GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

Putin signed the law on the isolation of the Russian Internet (Runet)

On May 1, Putin signed a law on the isolation of the Runet. Thus, Russia will have its own Internet. And it will happen this year. Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media) and other agencies are currently preparing relevant regulatory documents and technical means that will make the Internet in Russia autonomous and controllable.

Starting in 2014, relations between Russia and Western countries began to deteriorate rapidly. It became obvious that, in the event of further escalation of the conflict, the Western partners of the Russian Federation could extend the policy of sanctions to any sphere of public life, including IT.

The threat of disconnecting Russia from the global Internet became real in 2018, when the US developed and approved a cybersecurity strategy. According to it, Russia and Russian hackers were declared one of the main threats to US cybersecurity. The text of the strategy states that the United States intends to punish those who represent a threat to US cybersecurity.

In addition to Russia, North Korea, China and Iran are enemies in the new US cybersecurity strategy. Two of these countries have already created their own sovereign Internet.

According to the Russian authorities, the main goal of the new law is to ensure the functioning of the Internet, even if someone decides to disconnect the Russian Federation from the relevant servers.

In accordance with the new law, all operators will be required to install additional equipment that should ensure the operation of the Internet throughout Russia without problems. Many experts already believe that the cost of the Internet for Russian citizens will grow by 10-20% because of this decision.

The new law determines that Roskomnadzor assumes all the authority for managing networks in case of threats to the Russian Internet. In addition, Roskomnadzor has the right to directly block websites with prohibited information.

Recently it turned out that one law on the isolation of the Russian Internet was not enough. Now the Government is developing a new bill. Under it, all networks in Russia are to be divided into three levels: local, regional and all-Russian. Connection to foreign networks will be allowed only at the all-Russian level, and connection to the global Internet will be prohibited at the local and regional levels.

The law on the isolation of the Runet will come into force in November 2019. The State has provided about 30 billion rubles ($460,000,000) in financing for its execution. Critics of the law believe that it will introduce total censorship in Russia and, most importantly, that the Internet in Russia will become slower and more expensive.