ABC’s of Privacy This Week-April 24

Applause

• ICO lists privacy considerations for COVID-19 tracking tech

According to recent reports, the U.K. Information Commissioner’s Office has produced a list of privacy considerations for organizations as they use technology to track COVID-19. The questions, presented by Information Commissioner Elizabeth Denham, included whether any personal data collected is necessary and how privacy is built into the “processor technology.”
For more info: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/combatting-covid-19-through-data-some-considerations-for-privacy/

• OPC releases COVID-19 assessment framework

The Office of the Privacy Commissioner of Canada, commonly known as the OPC, has released an assessment framework designed to help government institutions respond to the COVID-19 pandemic while ensuring public health initiatives respect the privacy principles found in Canadian law.

The principles include using de-identified and aggregated data when possible and for any proposed measure to combat the pandemic to have a clear legal basis.
For more info: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/an_200417/

• European Commission issues guidance on COVID-19 apps

The European Commission has recently announced its guidance on data protection for apps aimed at combating the COVID-19 pandemic. The Commission has explained requirements for app development before applying the direction, which was released with the EU toolbox for contact tracing apps. Commissioner for Justice Didier Reynders spoke about how the guidance supports the safe development of apps and protects the citizens’ data.
For more info: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_669

Data Breaches

• 23M usernames, passwords leaked

According to ZDNet, usernames and passwords of almost 23 million Webkinz children’s game players were leaked by an anonymous hacker.The hacker posted a part of the game’s database containing 22,982,319 usernames and passwords on a hacking forum. A Webkinz spokesperson said that although they had information about such an attack, they did not know that the hacker had succeeded.

Webkinz claims to have added more security measures while assessing all the points of entry into their data post the discovery of the breach.
For more info: https://www.zdnet.com/article/hacker-leaks-23-million-usernames-and-passwords-from-webkinz-childrens-game/

• Hartford Healthcare patient data compromised in the breach

Infosecurity Magazine reports, a Hartford HealthCare data breach compromised approximately 2,651 patients’ personal information on 14th February 2020.Hartford HealthCare, which serves Connecticut & Rhode Island, revealed that the attackers had accessed names, birth dates, and clinical and health insurance information after compromising two employee email accounts. The compromised data also included a Social Security number for 23 patients.
For more info: https://www.infosecurity-magazine.com/news/hartford-healthcare-data-breach/

• Misconfigured server exposes Clearview AI’s internal data

According to Tech Crunch, a misconfigured server exposed facial recognition company Clearview AI’s internal files. SpiderSilk, a Dubai-based cybersecurity firm, found the database, which also included some of the company’s keys and credentials used to access its cloud storage buckets. Hoan Ton-That, the founder of Clearview AI, said, no “personally identifiable information, search history or bio metric identifiers,” were exposed.
For more info: https://techcrunch.com/2020/04/16/clearview-source-code-lapse/

• Cruise passengers’ personal information breached

According to CBC News, the personal information of 247 Canadian passengers aboard a Holland America Line cruise ship amid the COVID-19 outbreak was breached.Global Affairs Canada revealed that it had mistakenly emailed an attachment to all Canadian passengers that contained each of their addresses, birthdates, email addresses, phone numbers, and passport numbers.

One of the passengers, Wendy Mitchell, has filed a complaint against Global Affairs Canada with the Office of the Privacy Commissioner of Canada.
For more info: https://www.cbc.ca/news/business/zaandam-cruise-privacy-breach-canadians-1.5531124

• Organizations assisting COVID-19 response targeted in a ransomware attack

Financial Post reports, a pair of Canadian organizations, assisting in response to COVID-19 were targeted in a ransomware attack. The U.S cybersecurity organization Palo Alto Networks first reported the attack, the report said that the hackers targeted the computer files of “several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research.”
For more info: https://business.financialpost.com/technology/canadian-coronavirus-response-workers-targeted-in-ransomware-attack-u-s-firm

Current News

• Facebook, LinkedIn, Zoom sued over data-sharing claims

Law360 reports, a class-action lawsuit has been brought against Facebook, LinkedIn, and Zoom, alleging that personal information from Zoom user accounts was shared with the social networking sites. In their complaint to the U.S. District Court for the Central District of California, the plaintiffs alleged that the data sharing was executed by “willfully and intentionally using a recording device to record and eavesdrop” on conversations.
For more info: https://www.law360.com/cybersecurity-privacy/articles/1263127/facebook-linkedin-sued-for-eavesdropping-on-zoom-users?nl_pk=b12ded73-5191-4353-b2be-0dc6455be823&utm_source=newsletter&utm_medium=email&utm_campaign=cybersecurity-privacy

• 500K Zoom users’ credentials for sale on the dark web

According to the DailyMail, more than 500,000 Zoom users’ credentials, including email addresses and passwords, as well as host keys that allow users to enter meetings, were found for sale in a hacker forum for less than a penny each. Since then, Zoom has claimed to hire intelligence firms to investigate the incident, lock compromised accounts, and ask users to change their passwords. Zoom is reportedly also considering implementing additional solutions.
For more info: https://www.dailymail.co.uk/sciencetech/article-8218723/More-500-000-Zoom-user-credentials-sold-dark-web-PENNY-each.html