PC PORTAL

Experienced. Trusted. Solutions.

GDPR

By

Security roundup: August 2019

Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: pwning an entire country, data protection developments, and why anonymised data could still add up to your identity.

Bulgarian rhapsody

As data breaches go, four million records barely registers on the scale these days but this one was different. Attackers breached Bulgaria’s National Revenue Agency and extracted personal information about 70 per cent of the country’s citizens. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.” The BBC was quoting Vesselin Bontchev, a cybersecurity researcher and assistant professor at the Bulgarian Academy of Sciences.

The haul included people’s names, addresses, social security numbers and, in some cases, income levels. It also contained information from other government agencies that shared data with each other. Some of the data has since turned up online in hacker trading forums. Many Bulgarians reportedly live in fear of falling victim to scammers, although the NRA has denied this is a risk.

The breach became public after someone claiming to be responsible emailed local media with a link to the leaked data. The message, which apparently originated from a Russian email address, also labelled Bulgaria’s cybersecurity “a parody”. The tax agency claimed in a statement that the information amounts to around 3 per cent of its databases. Bulgarian authorities arrested three men who work for, ironically enough, a cybersecurity consultancy. The charges are for a form of terrorism.

More details are still emerging as we were writing this newsletter, but one thing seems clear. The story gives fresh ammunition to privacy campaigners who warn against trusting governments to protect citizens’ personal data.

Data protection developments: the latest

This month’s GDPRoundup (we’re copyrighting that) takes a trip between the sublime and the ridiculous. First, the EU Data Protection Board, which oversees consistent application of the General Data Protection Regulation across Europe, recently published its annual report for 2018. It includes the practical application of guidelines; the group’s recommendations and best practice; binding decisions; and the levels of data protection of natural persons in the EU.

Points of interest in the report include the EDPB’s plans near term and longer term. Over this year and next, it will consider issues like data subjects’ rights, the concepts of controller and processor, and legitimate interests. Looking further ahead, it plans to evaluate emerging technologies and related developments, including connected vehicles, blockchain, AI and digital assistants, video surveillance, search engine delisting, and data protection by design and by default. The report is free to download here.

Meanwhile, the UK Information Commission has published its draft data sharing code of practice. It’s a practical guide for organisations about how to share personal data while staying compliant with data protection legislation.

Some organisations could clearly do with advice about lots of aspects of GDPR, especially a tendency towards over-enforcing the rules. “In my experience, some organisations are hiding behind the GDPR,” BH Consulting COO Valerie Lyons told the Irish Independent. Poor understanding of the regulation, and inadequate staff training as a result, is to blame. “They are missing out on opportunities where they could be helping their customers because it’s easier to say no,” Valerie said.

Taking GDPR interpretation to extremes

We promised ridiculous, so try this: you won’t find visitor books at Ireland’s most popular heritage sites this summer. Tourists can no longer scrawl signatures or messages at locations like Kilmainham Gaol, Dublin Castle, the Hill of Tara or the Rock of Cashel. The Office of Public Works ordered the books’ removal because of, wait for it, data protection concerns.

The OPW took the view that visitors were recording personal data in the books, which were out of view of staff. Conversely, one privacy expert took the view that this was “insanity” and an “overly literal” interpretation of the regulations.

We can de-anonymise it for you wholesale

Staying with our privacy-themed roundup, here’s a worrying development. Researchers have discovered a way to identify people by reassembling pieces of information that should have rendered them anonymous.

The GDPR’s Article 28 expressly refers to anonymisation as a way to reduce the risk to sensitive personal information. For example, data controllers might use this de-identification approach when sharing large data sets as part of medical research. But a team of scientists from Imperial College London and Université Catholique de Louvain developed a machine learning program that proved wildly successful at beating this technique. As The New York Times reported, the algorithm could identify 99.98 per cent of Americans from almost any available data set with as few as 15 attributes, such as gender, ZIP code or marital status.

The researchers noted in the journal Nature Communications: “Our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.” Helpfully, the researchers also developed a free online tool that lets people check whether their individual characteristics could identify them.

