Especially worthy of notice today.
- The EU considers AI regulations that may stop national surveillance programs.
- Crooks breach Mitsubishi for PII.
- British students' data handed over to betting industry.
- When you disclose a breach, look like you mean business.
Regulating AI: sanitized for your protection.
A European Commission white paper on artificial intelligence, obtained by Euractiv, seeks to provide a framework for the development and deployment of a range of A.I. technologies. The framework is at least as restrictive as it is enabling, with concerns about privacy motivating most of the document's reservations. Among the measures proposed is a moratorium of three-to-five-years' duration on the use of facial recognition tools in public places. If adopted, the proposal would derail plans for large-scale facial recognition A.I. in both Germany and France.
Delayed disclosure of a breach.
Mitsubishi Electric sustained an attack last year that may have compromised not only trade secrets, but personal data on some eight-thousand individuals, NHK reports. According to the Japan Times, Chinese actors are the leading suspects.
Student data overshared.
The Sunday Times reported that a large database of British students, belonging to the Learning Records Service, was made available to Trustopia, a training and education provider based in London, and then to GB Group, a firm that provides age and identity services to betting firms and other businesses. Trustopia denies it did so, but the British Department of Education named the company in its disclosure. Some twenty-eight million children were affected by the breach.
Javvad Malik, Security Awareness Advocate at KnowBe4, told us in an email that the incident is likely to have consequences for years, given the ways in which the data could be monetized. "This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it - which in this case has not happened," Malik said. "In all of this, the responsibility sits squarely with the Department of Education, which has collected vast amounts of children's data for nearly a decade with apparently little oversight."
Nothing to see here; move on.
Travelex, whose recovery from ransomware continues, maintains that no customer data were compromised in the incident, according to Computing.
Two other breaches affecting individual privacy are worth noting. SC Magazine reports that British co-working provider Regus lost data on some nine-hundred employees when its corporate parent IWG commissioned "mystery shopping business Applause to audit sales staff performance using covert filming." The data collected were then accidentally leaked through the task-management website Trello. And in the US, a 2018 breach Health Quest sustained is now known to have affected more customers and patients than was originally believed. Health Quest, since April 2019 a Nuvance Health subsidiary, has, the Poughkeepsie Journal says, sent a fresh round of notification letters to the individuals whose data were exposed.
Pensacola says it can't yet determine whether personal information was compromised in its recent ransomware incident, but it's sending out warnings to people who may have been affected, the city tells WEAR TV. Should a city's breach notification and offer of identity protection look like they mean business; that is, should they look legit, like something really from the city? Apparently the letters Pensacola sent out looked like junk mail, the kind of stuff that gets tossed into the trash unopened, or so recipients of such letters complain to (again) WEAR TV.
Big Tech likes medical data.
It's not just Google that's negotiated access to health records with hospitals. Microsoft and IBM are in the game, too, the Wall Street Journal reports.