Showing results for tags 'personal data'.

Found 14 results

  1. US pharmacy store says mobile app exposed names, prescription details, and shipping addresses. Walgreens, the second-largest pharmacy store in the US, said on Friday that its official mobile app contained a bug that exposed the personal details of some of its users. The leak, described as "an error within the Walgreens mobile app personal secure messaging feature," exposed details such as first and last name, prescription details, store number, and shipping addresses, where available. "Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app," the company said in a breach notification letter it sent customers. The mobile app error that allowed users to view other users' personal data and drug prescription details only lasted for a week, between Thursday, January 9, and Wednesday, January 15. Walgreens said it fixed the bug on the day it learned of the error, on January 15. "Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue," it said. "Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data." The company did not say how many of the app's users were impacted by the bug, but it did say that sensitive drug prescription details were only exposed for a small percentage of the total users who were affected. The Walgreens Android app lists more than 10 million downloads on the Google Play Store. The app's iOS page does not list a download count, but the iOS app has more than 2.5 million ratings. Source
  2. The Electronic Frontier Foundation (EFF) on Monday announced that its research into the Ring app’s Android version identified several embedded third-party trackers sucking up “a plethora” of personal information. Three of the trackers aren’t included in Ring’s privacy notice—a list last updated a year and eight months ago. The civil liberties group, whose work focuses on privacy and other digital rights, said it had observed Ring for Android’s activity using tools for inspecting web traffic. EFF researchers found it was delivering users’ personal information to four marketing and analytics firms, including Facebook. In Facebook’s case, Ring hands over data whether its customers have Facebook accounts or not, the EFF said. Ring’s privacy policy makes clear that it uses web analytics services. “The service providers that administer these services use automated technologies to collect data (such as email and IP addresses) to evaluate use of our websites and mobile apps,” it says. However, the policy also claims to identify which third-party services specifically are used by the company. The list, last updated in May 2018, does not include Facebook and other trackers currently in use. “Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing,” a Ring spokesperson told Gizmodo. According to EFF’s research, Ring for Android version 3.21.1 delivers a range of personal information to the following sites: branch.io, mixpanel.com, appsflyer.com and facebook.com. Gizmodo also inspected Ring’s web traffic and can confirm the EFF’s findings. “The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” EFF said.
Privacy researchers refer to this as a digital “fingerprint,” which marketing companies use to paint a complete portrait of a person’s likes and activities. A Ring spokesperson said that Ring takes steps to ensure its service providers’ use of customer data is “contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.” In the case of business analytics service MixPanel—the only tracker identified by EFF listed among Ring’s third-party services—Ring provides access to users’ names, email addresses, and device information, such as OS version and model, EFF said. Ring told Gizmodo that MixPanel is used to target messaging within the app when new features become available, including security-related settings. Other trackers help the company identify which in-app features are performing the best, it said. Ring was purchased by Amazon in the summer of 2018. The company markets a line of home security products, including the popular Ring Doorbell, which uses Amazon Web Services (AWS) servers to store footage. Privacy advocates have scrutinized Ring heavily over the past year, largely due to its quickly expanding local law enforcement partnerships, the terms of which appear often to restrain public officials from speaking freely about the services Ring provides. Gizmodo reported last year, for example, that Ring had edited the written statements of police officials. In some cases, Ring’s intervened to omit the word “surveillance” from quotes attributed to senior police officials, warning them that use of the term could elicit “privacy concerns” among consumers.
