
Courts Reining In What it Means to be a “Hacker” Under the Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (“CFAA”) is an anti-hacker statute that prohibits unauthorized access, or the exceeding of authorized access, of computers connected to interstate commerce

How to avoid a €100 million data fine in Europe

A law approved by the European Parliament on Wednesday and aimed at protecting citizens’ privacy comes with sweeping penalties for breaches—up to €100 million (US$139 million) or 5 percent of global annual turnover, whichever is larger. The European Data Protection Regulation will apply not only to European companies, but any company that does business in the European Union.

State inspectors should probe financial watchdog chief for data theft

The Board of Audit and Inspection of Korea began an inspection of the country's financial watchdog agency Wednesday over a large-scale theft of customer information from some local financial institutions

Thames Valley police face fine for officers' £800-a-head claims scam

A police force faces a fine from the information commissioner and compensation claims from thousands of motorists after an officer stole accident victims' details from a police computer and sold them on to personal injury solicitors

Loyaltybuild reopens for business after huge data breach

The company at the centre of the biggest data breach ever dealt with in Ireland has recommenced trading and said it had invested €500,000 in new security systems after the criminal attack last year

Telstra fined, warned after new privacy breach

TELSTRA has been fined $10,200 and warned over privacy breaches after an information leak exposed almost 16,000 of its customers’ private data online. In a joint investigation by the federal Privacy Commissioner and the communications watchdog, Telstra was found to have breached the Privacy Act by exposing online the data of some 15,775 Telstra customers, including 1257 silent line customers, when the telco giant failed to adequately protect the information. The breach, discovered in May last year, meant that private customer data including names, telephone numbers and home and business addresses could be found through simple Google searches. The information was available online between February 2012 and May 2013 and included information from Telstra customers from the period 2006-2009. Telstra advised that there were at least 166 unique downloads of these records. In its investigation, the Office of the Australian Information Commissioner (OAIC) found that Telstra breached the National Privacy Principles (NPP) by: failing to take reasonable steps to ensure the security of the personal information it held; failing to take reasonable steps to destroy or permanently de-identify the personal information it held and; by disclosing personal information other than for a permitted purpose.

E-toll site not hacked, claims Sanral

The South African National Roads Agency (Sanral) has denied it suffered a widely-reported breach, or leaked any personal information. E-mails from Sanral have made this claim in the wake of multiple breaches of its user data, and repeated calls for the agency to alert its customers that their data may have been compromised. ITWeb has received copies of e-mail correspondence allegedly between Sanral and an e-toll user in which the user requested clarification on the agency's security breaches and asked whether his details had been exposed. Sanral's responses included this statement: "Please be advised that we have not received any communication with regards to a security breach, hence we have no knowledge of a breach thereof […] Your details are safe, because we have international best practice security systems in place." Another e-mail states: "Please be advised that your account details are safe. Note that the e-toll system has international best practice security systems in place; including protective measures to ensure that road user e-toll account details remain secure." Sanral refused to answer queries asking it to confirm or deny the statement or its claims. The agency, which has failed to respond to several queries from ITWeb journalists in recent weeks, sent a terse message stating it will no longer respond to media queries. The message, sent on behalf of Sanral spokesman Vusi Mona, states: "In light of your publication admitting to hacking into our system, Sanral will no longer cooperate with ITWeb as you are dealing with us in bad faith." ITWeb, in the course of routine investigation into the previous breaches, took steps to confirm the Web site flaws existed and were vulnerable, and had ensured Sanral, and any users involved, were appropriately notified. Aside from that tacit admission that it knew ITWeb had reported on several breaches, the suggestion it has no knowledge of a breach is a surprising U-turn.
Several executives, including spokesman Vusi Mona, previously acknowledged the attacks, describing the agency as being the victim of "cyber attacks" and "deliberate exploitation". Sanral also previously said it would take legal action in the wake of the cyber attack, but did not explain who it would seek recourse from. "Sanral is currently investigating options available to it," it said at the time.

