. I asked him why he thinks Immersive has managed to come up with a ‘flywheel effect’ with its platform.

“People always talk about all the cyber threats getting worse, but it really is now and it’s in the public domain. We’ve got a strong belief that cybersecurity is no longer the responsibility of the geeks in the basement. Actually, it’s business-wide. And now the tidal wave is coming. Cybercrime is going to go off the scale this year and next because companies are paying the ransoms. And as a result of that, we’re putting in analytics to measure decision-making in a crisis. It’s just resonating really well with every company regardless of CIO or vertical,” he told me.

#boston, #bristol, #ceo, #cio, #citi-ventures, #computer-security, #crime, #cybercrime, #darktrace, #data-security, #europe, #gchq, #hsbc, #immersive, #immersive-labs, #london, #menlo-ventures, #nhs, #series-c, #tc, #united-kingdom, #united-states, #vodafone

0

It’s time for security teams to embrace security data lakes

The average corporate security organization spends $18 million annually but is largely ineffective at preventing breaches, IP theft and data loss. Why? The fragmented approach we’re currently using in the security operations center (SOC) does not work.

Here’s a quick refresher on security operations and how we got where we are today: A decade ago, we protected our applications and websites by monitoring event logs — digital records of every activity that occurred in our cyber environment, ranging from logins to emails to configuration changes. Logs were audited, flags were raised, suspicious activities were investigated, and data was stored for compliance purposes.

The security-driven data stored in a data lake can be in its native format, structured or unstructured, and therefore dimensional, dynamic and heterogeneous, which gives data lakes their distinction and advantage over data warehouses.

As malicious actors and adversaries became more active, and their tactics, techniques and procedures (or TTP’s, in security parlance) grew more sophisticated, simple logging evolved into an approach called “security information and event management” (SIEM), which involves using software to provide real-time analysis of security alerts generated by applications and network hardware. SIEM software uses rule-driven correlation and analytics to turn raw event data into potentially valuable intelligence.

Although it was no magic bullet (it’s challenging to implement and make everything work properly), the ability to find the so-called “needle in the haystack” and identify attacks in progress was a huge step forward.

Today, SIEMs still exist, and the market is largely led by Splunk and IBM QRadar. Of course, the technology has advanced significantly because new use cases emerge constantly. Many companies have finally moved into cloud-native deployments and are leveraging machine learning and sophisticated behavioral analytics. However, new enterprise SIEM deployments are fewer, costs are greater, and — most importantly — the overall needs of the CISO and the hard-working team in the SOC have changed.

New security demands are asking too much of SIEM

First, data has exploded and SIEM is too narrowly focused. The mere collection of security events is no longer sufficient because the aperture on this dataset is too narrow. While there is likely a massive amount of event data to capture and process from your events, you are missing out on vast amounts of additional information such as OSINT (open-source intelligence information), consumable external-threat feeds, and valuable information such as malware and IP reputation databases, as well as reports from dark web activity. There are endless sources of intelligence, far too many for the dated architecture of a SIEM.

Additionally, data exploded alongside costs. Data explosion + hardware + license costs = spiraling total cost of ownership. With so much infrastructure, both physical and virtual, the amount of information being captured has exploded. Machine-generated data has grown at 50x, while the average security budget grows 14% year on year.

The cost to store all of this information makes the SIEM cost-prohibitive. The average cost of a SIEM has skyrocketed to close to $1 million annually, which is only for license and hardware costs. The economics force teams in the SOC to capture and/or retain less information in an attempt to keep costs in check. This causes the effectiveness of the SIEM to become even further reduced. I recently spoke with a SOC team who wanted to query large datasets searching for evidence of fraud, but doing so in Splunk was cost-prohibitive and a slow, arduous process, leading the team to explore alternatives.

The shortcomings of the SIEM approach today are dangerous and terrifying. A recent survey by the Ponemon Institute surveyed almost 600 IT security leaders and found that, despite spending an average of $18.4 million annually and using an average of 47 products, a whopping 53% of IT security leaders “did not know if their products were even working.” It’s clearly time for change.

#column, #computer-security, #crowdstrike, #cybersecurity, #data-security, #developer, #ec-column, #ec-cybersecurity, #machine-learning, #security, #splunk, #tc

0

The rise of cybersecurity debt

Ransomware attacks on the JBS beef plant, and the Colonial Pipeline before it, have sparked a now familiar set of reactions. There are promises of retaliation against the groups responsible, the prospect of company executives being brought in front of Congress in the coming months, and even a proposed executive order on cybersecurity that could take months to fully implement.

But once again, amid this flurry of activity, we must ask or answer a fundamental question about the state of our cybersecurity defense: Why does this keep happening?

I have a theory on why. In software development, there is a concept called “technical debt.” It describes the costs companies pay when they choose to build software the easy (or fast) way instead of the right way, cobbling together temporary solutions to satisfy a short-term need. Over time, as teams struggle to maintain a patchwork of poorly architectured applications, tech debt accrues in the form of lost productivity or poor customer experience.

Complexity is the enemy of security. Some companies are forced to put together as many as 50 different security solutions from up to 10 different vendors to protect their sprawling technology estates.

Our nation’s cybersecurity defenses are laboring under the burden of a similar debt. Only the scale is far greater, the stakes are higher and the interest is compounding. The true cost of this “cybersecurity debt” is difficult to quantify. Though we still do not know the exact cause of either attack, we do know beef prices will be significantly impacted and gas prices jumped 8 cents on news of the Colonial Pipeline attack, costing consumers and businesses billions. The damage done to public trust is incalculable.

How did we get here? The public and private sectors are spending more than $4 trillion a year in the digital arms race that is our modern economy. The goal of these investments is speed and innovation. But in pursuit of these ambitions, organizations of all sizes have assembled complex, uncoordinated systems — running thousands of applications across multiple private and public clouds, drawing on data from hundreds of locations and devices.

Complexity is the enemy of security. Some companies are forced to put together as many as 50 different security solutions from up to 10 different vendors to protect their sprawling technology estates — acting as a systems integrator of sorts. Every node in these fantastically complicated networks is like a door or window that might be inadvertently left open. Each represents a potential point of failure and an exponential increase in cybersecurity debt.

We have an unprecedented opportunity and responsibility to update the architectural foundations of our digital infrastructure and pay off our cybersecurity debt. To accomplish this, two critical steps must be taken.

First, we must embrace open standards across all critical digital infrastructure, especially the infrastructure used by private contractors to service the government. Until recently, it was thought that the only way to standardize security protocols across a complex digital estate was to rebuild it from the ground up in the cloud. But this is akin to replacing the foundations of a home while still living in it. You simply cannot lift-and-shift massive, mission-critical workloads from private data centers to the cloud.

There is another way: Open, hybrid cloud architectures can connect and standardize security across any kind of infrastructure, from private data centers to public clouds, to the edges of the network. This unifies the security workflow and increases the visibility of threats across the entire network (including the third- and fourth-party networks where data flows) and orchestrates the response. It essentially eliminates weak links without having to move data or applications — a design point that should be embraced across the public and private sectors.

The second step is to close the remaining loopholes in the data security supply chain. President Biden’s executive order requires federal agencies to encrypt data that is being stored or transmitted. We have an opportunity to take that a step further and also address data that is in use. As more organizations outsource the storage and processing of their data to cloud providers, expecting real-time data analytics in return, this represents an area of vulnerability.

Many believe this vulnerability is simply the price we pay for outsourcing digital infrastructure to another company. But this is not true. Cloud providers can, and do, protect their customers’ data with the same ferocity as they protect their own. They do not need access to the data they store on their servers. Ever.

To ensure this requires confidential computing, which encrypts data at rest, in transit and in process. Confidential computing makes it technically impossible for anyone without the encryption key to access the data, not even your cloud provider. At IBM, for example, our customers run workloads in the IBM Cloud with full privacy and control. They are the only ones that hold the key. We could not access their data even if compelled by a court order or ransom request. It is simply not an option.

Paying down the principal on any kind of debt can be daunting, as anyone with a mortgage or student loan can attest. But this is not a low-interest loan. As the JBS and Colonial Pipeline attacks clearly demonstrate, the cost of not addressing our cybersecurity debt spans far beyond monetary damages. Our food and fuel supplies are at risk, and entire economies can be disrupted.

I believe that with the right measures — strong public and private collaboration — we have an opportunity to construct a future that brings forward the combined power of security and technological advancement built on trust.

#cloud-computing, #cloud-infrastructure, #cloud-management, #colonial-pipeline, #column, #cybersecurity, #cyberwarfare, #data-security, #developer, #encryption, #opinion, #security, #software-development, #tc

0

UK PM Boris Johnson’s Tories guilty of spamming voters

The governing party of the UK has been fined £10k by the national data protection watchdog for sending spam.

The Information Commissioner’s (ICO) Office has sanctioned the Conservative Party following an investigation triggered by complaints from 51 recipients of unwanted marketing emails sent in the name of prime minister, Boris Johnson.

