Category Archives: Data and computer security

BA fined record £20m for customer data breach

Personal details of more than 400,000 customers accessed by hackers in 2018

A £183m fine levied on British Airways for a data breach has been reduced to £20m after investigators took into account the airline’s financial plight and the circumstances of the cyber-attack.

The £20m fine is nonetheless the biggest ever issued by the Information Commissioner’s Office (ICO), following the 2018 incident in which more than 400,000 customers’ personal details were compromised by hackers.

Give up Google, don’t hit ‘accept all’: how to fight for your privacy

In Privacy Is Power, professor Carissa Véliz has made a shocking survey of how much intimate data we are surrendering. But she has a plan to fight back

“If you’re reading this book, you probably already know your personal data is being collected, stored and analysed,” Carissa Véliz begins, in Privacy Is Power. Her challenge, as a writer and a privacy advocate, is to shake us out of our complacency; to persuade us to see this not as a necessary sacrifice in the digital age, but an intolerable invasion. From the mounting dread I felt while reading Privacy Is Power, I’d say she was successful.

From the moment you wake up and first check your phone, to the marketers that infer your mood from your music choices, to the smart speaker that shares your private conversations, or the television that listens in on them (from the terms and conditions of a Samsung smart TV: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured”), there is nowhere to hide – or even just be – in this hyper-connected hellscape. Corporations can track you both by your face and your digital footprint, your medical records may be handed over to Big Tech, and advertisers may learn of your break-up before you do. In her book, Véliz, a professor at the Institute for Ethics in AI at Oxford University, often veers into the second person, cleverly underscoring her point: it’s impossible not to picture yourself blindly navigating this horror, then you remember – you already are.

Think twice before sharing. Before you post something, think how it might be used against you.

In Japan last year, a man sexually assaulted a pop star, claiming he had found her by analysing reflections in her eyes in photos she had posted online

Privacy Is Power: Why and How You Should Take Back Control of Your Data, by Carissa Véliz is published by Bantam Press. To order a copy, go to guardianbookshop.com.

Your data is not destined for China, assures TikTok’s UK boss

The controversial app’s users are ignoring geopolitical battle over its digital security, says Richard Waterworth

TikTok’s UK chief has strenuously denied the video-sharing app, which Donald Trump has threatened to ban, shares data with China.

Richard Waterworth told the Observer that the UK and European arm of TikTok was growing quickly, despite the “turbulent” geopolitical battle in which the Chinese-born app has found itself.

MPs criticise privacy watchdog over NHS test-and-trace data

UK information commissioner ‘must ensure government uses public’s data safely and legally’

A cross-party group of more than 20 MPs has accused the UK’s privacy watchdog of failing to hold the government to account for its failures in the NHS coronavirus test-and-trace programme.

The MPs have urged Elizabeth Denham, the information commissioner, to demand that the government change the programme after it admitted failing to conduct a legally required impact assessment of its privacy implications.

Bank of England paid £3m in ‘golden goodbyes’ over 15 months

Rise in settlements in 2019 included those paid to departing tech security staff shortly before major breach

The Bank of England paid departing staff almost £3m in “golden goodbyes” over 15 months, at the same time as an exodus of workers from its information security team.

Settlement payments to former staff surged to £2.3m in 2019, according to data provided to the Guardian under freedom of information laws. The Bank confirmed that former information security staff received some of the payments.

Ransomware attack on Garmin thought to be the work of ‘Evil Corp’

Russian cybercrime gang is believed to be responsible for taking Garmin services offline

A ransomware attack that took the GPS and smartwatch business Garmin entirely offline for more than three days is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.

Garmin began to restore services to customers on Monday morning, after being held hostage for a reported ransom of $10m, although some services were still operating with limited functionality.

Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single-use encryption key, before flashing up a message asking for ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

Smartwatch maker Garmin hit by outages after ransomware attack

US company forced to shut down call centres, website and some other online services

Garmin has been forced to shut down its call centres, website and some other online services after a ransomware attack encrypted the smartwatch maker’s internal network and some production systems.

The US company shut down services including the official Garmin website and all customer services, including phone lines, online chat and email.

US judge: WhatsApp lawsuit against Israeli spyware firm NSO can proceed

NSO Group was sued last year by messaging app owned by Facebook

An Israeli company whose spyware has been used to target journalists in India, politicians in Spain, and human rights activists in Morocco may soon be forced to divulge information about its government clients and practices after a judge in California ruled that a lawsuit against the company could proceed.

NSO Group was sued by WhatsApp, which is owned by Facebook, last year, after the popular messaging app accused the company of sending malware to 1,400 of its users over a two-week period and targeting their mobile phones.

Spanish deputy PM urges investigation into Catalan spyware claims

Exclusive: Pablo Iglesias calls alleged targeting of independence movement figures unacceptable

The Spanish deputy prime minister, Pablo Iglesias, has become the most senior political figure to call for a parliamentary investigation into the use of spyware to target prominent members of the Catalan independence movement, saying such practices are “unacceptable in a democracy”.

A joint investigation this week by the Guardian and El País has revealed that Roger Torrent, the speaker of the Catalan parliament, and former regional foreign minister Ernest Maragall are among at least four pro-independence activists who have been targeted using Israeli spyware that its makers said is sold only to governments.