Data breach: asylum seeker claims she was told to sign waiver

A Chinese asylum seeker at Villawood detention centre says an immigration department officer threatened to force her on to a plane for deportation if she did not sign a document waiving the department’s responsibility for harm she may suffer if she was returned to China after a massive data breach

Statista Says Around 50,000 Users Are Impacted by Data Breach

On Saturday, we learned that statistics company Statista suffered a data breach. The company has responded to my inquiry about the incident and provided additional details. It turns out that roughly 50,000 users are impacted by the data breach. The incident was discovered after spam emails started landing in email addresses that were used by the company only internally. After the spam emails were spotted, the company reviewed its systems and discovered the intrusion, Statista representatives told me in an emailed statement. The company’s representatives say that since the relaunch in December 2013, they’ve been using “512-bit encryption with salt.” However, the passwords of those who signed up before this date were stored in the Statista database as MD5 hashes. As many experts will tell you, MD5 passwords can be easily cracked. Statista has sent out two types of notifications: one for customers whose passwords were encrypted with MD5, and one for those whose passwords cannot be cracked. The company has reset the passwords of users whose accounts were not properly protected. Users who have registered an account more recently are not required to change their passwords, but they can do so, if they wish to, as a precaution. Statista customers whose passwords have been exposed are advised to change all their passwords in case they’ve used the same one for multiple online services. Also, since Statista has been getting spam emails, it’s likely that all of the 50,000 users whose email addresses have been exposed are receiving unsolicited emails. Users should act with caution if they come across suspicious emails in their inbox.

Asylum seeker data breach triggers court battles

The federal government will be forced to simultaneously fight dozens of court appeals later this month following a privacy breach, with about 40 asylum seekers preparing to launch appeals against their deportation in the Federal Circuit Court. The asylum seekers are among the 10,000 who had their personal details revealed when the Department of Immigration and Border Protection (DIBP) inadvertently released their names and addresses in a mass data breach on its website. By Monday, 36 asylum seekers will have lodged individual court applications from detention centres in Sydney, Western Australia and Darwin, claiming the data breach puts them at risk of persecution in their home countries and they should automatically be given permanent protection. More than a dozen asylum seekers already have matters listed in Sydney on March 19. It is understood that number will quickly grow, and moves are under way to combine them into a class action. Some asylum seekers have claimed that the department asked them to sign waivers stating that they would not hold the department responsible for any harm that came to them after they were deported to their home country. The principle of non-refoulement, which stresses that asylum seekers should not be returned to known harm, is the cornerstone of the Refugee Convention, to which Australia is a signatory. Edmund Rice Centre researcher John Sweeney – who has visited asylum seekers preparing to challenge their looming deportation, including some who claim to have been given the waiver – said deporting asylum seekers to suspected harm constituted refoulement. He said some had been issued with deportation notices after their personal details had been leaked online. "This is absolutely bizarre," Dr Sweeney said. "They have an absolute right not to be returned to danger ... They can't sign it away and Australia's asked them to do so."
Guardian Australia revealed last month that the personal details of 10,000 asylum seekers – including names, addresses, ages, home countries and boat arrival information – had been revealed on the DIBP website. The department has regularly warned the media that publishing any personal or identifying details of asylum seekers could lead to their claim being successful because of any danger they could now face by returning to their home country. In a letter, a group of asylum seekers in Villawood spoke of their fears of being pressured to return by the Department of Immigration. "We are a group of weak people and our fate rests in the hands of immigration," they wrote. "We don't know in the face of so much pressure how long we can hold on." A spokeswoman for Immigration Minister Scott Morrison said: "Individual claims are assessed on their merits, taking into account any factors considered relevant to their claim. "I am advised that the department is putting in place arrangements to notify those who may have been affected by the data breach. "All staff working in detention facilities are required to act with professionalism when dealing with asylum seekers."