The emails in question were sent during eight days in July 2019 after Johnson had been elected as Party leader (and also therefore became UK PM) — urging the recipients to click on a link that directed them to a website for joining the Conservative Party.

Direct marketing is regulated in the UK by PECR (the Privacy and Electronic Communications Regulations) — which requires senders to obtain individual consent to distribute digital marketing missives.

But the ICO’s investigation found that the Conservative Party lacked written policies addressing PECR and appeared to be operating under the misguided assumption that their “legitimate interests” overrode the legal requirements related to sending this type of direct marketing.

The Party had also switched bulk email provider — during which unsubscribe records were apparently lost. But ofc that’s not an excuse for breaking the law. (Indeed, record-keeping is a core requirement of UK data protection law, especially since the EU General Data Protection Regulation was transposed into national law back in 2018.) And the ICO found the Tories were unable to adequately explain what had gone wrong.

In another damningly twist, the Conservative Party had been subject to what the ICO calls “detailed engagement” at the time it was spamming people.

This was a result of wider action by the regulator, looking into the ecosystem and ethics around online political ads in the wake of the Cambridge Analytica scandal — and the Party had already been warned of inadequate standards in its compliance with data protection and privacy law. But it went ahead and spammed people anyway. 

So while ‘only’ 51 complaints were received by the ICO from individual recipients of Boris Johnson’s spam, the ICO found the Tories could not fully demonstrate they had the proper consents for over a million (1,190,280) direct marketing emails sent between July 24 and 31 2019. (The ICO takes that view that at least 549,030 of those, which were send to non-Party members, were “inherently likely” to have the same compliance issues as were identified with the emails sent to the 51 complainants.)

Moreover, the Party continued to have scant regard for the law as it spun up its spam engines ahead of the 2019 General Election — which saw Johnson gain a landslide majority of 80 seats in a winter ballot.

“During the course of the Commissioner’s investigation, the Party proceeded to engage in an industrial-scale direct marketing email exercise during the 2019 General Election campaign, sending nearly 23M emails,” the ICO notes. “This generated a further 95 complaints to the Commissioner, which are likely to have resulted from the Party’s failure to address the compliance issues identified in the Commissioner’s investigation into the July 2019 email campaign and the wider audit of the Party’s processing of personal data.”

Its report also chronicles “extensive delays” by the Conservative Party in responding to its requests for information and clarification — so while it was not found to have obstructed the investigation the regulator does write that its conduct “cannot be characterised as a mitigating factor”.

While the ICO penalty is an embarrassing slap for Boris Johnson’s Tories, a data audit of all the main UK political parties it put out last year spared no blushes — with all parties found wanting in how they handle and safeguard voter information.

However it’s only the Conservatives’ fast and loose attitude toward people’s data and privacy online that could have contributed to them being able to consolidate power at the last election.

#boris-johnson, #cambridge-analytica, #computing, #conservative-party, #data-protection, #data-protection-law, #data-security, #digital-marketing, #email, #european-union, #general-data-protection-regulation, #general-election, #leader, #marketing, #spamming, #tc, #united-kingdom

0

EU bodies’ use of US cloud services from AWS, Microsoft being probed by bloc’s privacy chief

Europe’s lead data protection regulator has opened two investigations into EU institutions’ use of cloud services from U.S. cloud giants, Amazon and Microsoft, under so called Cloud II contracts inked earlier between European bodies, institutions and agencies and AWS and Microsoft.

A separate investigation has also been opened into the European Commission’s use of Microsoft Office 365 to assess compliance with earlier recommendations, the European Data Protection Supervisor (EDPS) said today.

Wojciech Wiewiórowski is probing the EU’s use of U.S. cloud services as part of a wider compliance strategy announced last October following a landmark ruling by the Court of Justice (CJEU) — aka, Schrems II — which struck down the EU-US Privacy Shield data transfer agreement and cast doubt upon the viability of alternative data transfer mechanisms in cases where EU users’ personal data is flowing to third countries where it may be at risk from mass surveillance regimes.

In October, the EU’s chief privacy regulator asked the bloc’s institutions to report on their transfers of personal data to non-EU countries. This analysis confirmed that data is flowing to third countries, the EDPS said today. And that it’s flowing to the U.S. in particular — on account of EU bodies’ reliance on large cloud service providers (many of which are U.S.-based).

That’s hardly a surprise. But the next step could be very interesting as the EDPS wants to determine whether those historical contracts (which were signed before the Schrems II ruling) align with the CJEU judgement or not.

Indeed, the EDPS warned today that they may not — which could thus require EU bodies to find alternative cloud service providers in the future (most likely ones located within the EU, to avoid any legal uncertainty). So this investigation could be the start of a regulator-induced migration in the EU away from U.S. cloud giants.

Commenting in a statement, Wiewiórowski said: “Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations. I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the ‘Schrems II’ judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”

Amazon and Microsoft have been contacted with questions regarding any special measures they have applied to these Cloud II contracts with EU bodies.

The EDPS said it wants EU institutions to lead by example. And that looks important given how, despite a public warning from the European Data Protection Board (EDPB) last year — saying there would be no regulatory grace period for implementing the implications of the Schrems II judgement — there hasn’t been any major data transfer fireworks yet.

The most likely reason for that is a fair amount of head-in-the-sand reaction and/or superficial tweaks made to contracts in the hopes of meeting the legal bar (but which haven’t yet been tested by regulatory scrutiny).

Final guidance from the EDPB is also still pending, although the Board put out detailed advice last fall.

The CJEU ruling made it plain that EU law in this area cannot simply be ignored. So as the bloc’s data regulators start scrutinizing contracts that are taking data out of the EU some of these arrangement are, inevitably, going to be found wanting — and their associated data flows ordered to stop.

To wit: A long-running complaint against Facebook’s EU-US data transfers — filed by the eponymous Max Schrems, a long-time EU privacy campaigners and lawyer, all the way back in 2013 — is slowing winding toward just such a possibility.

Last fall, following the Schrems II ruling, the Irish regulator gave Facebook a preliminary order to stop moving Europeans’ data over the pond. Facebook sought to challenge that in the Irish courts but lost its attempt to block the proceeding earlier this month. So it could now face a suspension order within months.

How Facebook might respond is anyone’s guess but Schrems suggested to TechCrunch last summer that the company will ultimately need to federate its service, storing EU users’ data inside the EU.

The Schrems II ruling does generally look like it will be good news for EU-based cloud service providers which can position themselves to solve the legal uncertainty issue (even if they aren’t as competitively priced and/or scalable as the dominant US-based cloud giants).

Fixing U.S. surveillance law, meanwhile — so that it gets independent oversight and accessible redress mechanisms for non-citizens in order to no longer be considered a threat to EU people’s data, as the CJEU judges have repeatedly found — is certainly likely to take a lot longer than ‘months’. If indeed the US authorities can ever be convinced of the need to reform their approach.

Still, if EU regulators finally start taking action on Schrems II — by ordering high profile EU-US data transfers to stop — that might help concentrate US policymakers’ minds toward surveillance reform. Otherwise local storage may be the new future normal.

#amazon, #aws, #cloud, #cloud-services, #data-protection, #data-protection-law, #data-security, #eu-us-privacy-shield, #europe, #european-commission, #european-data-protection-board, #european-union, #facebook, #lawyer, #max-schrems, #microsoft, #privacy, #surveillance-law, #united-states, #wojciech-wiewiorowski

0

Security startup Tessian, which uses AI to fight social engineering, trousers $65M

In the latest chunky funding round out of Europe, UK-based email security startup, Tessian, has closed $65 million in Series C funding. The startup applies machine learning to build individual behavior models for enterprise email use that aims to combat human error by flagging problematic patterns which could signify risky stuff is happening — such as phishing or data exfiltration.

The Series C round was led by March Capital. Existing investors Accel, Balderton Capital, Latitude and Sequoia Capital also participated, along with new investor Schroder Adveq.

The latest financing brings Tessian’s total raised to-date to $120M+, and values the company at $500M, it said today.

The 2013 founded startup last raised back in January 2019 when it closed a $40M Series B (news that was scooped by former TCer, Steve O’Hear). Prior to that it grabbed a $13M Series A in mid 2018.

Tessian has around 350 global customers at this stage, across the legal, financial services, healthcare and technology sectors — name-checking the likes of Affirm, Arm, Investec and RealPagem among them.

Over the past year there has been much coverage of the security risks associated with the pandemic-sparked remote working boom, as scores of white collars workers started logging on from home — expanding the attack surface area which enterprises needed to manage.

It’s a risk that’s been good for Tessian’s business: The startup says it tripled its Fortune 500-level customer base last year — “as enterprises required a solution that could protect them against human layer security threats”, as it puts it.

It says the new funding will go on expanding its platform’s capabilities; helping companies replace their secure email gateways and legacy data loss prevention solutions; and on growing its team (it plans to triple headcount in short order with a particular focus on growing its sales team in North America).

The Series C funds will also support a plan to expand beyond email to offer security protections for other interfaces such as messaging, web and collaboration platforms — which it says is on the cards “soon”.

