Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CNIL. Show all posts

FIA Confirms Cyberattack Compromising Email Accounts

 

The Fédération Internationale de l’Automobile (FIA), the governing body overseeing Formula 1 and other major motorsports worldwide, recently disclosed a significant cyberattack. This breach resulted from phishing attacks that compromised personal data within two FIA email accounts, exposing vulnerabilities in the organization’s cybersecurity measures. 

In a brief statement, the FIA confirmed the incidents, detailing that swift action was taken to cut off unauthorized access and mitigate the issue. The organization promptly reported the breach to the French and Swiss data protection regulators, the Commission Nationale de l’Informatique et des Libertés (CNIL) and the Préposé Fédéral à la Protection des Données et à la Transparence, respectively. 

However, the FIA did not disclose specific details regarding the nature of the stolen data, the number of affected individuals, or the identity of the attackers. It also remains unclear whether the hackers demanded any ransom for the compromised data. The FIA, when approached for further information, clarified that these incidents were part of a broader phishing campaign targeting the motorsport sector, rather than a direct and targeted attack on the FIA’s systems. Founded in 1904 in Paris, France, the FIA plays a crucial role in governing numerous prestigious auto racing events, including Formula One, the World Rally Championship, the World Endurance Championship, and Formula E. 

In addition to its sports governance role, the FIA is also an advocate for road safety and sustainable mobility through various programs and campaigns. The organization boasts 242 member organizations across 147 countries, emphasizing its global influence and reach. This incident underscores the persistent cybersecurity threats that organizations face globally. Phishing attacks, in particular, remain a significant threat, as they exploit human vulnerabilities to gain unauthorized access to sensitive information. The FIA’s prompt response to this breach demonstrates its commitment to protecting personal data and maintaining the integrity of its operations. 

However, the incident also highlights the need for ongoing vigilance and robust cybersecurity measures. Cybersecurity experts emphasize the importance of comprehensive security protocols, including regular employee training to recognize and respond to phishing attempts. Organizations must also implement advanced security technologies, such as multi-factor authentication and encryption, to safeguard their digital assets. The evolving nature of cyber threats necessitates a proactive approach to cybersecurity, ensuring that organizations remain resilient against potential attacks. As cyber threats continue to evolve, the FIA and other organizations must remain vigilant and proactive in their cybersecurity efforts. 

The lessons learned from this incident will undoubtedly inform future strategies to protect sensitive information and maintain the trust of stakeholders. The FIA’s experience serves as a reminder of the critical importance of cybersecurity in today’s interconnected digital landscape.

Data Disaster: 33 Million French Citizens at Risk in Massive Leak

 


A massive security breach at two third-party healthcare payment servicers has exposed the information of nearly half of all French citizens by way of a major breach of personal information, the French data privacy watchdog revealed last week. As the National Commission on Informatics and Liberty (CNIL) warned in late January, the two leading payment processing outfits, Viamedis and Almerys, both suffered breaches of their systems, resulting in the theft of data belonging to more than 33 million customers from their systems. 

The information that has been compromised includes information such as the date of birth, marital status, social security number, and information about insurance coverage of customers and their families. According to the CNIL, the company did not compromise any banking information, medical records, or contact information. 

As a result of the sophisticated phishing attack that compromised the Almeras and Viamedis third-party payment portals late last month, both payment portals were affected as well. There was no further information provided on the causes of Almery's loss, but there is a high probability that it was a similar incident. 

As Viamedis reported, the attacks occurred within a matter of five days around the beginning of February. Hackers obtained login credentials for health professionals via phishing attacks and gained unauthorized access to the system as a result. 

Even though the exposed information does not include personal financial data, it is still sufficient to increase the likelihood of individuals being targeted by phishing scams, social engineering, identity theft, and insurance fraud as they are exposed to the information. 

According to CNIL, they will ensure Viamedis and Almerys inform impacted individuals personally and directly, to prevent them from falling victim to phishing scams in the aftermath of the attack in compliance with the General Data Protection Regulation (GDPR). In the meantime, Almerys clarified that the central system was not compromised, but the health professional portal had been infiltrated by hackers. 

As confirmed by CNIL, the compromised data includes sensitive information about the affected individuals, including their marriage status, date of birth, social security numbers, insurance details, and insurance coverage, among others. 

As the attackers accessed the two companies' systems in a targeted raid, they were using credentials stolen from healthcare professionals. Following the General Data Protection Regulation of the European Union, the CNIL is working with Viamedis and Almerys to reach out to all affected individuals. Due to the sheer number of customers involved, the process of completing the project will take some time since there are so many of them. 

The third-party payment system which allows patients to not pay for their medical services in advance will not be available for providers for some time as a result of this attack, but users will still be able to access the system. 

