Facebook’s Latest Breach Illustrates The Limits Of GDPR

Another week, another security failure at Facebook. This week’s “bug” allowed the private photos of up to 6.8 million users to be improperly accessible to up to 1,500 different applications built by 876 different developers for nearly two weeks before the company noticed the security lapse and fixed it. Once again the company is merely “sorry this happened” and is offering no compensation to the users whose trust it violated.

As Facebook racks up security failure after security failure, it raises the question of why users should continue to trust it with their data. Moreover, the company’s two-month wait to notify data protection authorities after it discovered the breach, in spite of GDPR’s 72-hour notification requirement, reminds us that GDPR is far more limited than the public understands.

Read more about the latest Facebook breach on Forbes.

Uber fined nearly $1.2 million by British and Dutch authorities for 2016 data breach

Uber was fined a combined $1.17 million by British and Dutch authorities for a 2016 data breach that exposed the personal details of millions of customers.

The U.K.’s Information Commissioner’s Office (ICO) announced a £385,000 fine ($491,284) against the ride-sharing company for “failing to protect customers’ personal information during a cyber attack” in October and November of 2016. The Dutch Data Protection Authority imposed its own €600,000 ($679,257) penalty for the same incident. The 2016 cyberattack allowed hackers to access the personal details of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands.

Read more about this story on CNBC.

European consumer groups want regulators to act against Google tracking

Consumer agencies in the Netherlands, Poland and five other European Union countries asked privacy regulators to take action against Google for allegedly tracking the movements of millions of users in breach of the bloc’s new privacy law.

Google is already facing a lawsuit in the United States for allegedly tracking phone users regardless of privacy settings. The consumer groups, which included those in the Czech Republic, Greece, Norway, Slovenia and Sweden, filed complaints with their respective national data protection authorities, based on research by their Norwegian counterpart.

Read more about the complaints that could result in astronomical fines for Google under the General Data Protection Regulation (GDPR) on Reuters.

German Regulator Fines Firm for GDPR Failings

A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app. The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text.

As a result, hackers were able to make off with 330,000 legitimate credentials, publishing them in September 2018 on Pastebin and Mega. The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 have been confirmed.

Read more about this story on Infosecurity Magazine.

GDPR’s impact: The first six months

GDPR is now six months old – it’s time to take stock of the regulation’s impact so far. At first blush it would appear very little has changed. There are no well-publicized actions being taken against offenders. No large fines levied. So does this mean it’s yet another regulation that will be ignored? Actually, nothing could be further from the truth.

GDPR is a much-evolved form of European regulation allowing data subjects to file suits against data collectors who they believe are violating their rights. The day GDPR came into force, complaints were filed by data subjects against Facebook and Google. This battle is going to be fought in the courts of the 28 EU countries much sooner than in the offices of their data protection commissioners, who enforce the law and hand out fines for violations.

Read more about the GDPR’s impact so far on Help Net Security.

Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress

A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned. The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites become compliant with the EU’s General Data Protection Regulation (GDPR).

Malicious hackers recently discovered that the plugin is affected by flaws that can be exploited to hijack vulnerable websites. According to researchers on Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites.

Read more about the vulnerabilities of the plugin on SecurityWeek.

Facebook could face $1.63bn fine under GDPR over latest data breach

Facebook could face potentially billions in fines under GDPR for the latest data breach which impacted roughly 50 million accounts. It took mere hours before class-action lawsuits were filed against Facebook for failing to protect user data.

Businesses in the EU are held accountable under the General Data Protection Regulation (GDPR), which came into effect May 25. If Facebook is found to be in breach of GDPR for failing to adequately protect user data over this incident, the company faces a fine of up to €20 million or 4 percent of annual global turnover, whichever is higher. Based on Facebook’s financial results for the last fiscal year, the fine could be up to $1.63 billion.

Read more about this developing story on ZDNet.

UK issues first-ever GDPR notice in connection to Facebook data scandal

The United Kingdom has issued the first GDPR notice in relation to the Facebook data scandal which saw the data of up to 87 million users harvested and processed without their consent.

The UK’s Information Commissioner’s Office (ICO) has recently imposed the maximum fine of £500,000 under the terms of the Data Protection Act 1998 on Facebook for the social media giant’s role in the scandal. Canadian firm AggregateIQ, linked to the Facebook & Cambridge Analytica data scandal, may now receive a fine of up to €20 million, or four percent of annual global turnover, under the EU’s General Data Protection Regulation (GDPR), which came into force on May 25th of this year.

Read more about the first-ever GDPR-related notice on ZDNet.

GDPR Is Coming Soon … and Companies Aren’t Ready

When the European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018, it will affect global companies in a significant way. The initiative establishes specific requirements for how organizations must handle personal data touching E.U. citizens—even businesses that aren’t physically located in Europe.

See the slideshow explaining why businesses are still not ready for the upcoming GDPR data protection regime in the European Union on CIO Insight.

Merging GDPR compliance and cyber-risk management

In preparing for the impending implementation of the EU General Data Protection Regulation, many organizations today are elevating cyber-risk to the top of the corporate agenda, a new cyber-risk perception survey has found.

Read about the new report by Marsh, titled GDPR Preparedness: An Indicator of Cyber Risk Management, which found that many companies are using the European Union’s new data protection regulation to beef up their cyber-risk management, on Compliance Week.