Commenting on the round in a statement, Jamie Montgomery, co-founder and managing partner at March Capital said: “Human activity — whether inadvertent or malicious — is the leading cause of data breaches. In Tessian, we found a best-in-class solution that automatically stops threats in real-time, without disrupting the normal flow of business. It is rare to hear such overwhelmingly positive feedback from CISOs and business users alike. We came to the same conclusion; Tessian is rapidly emerging as the leader in human layer security for the enterprise.”

A number of UK-based AI security startups have been building momentum in recent years, with others like Red Shift and Senseon also getting traction by applying machine learning to tackle risks.

In April, Cambridge-based Darktrace — a category pioneer — led the pack by floating on the London Stock Exchange where it saw its shares pop 32% in the IPO debut.

While, last year, the UK government pledged to ramp up R&D spending on AI as part of a major defense spending hike.

#artificial-intelligence, #balderton-capital, #computer-security, #darktrace, #data-security, #europe, #fundings-exits, #information-technology, #machine-learning, #march-capital, #north-america, #recent-funding, #schroder-adveq, #security, #sequoia-capital, #startup-company, #startups, #tessian, #united-kingdom

0

Zocdoc says ‘programming errors’ exposed access to patients’ data

Zocdoc says it has fixed a bug that allowed current and former staff at doctor’s offices and dental practices to access patient data because their user accounts weren’t properly decommissioned.

The New York-based company revealed the issue in a letter to the California attorney general’s office, which requires companies with more than 500 residents of the state affected by a security lapse or breach to disclose the incident.

Zocdoc, which lets prospective patients book appointments with doctors and dentists, said that it gives each medical or dental practice usernames and passwords for its staff to access appointments made through Zocdoc, but that “programming errors” — essentially a software bug in Zocdoc’s own systems — “allowed some past or current practice staff members to access the provider portal after their usernames and passwords were intended to be removed, deleted or otherwise limited.”

The letter confirmed that patient data stored in Zocdoc’s portal could have been accessed, including a patient’s name, email address, phone number, and the times and dates of their appointments, but also other data that may have been shared with the practice — such as insurance details, Social Security numbers and details of the patient’s medical history.

But Zocdoc said payment card numbers, radiological or diagnostic reports, and medical records were not taken, since it does not store this data.

In an email, Zocdoc spokesperson Sandra Glading said that the company discovered the bug in August 2020, but “due to the complexity of the code, it took a significant amount of investigation to determine which, if any, practices and users were affected and how.” The company said it provided notice to the California’s attorney general’s office “as soon as was practicable.”

Zocdoc said it has “detailed logs that can detect exploitation of any data, including any potential exploitation of this vulnerability,” and that after a review of those logs and other investigative work, “we have no indication, at this time, that any personal information was misused in any way.”

Around 6 million users access Zocdoc a month, the company said.

If this incident sounds vaguely familiar, it’s because this was a near-identical security issue to one Zocdoc reported in 2016. A letter filed at the time cited similar “programming errors” that allowed staff at medical providers to improperly access patient data.

#computer-security, #data-security, #new-york, #password, #security, #zocdoc

0

European Parliament amps up pressure on EU-US data flows and GDPR enforcement

European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing” the regulation.

The Commission and the DPC have been contacted for comment on the parliament’s call.

Last summer the Commission’s own two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point”.

But it’s now nearly three years since the regulation begun being applied and criticism over weak enforcement is getting harder for the EU’s executive to ignore.

The parliament’s resolution — which, while non-legally binding, fires a strong political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcement of the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies which choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).

The text of the resolution expresses “deep concern” over the DPC’s failure to reach a decision on a number of complaints against breaches of the GDPR filed the day it came into application, on May 25, 2018 — including against Facebook and Google — and criticises the Irish data watchdog for interpreting ‘without delay’ in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it.

To date the DPC has only reached a final decision on one cross-border GDPR case — against Twitter.

The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint originally brought by privacy campaigner Max Schrems years before the GDPR came into application, which relates to the clash between EU privacy rights and US surveillance laws, and which still hasn’t resulted in a decision.

The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU — which in turn led to the landmark Schrems II judgement last summer invalidating the flagship EU-US data transfer arrangement, Privacy Shield.

That ruling did not outlaw alternative data transfer mechanisms but made it clear that EU DPAs have an obligation to step in and suspend data transfers if European’s information is being taken to a third country that does not have essentially equivalent protections to those they have under EU law — thereby putting the ball back in the DPC’s court on the Schrems complaint.

The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers and the tech giant responded by filing for a judicial review of the DPC’s processes. However the Irish High Court rejected Facebook’s petition last week. And a stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of reaching a decision on the Facebook data flows complaint has started moving again.

A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.

The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR”, and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it:

Is concerned about the insufficient level of enforcement of the GDPR, particularly in the area of international transfers; expresses concerns at the lack of prioritisation and overall scrutiny by national supervisory authorities with regard to personal data transfers to third countries, despite the significant CJEU case law developments over the past five years; deplores the absence of meaningful decisions and corrective measures in this regard, and urges the EDPB [European Data Protection Board] and national supervisory authorities to include personal data transfers as part of their audit, compliance and enforcement strategies; points out that harmonised binding administrative procedures on the representation of data subjects and admissibility are needed to provide legal certainty and deal with crossborder complaints;

The knotty, multi-year saga of Schrems’ Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook’s lawyers’ delaying tactics, illustrates the multi-layered legal, political and commercial complexities bound up with data flows out of the EU (post-Snowden’s 2013 revelations of US mass surveillance programs) — not to mention the staggering challenge for EU data subjects to actually exercise the rights they have on paper. But these intersecting issues around international data flows do seem to be finally coming to a head, in the wake of the Schrems II CJEU ruling.

The clock is now ticking for the issuing of major data suspension orders by EU data protection agencies, with Facebook’s business first in the firing line.

Other US-based services that are — similarly — subject to the US’ FISA regime (and also move EU users data over the pond for processing; and whose businesses are such they cannot shield user data via ‘zero access’ encryption architecture) are equally at risk of receiving an order to shut down their EU-US data-pipes. Or else having to shift data processing for these users inside the EU.

US-based services aren’t the only ones facing increasing legal uncertainty, either.

The UK, post-Brexit, is also classed as a third country (in EU law terms). And in a separate resolution today the parliament adopted a text on the UK adequacy agreement, granted earlier this year by the Commission, which raises objections to the arrangement — including by flagging a lack of GDPR enforcement in the UK as problematic.

On that front the parliament highlights how adtech complaints filed with the ICO have failed to yield a decision. (It writes that it’s concerned “non-enforcement is a structural problem” in the UK — which it suggests has left “a large number of data protection law breaches… [un]remedied”.)

It also calls out the UK’s surveillance regime, questioning its compatibility with the CJEU’s requirements for essential equivalence — while also raising concerns about the risk that the UK could undermine protections on EU citizens data via onward transfers to jurisdictions the EU does not have an adequacy agreement with, among other objections.

The Commission put a four year lifespan on the UK’s adequacy deal — meaning there will be another major review ahead of any continuation of the arrangement in 2025.

It’s a far cry from the ‘hands-off’ fifteen years the EU-US ‘Safe Harbor’ agreement stood for, before a Schrems challenge finally led to the CJEU striking it down back in 2015. So the takeaway here is that data deals that allow for people’s information to leave Europe aren’t going to be allowed to stand unchecked for years; close scrutiny and legal accountability are now firmly up front — and will remain in the frame going forward.

The global nature of the Internet and the ease with which data can digitally flow across borders of course brings huge benefits for businesses — but the resulting interplay between different legal regimes is leading to increasing levels of legal uncertainty for companies seeking to take people’s data across borders.

In the EU’s case, the issue is that data protection is regulated within the bloc and these laws require that protection stays with people’s information, no matter where it goes. So if the data flows to countries that do not offer the same safeguards — be that the US or indeed China or India (or even the UK) — then that risk is that it can’t, legally, be taken there.

How to resolve this clash, between data protection laws based on individual privacy rights and data access mandates driven by national security priorities, has no easy answers.

For the US, and for the transatlantic data flows between the EU and the US, the Commission has warned there will be no quick fix this time — as happened when it slapped a sticking plaster atop the invalidated Safe Harbor, hailing a new ‘Privacy Shield’ regime; only for the CJEU to blast that out of the water for much the same reasons a few years later. (The parliament resolution is particularly withering in its assessment of the Commission’s historic missteps there.)

For a fix to stick, major reform of US surveillance law is going to be needed. And the Commission appears to have accepted that’s not going to come overnight, so it seems to be trying to brace businesses for turbulence…

The parliament’s resolution on Schrems II also makes it clear that it expects DPAs to step in and cut off risky data flows — with MEPs writing that “if no arrangement with the US is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved”.

So if DPAs fail to do this — and if Ireland keeps dragging its feet on closing out the Schrems complaint — they should expect more resolutions to be blasted at them from the parliament.

MEPs emphasize the need for any future EU-US data transfer agreement “to address the problems identified by the Court ruling in a sustainable manner” — pointing out that “no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance”.