“Ring claims to prioritize the security and privacy of its customers,” EFF Senior Staff Technologist William Budington said in a statement, “yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system.” Update: Article was updated to reflect that Ring data collected by Gizmodo confirmed EFF’s findings. Source
  3. At least 11 accessed data in the last two months Facebook says that even after it locked down its Groups system last year, some app developers retained improper access to information about members. A company blog post reports that roughly 100 developers might have accessed user information since Facebook changed its rules in April of 2018, and at least 11 accessed member data in the last 60 days. It says it’s now cut all partners off from that data. Facebook Group administrators can use third-party tools to manage their groups, giving apps information about its activity. Since the changes last year, developers shouldn’t be able to see individual members’ names, profile pictures, or unspecified other profile data. Facebook platform partnerships head Konstantinos Papamiltiadis says a recent security review found that some apps still had access, however. Papamiltiadis says there’s no evidence that partners have abused their access, but he says Facebook has asked them to delete any improperly obtained information and will conduct audits to confirm it’s gone. Facebook didn’t disclose the names of these roughly 100 developers. Papamiltiadis only says that the apps were “primarily social media management and video streaming apps, designed to make it easier for group admins to manage their groups more effectively and help members share videos to their groups.” We also don’t know exactly what information was involved besides names and photos, nor how many users and groups the apps served. Facebook locked down the Groups application programming interface (API) as part of a general crackdown after the Cambridge Analytica data-sharing scandal. It added rules that required developers to get approval from Facebook before using the Groups API, then relaunched the system with new features in July, suggesting that it was trying to implement real oversight — so it’s a little surprising that these apps slipped through the cracks. 
Source: Facebook says 100 developers might have improperly accessed Groups member data (via The Verge)
  4. A hacker group claimed it has stolen the personal data of thousands of students from Universiti Malaysia Sabah (UMS). In an email to The Star, one of the members sent links to “sample” files containing information such as name, student ID, faculty, address, email and MyKad number. The group, known as BreachDB, has also put up a post on Twitter, offering for sale the personal data of 50,000 students for US$50 (RM210) in bitcoin. The BreachDB crew, a four-person team, said it hacked for fun and profit. A quick check online showed that the names and student IDs match but some of these details are available even on the UMS website. The Star has reached out to the university which is investigating the matter but has yet to release a statement. UMS currently has over 17,000 students and it produces around 5,000 graduates each year. We have also informed the Malaysian Communications And Multimedia Commission (MCMC), Cybersecurity Malaysia, National Cyber Security Agency (Nascsa) and Personal Data Protection Department (JPDP). Last month, Universiti Malaya claimed that no data was leaked after its E-Pay Cashless Payment and Records portal was defaced. However, later on the same day, local tech portal Lowyat.net claimed that personal data of both UM academic and non-academic staff, including payslips and bank account details were leaked on an anonymous file-sharing site. Earlier this year, another hacker claimed to have stolen the personal data of students from Universiti Teknologi MARA (UiTM). According to Lowyat.net the records of 1,164,540 students were compromised from UiTM campuses around the country, including the main one in Shah Alam. Source: Hacker claims to have stolen personal data of Universiti Malaysia Sabah students (via The Star Online) p/s: Here's the English translation for some Malay terms/words used, for understanding. Universiti = University Teknologi = Technology
  5. Opinion: Do you know where your data is? Tough new laws are on their way. Consumer data is fast becoming an expensive liability, and it could even lead to jail for executives. It's only a few weeks before California's strict data law takes effect January 2020, and there are others in the pipeline in other states including proposals to jail executives that fail to protect people's data from a breach. Data is fast becoming a business liability rather than a benefit. I go to a lot of media roundtables organized by computer security companies, and they all say that 100% protection is not possible and that every company has to prepare for a security breach. Yet that's assuming that the organization knows where all its data is located, which is unlikely. Companies are constantly making copies of their production database for many reasons and especially for their developers so that they can test software. These database copies often are not stripped of sensitive data because it is needed for testing. And the data is often used outside of the main IT environment and with different access controls. Developer testing setups are often easy entry points for intruders with nefarious intent. If you don't need to store the data, why collect it and collect the legal liabilities? Companies have been collecting mountains of personal data, but few of them have figured out what to do with it. They assume data is valuable -- like oil -- but like oil, it becomes a slippery thing to work with, and if you slip up and leak your data, you'll face massive fines and damage to brand reputation. BIG DATA BIG LIABILITIES The past couple of years the IT industry talked about the value that can be found in big data -- now it's better described as risky data. Companies will ask themselves, "What's the point of having it and risk losing it if we aren't using it?" The boards of companies and investors will likely recommend dumping any data that increases legal liabilities.
