Third-party exposures. Data collection and consent. Patching issues.
At a glance.
- Britain’s Labour Party is the victim of a third-party data incident.
- Australia’s Office of the Australian Information Commissioner finds fault with a company’s data collection.
- Healthcare breaches in the United States.
- An unpatched flaw exposes data at the University of Colorado.
- A healthcare training platform suffers an exposed AWS S3 bucket.
Labour Party suffers third-party data incident.
The UK Labour Party has disclosed that it suffered a data incident, possibly the result of a ransomware attack on a third party that manages the Party’s data. While an investigation to determine what data has been affected is still ongoing, the Party states, “We understand that the data includes information provided to the Party by its members, registered supporters and affiliates and others who have provided their information to the Party.” The Guardian notes that the Party currently has around 430,000 members and collects contact information and basic financial data such as direct debit details. It is not clear at this point whether the attack was intended to target Party data, or whether the Labour Party was simply collateral damage, although Sky News said early evidence points to a ransomware attack. This is not the first data breach affecting Labour Party members: the Party was one of many entities hit by last year’s ransomware attack on cloud computing company Blackbaud.
Clearview AI ordered to cease operations in Oz.
After determining that the American facial recognition software company Clearview AI was collecting data from Australians without their consent, the Office of the Australian Information Commissioner (OAIC) ruled that Clearview could no longer collect images from websites and had to destroy the Australian data it had already collected, CRN Australia reports. Clearview uses photos scraped from social media in its facial recognition process, and OAIC says these methods violate Australian privacy law. Information Commissioner Angelene Falk said Clearview’s techniques pose “a significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images may be searched in Clearview AI’s database… The covert collection of this type of sensitive information is unreasonably intrusive and unfair.” The company disagrees with the decision and will ask the Administrative Appeals Tribunal to review it. Mark Love, a lawyer for Clearview in Australia, said: “jurisdiction … Clearview AI has not broken any law, nor has it interfered with the privacy of Australians. Clearview AI does not do business in Australia (and) does not have Australian users.”
Healthcare breaches in the United States.
In further evidence that the healthcare sector is being targeted by threat actors, several US medical providers have reported recent incidents. GovInfoSecurity reports that Community Medical Centers, a group of nonprofit health centers in California, suffered a cyberattack that potentially exposed the personal information and protected health information of at least 656,000 people. In neighboring Nevada, the Las Vegas Cancer Center disclosed a Labor Day weekend ransomware attack that likely affected thousands of patients. Across the country, the Cumberland Times-News reports that the Office for Civil Rights of the US Department of Health and Human Services is investigating the upsurge in ransomware attacks in the state of Maryland. Former FBI Supervisory Officer Jason G. Weiss, now of the law firm Faegre Drinker Biddle & Reath, told GovInfoSecurity: “Growing up and becoming bigger, more serious and more intrusive … It’s time to act now.”
A software vendor flaw affects the University of Colorado.
Staying in the United States, the University of Colorado Boulder (CU Boulder) has begun notifying thousands of former and current students of a data breach that may have exposed their data. Infosecurity Magazine explains that the incident was the result of an unpatched flaw in software supplied to the school’s Office of Information Technology (OIT) by Atlassian Corporation Plc, an Australian company that makes products for software development teams. Atlassian released a patch for the flaw on August 25, but CU Boulder says OIT was still preparing to deploy the upgraded software when the breach occurred. The school says the majority of the 30,000 people potentially affected are former students or staff. No Social Security numbers or financial data were compromised, but the affected information includes student ID numbers, addresses, dates of birth, phone numbers, and gender.
Comment on Facebook’s removal of facial recognition.
Paul Bischoff, privacy advocate at Comparitech, sent us a comment on Meta (formerly Facebook) and its decision to drop facial recognition. He thinks the company is doing the right thing:
“Facebook is taking a step in the right direction by abandoning facial recognition. Facebook hasn’t really clarified why it’s removing facial recognition, but it could be preemptively planning for new regulations and legal precedents regarding the technology. Clearview.AI, which has just been ordered to remove facial recognition data collected from Australians, is a prime example.
“Removing facial recognition improves user privacy in a number of ways. One of them is that Facebook will get rid of what is arguably the largest database of face models in the world. Were law enforcement or another authority to approach Facebook and force it to identify someone in a photo taken by a security camera, for example, Facebook could no longer do so. In addition, users can no longer use Facebook’s facial recognition to identify and track down the people in their photos.
“Earlier this year, Comparitech published its analysis of the 100 most populous countries in the world for their use of facial recognition technology in government, police, airports, schools, banks, workplaces, as well as on buses and trains.”
Student data exposed by a medical training organization.
vpnMentor reports finding a large data exposure at Phlebotomy Training Specialists, a platform that connects people seeking phlebotomy certification with training centers in multiple US states. ZDNet says the exposed data comprised nearly two hundred thousand files, some 157 GB in total.
Troy Gill, Senior Director of Threat Intelligence at Zix | AppRiver, wrote to comment on the attractiveness of the healthcare, education and training sectors to criminals:
“The healthcare and education sectors continue to be a prime target for cybercriminals who find new ways to obtain the endless sensitive information of patients and students, due to the organizations’ need to store such data. In the case of a US medical school, a server without authentication checks left the Personally Identifiable Information (PII) of thousands of students exposed.
“This is a great reminder for organizations to review their security solutions and assess their current authentication practices to ensure that they are developing the most secure habits to protect themselves and the sensitive data they store against bad actors. It is critical that authentication controls are not only in place, but that organizations go one step further by deploying two-factor authentication (2FA). The implementation of 2FA offers an additional layer of security by requiring users to confirm their identity, most often via a unique code sent to their phone or email address or via an authenticator app, after having entered their username and password. It is increasingly easy for cybercriminals to break even the most complex password, which is why the implementation of 2FA is essential. … not recycled between services.
“To avoid simple mistakes that can lead to attacks and data theft, organizations should also make a habit of deploying regular security audits to identify vulnerabilities and other suspicious behavior, allowing them to ensure that sensitive data are regularly backed up.”