“This requires a reform of US surveillance laws and practices with a view to ensuring that access of US security authorities to data transferred from the EU is limited to what is necessary and proportionate, and that European data subjects have access to effective judicial redress before US courts,” the parliament adds.

It’s still true that businesses may be able to legally move EU personal data out of the bloc. Even, potentially, to the US — depending on the type of business; the data itself; and additional safeguards that could be applied.

However for data-mining companies like Facebook — which are subject to FISA and whose businesses rely on accessing people’s data — then achieving essential equivalence with EU privacy protections looks, well, essentially impossible.

And while the parliament hasn’t made an explicit call in the resolution for Facebook’s EU data flows to be cut off that is the clear implication of it urging infringement proceedings against the DPC (and deploring “the absence of meaningful decisions and corrective measures” in the area of international transfers).

The parliament says it wants to see “solid mechanisms compliant with the CJEU judgement” set out — for the benefit of businesses with the chance to legally move data out of the EU — saying, for example, that the Commission’s proposal for a template for Standard Contractual Clauses (SCCs) should “duly take into account all the relevant recommendations of the EDPB“.

It also says it supports the creation of a tool box of supplementary measures for such businesses to choose from — in areas like security and data protection certification; encryption safeguards; and pseudonymisation — so long as the measures included are accepted by regulators.

It also wants to see publicly available resources on the relevant legislation of the EU’s main trading partners to help businesses that have the possibility of being able to legally move data out of the bloc get guidance to help them do so with compliance.

The overarching message here is that businesses should buckle up for disruption of cross-border data flows — and tool up for compliance, where possible.

In another segment of the resolution, for example, the parliament calls on the Commission to “analyse the situation of cloud providers falling under section 702 of the FISA who transfers data using SCCs” — going on to suggest that support for European alternatives to US cloud providers may be needed to plug “gaps in the protection of data of European citizens transferred to the United States” and “reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union’s strategic autonomy in terms of data management and protection”.

#brexit, #china, #cloud, #data-mining, #data-protection, #data-protection-commission, #data-security, #encryption, #eu-us-privacy-shield, #europe, #european-data-protection-board, #european-parliament, #european-union, #facebook, #general-data-protection-regulation, #google, #india, #ireland, #lawsuit, #max-schrems, #noyb, #privacy, #safe-harbor, #surveillance-law, #twitter, #united-kingdom, #united-states

0

Facebook loses last ditch attempt to derail DPC decision on its EU-US data flows

Facebook has failed in its bid to prevent its lead EU data protection regulator from pushing ahead with a decision on whether to order suspension of its EU-US data flows.

The Irish High Court has just issued a ruling dismissing the company’s challenge to the Irish Data Protection Commission’s (DPC) procedures.

The case has huge potential operational significance for Facebook which may be forced to store European users’ data locally if it’s ordered to stop taking their information to the U.S. for processing.

Last September Irish data watchdog made a preliminary order warning Facebook it may have to suspend EU-US data flows. Facebook responding by filing for a judicial review and obtaining a stay on the DPC’s procedure. That block is now being unblocked.

We understand the involved parties have been given a few days to read the High Court judgement ahead of another hearing on Thursday — when the court is expected to formally lift Facebook’s stay on the DPC’s investigation (and settle the matter of case costs).

The DPC declined to comment on today’s ruling in any detail — or on the timeline for making a decision on Facebook’s EU-US data flows — but deputy commissioner Graham Doyle told us it “welcomes today’s judgment”.

Its preliminary suspension order last fall followed a landmark judgement by Europe’s top court in the summer — when the CJEU struck down a flagship transatlantic agreement on data flows, on the grounds that US mass surveillance is incompatible with the EU’s data protection regime.

The fall-out from the CJEU’s invalidation of Privacy Shield (as well as an earlier ruling striking down its predecessor Safe Harbor) has been ongoing for years — as companies that rely on shifting EU users’ data to the US for processing have had to scramble to find valid legal alternatives.

While the CJEU did not outright ban data transfers out of the EU, it made it crystal clear that data protection agencies must step in and suspend international data flows if they suspect EU data is at risk. And EU to US data flows were signalled as at clear risk given the court simultaneously struck down Privacy Shield.

The problem for some businesses is that there may simply not be a valid legal alternative. And that’s where things look particularly sticky for Facebook, since its service falls under NSA surveillance via Section 702 of the FISA (which is used to authorize mass surveillance programs like Prism).

So what happens now for Facebook, following the Irish High Court ruling?

As ever in this complex legal saga — which has been going on in various forms since an original 2013 complaint made by European privacy campaigner Max Schrems — there’s still some track left to run.

After this unblocking the DPC will have two enquiries in train: Both the original one, related to Schrems’ complaint, and an own volition enquiry it decided to open last year — when it said it was pausing investigation of Schrems’ original complaint.

Schrems, via his privacy not-for-profit noyb, filed for his own judicial review of the DPC’s proceedings. And the DPC quickly agreed to settle — agreeing in January that it would ‘swiftly’ finalize Schrems’ original complaint. So things were already moving.

The tl;dr of all that is this: The last of the bungs which have been used to delay regulatory action in Ireland over Facebook’s EU-US data flows are finally being extracted — and the DPC must decide on the complaint.

Or, to put it another way, the clock is ticking for Facebook’s EU-US data flows. So expect another wordy blog post from Nick Clegg very soon.

Schrems previously told TechCrunch he expects the DPC to issue a suspension order against Facebook within months — perhaps as soon as this summer (and failing that by fall).

In a statement reacting to the Court ruling today he reiterated that position, saying: “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer. Now we simply have two procedures instead of one.”

When Ireland (finally) decides it won’t mark the end of the regulatory procedures, though.

A decision by the DPC on Facebook’s transfers would need to go to the other EU DPAs for review — and if there’s disagreement there (as seems highly likely, given what’s happened with draft DPC GDPR decisions) it will trigger a further delay (weeks to months) as the European Data Protection Board seeks consensus.

If a majority of EU DPAs can’t agree the Board may itself have to cast a deciding vote. So that could extend the timeline around any suspension order. But an end to the process is, at long last, in sight.

And, well, if a critical mass of domestic pressure is ever going to build for pro-privacy reform of U.S. surveillance laws now looks like a really good time…

“We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer,” added Schrems. “This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.”

Facebook has been contacted for comment on the Irish High Court ruling.

Update: The company has now sent us this statement:

“Today’s ruling was about the process the IDPC followed. The larger issue of how data can move around the world remains of significant importance to thousands of European and American businesses that connect customers, friends, family and employees across the Atlantic. Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities. We look forward to defending our compliance to the IDPC, as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses.”

#data-protection, #data-security, #digital-rights, #dpc, #eu-us-privacy-shield, #europe, #european-data-protection-board, #european-union, #facebook, #human-rights, #ireland, #lawsuit, #max-schrems, #nick-clegg, #noyb, #policy, #privacy, #safe-harbor, #united-states

0

Disqus facing $3M fine in Norway for tracking users without consent

Disqus, a commenting plugin that’s used by a number of news websites and which can share user data for ad targeting purposes, has got into hot water in Norway for tracking users without their consent.

The local data protection agency said today it has notified the U.S.-based company of an intent to fine it €2.5 million (~$3M) for failures to comply with requirements in Europe’s General Data Protection Regulation (GDPR) on accountability, lawfulness and transparency.

Disqus’ parent, Zeta Global, has been contacted for comment.

Datatilsynet said it acted following a 2019 investigation in Norway’s national press — which found that default settings buried in the Disqus’ plug-in opted sites into sharing user data on millions of users in markets including the U.S.

And while in most of Europe the company was found to have applied an opt-in to gather consent from users to be tracked — likely in order to avoid trouble with the GDPR — it appears to have been unaware that the regulation applies in Norway.

Norway is not a member of the European Union but is in the European Economic Area — which adopted the GDPR in July 2018, slightly after it came into force elsewhere in the EU. (Norway transposed the regulation into national law also in July 2018.)

The Norwegian DPA writes that Disqus’ unlawful data-sharing has “predominantly been an issue in Norway” — and says that seven websites are affected: NRK.no/ytring, P3.no, tv.2.no/broom, khrono.no, adressa.no, rights.no and document.no.

“Disqus has argued that their practices could be based on the legitimate interest balancing test as a lawful basis, despite the company being unaware that the GDPR applied to data subjects in Norway,” the DPA’s director-general, Bjørn Erik Thon, goes on.

“Based on our investigation so far, we believe that Disqus could not rely on legitimate interest as a legal basis for tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes, and that this type of tracking would require consent.”

“Our preliminary conclusion is that Disqus has processed personal data unlawfully. However, our investigation also discovered serious issues regarding transparency and accountability,” Thon added.

The DPA said the infringements are serious and have affected “several hundred thousands of individuals”, adding that the affected personal data “are highly private and may relate to minors or reveal political opinions”.

“The tracking, profiling and disclosure of data was invasive and nontransparent,” it added.

The DPA has given Disqus until May 31 to comment on the findings ahead of issuing a fine decision.