Links we liked

Sound the trumpets: BH Consulting features in top 50 recommended infosec blogs. MORE

They grow up so fast: NoMoreRansom.org turns three, with 108m reasons to celebrate. MORE

Send this up the chain of command. Feds say CEO fraud nets scammers $8.7m a day. MORE

It must be true if the boss says so. Cybersecurity is the ‘biggest threat’ to global economy. MORE

A roadmap for improving security awareness programmes, courtesy of SANS. MORE

Here’s a look behind the UK NCSC’s efforts to ward off attacks. MORE

The Irish Government and National Cyber Security Centre join Have I Been Pwned. MORE

The kill switch that saved the internet from WannaCry: an in-depth report. MORE

Chaos engineering: the next evolution of pen testing. MORE

The Law Enforcement Directive (‘LED’) is a parallel piece of EU legislation to GDPR. MORE

 

The post Security roundup: August 2019 appeared first on BH Consulting.

By

Nine lessons for strong incident response and recovery in a data breach

Data breaches are rarely out of the headlines, but the recent proposed fines against BA and Marriott will have pushed this risk back to the forefront for many businesses. Like many security threats, breaches are nothing new; we’ve covered this subject on our blog many times in the past.

A data breach can take many forms; it can involve an employee losing a laptop or mobile device that contains data about an organisation’s employees or customers. It might involve a criminal infiltrating IT systems to steal payment card numbers or bank account details. When the data involved is personally identifiable information, the General Data Protection Regulation comes into play. Under GDPR, organisations must report a breach to the data protection supervisory authority within 72 hours. A look through our archives netted us a valuable haul of nine lessons from past breaches that can help to guide you in forming an incident response plan.

Lesson 1: pay attention to security alerts

Let’s start back in March 2014. News of the now-infamous breach at the US retailer Target was still fresh, having happened the previous November. The security breach resulted in the loss of 40 million payment card details, as well as 70 million other personal records. The kicker? Not long before, Target had installed a network monitoring tool costing a cool $1.6 million. However, operators dismissed its early alerts that could have averted or at least mitigated the subsequent breach. Side note: back in those heady days, data breaches were still things that happened to other people. Our blog quoted the security expert Neira Jones, who confidently predicted that a retailer in the UK or Europe would suffer a data breach before long.

Lesson 2: scammers read the news, too

Fast forward to summer 2015 and the high-profile breach at Ashley Madison. The website’s interesting business model – encouraging extra-marital affairs – meant the loss of more than 30 million personal records had an extra sting. Apart from launching a thousand double entendres (we may have been guilty of a few ourselves), Ashley Madison catapulted the issue of data breaches firmly into the public consciousness. As it turned out, that proved to be a double-edged sword. As our blog writer Lee Munson noted, scammers often take advantage of the publicity surrounding a large breach. He warned companies to watch out for “spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts”.

Lesson 3: check password re-use

Later that year, four security breaches came to light in one single week. The victims were Experian, Patreon, and Australian retailers Kmart and David Jones. In our blog, we advised being aware of how information can be used against victims. For example, if someone’s password was compromised in one of those breaches, it’s worth checking whether they use the same passwords on other websites.

Lesson 4: check for vulnerability to SQL injection attacks

Soon after, the Chinese toy company Vtech revealed that an unauthorised party had accessed more than six million accounts. That was enough to make it the fourth largest ever breach to that point – however minor by today’s standards. Possibly the least surprising detail in the story was that the attacker used SQL injection to access the data. Lee Munson noted that even in 2015, this was an ancient and well known attack vector.

Lesson 5: employee negligence can lead to breaches too

Not all breaches are the work of external miscreants. ESET estimated that 138,000 smartphones and laptops are left behind in UK bars every year. Let’s leave aside some questionable maths in arriving at such an arresting stat. There’s no denying the risk from leaving devices just lying around when they could well hold personal information. That could include passwords, location history, personal photos and financial information. The survey found that two thirds of lost devices had no security protection. As anyone familiar with data protection and privacy issues will know, encrypting sensitive data is now a must.

Lesson 6: a data security breach can seriously harm your ability to do business

Whatever the source, the steady drip of breaches was starting to have an effect. By early 2016, data breaches ranked second on a listing of the biggest threats to business continuity. TalkTalk, victim of a serious breach the previous year, was a case in point. In the wake of the incident, and the company’s ham-fisted attempts at handling the fallout, a quarter of a million customers took their business elsewhere. Not long after, we covered a separate report that found the cost of online crime had tripled over the previous five years. Lee Munson wrote: “a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread”.

