Search This Blog

Showing posts with label Fine. Show all posts

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority imposed a fine on COSMOTE of 5,850,000 EUR ($6.55 million) and OTE was fined 3,250,000 EUR ($3.65 million) for exposing sensitive customer data due to a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both parts of the OTE Group, Greece's largest technological business, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker utilized LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly utilized a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files and the data that was stolen and was 48GB in size. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and further 12 months for statistical analysis that aids in targeted service enhancement. The anonymization process wasn't done effectively, and the data holding periods weren't fully adhered to, as the data protection authority investigation discovered. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. Nonetheless, for targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.

CRTC Inquiry Targets Dark Web Marketplace Sellers and Administrator

 

Four Canadians have been fined a total of $300,000 by the CRTC's Chief Compliance and Enforcement Officer for their engagement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). Following the execution of warrants by CRTC employees, the marketplace was taken offline. 

CanadianHQ was one of the largest Dark Web marketplaces in the world before it was closed down, and it played a pivotal role in damaging cyber operations in Canada. It specializes in the selling of spamming services, phishing kits, stolen passwords, and accessibility to infected systems, which were utilized by buyers to carry out a variety of malicious activities. 

The CRTC's inquiry centered on four people who reportedly sent emails that looked like they came from well-known companies in order to gain personal information like credit card numbers and banking information. 

The following people have been fined for violating Canada's anti-spam legislation (CASL) by sending commercial electronic messages without consent: 

• $150,000 Chris Tyrone Dracos (a.k.a. Poseidon) 
• $50,000 Marc Anthony Younes (a.k.a. CASHOUT00 and Masteratm) 
• $50,000 - Souial Amarak (a.k.a. Wealtyman and Supreme) 
• $50,000 Moustapha Sabir (a.k.a. La3sa) 

Mr. Dracos faces a harsher sentence as the marketplace's inventor and administrator for allegedly assisting in the execution of multiple CASL violations by the platform's suppliers and customers. Several other suppliers have been uncovered as part of this investigation, and enforcement measures will be taken against them in the near future, as per the sources. The Spam Reporting Centre encourages Canadians to report spam, phishing, and other suspicious practices. 

Steven Harroun, Chief Compliance and Enforcement Officer, CRTC stated, “Some Canadians are being drawn into malicious cyber activity, lured by the potential for easy money and social recognition among their peers. This case shows that anonymity is not absolute online and there are real-world consequences when engaging in these activities. 

“Canadian Headquarters was one of the most complex cases our team has tackled since CASL came into force. I would like to thank the cyber-security firm Flare Systems, the Sûreté du Québec and the RCMP’s National Division for their invaluable assistance. Our team is committed to investigating CASL non-compliance on all fronts.”

The CNIL Penalized SLIMPAY €180,000 for Data Violation.

 

SLIMPAY is a licensed payment institution that provides customers with recurring payment options. Based in Paris, this subscription payment services firm was fined €180,000 by the French CNIL regulatory authority after it was discovered that sensitive client data had been stored on a publicly accessible server for five years by the firm. 

The company bills itself as a leader in subscription recurring payments, and it offers an API and processing service to handle such payments on behalf of clients such as Unicef, BP, and OVO Energy, to mention a few. It appears to have conducted an internal research project on an anti-fraud mechanism in 2015, during which it collected personal data from its client databases for testing purposes. Real data is a useful way to confirm that development code is operating as intended before going live, but when dealing with sensitive data like bank account numbers, extreme caution must be exercised to avoid violating data protection requirements.

In 2020, the CNIL conducted an inquiry on the company SLIMPAY and discovered a number of security flaws in their handling of customers' personal data. The restricted committee - the CNIL body in charge of applying fines - effectively concluded that the corporation had failed to comply with several GDPR standards based on these elements. Because the data subjects affected by the incident were spread across many European Union nations, the CNIL collaborated with four supervisory agencies (Germany, Spain, Italy, and the Netherlands). 

THE BREAKDOWNS 

1.  Failure to comply with the requirement to provide a formal legal foundation for a processor's processing operations (Article 28 of the GDPR)

SLIMPAY's agreements with its service providers do not include all of the terms necessary to ensure that these processors agree to process personal data in accordance with the GDPR. 

2. Failure to protect personal data from unauthorized access (Article 32 of the GDPR) 

Access to the server was not subject to any security controls, according to the restricted committee, and it could be accessed from the Internet between November 2015 and February 2020. More than 12 million people's civil status information, postal and e-mail addresses, phone numbers, and bank account numbers (BIC/IBAN) were all hacked. 

3. Failure to protect personal data from unauthorized access (Article 32 of the GDPR) 

The CNIL determined that the risk associated with the breach should be considered high due to the nature of the personal data, the number of people affected, the possibility of identifying the people affected by the breach from the accessible data, and the potential consequences for the people concerned.

Dutch Privacy Watchdog fines Booking.com €475K



On Wednesday, the Dutch Data Protection Authority reported that it had fined online travel agency Booking.com €475,000 for failing to disclose a data security incident within the required timeframe.

The fine was imposed by the Dutch data protection authority as the company is legally headquartered in Amsterdam. It came after criminals stole the personal data of over 4,000 Booking.com customers, including over 300 victims' credit card information. The cybercrooks attempted to phish the card information of others by posing as Booking.com employees over the phone.

Booking.com witnessed a similar incident in the past in November 2020, wherein the data of millions of its customers was jeopardized. The investigation revealed that the breach was caused due to Prestige Software which stored customers’ payment details with no protection. Any customer who had booked with the company since 2013 was affected by the breach. 

In an official statement, while announcing the fine, VP of Dutch regulator Monique Verdier said: "This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time."

The travel company detected the data breach on January 13, 2019, but did not alert the Data Protection Authority until February 7, although the incident should have been reported within 72 hours, Booking.com notified affected customers on February 4th. 

Of the delay, Booking.com said: "We, unfortunately, didn't get the matter escalated as fast as we would have liked internally. However, we have since implemented measures to further improve awareness and education amongst our partners and the employees who support them closely, with an aim of further optimizing the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process." 

The company in an emailed statement also stated, “We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels. The protection and security of personal data is and will remain a top priority at Booking.com.”