Unless the lobbyists for Google, Facebook, and other tech companies manage to persuade Washington to pass weak federal data laws to trump strict state laws. RISKY AD TECH There is currently a big clash of ideas around consumer data privacy and security. Politicians, the media, and the tech industry are trying to define the problem and how best to mitigate problem activities. Data breaches by hackers are certainly a big problem, but there's a much bigger issue at play: Allowing ad technologies to collect and create massive data warehouses of highly sensitive personal data. If the personal data isn't there, there's nothing for hackers to steal. Ad tech makes it all possible. Ad technology is in danger of being severely restricted. Marketers use people's data to save a few cents on the costs of selling services and products. This exact same data is used to judge people's beliefs and leave them exposed to hidden political and ideological manipulation by unknown parties. WHY DOES YOUR SOAP POWDER NEED TO KNOW SO MUCH ABOUT YOU? Procter & Gamble used to sell plenty of soap powder without using targeted data. Contextual advertising is very effective, and it doesn't require collecting personal information. Contextual advertising enables media sites to reclaim their readers from the programmatic dashboards that steal them and follow them wherever they go. It would increase advertising revenues for publishers creating original content and allow them to reinvest rather than lay off people. Over the short term, the winners will be Google and Facebook, because they don't have to sell people's data directly, and they can afford the costs of complying with any new legal regulations. They will essentially become vendors of metadata about personal data. That way they shelter ad clients from any data liabilities because they don't need to handle sensitive data themselves.
But over the long term, there are serious problems: Trying to persuade people to buy a product is the same as trying to persuade people to buy an idea -- advertising works and targeted messages work even better for political and ideological ends. It's why it's inevitable that societies will place strict limits on ad technologies and the use and collection of personal data, in my opinion. Source: From big data to risky data: Will companies dump their liabilities? (via ZDNet)
  6. DNA matching can produce interesting data on family trees, but may also expose us to serious risk. DNA testing is no longer simply a tool in the medical field -- in recent years, DNA profiling has become a product offered by private companies and third-party services. These tests, often conducted with a home swab and posted away for analysis, can reveal family matches and possible connections, as well as clues to our ethnic heritage. As records pile up in the databases of companies including Ancestry.com and MyHeritage, third-party websites -- such as GEDmatch -- can also be used to compare DNA sequences submitted by other people. It is indisputably interesting to learn more about our genetic traits and family trees, but as noted by academics from the University of Washington, there may be a trade-off when it comes to our privacy and security. GEDmatch is the focus of new research into the security risks of DNA profiling. The paper (.PDF), published by University of Washington academics and accepted at the Network and Distributed System Security Symposium for presentation in February, explains how small numbers of comparisons made through the platform can be used to "extract someone's sensitive genetic markers," as well as construct fake profiles to impersonate relatives. "People think of genetic data as being personal -- and it is. It's literally part of their physical identity," said lead author Peter Ney from the UW Paul G. Allen School of Computer Science & Engineering. "This makes the privacy of genetic data particularly important. You can change your credit card number but you can't change your DNA." The researchers created an account on GEDmatch and uploaded different genetic profiles by sourcing data from anonymous genetic profiles. The platform then assigned these profiles an ID. When one-to-one comparisons are made, GEDmatch creates graphics to show how two samples match or differ, including a bar for each of the 22 non-sex chromosomes.