Lesson 7: mind your language

All too often, companies that have suffered a data breach are quick to throw about phrases like “sophisticated cyberattack”. But it’s often premature and just downright wrong, when any investigation is still ongoing, and the facts are unclear. “It’s hard to escape the suspicion that victim organisations reach for these terms as a shield to deflect blame. By definition, they imply the incident was beyond their means to prevent,” we wrote. Our post carried the headline “Time to remove ‘cyberattack’ from the infosecurity incident response manual?” Our inspiration was the Associated Press Stylebook’s decision to stop using the word cyberattack unless it specifically referred to widespread destruction. As AP lead editor Paula Froke said: “the word is greatly overused for things like hacking”.

That said, positive communication is a key part of any incident response plan. After detailing what word not to use, our post included advice for companies preparing post-incident statements.

  • Deal only in verified facts
  • Avoid speculation
  • Explain the incident in business terms
  • Include details of users or services affected by the breach.

Lesson 8: prepare a security incident response team

By mid-2017, the prospect of GDPR started coming into view, and the need to handle breaches appropriately started becoming clear. Senior management must lead the response efforts. “This is a business issue, not an IT problem,” said Brian Honan, who was speaking at an awareness-raising event. Brian recommended that organisations should assemble an incident response team from across all business functions. Ideally, the team should include people from:

  • IT operations (because they know how data storage systems work)
  • HR (because a data breach could involve staff data, or because a member of staff may have caused the breach inadvertently or deliberately)
  • Legal (because GDPR obliges organisations to notify the regulator)
  • PR or communications (because the company will need to deliver accurate messages to external stakeholders, the media, or internal staff as appropriate)
  • Facilities management (because the organisation may need to recover breach evidence from CCTV or swipe card systems).

Lesson 9: test the security incident response plan

The most critical lesson is to develop and test their incident response processes in advance. Speaking at the same GDPR event, Brian stressed that companies shouldn’t wait for a breach to happen before testing how its policies work. “Find out in advance how well your team works when an incident occurs. Carry out table-top exercises and scenario planning. It is important to have processes and infrastructure in place to respond to a security breach. Developing your incident response plan while responding to a security breach is not the best time to do it,” he said.

Our trawling expedition proves it’s worth planning for something even when you don’t intend for it to happen. The steps we’ve outlined here should help you to recover from a data breach or security incident faster.

If you would like to evaluate your breach response, see our risk assessment services page for more information. Or, if you need guidance in developing a structured incident response plan, contact us.

The post Nine lessons for strong incident response and recovery in a data breach appeared first on BH Consulting.

By

Five tips for managing data subject access requests under GDPR

“Information wants to be free”, was the old technology activist’s mantra – but someone has to pay the price. The catchphrase has taken on fresh meaning since the General Data Protection Regulation (GDPR) came along. It’s made people more aware they are entitled to copies of information about themselves, and it’s placing a heavy workload on organisations who have to comply. In this blog, I’m going to look at five ways to make this process easier to manage – and where it’s appropriate to push back.

Since May 2018, there has been a noticeable increase in data subject access requests (DSARs, or more commonly SARs). I know of one client whose SARs increased by more than 60 per cent in the past year. A survey of businesses in the UK by Parseq had a similar finding. Almost two-thirds of UK businesses reported that data access requests had risen since GDPR. Of that number, a huge majority faced challenges in responding effectively to those requests.

And that’s before we get to spurious requests, or what a younger generation might call ‘trolling’. I know of one case where a shoplifter submitted an access request for a store’s CCTV footage to check if they’d been caught in the act.

Spike in SARs

So what’s behind the increase in subject access requests? In many cases, they’re coming from employees who received training in data protection (it’s a requirement under GDPR). As a result, they all know that they can ask for copies of their HR files. Another factor behind the increase in SARs is higher public awareness about their right to information under the regulation.

