At a glance.
- Texas Department of Insurance clarifies facts surrounding data incident.
- US Senators request investigation of facial recognition company.
- South African pharmacy suffers customer data breach.
- Highschooler blows whistle on student data leak.
Texas Department of Insurance clarifies facts surrounding its data incident.
The Texas Department of Insurance (TDI) has distributed a fact sheet that clarifies a data incident the agency sustained earlier this year: “In January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because we couldn't rule out access, we took steps to notify those who may have been affected.” While data could have been accessed by unauthorized personnel, TDI has investigated and found that “There is no evidence to date that there was a misuse of information.”
US Senators request investigation of facial recognition company.
A group of US Senate Democrats has sent a letter to the Federal Trade Commission (FTC) urging it to investigate ID.me, an identity-proofing company whose founder allegedly made “deceptive statements” regarding facial recognition data collected on behalf of the Internal Revenue Service (IRS). KrebsOnSecurity explains that until recently, the IRS required anyone seeking a new IRS account online to provide a live video selfie to ID.me for identity verification. The Senators allege that ID.me CEO Blake Hall used conflicting language regarding how the company uses the facial scan data collected. The main concern rests on the difference between “one-to-one” verification, which compares a video selfie to one image (say, a driver’s license), and “one-to-many,” which involves comparing the face to a database of potential matches. The Senators’ letter explains “the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital ‘line up.’ Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”
The Senators also note that facial recognition algorithm flaws disproportionately impact people of color. Though the IRS in February announced it would no longer require biometric data from taxpayers seeking to create an account on the agency’s website and pledged to delete any data previously shared with ID.me, the agency still offers new account applicants the option of using ID.me for verification. In response to the Senators’ letter, ID.me has issued a statement highlighting its successful support of government agencies. “Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud,” the statement reads. “We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”
South African pharmacy suffers customer data breach.
Dis-Chem, the second-largest pharmacy retailer in South Africa, has disclosed that a data breach exposing the personal data of more than 3.6 million customers was the result of an unauthorized party accessing a third-party database. Infosecurity Magazine explains that Dis-Chem hired the third-party service provider to handle certain managed services, and the provider created the database to store some of the customer data it processed. “It was brought to our attention on 1 May 2022, that an unauthorized party had managed to gain access to the contents of the database. Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents,” Dis-Chem’s statement reads. The compromised data includes first and last names, email addresses, and cell phone numbers.
Highschooler blows whistle on student data leak.
An American high school newspaper has uncovered a data breach in which thousands of files of student data were inadvertently exposed to students and employees. Chamblee High School senior Keegan Brooks says that while using Microsoft 365 he found he was able to access student information such as academic records, course transcripts, discipline records, medical forms, Social Security numbers, and standardized test scores from schools across the DeKalb County School District (DCSD). Brooks reported the issue to school newspaper The Blue and Gold and informed the district in March, but says school officials have been slow to resolve the problem. “More than two months later, there are still issues that are unresolved, still things that are widely accessible that shouldn’t be,” Brooks said. The district says a subsequent investigation revealed the breach was caused by improper data handling by employees, and that it has hired an outside vendor to evaluate the full scope of the issue. “If it is determined that stakeholders had — or may have had — their information accessed by unauthorized individuals, DCSD will promptly notify those individuals as required by law,” the district told the Atlanta Journal-Constitution.