Since the massive amount of compromised data has now been in the wrong hands, the French data authority has issued an alert to beware of phishing attacks, and while a detailed investigation is ongoing to determine exactly how the massive breach happened and if Viamedis or Almerys is to blame, a new warning has been issued regarding phishing attacks.

Burner Phones Warn World Cup Fans of Qatar Apps

 



In a statement issued, the authoritative French data protection authority CNIL has provided tips on how football fans can implement security measures to avoid being spied on by apps. These tips can come in handy for the Qatar World Cup. 

To maximize your security, it would be best to travel with a blank smartphone or an old phone that has been reset by CNIL, a CNIL spokesperson told POLITICO earlier this week. If you are traveling to Qatar for the World Cup, it is highly recommended that you purchase an electronic burner phone.

In addition, you should avoid taking any photos that might violate the strict moral laws that govern the Gulf state. The spokesperson advised you should take special care with photographs, videos, or digital works that may present a problem. This is because of the laws that are in effect in the country you are visiting.

During the 2022 World Cup, which is scheduled to take place in Qatar between November 20 and December 18, around 1.5 million visitors are expected to be in the country. Sports events have been marred by controversy in recent years due to allegations of bribery and corruption. In addition, there are concerns about the treatment of LGBTQ+ people in the Gulf states, and concerns about media freedom throughout the country. 

To participate in the World Cup, foreign visitors are required to download two apps - the official World Cup application Hayya as well as the Covid tracking application Ehteraz, which is required to track gameplay. 

As a form of spyware, these apps have been deemed by experts to be a threat. This is because they will give Qatari authorities wide access to the data of their citizens. Among other things, they would also enable you to read, delete, add, or change content, as well as make direct calls to other users. 

“It is not my job to give travel advice, but I would never bring my mobile phone on a visit to Qatar,” said the Norwegian broadcaster’s head of security to Norway’s NRK broadcaster. The country’s data protection authority is also expected to advise traveling fans to install the apps on a burner phone.

France’s CNIL has other tips to limit spyware's impact on football fans who do not have a blank phone.

According to France's data protection authorities, users should download the app only just before departure and remove it once they have returned to France. The company is also encouraging its customers to limit the number of online services that require authentication to a minimum. They should also keep their smartphones by their side at all times, and have strong passwords for their accounts. 

A football fan should also limit the number of authorizations granted to the system to an absolute minimum.

It appears that Qatar has some form of privacy framework. This is indicated on a map of privacy laws around the world provided by the CNIL. However, it has not been recognized by the EU as providing specific privacy protections. A comparison has been made between this data protection rulebook and one that serves as the flagship of the bloc.

The Qatari apps have also raised concerns on the part of several European regulators.

As a spokesperson for the commissioner of German data protection and freedom of information told POLITICO, a spokesperson for the federal office for information security, as well as the Ministry for Foreign Affairs of Germany are all taking a closer look at the apps. 

In addition, delegations heading to an international climate summit in Egypt were reminded this week that the COP27 summit app is a potential cyber weapon. This is because it could be used to steal data.

Austria: Google Breached a EU Court Order

The Austrian advocacy group noyb.eu complained to France's data protection authorities on Wednesday that Google had violated a European Union court judgment by sending unsolicited advertising emails directly to the inbox of Gmail users. 

One of Europe's busiest data regulators, the French CNIL, has imposed some of the largest fines on companies like Google and Facebook. The activist organization gave CNIL screenshots of a user's inbox that displayed advertising messages at the top.

The French word 'annonce,' or 'ad,' and a green box were used to identify the messages. According to the group, that type of marketing was only permitted under EU rules with the users' consent.

When referring to Gmail's anti-spam filters, which place the majority of unsolicited emails in a separate folder, Romain Robert, program director at noyb.eu, said, "It's as if the mailman was paid to eliminate the ads from your inbox and put his own instead."

Requests for comment from Google did not immediately receive a response. A CNIL spokeswoman acknowledged that the organization had received the complaint and was in the process of registering it.

The CNIL was chosen by Vienna-based noyb.eu (None Of Your Business) over other national data privacy watchdogs because it has a reputation for being one of the EU's most outspoken regulators, according to Robert.

Even while any CNIL ruling would only be enforceable in France, it might force Google to examine its methods there. 

Max Schrems, an Austrian lawyer and privacy activist who won a prominent privacy case before Europe's top court in 2020, formed the advocacy group Noyb.eu.

This year, the CNIL fined Google a record-breaking 150 million euros ($149 million) for making it challenging for people to reject web trackers. Facebook (FB.O), owned by Meta Platforms, was also penalized 60 million euros for the same offense.

The firms are constantly under investigation for their practice of transmitting the private details of EU citizens to databases in the US. Numerous complaints have been made by NOYB to authorities throughout the bloc, claiming that the practice is forbidden.

A crucial tenet of the European Union's data privacy policy and a primary goal for the CNIL is the prior agreement of Internet users for the use of cookies, which are small bits of data that aid in the creation of targeted digital advertising campaigns. 

