Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: pwning an entire country, data protection developments, and why anonymised data could still add up to your identity.
As data breaches go, four million records barely registers on the scale these days, but this one was different. Attackers breached Bulgaria’s National Revenue Agency and extracted personal information about 70 per cent of the country’s citizens. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.” The BBC was quoting Vesselin Bontchev, a cybersecurity researcher and assistant professor at the Bulgarian Academy of Sciences.
The haul included people’s names, addresses, social security numbers and, in some cases, income levels. It also contained information from other government agencies that shared data with each other. Some of the data has since turned up online in hacker trading forums. Many Bulgarians reportedly live in fear of falling victim to scammers, although the NRA has denied this is a risk.
The breach became public after someone claiming to be responsible emailed local media with a link to the leaked data. The message, which apparently originated from a Russian email address, also labelled Bulgaria’s cybersecurity “a parody”. The tax agency claimed in a statement that the information amounts to around 3 per cent of its databases. Bulgarian authorities arrested three men who work for, ironically enough, a cybersecurity consultancy. The charges are for a form of terrorism.
More details are still emerging as we were writing this newsletter, but one thing seems clear. The story gives fresh ammunition to privacy campaigners who warn against trusting governments to protect citizens’ personal data.
Data protection developments: the latest
This month’s GDPRoundup (we’re copyrighting that) takes a trip between the sublime and the ridiculous. First, the EU Data Protection Board, which oversees consistent application of the General Data Protection Regulation across Europe, recently published its annual report for 2018. It includes the practical application of guidelines; the group’s recommendations and best practice; binding decisions; and the levels of data protection of natural persons in the EU.
Points of interest in the report include the EDPB’s near-term and longer-term plans. Over this year and next, it will consider issues like data subjects’ rights, the concepts of controller and processor, and legitimate interests. Looking further ahead, it plans to evaluate emerging technologies and related developments, including connected vehicles, blockchain, AI and digital assistants, video surveillance, search engine delisting, and data protection by design and by default. The report is free to download here.
Meanwhile, the UK Information Commission has published its draft data sharing code of practice. It’s a practical guide for organisations about how to share personal data while staying compliant with data protection legislation.
Some organisations could clearly do with advice about lots of aspects of GDPR, especially a tendency towards over-enforcing the rules. “In my experience, some organisations are hiding behind the GDPR,” BH Consulting COO Valerie Lyons told the Irish Independent. Poor understanding of the regulation, and the inadequate staff training that results from it, are to blame. “They are missing out on opportunities where they could be helping their customers because it’s easier to say no,” Valerie said.
Taking GDPR interpretation to extremes
We promised ridiculous, so try this: you won’t find visitor books at Ireland’s most popular heritage sites this summer. Tourists can no longer scrawl signatures or messages at locations like Kilmainham Gaol, Dublin Castle, the Hill of Tara or the Rock of Cashel. The Office of Public Works ordered the books’ removal because of, wait for it, data protection concerns.
The OPW took the view that visitors were recording personal data in the books, which were out of view of staff. Conversely, one privacy expert took the view that this was “insanity” and an “overly literal” interpretation of the regulations.
We can de-anonymise it for you wholesale
Staying with our privacy-themed roundup, here’s a worrying development. Researchers have discovered a way to identify people by reassembling pieces of information that should have rendered them anonymous.
The GDPR’s Article 28 expressly refers to anonymisation as a way to reduce the risk to sensitive personal information. For example, data controllers might use this de-identification approach when sharing large data sets as part of medical research. But a team of scientists from Imperial College London and Université Catholique de Louvain developed a machine learning program that proved wildly successful at beating this technique. As The New York Times reported, the algorithm could identify 99.98 per cent of Americans from almost any available data set with as few as 15 attributes, such as gender, ZIP code or marital status.
The researchers noted in the journal Nature Communications: “Our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.” Helpfully, the researchers also developed a free online tool that lets people check whether their individual characteristics could identify them.
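The point the researchers make is that a handful of ordinary attributes, taken together, single out most people even after names are stripped. The check below is an added example, not the researchers' model or tool: it measures, on a small constructed set of "anonymised" records, how many rows become unique as more quasi-identifiers are combined, which is the test a data controller would want to run before a release-and-forget publication.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of de-identified records (names removed). Hypothetical
# values for illustration only; not drawn from any real dataset.
ATTRS = ["gender", "zip", "marital", "birth_year"]
RECORDS = [
    {"gender": "F", "zip": "10001", "marital": "single",  "birth_year": 1985},
    {"gender": "F", "zip": "10001", "marital": "single",  "birth_year": 1990},
    {"gender": "F", "zip": "10001", "marital": "married", "birth_year": 1985},
    {"gender": "M", "zip": "10001", "marital": "single",  "birth_year": 1985},
    {"gender": "M", "zip": "20002", "marital": "married", "birth_year": 1972},
    {"gender": "M", "zip": "20002", "marital": "married", "birth_year": 1972},
    {"gender": "F", "zip": "20002", "marital": "single",  "birth_year": 1990},
    {"gender": "M", "zip": "10001", "marital": "married", "birth_year": 1985},
]


def uniqueness(records, attrs):
    """Fraction of records whose combination of `attrs` values appears only once.
    A unique combination is re-identifiable by anyone who knows those attributes."""
    keys = [tuple(r[a] for a in attrs) for r in records]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(records)


def k_anonymity(records, attrs):
    """The k in k-anonymity: size of the smallest group sharing the same `attrs`."""
    counts = Counter(tuple(r[a] for a in attrs) for r in records)
    return min(counts.values())


def worst_uniqueness_by_attribute_count(records, attrs):
    """For each number n of attributes, the highest uniqueness over all n-subsets.
    This is what an adversary holding the n most revealing attributes could reach."""
    return {
        n: max(uniqueness(records, list(c)) for c in combinations(attrs, n))
        for n in range(1, len(attrs) + 1)
    }


def release_is_k_anonymous(records, attrs, k=5):
    """Gate a release on every combination of the quasi-identifiers being shared by
    at least k records (k=5 is an assumed policy threshold, not a GDPR figure)."""
    return k_anonymity(records, attrs) >= k


if __name__ == "__main__":
    print(worst_uniqueness_by_attribute_count(RECORDS, ATTRS))
    print("k =", k_anonymity(RECORDS, ATTRS), "safe:", release_is_k_anonymous(RECORDS, ATTRS))
```

On this sample no single attribute isolates anyone, yet all four together make three quarters of the rows unique, which is the effect the paper reports at scale with 15 attributes.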
Links we liked
Sound the trumpets: BH Consulting features in top 50 recommended infosec blogs. MORE
They grow up so fast: NoMoreRansom.org turns three, with 108m reasons to celebrate. MORE
Send this up the chain of command. Feds say CEO fraud nets scammers $8.7m a day. MORE
It must be true if the boss says so. Cybersecurity is the ‘biggest threat’ to global economy. MORE
A roadmap for improving security awareness programmes, courtesy of SANS. MORE
Here’s a look behind the UK NCSC’s efforts to ward off attacks. MORE
The Irish Government and National Cyber Security Centre join Have I Been Pwned. MORE
The kill switch that saved the internet from WannaCry: an in-depth report. MORE
Chaos engineering: the next evolution of pen testing. MORE
The Law Enforcement Directive (‘LED’) is a parallel piece of EU legislation to GDPR. MORE