At a glance.
- Facial recognition in the Eurostar.
- RATP reported to have sustained data exposure.
- Dumpster is, unfortunately for privacy anyway, not on fire.
- Charities and online privacy.
- Privacy reflections on Pegasus.
On the fast track to facial recognition.
European high-speed rail service Eurostar is conducting a trial run of facial recognition tech for travelers en route from London’s St Pancras International station to continental Europe. Bleeping Computer explains that passengers will be given the option of avoiding the more tedious traditional ticket and passport identification checks by instead using the biometric software in what they’ve dubbed the “SmartCheck” lane.
Eurostar developed the new system with the support of biometric software company iProov, a supporter of “passive authentication” tech, which allows the passenger to consent to the facial scan prior to their travel and be authenticated by simply looking into a camera as they board. Privacy advocates are concerned that such biometric technology could lead to government tracking or data leaks, and just last week the UK Information Commissioner’s office declared it would be fining American facial recognition company Clearview AI over £17 million for violating data protection laws.
French transport giant linked to data exposure.
Researchers at vpnMentor say they have detected a potential data leak in an HTTP server purportedly belonging to French transport infrastructure firm RATP. The unsecured server, possibly linked to an employee benefits web portal, contained benefit data belonging to 57,000 RATP employees, as well as highly sensitive source code and configuration files for websites belonging to RATP. Though RATP’s name was found throughout the files and the researchers reached out to the company about the issue, RATP has not confirmed the data belongs to them. The server was secured shortly after France’s Computer Emergency Response Team (CERT) and RATP were informed of the vulnerability.
One person’s trash is a cybercriminal’s treasure.
The Atlanta Journal-Constitution reports that sensitive documents were found discarded in a paper recycling bin at the Your DeKalb Farmers Market, located in the US state of Georgia. The papers, dated from 2006 to 2016, bear letterheads from several organizations including the DeKalb County Board of Health, the Georgia Department of Community Health, and Emory Healthcare, and include an array of private healthcare documents like medical history forms, nursing certificates, and drug test results. The owner of the documents has not yet been determined, but many of the papers appear linked to Senior Connections, a nonprofit organization that worked with several government agencies prior to its closure in 2018. However, when contacted, none of the associated agencies claimed responsibility. Both federal and state privacy laws regarding proper disposal of sensitive data were likely violated, meaning whoever is at fault could face penalties of up to $50,000 per victim.
The cybersecurity issues faced by nonprofits.
Information Security Buzz discusses how a 2020 data leak at HIV Scotland, which resulted in the charity receiving a £10,000 fine from the UK Information Commissioner’s Office (ICO), highlights the need for stronger cybersecurity policies for nonprofits. The leak occurred when a staff member exposed the email addresses of over one hundred recipients by entering the addresses in the “to” field instead of using the blind carbon copy function. The subsequent ICO investigation revealed the incident could be attributed to a lack of staff training, unsafe bulk emailing methods, and an inadequate data protection policy. Interestingly, HIV Scotland was aware of its cybersecurity shortcomings prior to the incident and had even acquired a more secure mass emailing system, but failed to implement it. Such organizations often lack sufficient data protection procedures due to limited resources and a reliance on volunteer staff with little training. Ken Macdonald, Head of ICO Regions, stated, “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help. I would encourage all organizations to revisit their bulk email policies to ensure they have robust procedures in place.”
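The HIV Scotland incident is the classic "recipients in To instead of Bcc" mistake, which a bulk-mail tool can refuse to make. The following Python is an added illustration, not code from the article or from HIV Scotland: it builds a mailing with every recipient in Bcc and a single visible address in To, and rejects any message whose To/Cc headers would expose more than one address. Addresses and the one-visible-recipient policy are constructed for the example.

```python
"""Bulk-mail guard: keep recipient lists out of the visible headers.

Added illustration (not from the article). Every external recipient goes in
Bcc; only the sender/list address is visible in To; a message that would
reveal several addresses to all recipients is refused before it is built.
"""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # constructed policy: only the sender/list address may be visible


class RecipientExposure(Exception):
    """Raised when a message would reveal recipients to one another."""


def visible_addresses(to_header: str, cc_header: str = "") -> list[str]:
    """Return the addresses every recipient would see (parsed from To and Cc)."""
    pairs = getaddresses([h for h in (to_header, cc_header) if h])
    return [addr for _, addr in pairs if addr]


def check_no_exposure(msg: EmailMessage) -> None:
    """Raise RecipientExposure if To/Cc list more than the permitted visible address."""
    seen = visible_addresses(msg.get("To", ""), msg.get("Cc", ""))
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientExposure(
            f"{len(seen)} addresses would be visible to all recipients; use Bcc"
        )


def build_bulk_message(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """Build a mass mailing with recipients hidden in Bcc and only the sender in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # the only address other recipients see
    msg["Bcc"] = ", ".join(recipients)      # smtplib.send_message strips Bcc on send
    msg["Subject"] = subject
    msg.set_content(body)
    check_no_exposure(msg)                  # fail closed if a caller misroutes recipients
    return msg
```

The same check can be run as a pre-send hook on any outgoing message, so a mistaken "To" list is blocked rather than discovered after delivery.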
Comment on the diplomats' Pegasus infestation.
Is the Pegasus in Uganda story a privacy story? Sure, but it's also, as Chris Risley, CEO at Bastille Networks wrote, a spy story. Privacy and opsec converge at several points:
“So far, this has been covered as a tech story and as an Israeli relations story. But this really is a spy story. The striking thing about this discovery is that 11 phones were compromised at once. So, either 11 employees were tricked into clicking on the wrong link, or more likely, the spyware was installed using 'Zero-Click' attacks.
“There’s a message here for corporations and organizations as well: Millions of vulnerable smartphones enter workplaces daily. Any smartphone can now be hacked invisibly. A hacked smartphone can be used as a portal into an enterprise’s most important secrets, earnings data, trading data, merger and acquisition data. It’s a new world of smartphone spyware. It is imperative to have security protocols in place to manage the secure use of smartphones in the workplace. If security teams didn’t think smartphones in the facility were an important threat yesterday, they certainly should think they are an important threat now.
“There are probably some rooms in the U.S. Embassy in Uganda where no cell phones were allowed and we can hope that those were the only places where classified conversations took place. If not, that embassy and every embassy around the world needs to have those phone-free rooms and to enforce those rules starting immediately. Also, remember that it isn’t enough to ‘turn your phone off.’ Spyware can turn your phone on.”