The CNIL Penalized SLIMPAY €180,000 for Data Violation.

 

SLIMPAY is a licensed payment institution that provides customers with recurring payment options. Based in Paris, this subscription payment services firm was fined €180,000 by the French CNIL regulatory authority after it was discovered that sensitive client data had been stored on a publicly accessible server for five years by the firm. 

The company bills itself as a leader in subscription recurring payments, and it offers an API and processing service to handle such payments on behalf of clients such as Unicef, BP, and OVO Energy, to mention a few. It appears to have conducted an internal research project on an anti-fraud mechanism in 2015, during which it collected personal data from its client databases for testing purposes. Real data is a useful way to confirm that development code is operating as intended before going live, but when dealing with sensitive data like bank account numbers, extreme caution must be exercised to avoid violating data protection requirements.

In 2020, the CNIL conducted an inquiry on the company SLIMPAY and discovered a number of security flaws in their handling of customers' personal data. The restricted committee - the CNIL body in charge of applying fines - effectively concluded that the corporation had failed to comply with several GDPR standards based on these elements. Because the data subjects affected by the incident were spread across many European Union nations, the CNIL collaborated with four supervisory agencies (Germany, Spain, Italy, and the Netherlands). 

THE BREAKDOWNS 

1.  Failure to comply with the requirement to provide a formal legal foundation for a processor's processing operations (Article 28 of the GDPR)

SLIMPAY's agreements with its service providers do not include all of the terms necessary to ensure that these processors agree to process personal data in accordance with the GDPR. 

2. Failure to protect personal data from unauthorized access (Article 32 of the GDPR) 

Access to the server was not subject to any security controls, according to the restricted committee, and it could be accessed from the Internet between November 2015 and February 2020. More than 12 million people's civil status information, postal and e-mail addresses, phone numbers, and bank account numbers (BIC/IBAN) were all hacked. 

3. Failure to protect personal data from unauthorized access (Article 32 of the GDPR) 

The CNIL determined that the risk associated with the breach should be considered high due to the nature of the personal data, the number of people affected, the possibility of identifying the people affected by the breach from the accessible data, and the potential consequences for the people concerned.

France’s data protection authority CNIL gives a sharp warning to WhatsApp ;issues a formal notice

Facebook, when it acquired WhatsApp back in early 2014 said that it won't have the capacity to link the WhatsApp users to their Facebook accounts. In any case, things being what they are, turns out it wasn't so difficult after all. A year ago, the organization changed the WhatsApp terms of services to do just that: link the WhatsApp and Facebook profiles belonging to the same user.

Facebook had allowed many of its users to opt out, yet that wasn't sufficient for the regulators. Germany had even requested Facebook to quit gathering WhatsApp data last September, a similar thing happened in the UK several months later and now fast forward to December 2017; there be yet another European nation issuing similar order.

Facebook's messaging service WhatsApp was given a one-month final proposal by one of Europe's strictest privacy watchdogs, which requested it to quit offering user data to its parent without getting the necessary assent. France's information insurance specialist also known as the data protection authority, CNIL gave quite a cautioning to WhatsApp by issuing a formal notice, scrutinizing it for "inadequate and insufficient" participation and cooperation.

The decision comes a year later after the European Union privacy authorities (security specialists) said that they had "genuine concerns" about the sharing of WhatsApp user data for purposes that were excluded in the terms of conditions and the privacy policy when people had signed up to the service.
However, even after the EU slapped Facebook with a €110 million fine over unlawful WhatsApp information sharing, France says that it has still not collaborated with information security expert CNIL, and could confront another sanction if it doesn't start thinking responsibly inside 30 days. The social network is as yet exchanging Whatsapp information for "business intelligence," it claims, and the only possible way that clients can quit is by uninstalling the application.

It was a French regulator, who saw that WhatsApp was sharing user information like phone numbers to Facebook for "business insight" reasons. When it over and over made a request to take a look at the information being shared, Facebook said that it is put away in the US, and "it considers that it is only subject to the legislation of the country," as per the CNIL. The regulator countered that whenever information is assembled in France, it naturally turns into the authority in charge.

The information exchanges from WhatsApp to Facebook occur to some extent without the users' assent, nor the legitimate interest of WhatsApp, CNIL said.

France says that while the notice was issued to Facebook, it's additionally intended to exhort users that this "gigantic information exchange from WhatsApp to Facebook" was occurring. "The best way to deny the information exchange for 'business insight' purposes is to uninstall the application," it adds. In any case, Facebook guarantees that it will keep on working with the CNIL to ensure that the users comprehend what data it gathers as well as how the data is utilized.

The merging of WhatsApp's data with Facebook was the first step taken by Facebook a year ago towards monetising the stage since the social network's CEO Mark Zuckerberg bought the company for about $22bn in 2014.