At a glance.
- Remote learning will face privacy challenges as the academic year begins.
- New South Wales investigates a third-party breach of driver's license data.
- Privacy and matters of public record.
- Lessons from the American Payroll Association breach.
Privacy issues with remote learning technology.
Remote learning tech got a bit of a preliminary checkout this past spring, but it's about to get a full-fledged test in the US as many, perhaps most, schools move to remote instruction as a response to the pandemic. While the tools may have been improved in anticipation of greatly expanded use, they may also be about to receive the kind of stress-testing business gave Zoom when the mass movement to remote work began. The Wall Street Journal points out that schools have had very little time to prepare faculty and staff to handle the privacy issues that will inevitably arise as they attempt to teach their students online. The Journal cites a study by the Boston-based International Digital Accountability Council that found challenges around mobile apps in particular, including apps designed for "homework-help communities, language quizzes, and standardized-test prep."
New South Wales investigates a driver's license data breach.
Cyber Security New South Wales is investigating a breach of driver's licence information, Mirage News reports. It is, as early reports suggested, a third-party problem. “The data referred to in media coverage has been exposed via a commercial entity and is understood to include scanned copies of driver licences collected directly by the commercial entity from its customers,” Cyber Security NSW Chief Cyber Security Officer Tony Chapman told Mirage News.
Notes on voter information, and a reminder of how much is publicly, legally, available.
Chatter about Russian compromise of US voter databases has come to nothing. CISA and the FBI haven’t seen anything of the kind during this election cycle. Yesterday’s flurry of tweets linking back to a Russian newspaper article seems to be much ado about some matters of public record. But some privacy experts believe they see a lesson here nonetheless: there's a great deal of data freely available. Privacy experts commented this morning on the report headlined "Voter details for millions of Americans found on Russian hacking site: Report."
Comparitech's Paul Bischoff wrote, “It's remarkably easy to get one's hands on voter databases in most states. Many of them are available to the public, including Michigan. Even though there are rules about how the data can be used, rules can be broken. Those who legitimately request and receive voter data are responsible for securing it, and not everyone has the same standards of security. I wouldn't be surprised if we see more voter databases in the hands of foreign threat actors before the 2020 general election.”
Pixel Privacy's Chris Hauk commented, “As is usual in cases like these, victims (registered voters) will need to be on the lookout for bad actors attempting to use the information gleaned from these databases to obtain even more information about their targets. It is sad to believe that in this day and age simply registering to exercise your right to vote can make you the target of hackers.”
But that's the nature of public information. Sometimes the digital exhaust is inevitable.
Lessons from the American Payroll Association breach.
The American Payroll Association's disclosure of a data breach holds some lessons for business in general and for business associations like the APA in particular. Saryu Nayyar, CEO of Gurucul, wrote to offer some perspective:
“The American Payroll Association breach shows a number of places where the industry as a whole still needs to do a better job. Attackers were apparently able to leverage a flaw in APA's content management system (CMS) or a compromised admin account to place their skimmer. If it was a CMS flaw, it shows that security holes aren't being patched in a timely fashion. Whether it was because the flaw was undetected, the patch hadn't been released, or an existing patch hadn't been applied, the result is the same.
“APA was able to identify this attack in under 90 days, which is an improvement over previous years in reducing attacker dwell time, but is still much too long. Better analytic tools could have mitigated the situation by recognizing the behaviors associated with an attack, both on the affected servers and in user activity with stolen credentials.”