At a glance.
- Of penalty kicks and privacy.
- Update on the Medibank breach.
- GAO report shows an increase in personal data leaks at DoD.
- Twitter shake-up elicits security concerns.
Of penalty kicks and privacy.
As we noted yesterday, the World Cup is set to begin in just a few days in Qatar, and cyber experts are warning attendees to be cautious in the face of potential cyber threats associated with the event. As the Wall Street Journal reports, it will be the first FIFA World Cup hosted in the Middle East, and the first in a conservative Muslim country. Two million visitors are expected to gather within a radius of just thirty-five miles around the city of Doha, and with Qatar being an authoritarian monarchy with a history of human rights violations, the clash of cultures has already created some friction. Though Qatar has a data privacy framework, it’s not recognized by the EU as providing user protection comparable to Europe’s regulations. French data protection authority CNIL has offered advice for attendees on how to protect themselves from spyware or cyber scams. “Ideally, travel with a blank smartphone … or an old phone that has been reset,” a CNIL spokesperson told POLITICO. “Special care should be taken with photos, videos, or digital works that could place you in difficulty with respect to the legislation of the country visited.”
Thousands of surveillance cameras equipped with facial recognition tech will keep a close eye on the events. They’re ostensibly for the safety of players and fans, but security experts are wary. The UK Information Commissioner's Office says it’s "aware of media reports on this matter and we will consider the potential impact on the privacy rights of UK citizens. If anyone is concerned about how their data has been handled, they can make a complaint to the ICO."
Visitors traveling to Qatar for the event are required to download two mobile apps – the official World Cup app Hayya and Covid-tracking app Ehteraz – and experts say the platforms provide Qatari authorities with liberal access to users’ data. Tom Lysemose Hansen, CTO and co-founder of app security firm Promon, told The Register, "Ehteraz is able to install an encrypted file which claims to hold a unique ID, QR code, infection status, configuration parameters and proximity data of other devices using the app. Essentially, it is clear that the app is taking data from the end user for more reasons than are expressed by the given consent button." Germany's data protection agency BfDI told The Register it is working with the German Foreign Ministry and the German Federal Office for Information Security to investigate the two apps. CNIL advises device owners to “limit online connection to services requiring authentication to the strict minimum,” keep their phone with them at all times, and use a strong password.
Richard Bird, CSO at Traceable AI, suggests the advantages of watching the matches from home:
“With all the noise about the apps being promoted in Qatar for the World Cup, no one in cybersecurity should be feigning shock that these applications are rife with tracking and monitoring capabilities. Personal freedoms aren't respected or treated the same way everywhere in the world, and if you feel threatened or concerned about the Qatari stance on allowing these types of apps to be used, then frankly, don't go to the World Cup. I'm not suggesting that what Qatar is doing is appropriate, I'm just saying we should stop suggesting that technology freedoms supersede situational awareness. The situation in Qatar is that privacy for citizens and visitors alike is not a concern of the government or the state-sponsored corporations in that region.
“For tourists traveling to Qatar, the answer to maintaining your privacy and security really boils down to one of two options. The first? Stay at home and watch the World Cup in your living room or local bar or pub. The second? As every CISO that operates across a global footprint knows, you take a burner phone to Qatar, or China, or Russia. If you balk at the idea of having to pay extra for security and privacy, then it is doubtful that security or privacy are really that important to you at a personal level. In many nations, privacy and security come at a premium cost. Expecting those nations to act differently simply because we expect technology rights and privileges to be respected is naive.”
Neil Jones, director of cybersecurity evangelism at Egnyte, recommends a burner phone if you plan to travel to watch in person.
"Recent research indicates that up to 75% of the world's population will be covered by modern data privacy regulations by the end of 2024. Most of these regulations are designed to protect consumers from having their Personally Identifiable Information (PII) or Protected Health Information (PHI) shared without their specific authorization. However, the situation with the FIFA World Cup apps presents an interesting quandary – football fans are unable to attend the events unless they download applications that provide COVID-19 tracking capabilities and even track their geographical locations and access their device data. If hacked, the information would be a treasure trove to potential cyber-attackers.
"If you plan to travel to the event, I would strongly recommend the purchase of a burner phone, if the privacy-limiting capabilities cannot be disabled. In addition, all users should consider the following when downloading and accessing new applications: 1) If prompted, allow only the minimum permissions for the application to function on your device. 2) Strongly consider limiting other users' access to view your geographical location. 3) Don't allow the application to make calls on your behalf or alter your device's data. 4) Consider deleting event-related applications when the events have concluded."
Update on the Medibank breach.
In the latest news on the data breach of Medibank, Australia’s leading insurance provider, Medibank chairman Mike Wilkins defended the company's decision not to meet the demands of the ransomware group responsible for the attack. “Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published,” Wilkins told ABC Australia. "In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm's way by making Australia a bigger target.” Medibank's chief executive David Koczkar says the company has started reaching out to the 480,000 customers who were impacted by the breach.
GAO report shows an increase in personal data leaks at DoD.
The US Government Accountability Office (GAO) Monday released a report analyzing the data breaches experienced by the Department of Defense (DoD), FCW reports. While cyber intrusions and disruptions are down from 3,880 in 2015 to just 948 last year, data breaches involving personally identifiable information have more than doubled, reaching 1,891 reported cases last year. The report also notes that although the DoD has policies for assessing the risk of a personal data breach and informing impacted individuals, it's unclear whether those policies are being followed. Out of a sample of breaches that occurred between 2017 and 2020, the GAO found that the DoD contacted only 18% of the individuals designated to be notified of a breach within the ten-day requirement, and that for thirty reported breaches it had not fully determined whether a risk assessment had been performed. For its part, DoD says it’s developing a new breach reporting system that will have a built-in risk assessment module, and it’s expected to be implemented by early fiscal 2023.
Twitter shake-up elicits security concerns.
The recent purchase of Twitter by Elon Musk has led to major changes for the company. As Bloomberg reports, Musk fired approximately 3,700 Twitter employees, including the social media giant’s data protection chief, Damien Kieran. The transition has led to security fears, and Ireland’s Data Protection Commission, which is Twitter’s European privacy watchdog, met with company representatives in Dublin to discuss next steps. The DPA is “closely” monitoring the situation, and Grant Doyle, the DPA’s deputy commissioner, says the company has appointed Renato Monteiro as its acting data protection officer in Kieran’s absence.