Security Weekly News Episode #33 - May 12, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. News - ThunderSpy, Hacking COVID Research, & GDPR Fines - 02:00 PM-02:30 PM
This week in the Security Weekly News, DEFCON 28 is indeed cancelled, paying ransomware may double the recovery cost, Thunderspy evil maid attack on Thunderbolt devices, FBI to release a warning about Chinese hackers targeting virus research, and more! Jason Wood returns for the Expert Commentary to talk about four GDPR violations that multiple companies have been fined for!
Doug White's Content:
- DEFCON 28 is indeed cancelled.
- Paying Ransomware may double the recovery cost.
- Thunderspy evil maid attack on Thunderbolt devices.
- A-List Celebrity law firm gets data kidnapped.
- FBI to release a warning about Chinese hackers targeting virus research.
- Microsoft and Intel joint Venture Stamina for a new malware detection approach.
- Facebook update crashes phone apps.
- Japanese Giant Hornets on the menu tonight?
Jason Wood's Content:
About 2 years ago the security news was full of articles about GDPR and its impact. Not only was the news full of articles, our email inboxes were full of GDPR privacy notifications. Everyone was focused on a large number: 20 million EUR. That was the top end of fines that was being talked about everywhere. Today I found some blog posts that discussed what the actual punitive actions have been so far. Security company Comforte published 2 blog posts about the total fines of GDPR after one year and the 4 top violations after 2 years. Let’s take a look.
First off, let’s look at the most frequently fined violations. The first is the “failure to pseudonymize sensitive data”. This one surprised me a bit, but mostly because I focused on the anonymizing of data, rather than randomizing it. I pictured things like changing my address to something not associated with me. Instead, the fines have been focused on storing passwords in clear text. In fact, the first GDPR fine ever was against a German company that had a data breach of clear text passwords in their application. They were fined 20,000 EUR. Facebook faced this fine as well, but was fined 500,000 GBP instead.
The second was the failure to assess risk. The idea here being that companies will go back and review their practices and risks periodically. A Portuguese hospital messed this one up, and one of the issues cited is that they did not have regular reviews of their risk profile, didn’t have controls in place to prevent the exposure of sensitive data, and didn’t limit access to data.
Now that I’ve mentioned the failure to limit access to data, this issue also was a big deal at this hospital. In their business and resource applications the hospital allowed over 900 people to have the “doctor” role in their systems, but only had 300 doctors. Oops. Here’s their 400,000 EUR fine.
And finally, and least surprisingly, companies are not getting authorization to collect personal data. Comforte cited a surprising violation for this requirement. An Austrian company was cited for the arrangement of their CCTV cameras and lack of signage notifying people of monitoring. It turns out the cameras were capturing the entrance to their business and a large portion of the sidewalk. Go figure. I would have expected the normal stuff where people’s data gets sucked up into applications without their knowledge.
So those are the top violations. What were the total fines looking like after a year of enforcement? Well, you can see some of the ranges already. On GDPR’s first birthday the total of fines was 56M EUR. Smaller companies typically faced something in the 10,000-20,000 EUR range. Larger companies got hit with more. Still, it would have taken a while to get to 56M EUR, except for Google. Go figure. Google got hit with a huge fine of 50M EUR in one go. Pocket change to them, but ouch!
So is GDPR being enforced? Yes it is, and in some ways I didn’t picture. It seems like the smaller companies were getting fined when a security incident occurs. Larger companies are more likely to be picked up in the general course of enforcement and obviously get hit with larger fines. Bottom line, the 20M EUR fine everyone was worrying about hasn’t really come to pass. Unless you are Google, and in that case they are willing to more than double that number to 50M EUR. There are always exceptions, I guess. So that is 2 years in review of GDPR enforcement. Mind your business practices. Even if you are at a small company, you can get caught up in it, and a 5 figure fine can hurt.