At a glance.
- Oracle, Salesforce face €10 billion suit alleging GDPR violations.
- Boston University discloses exposure to Blackbaud ransomware incident.
- HM Passport Office exposes a password. On a flip chart. In a window.
Salesforce and Oracle face GDPR suit.
The lawsuit, seeking up to €10 billion, is to be filed in both England and the Netherlands. The plaintiffs, in an action organized by the Privacy Collective (an organization the Register characterizes as backed, in this instance at least, by commercial litigation funder Innsworth Advisors), will maintain that Oracle's BlueKai and Salesforce's DMP ad-tech subsidiary misused data by aggregating customer information from various websites. The companies are then said to have assembled the data into more readily marketable profiles, and this is said to violate GDPR.
Another university discloses its exposure to the Blackbaud breach.
Boston University is notifying affected students, faculty, and donors that their personal data may have been exposed in the Blackbaud ransomware attack, the university's student newspaper, the Daily Free Press, reports.
Try to set a good example.
Graham Cluley is in medium dudgeon over a password practice seen through the window of Her Majesty's Passport Office in Ebrington Street, Plymouth, England. The Plymouth Herald broke the story when local passersby contacted the paper to say that, as they walked past the office, they could see a flipchart with the password "Passw0rd1" propped up by the window. The Herald asked the Home Office what was up with that, and received confirmation that staff in the office do indeed use this particular password, but they "fiercely refuted any security breach had taken place" because "Passw0rd1" was used only to gain initial access to the system. At that point, before anyone could access anything that mattered, they'd have to use a second, much more secure and ostensibly less publicly available password.
Leave aside for the moment that the Home Office's statement is really more "denial" than "refutation." There are several problems here. The first is the obvious guessability of "Passw0rd1," which really isn't improved much, as Cluley points out, by changing the "o" to a zero and adding a numeral one at the end: low cunning amounting to functional imbecility. If you're using passwords, set a good example and at least try to make them strong. A second problem is the two-step authentication process. What's gained by having a preliminary login step that might as well be no authentication at all? And third, of course, is writing your password in a big schoolhouse hand on a flipchart, and then putting that flipchart in plain view of a window. That's beyond vulnerability to shoulder surfing.
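Cluley's point that "Passw0rd1" is no stronger than "password" is something a password policy can check for mechanically. The following is an added example, not code from the original brief or from Cluley: it normalizes a candidate password the way a cracking rule set would (lowercase, strip the trailing digit, undo the zero-for-o style substitutions) and rejects it if what remains is a common base word. The word list here is a constructed stand-in; a real deployment would check against a large corpus of leaked passwords.

```python
import re

# Constructed stand-in for a common/breached-password list (hypothetical;
# a production check would use a large leaked-password corpus instead).
COMMON_BASE_WORDS = {"password", "letmein", "welcome", "admin", "qwerty", "summer"}

# Character substitutions that cracking rule sets undo automatically, so
# they add essentially no strength on their own.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy minimum for this example


def normalize(password: str) -> str:
    """Collapse a password to the base word an attacker's rules would derive.

    Steps: lowercase, drop trailing digits/symbols (the '1' in 'Passw0rd1'),
    undo common substitutions ('0' -> 'o'), then drop any remaining
    non-alphabetic characters.
    """
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # 'passw0rd1' -> 'passw0rd'
    p = p.translate(LEET_MAP)        # 'passw0rd'  -> 'password'
    return re.sub(r"[^a-z]", "", p)


def weakness_reasons(password: str) -> list[str]:
    """Return the policy findings for a password; an empty list means it passed."""
    reasons = []
    base = normalize(password)
    if base in COMMON_BASE_WORDS:
        reasons.append(
            f"reduces to the common word '{base}' once substitutions "
            "and trailing digits are undone"
        )
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def is_acceptable(password: str) -> bool:
    """True when no weakness reason applies."""
    return not weakness_reasons(password)


if __name__ == "__main__":
    for candidate in ("Passw0rd1", "P@$$w0rd!", "correct horse battery staple"):
        findings = weakness_reasons(candidate)
        verdict = "OK" if not findings else "; ".join(findings)
        print(f"{candidate!r}: {verdict}")
```

Running the block shows "Passw0rd1" and "P@$$w0rd!" both collapsing to "password" and being rejected, while a long passphrase passes; the normalization step is what makes the check immune to the cosmetic tweaks the Home Office's password relied on.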
It's also a reminder of how easy it can be to collect openly and overtly: if you leave your credentials available to any passing flaneur, your security program is less than fully successful.