At a glance.
- No EU grace period on revocation of Privacy Shield.
- Update on the Blackbaud hack, and its continuing spread.
- Fintech unicorn Dave sustains data breach related to third-party risk.
Schrems II is in immediate effect.
The European Data Protection Board has warned that organizations should expect no grace period following the European Court of Justice's July 16th ruling that overturned Privacy Shield. Privacy Shield had governed data transfers between the EU and the US; that regulatory agreement is now effectively gone. TechCrunch says, "The EU-U.S. Privacy Shield is dead, and any companies still relying on it to authorize transfers of EU citizens’ personal data are doing so illegally is the top-line message." Neither Standard Contractual Clauses (SCCs) nor Binding Corporate Rules (BCRs) were in principle invalidated by the Court's decision in Schrems II, but organizations exporting data under either of those measures should conduct an immediate, "up-front assessment" to determine the legality of any transfers.
Third-party breaches and the software supply chain: universities and not-for-profits.
Blackbaud has posted an account of the breach it sustained in May, and that continues to slosh over the universities and not-for-profits it numbers among its customers. Blackbaud believes the hackers did not get "credit card information, bank account information, or social security numbers," and the company feels confident that the data the attacker did obtain are unlikely to be misused, in part because Blackbaud paid the ransom. The Universities of York and Sussex are two of the affected institutions that have disclosed the effects of the hack on their own data. TechHQ published an updated list of affected institutions, all of which are customers of South Carolina-based Blackbaud, and are located in the UK, Canada, and the US. The schools and universities include:
- De Montfort University
- University of Strathclyde
- University of Exeter
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Middlebury College, Vermont
- West Virginia University
- New College of Florida
- Cheverus High School: Catholic High School Portland
- The Bishop Strachan School, Canada
- University of North Florida
- Ambrose University, Alberta, Canada
- Rhode Island School of Design, US
The charities include:
- Choir with No Name
- Vermont Foodbank
- Vermont Public Radio
- Northwest Immigrant Rights Project
- Human Rights Watch
- Young Minds
The National Law Review has a quick overview of some of the steps organizations might take to control the third-party risk to their stakeholders' privacy.
Third-party breaches and the software supply chain: fintech.
Dave, a digital banking app maker specializing in overdraft protection and cash advances (and a tech unicorn), yesterday confirmed that it had sustained a data breach that exposed more than seven million users' data, ZDNet reports. The data lost include names, phone numbers, emails, birth dates, and home addresses. Social security numbers were also lost, but were apparently encrypted, and passwords accessed in the breach are said to have been hashed. Dave attributes the compromise to a breach at Waydev, a third party that was formerly one of its service providers.
The data have appeared on more than one hacking forum. The most prominent release was by the Shiny Hunters on RAID, where the data were posted without charge. Dave says that it’s working with the FBI and that it’s brought in CrowdStrike to help recover from the incident.
We heard from Javvad Malik, Security Awareness Advocate at KnowBe4, who commented:
"The data breach at Dave is probably among the last things people who are already struggling financially need to hear. It's good to hear that Dave hashed passwords with Bcrypt, and they are confident no financial information was stolen, but the fact that names, emails, birth dates, home addresses, and phone numbers were exposed does make this a significant breach, as it gives criminals enough information to steal identities, take out loans on the victims' behalf, or use the information to authenticate themselves to other services.
"Dave claims that the breach occurred through a third party. While this may be true, the fact remains that whenever an organisation outsources any part of its operation to a third party, be it physically or in the cloud, they are still responsible for the security of the data and need to put in place comprehensive security controls with the third party as well as gain assurance those controls are working correctly."