What’s more, they can submit a request for free, so why wouldn’t they? It doesn’t cost them a thing. The cost transfers to the data controller instead. The increase in SARs has put a huge workload on organisations to compile and prepare this information. Firstly, there’s the cost of having a member of staff to work on the request (and the cost of the business disruption as a result). It’s not possible to automate this; a SAR needs human eyes, there is no other way around it. A lot of time and effort goes into the manual work to compile the data, read it carefully, and then redact information that is either commercially sensitive or relates to other people.

A second cost is where the organisation needs to search through its email archive or its CCTV footage. This may well involve making a request from their IT supplier to perform these searches. It’s also worth noting that you must carry out a search under a range of different options; not just the person’s name, but different spellings and even initials, to make sure you haven’t missed anything.

So, to make a long story a bit less long, SARs can be a big drain on resources for data controllers. Understandably, many organisations are confused about what they need to do. Here are my five tips that should help make the process easier.

1: Narrow the request

Many people use the free template on the Data Protection Commission’s website when they send a SAR. But the problem is, the wording of this is so broad that it creates a huge burden for data controllers. “I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form in relation to…”

But you can get creative to see if you can narrow what you need to look for in the first place. If a SAR comes from an existing member of staff, it’s often simpler to set up a meeting. Invite them to come and meet HR and offer to photocopy whatever information they want to take.

In cases where it’s someone outside the organisation, there is nothing to stop you from contacting them and explaining the situation. You might say: ‘we have a lot of information about you, can you tell us exactly what you’re looking for?’ This really cuts down on the amount you need to search. (Sometimes the SAR letters come from solicitors and are tied to legal actions; in those cases, calling back might not be appropriate.)

2: Keep proper records

Now that SARs are here to stay, it means everything in a file is potentially up for grabs. So it’s vital for data controllers to explain to all staff members that they need to keep records in a professional manner. I’ve been involved in SARs where I’ve seen the devil smiley face emoji, or worse, where someone complains that ‘so and so is a head wrecker’. Guess what? GDPR considers examples like those as expressing an opinion about someone. So it’s personal data the controller needs to disclose in a SAR. Not a good look for the organisation in question if it’s about a customer.

For SARs relating to an employee, you should narrow the field to internal communications that only relate to their employment. That could be emails to managers only, so you can exclude emails to customers, since that’s just the person doing their job. If the HR people are recording this communication properly in the first place, it makes internal SARs much easier.

3: Manage response times

The rules of GDPR give data controllers 30 days to respond to a SAR. They can also apply for an extension of a further 60 days if the information proves hard to locate. In my experience, many organisations instinctively respond to the request with a standard acknowledgement like ‘thank you for your request, we will be back in 30 days’ before they’ve even begun looking for information about that person or they even know if it will be possible to achieve in that timeframe. Yet nowhere in GDPR does it say you must acknowledge a SAR immediately.

Instead, my advice is that as soon as you get a request, start compiling the information about the data subject. Give yourself 10 days to get the data, so you’ll have an idea of how much there is. When you have done that and reviewed the information, only then should you contact the subject. By that time, you’ll be better able to say if you can complete the request within the original timeframe or if you will need an extension. And remember, the extension is yours to avail of; when you inform the data subject, you’re telling, not asking.

4: Don’t get caught (out) on camera

CCTV footage comes up a lot in SARs, and under GDPR, it can be part of an access request. If it’s possible to identify the person, then you must provide the images to them. Many organisations I know hold CCTV files for far longer even though they don’t need to. It’s worth only storing this data for 30 days, in line with DPC recommendations. Not only is there a huge resource cost to identify people from footage – especially if the request doesn’t specify an exact date or time – but there’s a financial cost too. If other people are in the footage, you must blur out their faces, and I know of some cases where the price for this service was around €800.

It’s also worth knowing what the exemptions are. Data subjects are only entitled to request images that they are in. For example, they can’t ask for images to see if someone pranged their car in a car park.

5: Know what you have

Although GDPR talks about ‘data’, this term covers not just electronic records but physical hard-copy files too. However the regulation states that any documents in a SAR must be in a filing system of some kind. For HR files, that might be everyone’s employee files kept in alphabetical order. If you can find a paper document easily, you must give it to the data subject who requests it. But the regulation also includes the concept of disproportionate effort. If it is stored in a random box of papers and would take too long to find, you may be able to use this concept to exclude this information from a SAR. That might be a visitor book and would involve reviewing pages and pages to identify someone’s signature.

