This week
California Consumer Privacy Act comes in to force
The California Consumer Privacy Act (CCPA) - the strongest of America’s patchwork of privacy legislation - has come into force. The legislation is heralded as being ‘GDPR-like’ (vol. 2, iss. 41). Whilst it affords some of the same rights, there are plenty of areas where it diverges from European legislation.
CCPA gives Californian resident’s the right to request copies of their data, request its deletion, it also mandates the option to send ‘do not sell’ instructions to businesses. (A site has already sprung up listing how to contact businesses to request this, see TechCrunch article)
Businesses with revenues of over $25M, who deprive over 50% of their revenues selling consumers’ personal information, or buy, sell or trademark than 50,000 ‘consumers, households or devices’ fall within the scope of the regulation.
While the legislation came in to force on 1st January 2020 the attorney general’s office won’t be taking any enforcement action during a six month grace period.
Other interesting aspects include not being able to discriminate on consumer’s who chose to prevent the sale of their data: services must be provided, and at the same price under the ‘right to non-discrimination.’ Publicly available information is not considered personal (so People Data Labs and OxyData, vol. 2, iss. 47, who scrape data from public social media profiles would be considered out of scope.)
Whilst the legislation only applies to Californian residents it’s likely that some of the changes businesses make will be accessible to any users of their service, as has been the case with some data access/download tools social networks have created in response to GDPR. theguardian.com, techcrunch.com
Interesting stats
~500,000 businesses in scope of new CCPA regulations [see This week, above]
Other newsy bits
Travelex hit with virus outbreak on New Year’s Eve, still offline
Foreign exchange company Travelex has taken systems, including their website, offline to limit exposure to a virus outbreak detected on New Year’s Eve. A statement from the company explained that no customer data was affected. At the time of writing, almost a week later, the Travelex UK website still displays a ‘planned maintenance’ message. The company is fulfilling transactions at its 1,200 locations worldwide using manual processes. The incident points to an extreme lack of network segregation within the organisation, or perhaps an abundance of caution, that is also impacting partners including Tesco and Asda. It’s unclear why, if the infected systems have been isolated, why there continues to be a delay in bringing systems back online. Systems have now been down for over 1.5% of the year in what will surely be impactful to business performance. theguardian.com
Wyze data leak exposes details of 2.4 million customers / the rise of ‘data exposure’
Wyze, a company that makes IoT cameras, plugs, lightbulbs accidentally exposed the details of 2.4 million customers after an Elasticsearch database was left publicly accessible. Originally protected, a change on December 4th exposed the information and went undetected by Wyze. The database was not part of protection systems and was being used to develop and test ‘new ways to measure business metrics.’ Using representative test data, or having layered defences would have reduced the impact and likelihood of the incident occurring. Data exposures are becoming much more common and the difference from data breaches is mainly down to intent: data breaches generally occur when a malicious actor actively steals data from an organisation for a specific purpose; data exposures occur when human error leads to a misconfiguration and information accidentally being passively available to those who are not meant to have access. The spate of misconfigured Amazon S3 buckets, or MongoDB instances, are examples. Data are technically available, however, it is often difficult to identify if anyone noticed or the information was copied. As a result, they need to be treated in the same manner as an active data breach. zdnet.com (Wyze), cnet.com (Exposure)
Russia successful tests ‘sovereign internet’
Throughout 2019 Russia has been implementing policy and technical changes to allow it to ‘disconnect from the Internet’ and operate its sovereign version. The move is widely seen as replicating the Great Firewall model of control implemented China and also a potential way to limit the country’s exposure to cyber-attack (vol. 2, iss. 7, 18.) The activities culminated with the announcement of a ‘successful test’ on Christmas Eve. bbc.co.uk
In brief
Threat intel
- Critical flaw in Citrix’s Application Delivery Controller (ADC) could allow unauthorized access to internal networks cyberscoop.com, citrix.com
- US Coast Guard says Ryuk ransomware hit systems that monitor cargo transfers at maritime facility bleepingcomputer.com
- From data-destroying wipers to industrial control system hacking, how Iran’s hackers might strike back after Soleimani’s assassination wired.com
- ToTok, a messaging app, secretly a ‘spy tool’ for UAE nytimes.com
Cyber response
- Microsoft takes control of 50 domains operated by Thallium, a North Korean cyber-espionage group. zdnet.com
Privacy
- ICO agrees delay over GDPR fines with both BA and Marriott mishcon.com
- UK “13th in the row” of countries that are negotiating data deals with EU ft.com
Mergers & Acquisitions
- Mastercard acquires RiskRecon for undisclosed sum techcrunch.com
And finally
Ciaran Martin, head of NCSC, to step down summer 2020
After six years leading the UK’s National Cyber Security Centre (NCSC) Ciaran Martin is stepping down to take up a role in the private sector. He founded NCSC after the 2015 general election and having previously been in charge of cyber at GCHQ (NCSC’s parent organisation) since 2013. The NCSC model, since replicated by other countries, has been successful in promoting cybersecurity across the country. ft.com