The Timken Company notifying 5,000 associates after data exposed on insecure server

Ohio-based The Timken Company, a global steel and bearing manufacturer and supplier, is notifying current and former associates and job applicants of a data security breach that occurred on January 30 and was discovered February 19. The breach occurred when a file containing personal information was stored on a server normally used for interchange of non-confidential information with third parties. Personal information in the file included names, addresses, dates of birth, Social Security numbers, and results of employment hearing screening. A letter to those affected signed by company officers Donald L. Walker and Daniel E. Muller informed recipients that there had been one unauthorized access to the file on January 30, but the company had no evidence of any misuse of the information. Recipients were offered a year of credit monitoring with Experian ProtectMyID.

Wintec shuts web site after security breach

She wanted to apply for a parking permit - instead Wintec student Bronwyn Fleet got the details of people who already had. The second-year student visited the application site in the student portal in January and was astounded when a list including names, contact numbers and car registration numbers appeared on the screen. It was fixed after complaints but yesterday Ms Fleet's classmate reported the same problem. Wintec has taken action by removing the system from its portal until it can be assured it is secure. It is investigating the issue. The institute of technology plans to inform affected students and the office of the Privacy Commissioner. Ms Fleet first saw the parking permit list during the week of January 20. "I was not interested in entering my details on that website, because I didn't want them out there for the world to see," she said. "My concern was really about security . . . if I had a stalker I could be in a bit of trouble." She went straight to Student Services and showed them on their computer, she said. It was still visible the next morning so her friend contacted Wintec, who took it down the same day, Ms Fleet said. "We just thought all good because people make mistakes." So she entered her details, got her permit and thought no more of it until another classmate yesterday complained of the same situation. Ms Fleet investigated and could see the list again by clicking on a drop-down menu - as could anyone with a password for the Wintec intranet, she said. Having strangers know her cellphone number and the type of car she drove was "not cool". Wintec communications director Erin Andersen said an investigation into the underlying issues was under way. The parking permit booking system had been removed from the student portal "until we are assured this will not occur again". "We are treating this seriously, and the privacy of our students. 
Once we have ascertained how many students this has affected, we will notify them of the breach of privacy, its nature, what information has been disclosed, and what we can do to assist them. "We will also be notifying the Officer of the Privacy Commissioner of this," she said. After the first notification on January 24 Wintec investigated immediately, she said, and removed access to a view which showed other student names, student ID, phone and car registration numbers. The system reverted to the correct view of just the applicant's details but yesterday's notification of a similar problem showed there was more to the issue, she said.

Loan firm promises probe after papers found in street

RED-faced bosses have apologised after papers outlining debts owed to a high-interest loan company by South Tynesiders were found discarded in the street

FSS rejects request for data theft probe

The Financial Supervisory Service (FSS) has rejected a consumer group’s request to examine the extent of damage consumers suffered from recent data theft cases involving major financial firms here. The decision has triggered protests from victims. In early February, the Financial Consumer Agency asked the regulator to probe the banks and credit card firms concerned, claiming that the data leaks occurred due to their negligence. It also demanded measures to ensure that all victims get full compensation. The FSS, however, said it won’t investigate individual compensation issues. “We are already examining the theft cases. The banks and card firms will be punished depending on the results,” an FSS official said. “However, the probe will not be expanded into individual breach cases.” Cho Nam-hee, head of the advocacy group, criticized the FSS for neglecting to enhance consumers’ rights. “It was more than a month ago that we requested a probe into the data leaks. It now says it won’t accept our demand,” Cho said. “We simply don’t understand why the FSS is reluctant to address complaints from victims and resolve compensation issues. That’s disappointing.” The organization has also been active in protecting victims of fraudulent bond sales by Tongyang Group. The FSS earlier accepted its request for a probe into the fraud case. “The data theft cases affected the lives of many more people than the Tongyang case. The regulator should listen to the voices of the data theft victims,” Cho said. “The latest cases show financial firms are only obsessed with making money while paying little attention to protecting personal information about their customers.” Hundreds of people recently filed a class-action suit against the financial firms, demanding compensation. The firms include Standard Chartered Bank Korea, Citibank Korea, KB Kookmin Card, Lotte Card and NH NongHyup Bank.