Publishers reminded of their responsibility

Datatilsynet has also fired a warning shot at local publishers who were using the Disqus platform — pointing out that website owners “are also responsible under the GDPR for which third parties they allow on their websites”.

So, in other words, even if you didn’t know about a default data-sharing setting that’s not an excuse because it’s your legal responsibility to know what any code you put on your website is doing with user data.

The DPA adds that “in the present case” it has focused the investigation on Disqus — providing publishers with an opportunity to get their houses in order ahead of any future checks it might make.

Norway’s DPA also has some admirably plain language to explain the “serious” problem of profiling people without their consent. “Hidden tracking and profiling is very invasive,” says Thon. “Without information that someone is using our personal data, we lose the opportunity to exercise our rights to access, and to object to the use of our personal data for marketing purposes.

“An aggravating circumstance is that disclosure of personal data for programmatic advertising entails a high risk that individuals will lose control over who processes their personal data.”

Zooming out, the issue of adtech industry tracking and GDPR compliance has become a major headache for DPAs across Europe — which have been repeatedly slammed for failing to enforce the law in this area since GDPR came into application in May 2018.

In the UK, for example (which transposed the GDPR before Brexit so still has an equivalent data protection framework for now), the ICO has been investigating GDPR complaints against real-time bidding’s (RTB) use of personal data to run behavioral ads for years — yet hasn’t issued a single fine or order, despite repeatedly warning the industry that it’s acting unlawfully.

The regulator is now being sued by complainants over its inaction.

Ireland’s DPC, meanwhile — which is the lead DPA for a swathe of adtech giants which site their regional HQ in the country — has a number of open GDPR investigations into adtech (including RTB). But has also failed to issue any decisions in this area almost three years after the regulation begun being applied.

Its lack of action on adtech complaints has contributed significantly to rising domestic (and international) pressure on its GDPR enforcement record more generally, including from the European Commission. (And it’s notable that the latter’s most recent legislative proposals in the digital arena include provisions that seek to avoid the risk of similar enforcement bottlenecks.)

The story on adtech and the GDPR looks a little different in Belgium, though, where the DPA appears to be inching toward a major slap-down of current adtech practices.

A preliminary report last year by its investigatory division called into question the legal standard of the consents being gathered via a flagship industry framework, designed by the IAB Europe. This so-called ‘Transparency and Consent’ framework (TCF) was found not to comply with the GDPR’s principles of transparency, fairness and accountability, or the lawfulness of processing.

A final decision is expected on that case this year — but if the DPA upholds the division’s findings it could deal a massive blow to the behavioral ad industry’s ability to track and target Europeans.

Studies suggest Internet users in Europe would overwhelmingly choose not to be tracked if they were actually offered the GDPR standard of a specific, clear, informed and free choice, i.e. without any loopholes or manipulative dark patterns.

#advertising-tech, #belgium, #data-protection, #data-security, #disqus, #europe, #european-commission, #european-union, #gdpr, #general-data-protection-regulation, #ireland, #norway, #personal-data, #privacy, #programmatic-advertising, #united-kingdom, #zeta-global

0

There is no cybersecurity skills gap, but CISOs must think creatively

Those of us who read a lot of tech and business publications have heard for years about the cybersecurity skills gap. Studies often claim that millions of jobs are going unfilled because there aren’t enough qualified candidates available for hire.

I don’t buy it.

The basic laws of supply and demand mean there will always be people in the workforce willing to move into well-paid security jobs. The problem is not that these folks don’t exist. It’s that CIOs or CISOs typically look right past them if their resumes don’t have a very specific list of qualifications.

In many cases, hiring managers expect applicants to be fully trained on all the technologies their organization currently uses. That not only makes it harder to find qualified candidates, but it also reduces the diversity of experience within security teams — which, ultimately, may weaken the company’s security capabilities and its talent pool.

At Netskope, we take a different approach to staffing for security roles. We know we can teach the cybersecurity skills needed to do the job, so instead, there are two traits we consider more important than specific technical expertise: One is a hunger to learn more about security, which suggests the individual will take the initiative to continuously improve their skills. The other is possession of a skill set that no one else on our security team has.

Overemphasis on technical skills creates an artificial talent shortage

To understand why I believe our approach has helped us build a stronger security team, think about the long-term benefits of hiring someone with a specific security skill set: How valuable will that exact knowledge be in several years? Probably not very.

The problem is not that these folks don’t exist. It’s that CIOs or CISOs typically look right past them if their resumes don’t have a very specific list of qualifications.

Even the most basic security technologies are incredibly dynamic. In most companies, the IT infrastructure is currently in the midst of a massive transition from on-premises to cloud-based systems. Security teams are having to learn new technologies. More than that, they are having to adopt an entirely new mindset, shifting from a focus on protecting specific pieces of hardware to a focus on protecting individuals and applications as their workloads increasingly move outside the corporate network.

#ceo, #column, #computer-security, #cybersecurity, #data-security, #ec-column, #ec-cybersecurity, #information-technology, #labor, #security, #startups

0

Passwordstate users warned to ‘reset all passwords’ after attackers plant malicious update

Click Studios, the Australian software house that develops the enterprise password manager Passwordstate, has warned customers to reset passwords across their organizations after a cyberattack on the password manager.

An email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customer passwords.

The email, posted on Twitter by Polish news site Niebezpiecznik early on Friday, said the malicious update exposed Passwordstate customers over a 28-hour window between April 20-22. Once installed, the malicious update contacts the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers. The email also told customers to “commence resetting all passwords contained within Passwordstate.”

Click Studios did not say how the attackers compromised the password manager’s update feature, but emailed customers with a security fix.

The company also said the attacker’s servers were taken down on April 22. But Passwordstate users could still be at risk if the attacker’s are able to get their infrastructure online again.

Enterprise password managers let employees at companies share passwords and other sensitive secrets across their organization, such as network devices — including firewalls and VPNs, shared email accounts, internal databases, and social media accounts. Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.

Although affected customers were notified this morning, news of the breach only became widely known several hours later after Danish cybersecurity firm CSIS Group published a blog post with details of the attack.

Click Studios chief executive Mark Sanford did not respond to a request for comment outside Australian business hours.

Read more:

#aerospace, #banking, #computer-security, #cybercrime, #data-security, #major, #malware, #password, #password-manager, #phishing, #security

0

Who’s funding privacy tech?

Privacy isn’t dead, as many would have you believe. New regulations, stricter cross-border data transfer rules and increasing calls for data sovereignty have helped the privacy startup space grow thanks to an uptick in investor support.

This is how we got here, and where investors are spending.

The rise of privacy tech

With strict privacy laws such as GDPR and CCPA already listing big-ticket penalties — and a growing number of countries following suit — businesses have little option but to comply. It’s not just bigger, established businesses offering privacy and compliance tech; brand-new startups are filling in the gaps in this emerging and growing space.

“For the last decade, privacy tech was trumpeted as one of the next ‘big things’ for investors, but never delivered. Startup business models were too academic, complex and did not appeal to VCs, or crucially, consumers were used to getting free web services,” Gilbert Hill, chief executive at Tapmydata, told Extra Crunch.

Some privacy companies — including privacy hardware companies — are chasing profits and less focused on hustling for outside investment.

Today, privacy is big business. Crunchbase lists 207 privacy startups (as of April 2021) that have together raised more than $3.5 billion over hundreds of individual rounds of funding. The number of privacy companies rockets if you take into account enterprise privacy players. Crunchbase currently has 809 listed under the wider “privacy” category.

The latest Privacy Tech Vendor Report 2021 names 356 companies exclusively dealing in enterprise privacy technology solutions, up from 304 companies a year earlier.

“Since 2017, the privacy landscape underwent a metamorphosis,” the report said. “The emergence of the California Consumer Privacy Act, Brazilian General Data Protection Law and other privacy laws around the world have forced organizations to adhere to a new array of compliance requirements, and in response, the demand for privacy tech grew exponentially.”

That also presents an opportunity for investors.

Increasing investments

Privacy tech was catching the attention of investors even before the recent wave of new privacy laws came into effect. The sector amassed nearly $10 billion in investment in 2019, according to Crunchbase, compared to just $1.7 billion in 2010. Investments remained active in 2020, despite the pandemic.

Case in point: In December, enterprise privacy and compliance firm OneTrust announced a $300 million Series C funding. The deal valued the 4-year-old privacy tech firm at $5.1 billion, making it one of the first modern privacy unicorns. Three months later, it extended its Series C funding, with SoftBank Vision Fund 2 and Franklin Templeton pumping in another $210 million.

#china, #consumer-privacy, #data-security, #ec-cybersecurity, #general-data-protection-regulation, #privacy, #privacy-technology, #social-media

0

Facebook faces ‘mass action’ lawsuit in Europe over 2019 breach

Facebook is to be sued in Europe over the major leak of user data that dates back to 2019 but which only came to light recently after information on 533M+ accounts was found posted for free download on a hacker forum.

Today Digital Rights Ireland (DRI) announced it’s commencing a “mass action” to sue Facebook, citing the right to monetary compensation for breaches of personal data that’s set out in the European Union’s General Data Protection Regulation (GDPR).