It is this bar that the researchers honed in on, creating four "extraction profiles" to try and deduce the target profile's DNA by making continual comparisons. "Genetic information correlates to medical conditions and potentially other deeply personal traits," added co-author Luis Ceze. "Even in the age of oversharing information, this is most likely the kind of information one doesn't want to share for legal, medical and mental health reasons. But as more genetic information goes digital, the risks increase." Millions of us have already submitted our DNA for tests, and as more individuals jump on the trend, the risks are likely to increase. Another GEDmatch graphic, together with 20 experimental profiles, revealed that larger samples could be exploited to target a single record with an average of 92 percent of a test profile's unique sequences becoming harvested with roughly 98 percent accuracy. False relationships, too, are a possibility. The researchers created a fake child containing 50 percent of its DNA from one of their experimental profiles. After launching a comparison, GEDmatch came back with an estimated parent-child relationship. By doing so, it is theoretically possible for attackers to also create any family relationship they want by changing shared DNA fractions. "If GEDmatch users have concerns about the privacy of their genetic data, they have the option to delete it from the site," Ney said. "The choice to share data is a personal decision, and users should be aware that there may be some risk whenever they share data." The academics reached out to GEDMatch prior to publication and said that the platform is "working to resolve these issues." The research was funded in part by the University of Washington Tech Policy Lab, with the help of a grant from the Defense Advanced Research Projects Agency (DARPA) Molecular Informatics Program. GEDmatch told ZDNet: Source: GEDmatch highlights security concerns of DNA comparison websites (via ZDNet)
  7. Wednesday, 23 Oct 2019 | 12:12 PM MYT PETALING JAYA: In yet another data breach, more than 17,000 patients' personal data have been exposed on the government-linked National Neurology Registry (NNeuR) website due to a scripting error, news portal Free Malaysia Today (FMT) reported. The portal reported that the data breach exposed among others NRIC numbers, phone numbers and addresses as the registry's database could be accessed. The report noted that its reporter was led to the tip-off by a source in Canada who had stumbled upon a broken link on the website as he was looking for information on Malaysian neurology patients. "All the data was downloadable and editable," the report said. According to NNeuR, the registry started in December 2008 and is supported by the Health Ministry to gather information about stroke and epilepsy in Malaysia. FMT noted that the registry was developed by Shah Alam-based company Rocket Integration Technology in 2008. The country has been involved in several data breaches this year, including the massive data leak of personal details of telecommunications service providers' customers, the data leak of almost 20,000 patient radiological records, and the personal data leak of Malindo Air customers. The latest incident happened on Oct 17 when bank account details of fuel subsidy recipients were leaked on the Domestic Trade and Consumer Affairs Ministry's newly-launched Petrol Subsidy Programme microsite. Source: Over 17,000 patients' personal data exposed on national neurology registry website (via The Star Online)
  8. Companies using Facebook 'Like' button liable for data: EU court BRUSSELS (Reuters) - Companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the U.S. social network, in line with the bloc’s data privacy laws, Europe’s top court said on Monday. Website plugins such as Facebook’s “Like” button are a common feature of online retail as companies seek to promote their products on popular social networks, but critics fear the data transfer may breach privacy laws. The ruling from the Luxembourg-based Court of Justice of the European Union (ECJ) came after a German consumer body sued German online fashion retailer Fashion ID for breaching personal data protection rules via its use of the button on its site. A German court subsequently sought guidance. ECJ judges said websites and Facebook share joint responsibility. Under landmark EU data privacy rules adopted last year, a data controller determines why personal data must be collected and processed and also secures consent from users. A data processor only processes personal data on behalf of the controller and is usually a third-party company. “The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website,” the judges said. The German retailer benefited from a commercial advantage as the ‘Like’ button made its products more visible on Facebook, the court said, though it noted the company is not liable for how Facebook subsequently processes the data. Facebook said the ruling sheds clarity on website plugins, calling them an important feature of the Internet.
