At a glance.
- Distance learning and privacy risks.
- Data breach fines.
- Crown Prosecution Service criticized for leaks.
- The progress of Canadian data protection laws.
- Major Indian medical lab exposes data in an unprotected AWS S3 bucket.
School data privacy tested by distance learning.
As the pandemic forces many schools to close their doors, the resulting reliance on distance learning technology can leave students vulnerable to privacy threats, particularly when it comes to social media, reports Education Dive. While social media platforms like Facebook and TikTok are an easy way for educators to communicate with students virtually, these platforms collect user data, a practice the Children’s Online Privacy Protection Act has deemed illegal for children under thirteen. According to a recent study from the Center for Democracy and Technology, over 60% of parents are concerned about school data privacy, while only 4% feel their school has sufficiently explained its data security efforts.
Two US data breaches lead to large fines.
Two major US companies face large fines as a result of recent data breaches. Compliance Week reports investment bank Morgan Stanley is being fined $60 million by the US Office of the Comptroller of the Currency for a 2016 data breach, which was the result of Morgan Stanley’s mishandling of customer data stored on decommissioned computers. The bank is also dealing with a class-action lawsuit as a result of the breach. Meanwhile, EIN Newsdesk reports that Community Health Systems, Inc., a Tennessee-based hospital operator, will be paying $5 million to more than two dozen impacted states for a 2014 breach that compromised the data of over 6 million patients.
UK's CPS criticized for data leaks.
Infosecurity Magazine reports the Crown Prosecution Service (CPS), the UK’s principal public agency for criminal prosecutions, experienced over 1600 data breaches during the 2019-2020 fiscal year, an 18% increase over last year, with most of the breaches being the result of accidental disclosure due to human error. CPS has a history of mishandling private data; most notably, in 2015 and 2018 the agency was fined for misplacing confidential police interview recordings. As the agency handles confidential data related to criminal cases, these leaks put the safety of witnesses and victims at risk.
Canada's slow progress on data protection legislation.
Canadian Privacy Commissioner Daniel Therrien is concerned the country has “clearly fallen behind other jurisdictions in the world” when it comes to cybersecurity, reports IT World Canada. In May 2019, efforts to correct the government’s privacy issues resulted in the development of a Digital Charter outlining privacy legislation, but progress on implementing that legislation has been slow. A recent research paper reports that 90% of Canadians are concerned about the privacy of their data but only 55% feel the government is protecting it. Adding to the pressure, the European Privacy Commissioner is currently conducting a review of Canada’s privacy practices to determine the future of European-Canadian business relations.
Major data exposure in Indian medical lab.
Dr Lal PathLabs, TechCrunch reports, left "hundreds of large spreadsheets packed with sensitive patient data" in an AWS bucket, unsecured without so much as a password, exposed to the Internet. The company has now secured the data; it's unknown how long the information was exposed.
We heard from two security companies about the incident. Both draw lessons for cloud users. Chris Hauk, consumer privacy champion at Pixel Privacy, wrote:
"It's hard to fathom that a firm would leave unprotected data available on the web, especially in today's atmosphere of heightened security. But, it has happened again. While kudos are deserved for the company quickly securing the data once a security researcher tipped them off, the data should never have been left in an unsecured form. Hopefully Dr. Lal PathLabs' 'investigation' will result in the responsible parties being disciplined, which is apparently what it will take for those responsible for data security to begin taking steps to ensure their customers' data is protected from prying eyes.”
Warren Poschman, senior solutions architect at comforte AG, commented:
“It is clear that those who choose to use cloud-based databases must perform necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of AWS, ElasticSearch, MongoDB, Big Data, and other Open Source breaches, it does look like security is not being taken seriously enough. Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional targets but security often lags due to the focus on, in the case of healthcare, patient care over IT. Clearly, the Dr. Lal PathLabs have an enormous treasure of sensitive data, so besides improving their perimeter defense, they should explore a data-centric security approach. That way, they could pro-actively protect their data against breaches instead of playing constant catch up in terms of addressing the many different root causes that can lead to cyber incidents.”