Article 82 of the GDPR provides for a ‘right to compensation and liability’ for those affected by violations of the law. Since the regulation came into force, in May 2018, related civil litigation has been on the rise in the region.

The Ireland-based digital rights group is urging Facebook users who live in the European Union or European Economic Area to check whether their data was breach — via the haveibeenpwned website (which lets you check by email address or mobile number) — and sign up to join the case if so.

Information leaked via the breach includes Facebook IDs, location, mobile phone numbers, email address, relationship status and employer.

Facebook has been contacted for comment on the litigation.

The tech giant’s European headquarters is located in Ireland — and earlier this week the national data watchdog opened an investigation, under EU and Irish data protection laws.

A mechanism in the GDPR for simplifying investigation of cross-border cases means Ireland’s Data Protection Commission (DPC) is Facebook’s lead data regulator in the EU. However it has been criticized over its handling of and approach to GDPR complaints and investigations — including the length of time it’s taking to issue decisions on major cross-border cases. And this is particularly true for Facebook.

With the three-year anniversary of the GDPR fast approaching, the DPC has multiple open investigations into various aspects of Facebook’s business but has yet to issue a single decision against the company.

(The closest it’s come is a preliminary suspension order issued last year, in relation to Facebook’s EU to US data transfers. However that complaint long predates GDPR; and Facebook immediately filed to block the order via the courts. A resolution is expected later this year after the litigant filed his own judicial review of the DPC’s processes).

Since May 2018 the EU’s data protection regime has — at least on paper — baked in fines of up to 4% of a company’s global annual turnover for the most serious violations.

Again, though, the sole GDPR fine issued to date by the DPC against a tech giant (Twitter) is very far off that theoretical maximum. Last December the regulator announced a €450k (~$547k) sanction against Twitter — which works out to around just 0.1% of the company’s full-year revenue.

That penalty was also for a data breach — but one which, unlike the Facebook leak, had been publicly disclosed when Twitter found it in 2019. So Facebook’s failure to disclose the vulnerability it discovered and claims it fixed by September 2019, which led to the leak of 533M accounts now, suggests it should face a higher sanction from the DPC than Twitter received.

However even if Facebook ends up with a more substantial GDPR penalty for this breach the watchdog’s caseload backlog and plodding procedural pace makes it hard to envisage a swift resolution to an investigation that’s only a few days old.

Judging by past performance it’ll be years before the DPC decides on this 2019 Facebook leak — which likely explains why the DRI sees value in instigating class-action style litigation in parallel to the regulatory investigation.

“Compensation is not the only thing that makes this mass action worth joining. It is important to send a message to large data controllers that they must comply with the law and that there is a cost to them if they do not,” DRI writes on its website.

It also submitted a complaint about the Facebook breach to the DPC earlier this month, writing then that it was “also consulting with its legal advisors on other options including a mass action for damages in the Irish Courts”.

It’s clear that the GDPR enforcement gap is creating a growing opportunity for litigation funders to step in in Europe and take a punt on suing for data-related compensation damages — with a number of other mass actions announced last year.

In the case of DRI its focus is evidently on seeking to ensure that digital rights are upheld. But it told RTE that it believes compensation claims which force tech giants to pay money to users whose privacy rights have been violated is the best way to make them legally compliant.

Facebook, meanwhile, has sought to play down the breach it failed to disclose in 2019 — claiming it’s ‘old data’ — a deflection that ignores the fact that people’s dates of birth don’t change (nor do most people routinely change their mobile number or email address).

Plenty of the ‘old’ data exposed in this latest massive Facebook leak will be very handy for spammers and fraudsters to target Facebook users — and also now for litigators to target Facebook for data-related damages.

#data-protection, #data-protection-commission, #data-security, #digital-rights, #digital-rights-ireland, #europe, #european-union, #facebook, #gdpr, #general-data-protection-regulation, #ireland, #lawsuit, #litigation, #personal-data, #privacy, #social, #social-media, #tc, #twitter

0

Grocery startup Mercato spilled years of data, but didn’t tell its customers

A security lapse at online grocery delivery startup Mercato exposed tens of thousands of customer orders, TechCrunch has learned.

A person with knowledge of the incident told TechCrunch that the incident happened in January after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unprotected.

The company fixed the data spill, but has not yet alerted its customers.

Mercato was founded in 2015 and helps over a thousand smaller grocers and specialty food stores get online for pickup or delivery, without having to sign up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles, and New York, where the company is headquartered.

TechCrunch obtained a copy of the exposed data and verified a portion of the records by matching names and addresses against known existing accounts and public records. The data set contained more than 70,000 orders dating between September 2015 and November 2019, and included customer names and email addresses, home addresses, and order details. Each record also had the user’s IP address of the device they used to place the order.

The data set also included the personal data and order details of company executives.

It’s not clear how the security lapse happened since storage buckets on Amazon’s cloud are private by default, or when the company learned of the exposure.

Companies are required to disclose data breaches or security lapses to state attorneys-general, but no notices have been published where they are required by law, such as California. The data set had more than 1,800 residents in California, more than three times the number needed to trigger mandatory disclosure under the state’s data breach notification laws.

It’s also not known if Mercato disclosed the incident to investors ahead of its $26 million Series A raise earlier this month. Velvet Sea Ventures, which led the round, did not respond to emails requesting comment.

In a statement, Mercato chief executive Bobby Brannigan confirmed the incident but declined to answer our questions, citing an ongoing investigation.

“We are conducting a complete audit using a third party and will be contacting the individuals who have been affected. We are confident that no credit card data was accessed because we do not store those details on our servers. We will continually inform all authoritative bodies and stakeholders, including investors, regarding the findings of our audit and any steps needed to remedy this situation,” said Brannigan.


Know something, say something. Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more

#amazon, #boston, #california, #chicago, #cloud-computing, #cloud-infrastructure, #cloud-storage, #computer-security, #computing, #data-breach, #data-security, #ecommerce, #food, #instacart, #los-angeles, #mercato, #new-york, #security, #technology, #united-states, #velvet-sea-ventures

0

Risk startup LogicGate confirms data breach

Risk and compliance startup LogicGate has confirmed a data breach. But unless you’re a customer, you probably didn’t hear about it.

An email sent by LogicGate to customers earlier this month said on February 23 an unauthorized third-party obtained credentials to its Amazon Web Services-hosted cloud storage servers storing customer backup files for its flagship platform Risk Cloud, which helps companies to identify and manage their risk and compliance with data protection and security standards. LogicGate says its Risk Cloud can also help find security vulnerabilities before they are exploited by malicious hackers.

The credentials “appear to have been used by an unauthorized third party to decrypt particular files stored in AWS S3 buckets in the LogicGate Risk Cloud backup environment,” the email read.

“Only data uploaded to your Risk Cloud environment on or prior to February 23, 2021, would have been included in that backup file. Further, to the extent you have stored attachments in the Risk Cloud, we did not identify decrypt events associated with such attachments,” it added.

LogicGate did not say how the AWS credentials were compromised. An email update sent by LogicGate last Friday said the company anticipates finding the root cause of the incident by this week.

But LogicGate has not made any public statement about the breach. It’s also not clear if the company contacted all of its customers or only those whose data was accessed. LogicGate counts Capco, SoFi, and Blue Cross Blue Shield of Kansas City as customers.

We sent a list of questions, including how many customers were affected and if the company has alerted U.S. state authorities as required by state data breach notification laws. When reached, LogicGate chief executive Matt Kunkel confirmed the breach but declined to comment citing an ongoing investigation. “We believe it’s best to communicate developments directly to our customers,” he said.

Kunkel would not say, when asked, if the attacker also exfiltrated the decrypted customer data from its servers.

Data breach notification laws vary by state, but companies that fail to report security incidents can face heavy fines. Under Europe’s GDPR rules, companies can face fines of up to 4% of their annual turnover for violations.

In December, LogicGate secured $8.75 million in fresh funding, totaling more than $40 million since it launched in 2015.


Are you a LogicGate customer? Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more

#amazon, #amazon-web-services, #blue-cross-blue-shield, #capco, #cloud, #cloud-computing, #cloud-storage, #computer-security, #computing, #data-breach, #data-security, #europe, #health-insurance, #securedrop, #security, #security-breaches, #sofi, #united-states

0

Cybersecurity training startup Hack The Box raises $10.6M Series A led by Paladin Capital

Cybersecurity training startup Hack The Box, which emerged originally from Greece, has raised a Series A investment round of $10.6 million, led by Paladin Capital Group and joined by Osage University Partners, Brighteye Ventures, and existing investors Marathon Venture Capital. It will use the funding to expand. Most recently it launched Hack The Box Academy.

Started in 2017, Hack The Box specializes in using ‘ethical hacking’ to train cybersecurity techniques. Users are given challenges to “attack” virtual vulnerable labs in a simulated, gamified, and test environment. This approach has garnered over 500,000 platform members, from beginners to experts, and brought in around 800 organizations (such as governments, Fortune 500 companies, and academic institutions) to improve their cyber-adversarial knowledge.

