[Security Weekly] UK Home Office Mishandles Data of EU Citizens, Violating GDPR 100 Times
1st Week of March 2020
1. UK Home Office carelessly handles data of EU citizens, violating GDPR 100 times
David Bolt, the United Kingdom’s Independent Chief Inspector of Borders and Immigration (ICIBI), said in a report released this week that the Home Office has breached the EU’s General Data Protection Regulation (GDPR) more than 100 times through careless handling of personal data in the EU Settlement Scheme (EUSS).
The EUSS is part of the Brexit process: EU, Norwegian, and Swiss citizens can apply for residency rights so that they can continue to live in the UK after Brexit. The Home Office, which runs the EUSS, had received more than 1.3 million applications by August 2019, and millions more have been approved since.
Between March 30 and August 31, 2019, 100 security incidents were recorded that violated the GDPR. Most were caused by careless handling rather than by attacks. For example, on April 7 an employee sent a bulk email to 240 recipients with every address in the To field instead of the Bcc field, exposing all of the recipients’ addresses to one another. Other cases include documents being misplaced, ID cards being sent to the wrong addresses, and passports being lost.
The Home Office said it will review its security measures regularly to prevent further incidents and has introduced regular GDPR awareness training for its employees. Corporate security products can protect IT systems from attacks, but most of these incidents were handling and process failures by staff; employee awareness and clear data-handling procedures are just as important as technical controls in keeping an organization secure.
2. Pharmacy chain Walgreens’ mobile app leaks sensitive user data
Walgreens, a century-old pharmacy chain with the second-largest market share in the United States, disclosed last Friday that a flaw in its mobile app had exposed sensitive customer information. The flaw in the app’s secure messaging feature allowed a user of the app to view private messages belonging to other users.
According to Walgreens, the exposed messages could contain a customer’s full name, prescription details, store number, and home address. The exposure lasted from January 9 to January 15, when the company discovered the problem and immediately disabled the message viewing feature.
Walgreens filed a breach notification with the California Attorney General’s office on February 28, as California law requires, and incidents of this kind can expose a company to claims under the CCPA. The company did not say exactly how many people were affected, stating only that a “small percentage” of customers had their prescription information exposed. Prescription data is extremely sensitive: criminals can use it to obtain the victim’s medication in their name or to commit insurance fraud.
Walgreens has promised to have its software tested continuously to prevent such incidents from recurring.
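Walgreens has not published the root cause of the messaging flaw. The following is an added example, not Walgreens code, that assumes the most common cause of exactly this symptom: a message endpoint that looks records up by identifier without checking that the caller owns them (broken object-level authorization, often called IDOR). It shows the vulnerable handler beside the hardened one and the enumeration check that a continuous test suite should run against such an endpoint. The names MessageStore, get_message_vulnerable, get_message_secure and count_readable are hypothetical, and the sample messages are constructed.

```python
"""Broken object-level authorization (IDOR) in a message lookup, and its fix.

Added illustration; not code from Walgreens or from the original article.
The store, handler names and sample messages below are all hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


class Forbidden(Exception):
    """Raised when the requester may not read the requested message."""


@dataclass(frozen=True)
class Message:
    message_id: int
    owner_id: int  # customer the secure message belongs to
    body: str      # prescription details: sensitive


class MessageStore:
    """In-memory stand-in for the app's message database (constructed data)."""

    def __init__(self) -> None:
        self._by_id: Dict[int, Message] = {}

    def add(self, msg: Message) -> None:
        self._by_id[msg.message_id] = msg

    def fetch(self, message_id: int) -> Optional[Message]:
        return self._by_id.get(message_id)


def get_message_vulnerable(store: MessageStore, requester_id: int,
                           message_id: int) -> Message:
    """Looks the record up by id only. requester_id is accepted but never
    used, so any logged-in user can read any message by guessing an id."""
    msg = store.fetch(message_id)
    if msg is None:
        raise KeyError(message_id)
    return msg


def get_message_secure(store: MessageStore, requester_id: int,
                       message_id: int) -> Message:
    """Object-level authorization: return the record only if the caller owns
    it. A missing id and someone else's id both raise the same error, so the
    response does not confirm that a guessed id exists."""
    msg = store.fetch(message_id)
    if msg is None or msg.owner_id != requester_id:
        raise Forbidden(f"message {message_id} not available to user {requester_id}")
    return msg


def build_sample_store() -> MessageStore:
    """Constructed sample data: two customers with one secure message each."""
    store = MessageStore()
    store.add(Message(1001, owner_id=1, body="Rx 7781 / store 0420 / ship to 1 Example Rd"))
    store.add(Message(1002, owner_id=2, body="Rx 9910 / store 0013 / ship to 9 Sample Ave"))
    return store


Handler = Callable[[MessageStore, int, int], Message]


def count_readable(handler: Handler, store: MessageStore, requester_id: int,
                   candidate_ids: Iterable[int]) -> int:
    """Enumeration check for an automated test: sweep a range of ids as one
    user and count how many records the handler hands back. For a correctly
    authorized endpoint the count must equal the number of records that user
    actually owns."""
    readable = 0
    for mid in candidate_ids:
        try:
            handler(store, requester_id, mid)
            readable += 1
        except (KeyError, Forbidden):
            pass
    return readable


if __name__ == "__main__":
    store = build_sample_store()
    ids = range(1000, 1010)
    print("vulnerable handler, user 1 can read:", count_readable(get_message_vulnerable, store, 1, ids))
    print("secure handler, user 1 can read:   ", count_readable(get_message_secure, store, 1, ids))
```

Run as a script it reports that user 1 can read 2 messages through the vulnerable handler but only their own 1 through the secure one. The same sweep, pointed at a staging deployment with two test accounts, is a cheap regression test for the class of bug described above: if the count ever exceeds the requester's own record count, the ownership check has been lost.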
3. Virgin Media data breach exposes personal data of 900,000 customers
Virgin Media, a UK telecommunications provider, disclosed on Thursday that an internal database used for marketing activities had been accessible online for ten months without any password protection.
The database contained the names, home addresses, email addresses, phone numbers, and product and technical information of more than 900,000 customers, around 15% of Virgin Media’s customer base. It was accessed at least once by someone outside the company. No financial information was held in the database. The company notified the Information Commissioner’s Office (ICO) and warned customers to expect phishing attempts that use the leaked contact and product details to appear legitimate.
This is one of the largest data breaches in UK history. Virgin Media’s CEO Lutz Schüler apologized to those affected and said the exposure was the result of the database being incorrectly configured by staff (human error) rather than of an external attack.
4. Ransomware steals data from supplier of Tesla, SpaceX, Boeing, and Lockheed Martin
Earlier this week, Visser Precision, a US-based precision parts manufacturer serving the automotive and aerospace industries, reportedly suffered a ransomware attack in which files containing client information were stolen.
The stolen files contained confidential information relating to many large corporations, including automaker Tesla, aerospace manufacturer SpaceX, and defense contractors Boeing and Lockheed Martin.
Security researchers identified the ransomware as DoppelPaymer, a strain that became active in 2019. Its operators exfiltrate data before encrypting it, so victims face not only losing access to their files but also having the stolen data published online if they refuse to pay. Backups restore availability but do nothing against this second threat, which is why this “double extortion” model has made data theft a standard part of ransomware operations.
DoppelPaymer’s operators publish stolen data on a website called Dopple Leaks. The site now lists files stolen from Visser Precision, with a portion of them already available for download, ranging from non-disclosure agreements between Visser and its clients to a partial schematic for a missile antenna manufactured by Lockheed Martin.
A spokesperson for Visser Precision said the company is investigating the attack and working with its clients to minimize the damage.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Smart Car Security: AutoCrypt