Passport email gaffe latest in series of privacy slips

Hundreds of passport applicants have had their email addresses shared with other applicants in another government privacy botch-up. About 400 people applying online for passports were yesterday sent an email informing them of a system outage on the Department of Internal Affairs website. However, each recipient could see the email addresses - many of which revealed names - of all the other applicants the message was sent to. Among them was Auckland man Oisin Frost, 43, who told the Herald he was "not particularly fussed" by the blunder "but I could understand if some people were". After a series of privacy blunders at the ACC, Ministry of Social Development and Earthquake Commission, Government Chief Information Officer Colin McDonald ordered a review of the state sector's vulnerability to privacy breaches. The State Services Commission also called in senior managers to underline the need to improve data handling. However, Mr Frost said: "It doesn't seem they've moved far enough in the right direction." Internal Affairs general manager of identity and passports David Philp acknowledged the department had breached the privacy of the affected applicants due to human error. "We realised we had made the error immediately after it occurred and took action to deal with it. "We are certain that beyond the email address no other personal details have been disclosed. "We are extremely disappointed that this issue has occurred and will be reviewing the process to make sure it does not happen again. "We have written to each affected applicant and apologised for the privacy breach." Mr Philp said the department took privacy issues very seriously. A spokesman for the Privacy Commission said the organisation had been notified by the department about the email breach.

Privacy breaches
August 2011: An ACC staffer accidentally emails former National Party insider Bronwyn Pullar information about 6700 claimants.
October 2012: Blogger Keith Ng reveals private records including vulnerable children's care home addresses and medical prescriptions are available through public computer kiosks at Work and Income branches.
March 2013: Details of 80,000 earthquake claims mistakenly emailed to a blogger by an EQC staffer.

Personal data of 12 million KT customers stolen: police

SEOUL/INCHEON, March 6 (Yonhap) -- Personal information of some 12 million customers of KT Corp. was found to have been leaked after the mobile carrier's website was compromised by hackers, local police said Thursday. The number of victims accounts for nearly three-fourths of KT's 16 million clients. Three people, including a telemarketer, were arrested in connection with the case, the Incheon Metropolitan Police Agency said. The leaked information included victims' names, resident registration numbers, places of employment and bank account details. Police believe the suspects began stealing the data last February, with up to 300,000 pieces of information being stolen in a single day. They reportedly made 11.5 billion won (US$10.8 million) by using the information to sell mobile phones. A duo of hackers identified only by their surnames Kim and Jung, ages 29 and 38, allegedly broke into the computer system of the telecom firm by logging onto its Web page using a program of their own creation that allowed them to extract information by randomly inserting nine-digit verification numbers, police said. KT said in an official statement it will make efforts to minimize possible damages to customers, adding that the company will cooperate with the police to uncover the details of the incident.

Data theft PC Sugra Hanif dismissed from police force

A police officer has been dismissed from her job after her conviction for stealing and selling details of accident victims

KCOM caught in yet ANOTHER customer privacy snafu

Hull-based telco KCOM has coughed to another privacy clanger - this time admitting to wrongly sharing some of its customers' email addresses with other subscribers

UK: Admiral remaining vigilant after Aviva data breach

Katie Marriner reports an update to the Aviva insider data leak case: Admiral has said it is actively working with claims teams to mitigate the risk of a potential data breach after Aviva sacked two employees for giving customer data to claims farming companies

Thousands of university academic union members made public

The names and details of thousands of university academic union members have been accidentally made public