Business Information Security – Cybersecurity Services


Jordi Bonete // 11 October 2018

Privacy and security policies have been a hot topic in recent months, and many of our customers have become alarmed by news about information processing and data theft.

In this article, we explain why taking care of information is more important than ever, and we look at some of the most talked-about controversies so far this year.

“Information is power” is a very hackneyed phrase, but no less true. The more information an organization has about its clients, the greater its capacity to understand them. In the middle of the digitalization era, this access to data multiplies exponentially. Everything we do is traceable, and from that traceability more information can be acquired. Companies know this and consider this data one of their core assets. Without information there is no knowledge, and without knowledge there is no success.

What means do companies use to obtain this coveted asset?

There are two ways to obtain this information: the legal one, transparent towards the user, provided that the user's express consent is requested (after the user has been informed of how the data will be processed); and the dark and invasive one, which takes advantage of security failures or violates regulations to obtain this precious raw material.

Unfortunately, the second way is more common than users would like.

Companies such as Facebook, Instagram and WhatsApp have adopted a “take it or leave it” position to avoid regulation.

This is how some companies violate the GDPR, which allows data processing whenever it is necessary for the provision of the service, but not when the data is additionally used for advertising or sold. In that case, users should be able to choose freely (without risk of having their account removed or blocked).

CASE: British Airways

The data of 380,000 credit cards of British Airways users was exposed after the airline's website and mobile application were hacked.

The study prepared by the security firm RiskIQ explained how the theft originated in the modification of twenty-two lines of code in a Java library located on the airline's servers.

The airline is thus facing a fine of up to 897 million pounds, or 4 percent of the turnover of its parent company, if the regulators show that it did not do enough to keep its customers’ data safe.

For the GMB union, the failure was a consequence of the cuts recently applied at the company, which involved, among other things, the elimination of 700 employees and the outsourcing of the IT department.

The twist in the BA case is that the airline had previously been involved in a controversy on social networks, in which its community manager urged users who wanted to make complaints about the company to provide information such as their full name, passport number, expiration date and other identifying information, supposedly to comply with the GDPR.


CASE: Uber

Dara Khosrowshahi, CEO of Uber, reported that the company's database was hacked by cyber attackers in 2016, exposing and affecting more than 57 million users.

The company kept the case confidential for one year without notifying anyone of what had happened, thus violating its clients' privacy and security policies, since by law it was obliged to inform them.

However, it is worth mentioning that during this period the company, in order to remedy its error, contacted the company HackerOne, which helped prevent hackers from publishing the information on the deep web.

The data compromised in the theft included names, email addresses and telephone numbers of clients worldwide.

CASE: Cambridge Analytica

How did they get millions of people's private data?

Aleksandr Kogan is the developer and creator of “This is your digital life”, a personality test in application format that Cambridge Analytica used to obtain data through Facebook. More than 265,000 users accepted the privacy policies and filled out the test, thereby granting permission to access their personal information and their network of friends, without the consent of the latter. The application reached 80 million users and Cambridge Analytica ended up with a huge database.

With this volume of data, and in violation of the social network's privacy and usage policies, political advertisements were generated, mostly aimed at promoting Donald Trump's presidential campaign and the United Kingdom's Brexit. In addition, according to Facebook's policies, data collected on its platform can only be used for the purposes of the application itself. That is, it cannot be transferred or sold and is for academic use only.

CASE: TicketMaster

Customer service, one of Ticketmaster's products, is managed by Inbenta Technologies. The provider was accused of being responsible for the JavaScript security flaw, which exposed the information of almost 5% of Ticketmaster's global customer database. To analyze and explain what happened, both parties agreed to an investigation, in which Inbenta maintains that the privacy violation was caused by a JavaScript error, in JavaScript that had been customized to Ticketmaster's requirements.

“(…) This code is not part of any of Inbenta’s products. Nor is it present in any of our other implementations. TicketMaster directly applies the script to its payment page, without notifying our team. If we had known that the custom script was being used in this way, we would have discouraged it, since it carries a greater risk of vulnerability.” (Jordi Torras, Director General of Inbenta, 2018)

However, because of this JavaScript failure, many clients were exposed to hackers. Information such as names, surnames and bank details could have been captured and used inappropriately.

Once the source of the error was located, TicketMaster decided to notify internationally those clients who could be affected by the failure. As a precaution against any adverse consequences, the e-mail indicated the security measures that potentially affected persons should follow.

As a user, what can I do?

Privacy policies are our right as users and must be respected. So far we have only seen Mr. Zuckerberg apologize and explain the changes he made after the fact, once he knew what was happening on his social network. This has convinced neither the professionals of the sector nor the users, since, despite knowing about Cambridge Analytica's practices, he allowed the company to continue operating and advertising on his social network and imposed no sanction on it.

As users, the only thing we can do is join the campaign launched by the OCU, which urges Facebook Spain users to file a collective complaint and claim compensation for the improper use of our data.


At R3 Cybersecurity we believe that only we own our data, and that we have the power to decide what to do with it or to whom to market it.