SOCIAL PLUGINS “We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law,” Jack Gilbert, Facebook’s associate general counsel, said in a statement. Verbraucherzentrale NRW, the German consumer protection group which took Fashion ID to court, welcomed the ruling. “Companies that profit from user data must now live up to their responsibility,” its head Wolfgang Schuldzinski said. Germany’s main technology industry association Bitkom however lamented the burden placed on website operators. “The European court is imposing an enormous responsibility on thousands of website operators – from the small travel blog to the online megastore, as well as the portals of major publishers,” said Bitkom head Bernhard Rohleder. He said the ruling would not only affect websites with an embedded Facebook “Like” button, but all social media plugins, forcing their operators to reach data agreements or face liability for collecting the data of users. The ruling is in line with strict data privacy laws adopted by the 28-country bloc last year, said Nils Rauer, a partner at law firm Pinsent Masons. “The court was right in assessing whether Fashion ID had an interest in collaborating with Facebook by way of embedding the ‘Like’ Button,” Rauer said, adding plugins will continue to be popular notwithstanding the judgment. “Personally, I do not think that companies will turn away from embedding ‘Like’ buttons due to the judgment. Presumably, they will pay more attention to the embedding process, by way of obtaining dedicated data privacy advice,” Rauer said. The case is C-40/17 Fashion ID. Update July 29, 12:20 PM ET: The article has been updated to add a new section heading entitled “Social Plugins” and to add quotes by Wolfgang Schuldzinski (the head of Verbraucherzentrale NRW) and Bernhard Rohleder (the head of Bitkom). 
Source: Companies using Facebook 'Like' button liable for data: EU court
  9. The security service MI5 has handled large amounts of personal data in an "undoubtedly unlawful" way, a watchdog has said. The Investigatory Powers Commissioner said information gathered under warrants was kept too long and not stored safely. Civil rights group Liberty said the breaches involved the "mass collection of data of innocent citizens". The high court heard MI5 knew about the issues in 2016 but kept them secret. "MI5 have been holding on to people's data - ordinary people's data, your data, my data - illegally for many years," said Megan Goulding, a lawyer for Liberty, which brought the case. "Not only that, they've been trying to keep their really serious errors secret - secret from the security services watchdog, who's supposed to know about them, secret from the Home Office, secret from the prime minister and secret from the public." Targeted interceptions The criticism of MI5 emerged in the High Court on Tuesday as Liberty challenged parts of the Investigatory Powers Act. Under the act, MI5 can apply to judges for warrants to obtain information such as people's location data, calls, messages and web browsing history. As well as "bulk data" collection, which can include information about ordinary members of the public, MI5 can use targeted interceptions of communications and computer hacking for investigations such as counter-terrorism. But the act includes safeguards about how all this information is stored and handled. It is against the law to keep data when it is no longer needed, or to store it in an unsafe way. MI5 had a "historical lack of compliance" with the law, said Lord Justice Sir Adrian Fulford, who oversees the security service's use of data as Investigatory Powers Commissioner.
In a ruling revealed during the court case, he said the security service would be placed under greater scrutiny by judges when seeking warrants in future - which the commissioner compared to a failing school being placed in "special measures". Liberty said the revelations meant that some of the warrants issued to MI5 may not have been lawful, because the security service knew over several years that it was not handling data correctly but did not tell the judges. 'Serious risks' The court heard that senior members of MI5 were aware three years ago that there were serious issues with the management of data. MI5 informed the Home Office and Number 10 of the concerns in April this year, but the commissioner said they should have revealed them earlier. Discussions between lawyers and clients were among the information wrongly held by the security service, Liberty said. The pressure group said such material should be protected by legal privileges, but instead it was being seen by people at MI5. Lawyers for MI5 said they could not explain the exact nature of the breaches in open court, not because they were "embarrassing" but because there were "serious national security concerns". The security service has now taken "immediate and substantial steps" to comply with the law, Home Secretary Sajid Javid has said. Julian Milford, representing Mr Javid and Foreign Secretary Jeremy Hunt, acknowledged in court "the existence of serious compliance risks". But he said these specific issues were a "complete irrelevance" to Liberty's court case, which was challenging the legality of the whole system of information gathering created by the Investigatory Powers Act. Source
  10. While you might expect Homer Simpson to hand over personal details in exchange for a donut, you wouldn't expect cybersecurity professionals to do the same. However, technology services provider Probrand has carried out a study at a cyber expo attended by UK security professionals, where attendees voluntarily shared sensitive data including their name, date of birth and favourite football team -- all to get their hands on a free donut. This follows recent news that millions of accounts are still using '123456' as a password, with people's names, favourite football teams and favourite bands also commonly employed. "We wanted to put this theory to the test and see just how willing people were to give up their data," says Mark Lomas, technical architect at Probrand. "We started by asking conversational questions such as 'How are you finding the day? Got any plans for after the event?' If someone happened to mention they were collecting their kids from school, we then asked what their names and ages were. One individual even showed a photograph of their children." As part of the task, Probrand also asked more direct questions such as, 'Which football team do you support?', 'What type of music are you into?' and 'What is your favourite band?' Whether asking questions transparently as part of a survey, or trying to adopt more hacker-type methods, they were alarmed to find how easy it was to obtain personal data -- which many people may be using as the basis of their passwords. Lomas adds, "As technology develops, so does the risk of cyber attacks and data breaches, but arguably the greatest consistent vulnerability is employees. It's crucial that businesses improve processes and technology in parallel with educating employees. Our research shows even the basics still need to be addressed." 
