At a glance.
- Notes on Data Protection Officers.
- A new romance scam.
- Missouri teachers' data exposed.
Debunking the myths of DPOs.
In honor of the third anniversary of the General Data Protection Regulation (GDPR), the legal experts at Cooley highlight the most prevalent missteps entities make when considering the appointment of a Data Protection Officer (DPO). The DPO is intended to serve as an intermediary between the organization, the data subjects, and regulatory authorities, and as such should be readily available to all three parties. The DPO can be a staff member, but only if the entity can ensure that there is no conflict of interest. Not all organizations need a DPO, but the assumption that companies that only process data (rather than control it) never require a DPO is a fallacy. Organizations can disagree with the DPO, but must properly document disagreements and follow proper protocol if a dismissal is considered. And finally, assigning a DPO is just one step toward GDPR compliance; entities need to carefully assess their obligations to ensure that all GDPR requirements are being met.
New romance scam: There’s an app for that.
The researchers at SophosLabs have uncovered a new approach to online romance scams, Naked Security reports. Instead of the typical long con, in which the fraudster woos the victim and gains their trust over time before asking for a handout, these new scammers, dubbed CryptoRom crooks, strike up a quick friendship and then offer the target an investment opportunity that typically requires a cryptocurrency transaction. To make the operation appear legitimate, the criminals build a realistic-looking, seemingly Apple-approved investment trading app and evade the App Store’s vetting process by tricking the target into granting administrative access to their device so the app can be installed outside the store. Rule of thumb: don’t give anyone admin access to your phone, and remember that what an app says about itself cannot always be trusted.
School staff SSNs exposed.
The Saint Louis Post-Dispatch discovered a vulnerability in a certification database run by the Department of Elementary and Secondary Education (DESE) that exposed the Social Security numbers of over 100,000 school faculty and administrators in the US state of Missouri. The application was intended to allow the public to search for teachers’ training credentials. Though no private data was visible on the rendered pages, the Social Security numbers were embedded in the HTML source returned to every visitor’s browser. “Unfortunately, these types of flaws and poor design choices are more common than we’d like,” said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis. “Local and state governments across the country are often still using applications developed many years ago and potentially containing serious security flaws.” The Post-Dispatch notes that the DESE seemingly underplayed its responsibility by claiming the leak was found by a “hacker” and implying that only a handful of individuals were compromised.
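The design flaw the Post-Dispatch describes, as an added example in Python (not code from DESE's application or from the newspaper): a credential-lookup page that keeps the SSN out of the visible text but still writes it into the HTML, beside a corrected render that exposes only an opaque record id, and a regex audit of the raw response that a site owner can run against their own pages. Every record value and the `rec-000123` id are constructed placeholders.

```python
import html
import re

# Constructed sample row (not real data) of the kind a public
# credential-lookup page would be built from.
TEACHER = {
    "record_id": "rec-000123",              # opaque, safe to expose
    "name": "A. Example",
    "certification": "Elementary Education 1-6",
    "ssn": "123-45-6789",                   # placeholder value, never real
}

def render_vulnerable(rec):
    """Reproduces the flaw: the SSN is not displayed, but the template
    still writes it into the page (here as a hidden form field), so it is
    in the HTML source every visitor's browser receives."""
    return (
        "<div class='result'>"
        f"<span>{html.escape(rec['name'])}</span>"
        f"<span>{html.escape(rec['certification'])}</span>"
        f"<input type='hidden' name='ssn' value='{html.escape(rec['ssn'])}'>"
        "</div>"
    )

def render_fixed(rec):
    """Only fields meant for the public reach the response; follow-up
    requests are keyed on an opaque record id, and the SSN stays
    server-side."""
    return (
        "<div class='result'>"
        f"<span>{html.escape(rec['name'])}</span>"
        f"<span>{html.escape(rec['certification'])}</span>"
        f"<input type='hidden' name='record_id' "
        f"value='{html.escape(rec['record_id'])}'>"
        "</div>"
    )

# SSN-shaped token: three digits, two digits, four digits, dash-separated.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def find_ssn_patterns(body):
    """Audit check for your own application's responses: scan the raw
    HTML (attributes, hidden fields and comments included, not just the
    text a browser displays) and return every SSN-shaped string found."""
    return SSN_RE.findall(body)
```

Running the audit over the page as users actually receive it (the full response body, not the rendered view) is what catches this class of leak; a visual review of the site would have missed it.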