Weekly Newsletter: 6 April – 9 April 2021
GDPR EU Representative

April 12, 2021

Why the EDPB should avoid torpedoing BCRs for processors

[#EDPB #BindingCorporateRule #Datatransfers] 

“Many global service providers and their customers rely on binding corporate rules for processors to transfer European Economic Area customer data to processors outside the EEA. There are strong indicators that the European Data Protection Board is about to restrict the application of BCRs for processors to internal transfers within the processor group of companies. This would mean that BCRs for processors can no longer be used as a mechanism for transfers from an EEA customer directly to a processor outside the EEA. […]

If the EDPB were to make a drastic change in course, it could undermine the legitimate expectations of the organizations and markets that rely on the EDPB’s consistent guidance on BCRs for processors. After more than 10 years of investments by global processors that obtained BCRs-for-processors authorizations and implemented them within their organizations, and with so many of their customers subsequently relying on BCRs for processors in thousands of service contracts, such a restriction would be nothing short of a violation of the principles of proper government.”

To read more: Click here.

Facebook leak: Irish regulator probes ‘old’ data dump 

[#EDPB #BindingCorporateRule #DataTransfers] 

“A data leak involving personal details of hundreds of millions of Facebook users is being reviewed by Ireland’s Data Protection Commission (DPC). Facebook says the data is “old”, from a previously-reported leak in 2019. But the Irish DPC said it will work with Facebook, to make sure that is the case. […]

Despite the claims of the data being “old”, some security researchers remain concerned due to the unchanging nature of the data involved. Phone numbers, for example, are unlikely to have changed for many people in the past two to three years, and other information – such as a date of birth or hometown – never changes.

Alon Gal, a well-known personality in cyber-security circles who tweets as @UnderTheBreach, wrote that the phone number database first appeared in January, where hackers could look up the phone database for a small fee.

But the widespread leak of the database “means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” he tweeted.”

To read more: Click here.

Buy a phone, get a tracker: unauthorized tracking code illegally installed on Android phones

[#GoogleAds #ePrivacy #Android #DataTracking]

“As reported by the Financial Times, noyb launched further action against Google’s AAID (Android Advertising Identifier), following similar complaints against Apple’s IDFA. The somewhat hidden ID allows Google and all apps on the phone to track a user and combine information about online and mobile behaviour. […]

Google not only installs the AAID without consent but it also denies Android users the option of deleting it. As we have proven in our previous complaint filed in Austria, users can merely “reset” the ID and are forced to generate a new tracking ID to replace the existing one. This neither deletes the data that was collected before, nor stops tracking going forward. […]

Next steps. Since this complaint is based on the e-Privacy directive, the French authority can directly make a decision, without the need for cooperation with other EU Data Protection Authorities as under GDPR.”

To read more: Click here.

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof 

[#LinkedIn #DataLeaks #Cybersecurity]

“Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn. An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. […]

The data from the leaked files can be used by threat actors against LinkedIn users in multiple ways by:

– Carrying out targeted phishing attacks.
– Spamming 500 million emails and phone numbers.
– Brute-forcing the passwords of LinkedIn profiles and email addresses.

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.”

To read more: Click here.

Do Passwordless Logins Trade Your Privacy for Your Security?

[#PasswordSecurity #TwoFactorAuthentication #Cybersecurity]

“Passwordless logins are the most secure login method if you don’t like creating complex passwords and changing them every few months. And you’d only need to set it up once. No more forgetting passwords or writing them down on paper. […]

You’re always told to keep your passwords secure by not writing them anywhere and by using a password manager with end-to-end encryption. But websites you log into using your password also store it, meaning a data breach or leak could expose your most secure passwords, especially if they’re not encrypted.

Passwordless authentication is different. When it comes to authentication codes or links, the website only knows your email address or phone number. […]

2FA [Two-Factor Authentication] still relies on a password. If the password is weak or compromised, half of the hacker’s work is already done for them. That leaves the security of your account dependent on the second method of authentication. This ranges from SMS messages 2FA—which hackers can easily bypass—and one-time passwords (OTP) generators to biometrics and physical keys.”

To read more: Click here.

Cookie Consent Speed.Run

[#Cookies #Consent #Personaldata] 

“Have you heard of this great new game, Cookie Consent Speed Run? In a few seconds, you’ll learn if you know as much as you thought about cookie consent banners! Click to read more on their website!”

To read more: Click here.

Hefty Fine for Booking.com Due to Delayed Data Breach Notification; With Little Financial Information Stolen, Is the Amount Excessive?

[#Bookingcom #DataBreach #Cybersecurity]

“Is policing of data breach notifications becoming more strict? The personal information of about 4,100 customers who booked hotels in the UAE in 2018 was exposed in the breach, but only 283 of these had credit card details exposed (97 had the CVV security code exposed along with the full card number). […]

Booking.com’s immediate acquiescence is somewhat surprising given that EU regulators have tended to be forgiving of companies in the travel industry, particularly during the pandemic. […] the companies involved found responsible for the loss of millions of records of sensitive personal and financial information. […]

The Dutch DPA did not play a role in those decisions, however. It is thus unclear if this signals a trend in the EU toward stricter enforcement of slow data breach notifications, or if companies based in the Netherlands are going to be subject to tougher standards in this area.”

To read more: Click here.