To stay safe, Probrand recommends not using obvious information in passwords, employing multi-factor authentication where available, keeping device security up to date, and for employers to introduce cyber awareness training. Source
  11. Company behind Indiana Pacers and Indiana Fever said hackers breached employee accounts, stole personal data. Pacers Sports & Entertainment (PSE), the legal entity behind the Indiana Pacers and the Indiana Fever NBA and WNBA basketball teams, respectively, announced a security breach on Friday during which hackers gained access to sensitive user information. In a press release published yesterday, the company blamed the breach on a phishing campaign during which hackers managed to gain access to several PSE employee accounts. It said hackers had access to these accounts between October 15, 2018, and December 4, 2018. PSE is notifying customers now, but the company said it learned of the breach way back last year, on November 16, leaving many to ask themselves -- what took so long? "After a thorough review of these email accounts, PSE determined that a limited number of personal records were present in the affected emails," the company said. Exposed information ranges wildly, and PSE said it might include name, address, date of birth, passport number, medical and/or health insurance information, driver's license/state identification number, account number, credit/debit card number, digital signature, username and password, and in some cases even Social Security numbers. Is it employee or customer data? As DataBreaches.net pointed out, PSE did not mention if this data belongs to PSE employees or PSE customers -- such as those who registered for the Pacers online shop to buy gear and memorabilia. By the wide range of exposed information, at first sight, it may appear that it's both -- although, ZDNet reached out to PSE via email earlier today to clarify this issue in the company's confusing breach disclosure. A phone number that potential victims can call and get more information about the incident and see if they are impacted is available on the Pacers website.
PSE also published information on how impacted individuals can protect themselves against fraud and identity theft. The company said it did not receive any reports that personal data has been misused. Source
  12. The news was first reported by the German newspaper Bild am Sonntag: German regulators are going to request that Facebook make changes to its platforms aimed at protecting the privacy and personal data of its users. The German watchdog wants to ask the social network giant to change the way it collects and shares users’ personal data to be compliant with privacy laws. The Federal Cartel Office has been monitoring Facebook’s conduct since at least 2015, focusing on the way the company gathers data and shares it with third-party apps, including WhatsApp and Instagram. “Germany’s antitrust watchdog plans to order Facebook to stop gathering some user data, a newspaper reported on Sunday,” reported Reuters. “The Federal Cartel Office, which has been investigating Facebook since 2015, has already found that the social media giant abused its market dominance to gather data on people without their knowledge or consent.” The Cambridge Analytica privacy scandal and misinformation campaigns carried out by Russia-linked APT groups raised discussion about the importance of monitoring the activity of the social network. At this time, it is not clear how Facebook will have to comply with the German request. Experts believe the German watchdog will set a deadline for compliance rather than urging it to immediately apply the changes. “A Facebook spokeswoman said the company disputes the watchdog’s findings and will continue to defend this position,” concludes Reuters. Source
  13. Ford’s CEO sees the tech company model as key to the company’s next chapter. Ford Motor Company is known for making cars and trucks; but the future for the iconic automaker might look a little more like Facebook than an assembly line. As it struggles with hemorrhaging earnings in markets outside of North America, industry-watchers are speculating that Ford is looking to a new source of income: The data it can collect from its 100 million customers. Sure, connected cars are a reality; “infotainment” systems and mobile apps are deep repositories of lifestyle information for many car-makers – Ford included. But Ford’s CEO recently suggested that the data collected by the company’s financial services arm also represents