There are exemptions to the right of access. A data controller can refuse to act on a SAR if it can show that it is not in a position to identify the data subject (Article 12(2) of the GDPR); or if the SAR is manifestly unfounded or excessive, in particular because of its repetitive character (Article 12(5) of the GDPR).

Don’t interpret this as an excuse not to keep proper records. GDPR is a great opportunity to manage your data better. SARs are a fact of life, but with the right approach, they shouldn’t cause your organisation undue effort.

For more information about GDPR, SARs, privacy and related issues, visit our data protection page or contact us.

The post Five tips for managing data subject access requests under GDPR appeared first on BH Consulting.

By

Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches

There’s been lots of talk about regulations with bite, a watchdog baring its teeth, and that ‘the gloves are off’ after the UK Information Commissioner’s Office one-two punch of a £184 million fine against British Airways, and £99 million against Marriott International announced a day later.

It certainly looks like the ICO went for the jugular (sorry, it’s contagious) over breaches of the General Data Protection Regulation. But it reminds me of the build-up to the regulation before May 2018. Then, much of the coverage focused on the potentially huge fines at stake. In the same way, last week’s news shouldn’t obscure the lessons beyond the attention-grabbing sums of money.

A wake-up call

The first thing to clarify is that these fines haven’t been issued yet. In both cases, the ICO is saying it’s an intention to fine – it’s giving both companies a warning. Whether or not the amounts will be close to the published figures, we know there will be fines for sure. Companies should take this as a wake-up call that non-compliance with GDPR requirements may result in tough penalties.

As I noted in the SANS Institute newsletter, the fines are not for having a breach, but for poor security that helped it. The ICO press statement makes this very clear. “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information,” it said.

Strong message

That being said, the proposed fine nevertheless amounts to 1.5 per cent of British Airways’ revenue. “This should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously,” I wrote.

In an interview with Bank Info Security, I said that more GDPR fines are likely on the way. “Many GDPR data breaches, especially the highly publicised ones, can take a long time for proper investigations by the supervisory authorities… What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months.”

The ICO’s moves last week aren’t the first fines that a supervisory authority has imposed under GDPR. As Tracy Elliott noted in our blog marking the first year post-GDPR, there have been other, smaller fines issued in the UK, Portugal and France. We also know that Ireland’s Data Protection Commission (DPC) has several cases ongoing against Facebook, Google and Quantcast.

(Don’t just) follow the money

Last week, I was at the Maastricht University European Centre on Privacy and Cybersecurity, where I contribute to certification training for data protection officers (DPOs). Some attendees said their senior management were now asking what the fines could mean. They also wondered what assurances they have that their own organisations aren’t at risk from a similar incident.

After the race to get ready for GDPR by May 2018, a certain amount of complacency set in. Since these breaches, the size of these proposed fines has raised GDPR on senior management’s radar again. (Side note: BA’s share price fell by more than £115 million after the news came out.)

There are broader lessons from last week’s news. It’s important to look beyond the financial repercussions, particularly in companies whose business model relies on gathering and processing data. Bear in mind that fines are just one penalty that a regulator can impose. They could compel companies to delete data or stop processing certain types of data. That could have a bigger long-term impact on their business than a monetary fine which they could absorb. Not being able to gather data in a certain way could have negative repercussions on how you do business.

Third-party risk

The root causes of BA and Marriott’s breaches highlight a particular security risk: external third parties. BA’s breach was due to a software script integrated into its website. There were no checks in place to verify any changes to that code. The Marriott breach came from its acquisition of Starwood hotels in 2016. It only discovered in 2018 that Starwood’s customer database suffered a hack in 2014.

So, companies need to ask what due diligence they need to carry out against third-party vendors and suppliers. If your company plans to acquire or partner with businesses, you inherit their risk profile, security and data protection frameworks. You need to check what assurances you have that these third parties are adhering to your security requirements, rather than you inheriting theirs.

In light of the news, what actions should other companies take? Interestingly, even before the ICO’s news, the Irish DPC issued a short guide to information sources to consider when reviewing or setting security.

