Facebook faces its second privacy-related fine in Europe, with the most recent action taken by the Italian Competition Authority. Facebook was hit with two fines, totaling 10 million Euros (about $11.3 million), for violating Italy’s Consumer Code.
The Italian Competition Authority (ICA) found that Facebook violated several articles of the Consumer Code, including Articles 21 and 22, by misleading consumers about how their data would be used. In particular, the ICA found that Facebook does not explicitly inform people at registration that their information will be used for commercial purposes.
Read more about the new privacy-related fine for Facebook on Threatpost.
Uber was fined a combined $1.17 million by British and Dutch authorities for a 2016 data breach that exposed the personal details of millions of customers.
The U.K.’s Information Commissioner’s Office (ICO) announced a £385,000 fine ($491,284) against the ride-sharing company for “failing to protect customers’ personal information during a cyber attack” in October and November of 2016. The Dutch Data Protection Authority imposed its own €600,000 ($679,257) penalty for the same incident. The 2016 cyberattack allowed hackers to access the personal details of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands.
A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app. The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text.
As a result, hackers were able to make off with 330,000 legitimate credentials, which they published in September 2018 on Pastebin and Mega. The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 credentials have been confirmed.
GDPR is now six months old, so it is time to assess the regulation's impact so far. At first blush it would appear that very little has changed: there have been no well-publicized actions against offenders and no large fines levied. So does this mean it is yet another regulation that will be ignored? Nothing could be farther from the truth.
GDPR is a much-evolved form of European regulation that allows data subjects to file suits against data collectors who they believe are violating their rights. On the day GDPR came into force, complaints were filed by data subjects against Facebook and Google. This battle is going to be fought in the courts of the 28 EU member states much sooner than before the national data protection authorities that enforce the law and hand out fines for violations.
Predictions are tough, but even more so in the chaotic world of cyber security. The threat landscape is huge, offensive and defensive technologies are evolving rapidly, and nation-state attacks are increasing in terms of scope and sophistication. This cyber “fog of war” makes it hard to see or assess every trend.
Despite this, it is still possible to make some reasonably accurate predictions based on current developments. CSO therefore asked CSO staff and contributors to tell about the biggest events or trends they anticipate for the next 12 months.
Read about the 9 major cyber security predictions for 2019 on CSO.
Security behaviors are poor across most industry sectors in Europe and the United States, regardless of employees' attitudes towards security. In the largest study on security culture to date, the Norwegian software company CLTRe AS reveals data from more than 20,000 employees across seven languages.
The Security Culture Report 2018 revealed that poor security behavior is evident in most industry sectors, with the real estate sector consistently worse in cybersecurity culture than any other, while security culture in the finance sector is better than in any other sector.
PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed. No new requirements are added in PCI DSS 3.2.1. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.
“This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in 3.2, as well as the migration dates for SSL/early TLS,” said PCI SSC Chief Technology Officer Troy Leach. “It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.”
Learn more about PCI DSS version 3.2.1 and how it is different from version 3.2 on Help Net Security.
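The practical content of the 3.2.1 update is the SSL/early TLS migration: SSL (all versions) and TLS 1.0 must be off, and PCI SSC recommends TLS 1.2 or higher. The following is an added example, not part of the PCI DSS text or the Help Net Security article, of how an assessor or engineer would check that in practice: it parses nginx-style `ssl_protocols` directives from two constructed sample configs (one weak, one hardened), buckets each protocol, and builds the client-side counterpart with Python's `ssl` module, a context that refuses to negotiate below TLS 1.2. The treatment of TLS 1.1 as "discouraged" rather than prohibited reflects PCI SSC's published guidance but is this example's classification, not a quotation of the standard; the file paths in the samples are placeholders.

```python
import ssl

# Protocol tokens as they appear in an nginx `ssl_protocols` directive.
# PCI DSS 3.2.1 Appendix A2: SSL and early TLS (TLS 1.0) must be disabled;
# PCI SSC accepts TLS 1.1 but strongly recommends TLS 1.2 or higher.
# (Classification is this example's reading of that guidance.)
PROHIBITED = {"sslv2", "sslv3", "tlsv1", "tlsv1.0"}
DISCOURAGED = {"tlsv1.1"}
ACCEPTABLE = {"tlsv1.2", "tlsv1.3"}

# Constructed sample configs; paths are placeholders, not a real deployment.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # still accepts SSL and early TLS
    ssl_certificate /etc/ssl/example.crt;
}
"""

HARDENED_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/ssl/example.crt;
}
"""


def find_ssl_protocols(config_text):
    """Return [(line_number, [tokens]), ...] for every ssl_protocols directive."""
    results = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # strip trailing comments
        if not line.startswith("ssl_protocols"):
            continue
        value = line[len("ssl_protocols"):].strip().rstrip(";")
        results.append((lineno, value.split()))
    return results


def assess_protocols(tokens):
    """Bucket each protocol token. Unknown spellings are reported, not
    silently accepted, because an unrecognised token may be a typo that
    nginx would reject or a version this checker has not been taught."""
    findings = {"prohibited": [], "discouraged": [], "acceptable": [], "unknown": []}
    for token in tokens:
        key = token.lower()
        if key in PROHIBITED:
            findings["prohibited"].append(token)
        elif key in DISCOURAGED:
            findings["discouraged"].append(token)
        elif key in ACCEPTABLE:
            findings["acceptable"].append(token)
        else:
            findings["unknown"].append(token)
    return findings


def is_pci_acceptable(config_text):
    """True only if every ssl_protocols directive enables no SSL/TLS 1.0,
    has no unknown tokens, and enables at least TLS 1.2. A config with no
    directive at all falls back to nginx's compiled-in default, which this
    static check cannot see, so it is reported as not acceptable."""
    directives = find_ssl_protocols(config_text)
    if not directives:
        return False
    for _, tokens in directives:
        f = assess_protocols(tokens)
        if f["prohibited"] or f["unknown"] or not f["acceptable"]:
            return False
    return True


def pci_client_context():
    """Client-side counterpart: a context that will not negotiate below
    TLS 1.2, so a misconfigured server fails the handshake loudly."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for lineno, tokens in find_ssl_protocols(cfg):
            print(f"{name}: line {lineno}: {assess_protocols(tokens)}")
        print(f"{name}: PCI-acceptable = {is_pci_acceptable(cfg)}")
```

The static check only tells you what the config file asks for; a live handshake test against the listener (for instance, attempting a TLS 1.0 connection and confirming it is refused) is still needed, because the effective protocol set also depends on the OpenSSL build and on any directive in an included file.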
A new research study from SMU’s Darwin Deason Institute for Cyber Security finds that executives are changing the way they manage and invest in cybersecurity, moving away from limited, reactive approaches and adopting systemic risk management frameworks that combine hardware, software and operations protocols to mitigate cyber risk.
Read about the new study by SMU’s Darwin Deason Institute which reveals that business executives are changing the way they manage and invest in cyber security on Phys.
Survey Finds Businesses Freezing Compliance Budgets, Despite Growing Regulatory Burden — Nearly half of businesses have static compliance budgets and rely on labour-intensive manual processes, despite 72% of organisations now viewing compliance as a priority.
72% of businesses view regulatory compliance as a high priority, but despite this more than half (53%) have cut or frozen their budgets for compliance and risk management, according to a new survey conducted by SureCloud, a supplier of Cloud-based Governance, Risk and Compliance (GRC) solutions and security services.
Read more about the new SureCloud survey, which reveals that nearly half of businesses have frozen their risk management and compliance budgets, on Top Tech News.
Read Amrit Williams' best practices for ensuring compliance in the age of cloud computing on Help Net Security:
When was the last time you heard someone utter the sentence, “I’m looking forward to the audit next week.” Most likely, never. Since its invention, the word “audit” has struck … well, if not terror, then certainly groans in the individuals responsible for ensuring the resources being audited are compliant with appropriate regulations. The fact is that compliance is still largely a manual set of processes, even though the regulatory landscape is continually more complex. Finding and hiring enough qualified compliance people is difficult and, ultimately, doesn’t scale well.