a valuable, low-overhead asset. “We have 100 million people in vehicles today that are sitting in Ford blue-oval vehicles,” said Ford CEO Jim Hackett during a Freakonomics Radio podcast. “The issue in the vehicle, see, is: We already know and have data on our customers. By the way, we protect this securely; they trust us. We know what people make. How do we know that? It’s because they borrow money from us. And when you ask somebody what they make, we know where they work, you know. We know if they’re married. We know how long they’ve lived in their house because these are all on the credit applications. We’ve never ever been challenged on how we use that. And that’s the leverage we got here with the data.” The comments, which were amplified by several auto-industry sources and the Detroit Free Press, sparked alarm in the Twitterverse. Against the backdrop of privacy disasters at Facebook and other stalwarts of the internet economy, the fear for many is that Ford sees selling access to consumers based on their lifestyle as a way forward. “Every OEM has data like this, how do you feel about *your* data being used this way?” tweeted one marketing pro. “I heard it yesterday, and was appalled,” tweeted another. 
“No concern whatsoever for privacy and no reflection on whether or not this is a GOOD thing. Talked about linking with personal medical data while in the vehicle. No thought to ethical considerations. Another Zuckerberg. Disturbing.” Is Ford considering selling consumer data as a revenue stream? Hackett stopped short of saying that — and indeed, the data could instead simply be useful to the company internally, as a way to increase the value (and profit) of its other businesses. With sales of vehicles flagging worldwide, the company is finding itself running out of financial freeway, so to speak. And even in the U.S., its strongest market, Ford is seeing little vehicular success of late beyond sales of its trucks and SUVs. Accordingly, the automaker is wisely taking steps to be more fully integrated into people’s lives, by expanding into ancillary businesses that at first would seem to run counter to its mission. For instance, it recently announced the acquisition of Spin, which is an electric scooter company. This continues an interest in “personal mobility” that has developed over the last two years; in 2016, for instance, Ford decided to partner with Motivate, which is a bike-share company that runs the CitiBike program in New York City and other locations. It also invested in Chariot, which is a shuttle-bus service in San Francisco that works much like Lyft or Uber – routes are crowdsourced via a smartphone app. The company said that it wants to tap into the growing pool of people that are “going green” and adopting healthier lifestyles by using alternate modes of travel for short distances. After all, almost 46 percent of Americans’ vehicle trips are three miles or less, according to the National Household Travel Survey. 
“Spin adds an exciting new offering to Ford’s mobility portfolio as we try to help our customers get places more easily, more quickly and less expensively,” Sunny Madra, the vice president of the company’s Ford X division, said in a press statement. “As more people consider scooters to be a viable mobility option, now is the right time for Ford to work closely with Spin’s highly experienced and dedicated team to help expand their service to more cities.” While the company talks up the altruistic aspects of these moves, the opportunity for collecting personal information may be where the real play is — perhaps not for sharing with third parties, but for better informing the rest of its business. “[Spin] is a deal that makes sense because [Ford] will acquire data,” Ivan Drury, an industry analyst at Edmunds.com, told NPR. “Acquiring and knowing how people are utilizing other modes of transportation in addition to the ones that they already have.” Hackett himself confirmed that assessment back in 2016, while discussing Motivate, which continues to expand to new markets. “What we’re doing differently in San Francisco that isn’t done in New York is we put telemetry on that bike,” he said at an investor conference. “Telemetry is a form of communication, so now the bike is pinging data to us. Listen, here’s the deal. The opportunity is not bikes. That’s not why Ford’s in it. The opportunity is data, and the data is super valuable because it tells us these invisible paths that people are taking in this complex city in terms of how they want to get around. 