Companies should carry out continuous auditing and verification to ensure their security and privacy controls are working. And if they don’t have the internal resources to do this, to work with independent experts to verify those controls.

The post Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches appeared first on BH Consulting.

By

Security roundup: July 2019

Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: T&Cs, stronger security in Europe, and a birthday with bitter memories.

Policing policies to protect privacy

One of the greatest lies on the internet is “I have read the terms and conditions”. But maybe most people aren’t to blame when those same policies read like “an incomprehensible disaster”. That’s what a New York Times investigation found after reviewing 150 privacy policies. The European Commission came to a similar conclusion after surveying 27,000 citizens on their attitudes to data protection. Commissioner Věra Jourová noted that 60 per cent of Europeans read their privacy statements, but only 13 per cent read them fully. “This is because the statements are too long or too difficult to understand,” she said.

But not reading T&Cs could have unwitting consequences; like turning your phone into a spying tool. Spain’s Liga app activated a user’s smartphone audio function when it knew they were in a bar. Spain’s football administrators said the app’s terms made it clear this was to identify places that were streaming matches illegally. The Spanish data protection authority took a different view and slapped the league with a €250,000 fine.

In other privacy news, the UK Information Commissioner’s Office has published guidance providing clarity and certainty on correct cookie use. Cookie rules technically fall under the Privacy and Electronic Communications Regulations, but some of that regulation’s concepts derive from GDPR. As well as a reader-friendly myth-busting blog, there’s also more comprehensive guidance in a longer document.

Strengthening security across Europe

The EU Cybersecurity Act came into force on 26 June. For the first time, it introduces EU-wide cybersecurity certification rules for digital products, services and processes. It also strengthens the mandate for ENISA. The Union’s cybersecurity agency will set up the certification framework and it now has a remit to help Member States to handle cyber incidents.

BH Consulting is a contributor to ENISA and our CEO Brian Honan recently gave a presentation on threat intelligence at an ENISA industry event. The meeting also covered cybersecurity, internet regulation and Europe’s position in the race to a competitive ICT global industry. Brian also spoke to the Irish Times for a feature article about steps under way to improve security. Meanwhile Ireland’s second national cyber security strategy is expected in the coming weeks, as the Irish Examiner reports.

Déjà vu all over again

If working in information security can sometimes feel like Groundhog Day, then you might want to pause before reading further. Consider the following sentences, then guess when they were written (no peeking). “Paradoxically, the drive for business efficiency and globalism serves only to increase the potential damage which computer viruses and other malicious programs can cause… the more streamlined and interconnected computers become, the greater will be the penalties resulting from carelessness, recklessness and vandalism… no-one knows when or where a computer virus will strike. They attack indiscriminately. Virus writers, whether or not they have targeted specific companies or individuals, must know their programs, once unleashed, soon become uncontrollable.”

So how old is that text? Five years? Ten? Fifteen, at a push? Actually, it’s double that number. Edward Wilding penned them in the summer of ’89, for the very first edition of Virus Bulletin (PDF). Brain, the world’s first computer virus, appeared just three years before then.

It says a lot that Wilding could write these words and, without knowing, still have them resonate three decades later. The same issues he identified then have not gone away. (Side note: the same is true of attacks like SQL injection. Even today, they account for two-thirds of all web app attacks, according to new findings from Akamai.) The industry’s progress, or lack of it, is a point to ponder while security professionals (hopefully) enjoy some deserved downtime this summer.

Links we liked

NIST guidance on understanding and managing security risks with IoT devices. MORE

Demand for cybersecurity jobs in Ireland is growing, but supply can’t keep up. MORE

Controversial: you should think about paying to get data back from ransomware. MORE

An open letter to the security profession, from a privacy practitioner. MORE

You know that ‘padlock’ icon in your web browser? It could be a fake. MORE

How a data request can quickly turn into a data breach. MORE and MORE

The Irish privacy champion on a mission to clean up dirty adtech. MORE

A sceptical take on Facebook’s planned move into cryptocurrency. MORE

When BGP goes wrong, the whole internet feels it. MORE

How a trivial cell phone hack is ruining lives. MORE

 

The post Security roundup: July 2019 appeared first on BH Consulting.