CEO of exam monitoring software Proctorio apologises for posting student’s chat logs on Reddit

Australian students who have raised privacy concerns describe the incident involving a Canadian student as ‘freakishly disrespectful’

The chief executive of an exam monitoring software firm that has raised privacy concerns in Australia has apologised for publicly posting a student’s chat logs during an argument on the website Reddit.

Mike Olsen, who is the CEO of the US-based Proctorio, has since deleted the posts and apologised, saying that he and Proctorio “take privacy very seriously”.

EasyJet hacking attack: are you affected and what should you do?

The airline has said the personal information of 9 million customers has been compromised

EasyJet revealed on Tuesday it had suffered a “highly sophisticated” cyber-attack. It comes at a time of heightened concern about a surge in online and phone scams linked to the coronavirus pandemic.

EasyJet reveals cyber-attack exposed 9m customers’ details

Airline apologises after credit card details of about 2,200 passengers were stolen
Q&A: are you affected and what should you do?

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.

Early access to superannuation paused as police freeze $120,000 in allegedly stolen funds

‘Sophisticated’ identity theft attack leads to Australian Tax Office stopping early super withdrawals until Monday

Allegations of identity theft involving 150 Australians have forced the government to pause the early release of superannuation, after police froze $120,000 believed to have been ripped off from retirement savings.

On Friday the assistant treasurer, Michael Sukkar, announced the Australian Tax Office would pause requests for early access of superannuation until Monday “out of an abundance of caution” to consider further anti-fraud protection.

The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.

Government investigates data breach revealing details of 774,000 migrants

Guardian Australia on Sunday revealed SkillSelect app allowed users to see partial names of applicants for skilled visas

The home affairs and employment departments are investigating a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, despite playing down the seriousness of the breach.

On Sunday, Guardian Australia revealed the government’s SkillSelect app allowed users to see unique identifiers of applicants for skilled visas, including partial names, which could then be used through searches with multiple filters to reveal other information about applicants.

Email bungle at company seeking jobkeeper payments exposes staff’s personal details

Names, addresses and birthdates of more than 100 people shared in privacy breach

The company responsible for delivering traffic reports on radio and TV stations across Australia accidentally sent out the dates of birth, names and home addresses of more than 100 current and former staff to potentially thousands of people as the company seeks to apply for the jobkeeper payments.

Australian Traffic Network provides short traffic report updates during news bulletins to 80 radio and television stations, including the ABC, Seven, Nine, 10, 2GB and Triple M.

Using Big Tech to tackle coronavirus risks swapping one lockdown for another | Adam Smith

An app that logs movements and contacts might seem like a fair trade now but we risk giving away our privacy for good

Even when the lockdown is lifted, there is no guarantee that life will ever return to normal. To prevent a future outbreak of coronavirus, the UK will need to roll out mass testing, maintain some social distancing measures and closely monitor communities to curb future flare-ups.

In pursuing that last aim, governments across the world are developing technology to track our movements. When lockdown ends, technology could be a valuable means of controlling future outbreaks, alerting people to cases of Covid-19 in their area and hopefully preventing future shutdowns.

‘Zoom is malware’: why experts worry about the video conferencing platform

The company has seen a 535% rise in daily traffic in the past month, but security researchers say the app is a ‘privacy disaster’

As coronavirus lockdowns have moved many in-person activities online, the use of the video-conferencing platform Zoom has quickly escalated. So, too, have concerns about its security.

In the last month, there was a 535% rise in daily traffic to the Zoom.us download page, according to an analysis from the analytics firm SimilarWeb. Its app for iPhone has been the most downloaded app in the country for weeks, according to the mobile app market research firm Sensor Tower. Even politicians and other high-profile figures, including the British prime minister, Boris Johnson, and the former US federal reserve chair Alan Greenspan, use it for conferencing as they work from home.

Why isn’t the government publishing more data about coronavirus deaths? | Jeni Tennison

Studying the past is futile in an unprecedented crisis. Science is the answer – and open data is paramount

Wherever we look, there is a demand for data about Covid-19. We devour dashboards, graphs and visualisations. We want to know about the numbers of tests, cases and deaths; how many beds and ventilators are available, how many NHS workers are off sick. When information is missing, we speculate about what the government might be hiding, or fill in the gaps with anecdotes.

Data is a necessary ingredient in day-to-day decision-making – but in this rapidly evolving situation, it’s especially vital. Everything has changed, almost overnight. Demands for food, transport, and energy have been overhauled as more people stop travelling and work from home. Jobs have been lost in some sectors, and workers are desperately needed in others. Historic experience can no longer tell us how our society or economy is working. Past models hold little predictive power in an unprecedented situation. To know what is happening right now, we need up-to-date information.

Morrisons not liable for massive staff data leak, court rules

UK supreme court says retailer not to blame for actions of employee with grudge

The UK’s highest court has ruled that Morrisons should not be held liable for the criminal act of an employee with a grudge who leaked the payroll data of about 100,000 members of staff.

The supermarket group brought a supreme court challenge in an attempt to overturn previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.