And there’s something else cool about it because we can take that data and we can connect it in ways that our new shuttle is going to connect to the cloud as well.” It may make a lot of sense for Ford (and other automakers) to go in the data-broker direction to combat the financial headwinds stemming from the deeply cash-intensive vehicular design and production business, but a Ford spokesperson told Threatpost that this isn’t part of the plan. “In the podcast…Jim Hackett was painting a picture of the future possibilities of data use given the long-term relationship and trust we have with our customers,” she said. “Specifically, it is important to know we do not sell or monetize information from customer credit applications. We take seriously our obligations related to how we use this information. With regard to all data use, we are committed to protecting customer privacy and we do that by ensuring transparency and appropriate consent in the collection and use of all customer data.” What is clear however is that many consumers are uncomfortable with Ford acting more like a tech company than an automaker. Kevin Bankston, director of privacy think-tank New America, on Monday tweeted about Ford’s interest in personal data, with a posting that quickly went viral. “Ford’s CEO just said on NPR that the future of profitability for the company is all the data from its 100 million vehicles (and the people in them) they’ll be able to monetize,” he tweeted. “Capitalism & surveillance capitalism are becoming increasingly indistinguishable (and frightening).” After that tweet was liked and retweeted thousands of times, he noted, “Hey @Ford, you should note just how viral my previous tweet has gone. I don’t have a huge following or anything. There’s just a whole lotta drivers uncomfortable with this direction. They already paid for their cars with $$$, they don’t also want to pay with their privacy.” Source
  14. The rollout of legal weed in Ontario is now beset by potential privacy issues. The decision to make recreational cannabis legal in Ontario, Canada, has been fraught with problems and now has been tarnished by a data breach at Canada Post. On Wednesday, the Ontario Cannabis Store (OCS) revealed the security incident on Twitter, saying that an unnamed individual was able to access the order records of 4,500 customers, or roughly two percent of the firm's customer base. The compromised information included names or the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses. However, OCS insists that the name of buyers -- unless they were accepting delivery -- the full delivery address, contents of the order, and payment information were not compromised. Smoking weed might now be legal in the area but this does not mean individuals taking advantage of the change in legislation would necessarily want their usage known -- and no-one wants their personal data stolen and potentially leaked on the web, no matter the circumstances. The breach was uncovered on November 1. Canada Post and OCS have been working together since this date to investigate how the data breach was allowed to take place, and OCS said a failure by Canada Post to inform customers led to the company taking action. "The OCS has encouraged Canada Post to take immediate action to notify their customers," the cannabis supplier said. "To date, Canada Post has not taken action in this regard. Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers." Canada Post may be in hot water, but over 1,000 complaints have been received by the Ontario Ombudsman relating to OCS, including those describing billing issues, late deliveries, and poor customer service. 
A data breach is likely the last thing OCS would want to face when already facing censure over sales -- especially when the Ombudsman considered the problem severe enough to issue a press release -- and while the regulatory body was only at the stage of monitoring the complaints, the security incident might escalate the situation, whether or not OCS was at fault in this instance. The OCS is the only legal supplier in the region until April when private retailers are permitted to launch. A Canada Post spokesperson told ZDNet that the individual behind the leak "only shared it with Canada Post and deleted it without distributing further." "Important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information," the spokesperson added. "We are pleased that OCS has notified their customers of the issue and will continue to work together to provide customers with assurance that this is being fully addressed." The Federal Privacy Commissioner and the Ontario Information and Privacy Commissioner have been informed of the breach. "It didn't take long for the cannabis industry to be treated like any other one and turned into a target for cyber attacks, this time exposing addresses and names or initials that are most likely out in the Dark Web," Don Duncan, director at NuData Security told ZDNet. "While names and addresses are always useful to cybercriminals, companies can devalue that personally identifiable information by adding a layered security solution that includes passive biometrics and behavioral analytics so that customers are also identified by their online behavior." ZDNet has reached out to OCS and will update if we hear back. Source