At a glance.
- StarHub customer data leaked.
- Data breach at Georgia hospital.
- Child protection and Apple's reputation for privacy.
- Facebook considers ways of collecting less advertising data.
- Fake faces.
Singapore telco data leaked.
The Register reports that Singaporean telecommunications company StarHub apparently waited a month before disclosing a data leak that exposed the data of over 50,000 customers. Singapore's Personal Data Protection Act 2012 requires organizations to notify the Personal Data Protection Commission of breaches impacting more than five hundred individuals within three days of discovery, but the telco asserts it is not in violation. Corporate communications assistant VP Cassie Fong stated, "StarHub notified our affected customers progressively from 6 August 2021, in accordance with Section 26D of Singapore's Personal Data Protection Act 2012."
Georgia medical network ransomware attack.
St. Joseph’s/Candler (SJ/C) hospital system, located in the US state of Georgia, experienced a ransomware attack that rendered files inaccessible and exposed patient and employee data, Becker’s Hospital Review reports. Though the attack was discovered in June, the resulting investigation indicates the intruder had access to SJ/C’s systems for approximately six months without detection. Infosecurity Magazine adds that although employees had to rely on pen-and-paper documentation after SJ/C shut down its network to prevent the spread of the attack, most appointments were unaffected.
Sascha Fahrbach, Cybersecurity Evangelist at Fudo Security, sees the Georgia incident as a spur to reevaluation of the sector's security posture, especially with respect to privilege management and third-party risk:
"The healthcare industry continues to be under serious strain, not just from the global pandemic but also by persistent hackers and insiders looking to exploit a tempting target: valuable PHI. This most recent incident, combined with the earlier breach of Renaissance Life & Health Insurance Company's customer PHI, emphasizes that healthcare operators need to reassess their security posture, as well as shifting their mindset, when it comes to safeguarding their data.
"In particular, third parties remain a security liability which needs to be remedied urgently. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk. This could seriously damage and expose organizations to misuse and non-compliance risk.
"In addition, healthcare organizations must take care to evaluate how much privilege access they are granting to their partners and vendors, as this is often one of the main vulnerabilities which leads to misuse and data breaches. Only with a holistic approach, which includes a zero trust strategy and tools for monitoring access, can these threats be mitigated."
Is Apple living up to its reputation as a privacy pioneer?
In the midst of the debate surrounding Apple’s new child protection features and how they impact user privacy, Wired questions whether the tech giant is really the privacy leader it purports to be. As one of Apple’s most popular (and profitable) services, iCloud stores the data of hundreds of millions of customers, but iCloud’s easy-access user interface could be what makes it so vulnerable. Though Apple has asserted its data is so secure that even Apple (let alone the FBI) can’t touch it, the fact that Apple holds onto iCloud encryption keys provides a backdoor that could render all of Apple’s other privacy trappings meaningless. And with iCloud storing everything from photos to GPS data, the bottom line is that a court order could be all that stands between a user’s privacy and police surveillance. There are also reports (which Apple denied) that the company is monitoring remote workers with in-home cameras, and the use of facial verification for Apple’s new digital identification card could make practices like automated ID checks and facial scanning an everyday part of life.
Facebook explores new privacy-focused ad policies.
In an exclusive interview with The Verge, Graham Mudd, Facebook’s VP of product marketing for ads, discusses how the social media giant is reworking its advertising personalization policies to limit the data collected from users. Facebook very vocally challenged Apple’s recent move requiring app developers to ask permission to track users for ad targeting, which will likely result in Facebook losing a great deal of ad-generated revenue. With Google planning something similar for Android, Facebook is considering new ways to provide targeted advertising without infringing on user privacy. One possible solution could be to use secure multi-party computation to encrypt user data shared between companies for targeted ads. Mudd explains, “Because data and personalization is at the heart of almost every one of our systems, from targeting to ad optimization to measurement, almost all our systems will be rebuilt over the next couple of years.”
Faking faces.
Motherboard explores how researchers at the Blavatnik School of Computer Science and the School of Electrical Engineering in Tel Aviv discovered a technique that could be used to trick facial recognition systems. By using StyleGAN and an evolutionary algorithm to train a neural network to create nine "master key" faces, the researchers demonstrated they could successfully impersonate nearly half the faces in the datasets of three sophisticated facial recognition programs. The research shows just how vulnerable these facial recognition systems could be. “We are interested in further exploring the possibility of using the master faces generated by our method in order to help protect existing facial recognition systems from such attacks,” said lead author Ron Shmelkin.