January 28 is Data Protection Day, an annual event created in 2006 by the Council of Europe. It commemorates the date the council’s data protection convention, “Convention 108” was signed in 1981. This was the first legally binding international tool for data protection. Signatories agreed to “ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data.”
Convention 108 was updated in 2018 and its Amending Protocol has been signed by nearly 40 countries. Its relevance has survived for over three decades because of its “technologically-neutral, principle-based approach.”
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
Since the implementation of GDPR, 160,000 data breach notifications have been made to GDPR governing authorities.
Though GDPR and other initiatives are indeed raising awareness of, and improving, data protection, the cyber war to prevent data breaches whether intentional or accidental continues.
Let’s look at a few of this past week’s breaches and revelations…
SuperCasino, UK customers
An online casino website that serves UK gamblers has suffered a breach that was revealed on an affiliate forum, as per Calvin Ayre. A forum member posted an email that SuperCasino had sent to its customers that warns the website has “suffered a security incident and some of your data has been revealed to an unauthorized person.”
SuperCasino says the unauthorized person had access to customer names, usernames, email addresses, phone numbers and physical addresses but had not been able to access credit card information, passwords or document copies.
The website says it has taken “measures,” to mitigate the breach but has asked customer to reset their SuperCasino passwords as well as passwords on other sites if they have used similar passwords. It has also warned customers to look out for fake emails asking them to change passwords, change payment methods or even transfer money.
The UPS Store, US locations
As per Bleeping Computer, 100 The UPS Store locations have been affected after a breach caused by a phishing email. Public Relations & Social Media Manager Jenny Robinson says:
“Email accounts at less than two percent of The UPS Store locations in the U.S. were victim of a phishing incident, which may have impacted some Personally Identifiable Information (PII) for a very small fraction of customers of The UPS Store.”
The breach affected the locations between September 29, 2019 and January 13, 2020 but has reportedly not affected point-of-sale transactions at the stores.
The information exposed is that contained in emails received from customers by the affected UPS email accounts. Robinson explains:
“The types of personal information involved varied by individual, but included information emailed to the affected The UPS Store locations, including things like government-issued identification, financial, and other information.”
The UPS incident has been detailed in a filing with the Vermont, US, attorney general including that, “an unauthorized person potentially had access to a limited number of local store email accounts.”
So far it appears the exposed data has not been misused and an official statement by company reveals:
“Immediately upon discovering this incident, The UPS Store, Inc. initiated an investigation to assess the incident’s scope, including engaging a third-party cybersecurity firm, and has taken steps to further strengthen and enhance the security of systems in The UPS Store, Inc. network, including updating administrative and technical safeguards.”
Affected customers have been provided with credit monitoring services.
30,000 medical cannabis users, US
vpnMentor researchers discovered an unsecured Amazon S3 bucket on December 24, 2019, that according to CISOMag exposed “sensitive” data relating to medical cannabis users and dispensaries in the US. The exposed database is reportedly owned by the point-of sale system, THSuite, used by medical cannabis dispensaries across the US.
THSuite fixed the breach on January 14, 2020 after being informed by vpnMentor. The data exposed includes identification, medical ID numbers, names, dates of birth, addresses and details on the amount and price of cannabis used.
H&M employees, Germany
As per Reuters, H&M has identified “unacceptable” data security breaches in its German operation and is reportedly cooperating with Germanys data protection supervisors. A spokesperson for H&M says action has been taken and it is in discussions with “all colleagues,” adding, “since the incident is in legal examination … we cannot further comment on that at the moment.”
A German publication says Germany’s State Data Protection Commissioner, Johannes Caspar, is investigating H&M management for storing details on the personal lives of employees. Casper is quoted as saying:
“The qualitative and quantitative extent of the employee data accessible to the entire management level of the company shows a comprehensive research of the employees, which is without comparison in recent years.”
Want to help secure your organisation? Sign up for a free demo and find out how we’re already helping organisations just like yours.
Data Protection Day perseveres to raise awareness of good data protection practices and inform individuals about their data rights. The European Commission has issued a statement ahead of the day outlining its commitment to the importance of data protection rules. It says:
“Data is becoming increasingly important for our economy and for our daily lives. With the roll-out of 5G and uptake of the Artificial Intelligence and Internet of Things technologies, personal data will be in abundance and with potential uses we probably can’t imagine. While this offers amazing opportunities, some cases show that robust rules are needed to address clear risks for individuals and for our democracies. In Europe we know that strong data protection rules are not a luxury, but a necessity.”
Subscribe to the Proofpoint Blog