Haris Pylarinos, Hack The Box Co-Founder and CEO said: “Everything we do is geared around creating a safer Internet by empowering corporate teams and individuals to create unbreakable systems.”

Gibb Witham, Senior Vice President, Paladin Capital Group commented: “We’re excited to be backing Hack The Box at this inflection point in their growth as organizations recognize the increasing importance of an adversarial security practice to combat constantly evolving cyber attacks.”

Hack The Box competes with Offensive Security, Immersive Labs,   
INE, and eLearnSecurity (acquired by INE).

Hack The Box is using a SaaS business model. In the B2C market it provides monthly and annual subscriptions that provide unrestricted access to the training content and in the B2B market, it provides bi-annual and annual licenses which provide access to dedicated adversarial training environments with value-added admin capabilities.

#brighteye-ventures, #computer-security, #cyberwarfare, #data-security, #europe, #greece, #hack, #immersive-labs, #marathon-venture-capital, #paladin-capital-group, #tc, #vice-president

0

Answers being sought from Facebook over latest data breach

Facebook’s lead data protection regulator in the European Union is seeking answers from the tech giant over a major data breach reported on over the weekend.

The breach was reported on by Business Insider on Saturday which said personal data (including email addresses and mobile phone numbers) of more than 500M Facebook accounts had been posted to a low level hacking forum — making the personal information on hundreds of millions of Facebook users’ accounts freely available.

“The exposed data includes the personal information of over 533M Facebook users from 106 countries, including over 32M records on users in the US, 11M on users in the UK, and 6M on users in India,” Business Insider said, noting that the dump includes phone numbers, Facebook IDs, full names, locations, birthdates, bios, and some email addresses.

Facebook responded to the report of the data dump by saying it related to a vulnerability in its platform it had “found and fixed” in August 2019 — dubbing the info “old data” which it also claimed had been reported on in 2019. However as security experts were quick to point out, most people don’t change their mobile phone number often — so Facebook’s trigger reaction to downplay the breach looks like an ill-thought through attempt to deflect blame.

It’s also not clear whether all the data is all ‘old’, as Facebook’s initial response suggests.

There’s plenty of reasons for Facebook to try to downplay yet another data scandal. Not least because, under European Union data protection rules, there are stiff penalties for companies that fail to promptly report significant breaches to relevant authorities. And indeed for breaches themselves — as the bloc’s General Data Protection Regulation (GDPR) bakes in an expectation of security by design and default.

By pushing the claim that the leaked data is “old” Facebook may be hoping to peddle the idea that it predates the GDPR coming into application (in May 2018).

However the Irish Data Protection Commission (DPC), Facebook’s lead data supervisor in the EU, told TechCrunch that it’s not abundantly clear whether that’s the case at this point.

“The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period,” the DPC’s deputy commissioner, Graham Doyle said in a statement.

“A significant number of the users are EU users. Much of the data appears to been data scraped some time ago from Facebook public profiles,” he also said.

“Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”

Doyle said the regulator sought to establish “the full facts” about the breach from Facebook over the weekend and is “continuing to do so” — making it clear that there’s an ongoing lack of clarity on the issue, despite the breach itself being claimed as “old” by Facebook.

The DPC also made it clear that it did not receive any proactive communication from Facebook on the issue — despite the GDPR putting the onus on companies to proactively inform regulators about significant data protection issues. Rather the regulator had to approach Facebook — using a number of channels to try to obtain answers from the tech giant.

Through this approach the DPC said it learnt Facebook believes the information was scraped prior to the changes it made to its platform in 2018 and 2019 in light of vulnerabilities identified in the wake of the Cambridge Analytica data misuse scandal.

A huge database of Facebook phone numbers was found unprotected online back in September 2019.

Facebook had also earlier admitted to a vulnerability with a search tool it offered — revealing in April 2018 that somewhere between 1BN and 2BN users had had their public Facebook information scraped via a feature which allowed people to look up users by inputting a phone number or email — which is one potential source for the cache of personal data.

Last year Facebook also filed a lawsuit against two companies it accused of engaging in an international data scraping operation.

But the fallout from its poor security design choices continue to dog Facebook years after its ‘fix’.

More importantly, the fallout from the massive personal data spill continues to affect Facebook users whose information is now being openly offered for download on the Internet — opening them up to the risk of spam and phishing attacks and other forms of social engineering (such as for attempted identity theft).

There are still more questions than answers about how this “old” cache of Facebook data came to be published online for free on a hacker forum.

The DPC said it was told by Facebook that “the data at issue appears to have been collated by third parties and potentially stems from multiple sources”.

The company also claimed the matter “requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information” — which is a long way of suggesting that Facebook has no idea either.

“Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC,” Doyle also said. “A percentage of the records released on the hacker website contain phone numbers and email address of users.

“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.”

“The DPC will communicate further facts as it receives information from Facebook,” he added.

At the time of writing Facebook had not responded to a request for comment about the breach.

Facebook users who are concerned whether their information is in the dump can run a search for their phone number or email address via the data breach advice site, haveibeenpwned.

According to haveibeenpwned’s Troy Hunt, this latest Facebook data dump contains far more mobile phone numbers than email addresses.

He writes that he was sent the data a few weeks ago — initially getting 370M records and later “the larger corpus which is now in very broad circulation”.

“A lot of it is the same, but a lot of it is also different,” Hunt also notes, adding: “There is not one clear source of this data.”

 

#computer-security, #data-breach, #data-security, #european-union, #facebook, #gdpr, #general-data-protection-regulation, #social-media, #tc, #troy-hunt, #united-kingdom

0

Hack takes: A CISO and a hacker detail how they’d respond to the Exchange breach

The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

Don’t wait for your incident response team to take the brunt of a cyberattack on your organization.

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as possible. Disable external connectivity to the internet to ensure they cannot exfiltrate any data or communicate with other systems in the network, which is how attackers move laterally.

3. Consider deploying default/deny.

#backup, #column, #computer-security, #data-protection, #data-security, #ec-column, #ec-cybersecurity, #ec-how-to, #security, #tc

0

FatFace tells customers to keep its data breach ‘strictly private’

Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.

The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with the customer’s name, email and postal address, and the last four-digits of their credit card. “Full payment card information was not compromised,” the notice reiterated.

But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.

Under the U.K. data protection laws, a company must disclose a data breach within 72 hours of becoming aware of an incident, but there are no legal requirements on the customer to keep the information confidential. It didn’t take long for the company to face flack from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”

In a statement sent via crisis communications firm Kekst CNC, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential.” (FatFace declined to attribute the statement to a named spokesperson.)

TechCrunch obtained a near-identical email sent to its staff from a former employee who asked not to be named. The email to employees was largely the same as the customer email, but warned that staff may have had their bank account information and their National Insurance numbers — the U.K. equivalent of Social Security — compromised.

FatFace confirmed “a select number of employees, former employees and customers and providing appropriate guidance and support,” but would not say specifically how many customers and employees were affected by the breach.

#computer-security, #computing, #crisis-communications, #cybercrime, #data-breach, #data-security, #email, #information-technology, #security, #spokesperson, #united-kingdom

0

Vulcan Cyber raises $21M Series B for its vulnerability remediation platform

Tel Aviv-based Vulcan Cyber, a cybersecurity startup that helps businesses prioritize and fix security vulnerabilities, today announced that it has raised a $21 million Series B funding round led by Dawn Capital. Wipro Ventures and existing investors YL Ventures and Ten Eleven Ventures also participated in this round. The company says it will use the new funding to roll out new remediation solutions and launch a free risk-based vulnerability management platform under the Vulcan Free monicker.

With this new round, Vulcan Cyber’s total funding to date is now $35 million. The company says it saw 500% growth in annual recurring revenue and new customer account metrics in 2020, with each user typically having between 10 and 100 users on the platform.

Image Credits: Vulcan Cyber

The company’s emphasis has always been on not just warning its customers about potential vulnerabilities but also helping them prioritize them based on the severity of the risk and the threat to a company’s business assets. Security teams, after all, are often overwhelmed by alerts and not every vulnerability a scanner represents is a high-priority risk for a business. The promise of Vulcan Cyber’s platform is that it helps these teams figure out where to best focus their resources.

While the funding is the headline news today, Vulcan’s new free offering is also worth a closer look.

Cybersecurity pros have used open-source vulnerability scanners like Nessus for almost two decades. More recently, vulnerability management programs have used risk-based vulnerability management tools to prioritize scan results to determine specific risk to the business and focus the remediation effort. The scan and prioritize functions are fundamental, necessary elements of any mature remediation program,” Yaniv Bar-Dayan, Vulcan Cyber’s CEO and co-founder said about the new free offering. “But now the industry has a free vulnerability prioritization engine to complement the scanners. This round of funding allows us to provide the Vulcan Free service to the cybersecurity industry to help businesses achieve cyber hygiene. This move shifts the economics of our market and will push CISOs and CIOs to dedicate more budget and resources not just on simple scan and prioritize paper pushing, but on driving actual remediation outcomes. We hope this will help the industry get fix done more effectively.”

With this new free offering, Vulcan’s freemium portfolio now includes Vulcan Free, which provides some of the company’s core prioritization and vulnerability management features, and its existing free vulnerability intelligence database.

#computer-security, #cybersecurity, #cyberwarfare, #data-security, #dawn-capital, #hacking, #recent-funding, #security, #software-testing, #startups, #tc, #tel-aviv, #ten-eleven-ventures, #vulcan-cyber, #vulnerability, #wipro-ventures, #yl-ventures

0

Indian state government website exposed COVID-19 lab test results

A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test.

The website is part of the West Bengal government’s mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results.

But security researcher Sourajeet Majumder found that the link containing the patient’s unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser’s address bar and view other patients’ test results.

The test results contain the patient’s name, sex, age, postal address, and if the patient’s lab test result came back positive, negative, or inconclusive for COVID-19.

Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. “This is a privacy violation if somebody else gets access to my private information,” he said.

Two COVID-19 lab test results, but with details redacted, to show what kind of data has been exposed.

Two redacted COVID-19 lab test results exposed as a result of a security vulnerability on the West Bengal government’s website. (Screenshot: TechCrunch)

Majumder reported the vulnerability to India’s CERT, the country’s dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the West Bengal government’s website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline, but did not return our requests for comment.

TechCrunch held our report until the vulnerability was fixed or no longer presented a risk. At the time of publication, the affected website remains offline.

It’s not known exactly how many COVID-19 lab results were exposed because of this security lapse, or if anyone other than Majumder discovered the vulnerability. At the time the website was pulled offline at the end of February, the state government had tested more than 8.5 million residents for COVID-19.

West Bengal is one of the most populated states of India, with about 90 million residents. Since the start of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.

It’s the latest of several security incidents in the past few months to hit India and its response to the coronavirus pandemic.

Last May, India’s largest cell network Jio admitted a security lapse after a security researcher found a database containing the company’s coronavirus symptom checker, which Jio had launched months earlier.

In October, a security researcher found Dr Lal PathLabs left hundreds of spreadsheets containing millions of patient booking records — including for COVID-19 tests — on a public storage server that was not protected with a password, allowing anyone to access sensitive patient data.


Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using SecureDrop.

#coronavirus, #covid-19, #cybersecurity, #dark-web, #data-security, #government, #india, #jio, #online-tools, #privacy, #security

0

Base Operations raises $2.2 million to modernize physical enterprise security

Typically when we talk about tech and security, the mind naturally jumps to cybersecurity. But equally important, especially for global companies with large, multinational organizations, is physical security – a key function at most medium-to-large enterprises, and yet one that to date, hasn’t really done much to take advantage of recent advances in technology. Enter Base Operations, a startup founded by risk management professional Cory Siskind in 2018. Base Operations just closed their $2.2 million seed funding round, and will use the money to capitalize on its recent launch of a street-level threat mapping platform for use in supporting enterprise security operations.

The funding, led by Good Growth Capital and including investors like Magma Partners, First In Capital, Gaingels and First Round Capital founder Howard Morgan, will be used primarily for hiring, as Base Operations looks to continue its team growth after doubling its employe base this past month. It’ll also be put to use extending and improving the company’s product, and growing the startup’s global footprint. I talked to Siskind about her company’s plans on the heels of this round, as well as the wider opportunity and how her company is serving the market in a novel way.

“What we do at Base Operations is help companies keep their people in operation secure with ‘Micro Intelligence,’ which is street-level threat assessments that facilitate a variety of routine security tasks in the travel security, real estate and supply chain security buckets,” Siskind explained. “Anything that the Chief Security Officer would be in charge of, but not cyber – so anything that intersects with the physical world.”

Siskind has first-hand experience about the complexity and challenges that enter into enterprise security, since she began her career working for global strategic risk consultancy firm Control Risks in Mexico City. Because of her time in the industry, she’s keenly aware of just how far physical and political security operations lag behind their cybersecurity counterparts. It’s an often-overlooked aspect of corporate risk management, particularly since in the past it’s been something that most employees at North American companies only ever encounter periodically, when their roles involve frequent travel. The events of the past couple of years have changed that, however.

“This was the last bastion of a company that hadn’t been optimized by a SaaS platform, basically, so there was some resistance and some allegiance to legacy players,” Siskind told me. “However, the events of 2020 sort of turned everything on its head, and companies realized that the security department ,and what happens in the physical world, is not just about compliance – it’s actually a strategic advantage to invest in those sort of services, because it helps you maintain business continuity.”

The COVID-19 pandemic, increased frequency and severity of natural disasters, and global political unrest all had significant impact on businesses worldwide in 2020, and Siskind says that this has proven a watershed moment in how enterprises consider physical security in their overall risk profile and strategic planning cycles.

“[Companies] have just realized that if you don’t invest and how to keep your operations running smoothly in the face of rising catastrophic events, you’re never going to achieve the the profits that you need, because it’s too choppy, and you have all sorts of problems,” she said.

Base Operations addresses this problem by taking available data from a range of sources and pulling it together to inform threat profiles. Their technology is all about making sense of the myriad stream of information we encounter daily – taking the wash of news that we sometimes associate with ‘doom-scrolling’ on social media, for instance, and combining it with other sources using machine learning to extrapolate actionable insights.

Those sources of information include “government statistics, social media, local news, data from partnerships, like NGOs and universities,” Siskind said. That data set powers their Micro Intelligence platform, and while the startup’s focus today is on helping enterprises keep people safe, while maintaining their operations, you can easily see how the same information could power everything from planning future geographical expansion, to tailoring product development to address specific markets.

Siskind saw there was a need for this kind of approach to an aspect of business that’s essential, but that has been relatively slow to adopt new technologies. From her vantage point two years ago, however, she couldn’t have anticipated just how urgent the need for better, more scalable enterprise security solutions would arise, and Base Operations now seems perfectly positioned to help with that need.

#artificial-intelligence, #computer-security, #cryptography, #data-security, #enterprise, #first-round-capital, #funding, #law-enforcement, #machine-learning, #magma-partners, #malware, #mexico-city, #real-estate, #risk-management, #saas, #security, #security-guard, #social-media, #startup, #tc

0

Israeli startup CYE raises $100M to help companies shore up their cyber-defenses

Cybersecurity startup CYE has raised $100 million in a new growth round, led by investment firm EQT and with participation from 83North.

CYE was founded in 2012 by Reuven Aronashvili to help companies shore up their security posture. It does this in large part by conducting offensive operations against their customers — with their explicit consent — to find weaknesses in their network defenses before malicious hackers do. The company also provides incident response and security consultants, as well as its flagship product, Hyver, which helps companies assess their entire network and assets.

It’s a bet that’s working: CYE says it has been profitable since it was founded, and has customers in the Fortune 500. The company has presence in London, and recently opened a New York office.

CYE’s chief marketing officer Sharon Argov told TechCrunch that the company will use the $100 million investment to expand its operations, invest in research and development, sales and marketing, and plans to double its 80-person workforce.

Aronashvili said in remarks that the company is “laser-focused on building a company that fundamentally changes the way organizations approach cybersecurity, enabling them to accurately assess the most urgent threats to their business.”

#computer-security, #computing, #cryptography, #cybercrime, #data-protection, #data-security, #eqt, #laser, #london, #malware, #new-york, #security, #technology

0

MetroMile says a website bug let a hacker obtain driver’s license numbers

Car insurance startup MetroMile said it has fixed a security flaw on its website that allowed a hacker to obtain driver’s license numbers.

The San Francisco-based insurance startup disclosed the security breach in its latest 8-K filing with the U.S. Securities and Exchange Commission.

MetroMile said a bug in the quote form and application process on the company’s website allowed the hacker to “obtain personal information of certain individuals, including individuals’ driver’s license numbers.” It’s not clear exactly how the form allowed the hacker to obtain driver’s license numbers or how many individuals had their driver’s license numbers obtained.

The disclosure added: “Metromile immediately took steps to contain and remediate the issue, including by releasing software fixes, notified its insurance carrier, and has continued its ongoing operations. Metromile is working diligently with security experts and legal counsel to ascertain how the incident occurred, identify additional containment and remediation measures, and notify affected individuals, law enforcement, and regulatory bodies, as appropriate.”

Rick Chen, a spokesperson for MetroMile, said that the company has so far confirmed that driver’s license numbers were accessed, but that the “investigation is still ongoing.”

MetroMile has not disclosed the security incident on its website or its social channels. Chen said the company plans to notify affected individuals of the incident.

News of the security incident landed as the company confirmed a $50 million investment from former Uber executive Ryan Graves, who will also join the company’s board. It comes just weeks after the auto insurance startup announced it was planning to go public via a special-purpose acquisition company — or SPAC — in a $1.3 billion deal.

#articles, #automotive, #computer-security, #computing, #data-security, #driver, #executive, #insurance, #law-enforcement, #metromile, #ryan-graves, #san-francisco, #security, #security-breaches, #startup-company, #u-s-securities-and-exchange-commission, #uber

0