Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Fine. Show all posts

Govt Proposes Rs 250 Cr Fine for Consumer Data Leaks

The Indian government has proposed a fine of up to Rs 250 crore on enterprises found guilty of disclosing customer data, which is a significant step toward bolstering data protection procedures. This action is a component of the Data Protection Bill, which seeks to protect sensitive personal data about individuals and improve corporate accountability for handling such data. The bill's recent introduction into Parliament represents a turning point in India's effort to strengthen data security.

As per the bill, businesses and entities handling consumer data will be held liable for severe penalties if they fail to maintain the necessary safeguards to protect this information. The proposed fines are among the most substantial globally, reflecting the government's commitment to ensuring the privacy and security of its citizens' data.

According to the Minister of Electronics and Information Technology, this step is crucial to "create a robust mechanism to protect the data rights and privacy of individuals." The increasing digitization of services and the rise in cybercrimes have underscored the urgency of enacting comprehensive data protection legislation.

Industry analysts predict that the proposed sanctions would motivate companies to prioritize data security and make significant investments in cybersecurity. They think that the potential financial repercussions will encourage businesses to embrace cutting-edge frameworks and technologies to stop data breaches.

The Data Protection Bill is the result of intensive talks with several stakeholders, including business representatives, academics, and civil society organizations. In addition to focusing on sanctions, it also seeks to create a Data Privacy Authority (DPA) tasked with monitoring and upholding data privacy laws. The DPA will be crucial in assuring compliance and enforcing any infractions.

Both supporters and opponents of the bill have drawn attention as it moves through Parliament. While supporters applaud the government's efforts to protect personal information, some detractors contend that small firms may be disproportionately affected by the sanctions. Legislators continue to struggle with finding a balance between the protection of personal information and corporate convenience.

Data security has grown to be of utmost importance in a world where it is frequently referred to as the new oil. The government of India has made it clear that it intends to develop a solid framework for data protection, aligning the country with international trends in protecting digital privacy, through the planned fines. As the bill advances, its effects on both consumers and corporations will likely change how data management and privacy are viewed in India.



Meta Penalized 276 Million by Ireland Under EU Laws

According to Meta's handling of sensitive user data, the Irish Data Protection Commission has fined the company $276 million. 

The European Union's primary privacy watchdog, Meta, is the most recent example of how regional authorities are growing more active in their enforcement of the bloc's privacy regulations against major internet corporations.

Insiders discovered the exposed data, which contained the full names, contact information, addresses, and dates of birth of users on the platform between 2018 and 2019. At the time, Meta said that the information was taken by a malicious party using a flaw that the firm addressed in 2019 and that it was the same information used in a prior leak that Motherboard had discovered in January 2021.

The DPC has fined Meta three times already this year. In connection with a slew of 2018 data breaches that compromised the personal information of as many as 30 million Facebook users, the DPC penalized Meta $18.6 million USD in March for poor record-keeping.

In a privacy issue, Meta and its affiliates, including WhatsApp and Instagram, have now been punished by Ireland three times in the last 15 months, reaching more than $900 million in monetary penalties. The other concerns include WhatsApp's transparency on how it manages user data and Instagram's management of children's data. Meta is contesting those judgments.

A representative for Meta stated that the business will reconsider the choice. Meta representative remarked, "Unauthorized data scraping is unacceptable and against our standards.

According to Ireland's privacy regulator, there are dozens more complaints involving numerous major tech corporations that are still pending. Based on the corporations and EU officials, tech companies are currently in discussions with the European Commission, the EU's executive body, to identify which parts of each new law will apply to the particular services they provide. Beginning in the middle of next year, certain parts of the new laws will be put into effect.


CNIL Fines Clearview AI 20 million Euros for Illegal Use of Facial Recognition Technology

 

France’s data protection authority (CNIL) has imposed a €20 million fine on Clearview AI, the controversial facial recognition firm time for illegally gathering and using data belonging to French residents without their knowledge. 

CNIL imposed the maximum financial penalty the company could receive as per GDPR Article 83 and also ordered Clearview AI to stop all data collection activities and delete the data gathered on French citizens or face an additional €100,000 fine per day. 

“Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice,” the CNIL stated. 

“The chair of the CNIL, therefore, decided to refer the matter to the restricted committee, which is in charge of issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR.” 

Clearview AI scraps publicly available images and videos of people from websites and social media platforms and associates them with identities. Using this technique, the company has collected over 20 billion images that are being employed to feed a biometric database of facial scans and identities. 

Subsequently, the American-based firm sells access to this database to individuals, law enforcement, and multiple organizations around the globe. 

In Europe, the General Data Protection Regulation (GDPR) dictates that any data collection needs to be clearly communicated to the people and requires consent. Even if Clearview AI is not employing leaked data and the company does not spy on people, individuals are unaware that their images are being used for identification by Clearview AI customers. 

CNIL's latest decision comes after a two-year investigation initiated in May 2020, when the French authority received complaints from individuals about Clearview facial recognition software. Another warning about biometric profiling came from the Privacy International organization in May 2021. 

According to the CNIL, it found Clearview AI was guilty of multiple violations of the General Data Protection Regulation (GDPR). The breaches include unlawful processing of private data (GDPR Article 6), individuals' rights not being respected (Articles 12, 15, and 17), and lack of cooperation with the data protection authority (Article 31). 

The CNIL judgment is the third decision against Clearview's activities after state authorities fined the firm in March and July for unlawfully gathering biometric data in Italy and Greece.

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority imposed a fine on COSMOTE of 5,850,000 EUR ($6.55 million) and OTE was fined 3,250,000 EUR ($3.65 million) for exposing sensitive customer data due to a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both parts of the OTE Group, Greece's largest technological business, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker utilized LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly utilized a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files and the data that was stolen and was 48GB in size. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and further 12 months for statistical analysis that aids in targeted service enhancement. The anonymization process wasn't done effectively, and the data holding periods weren't fully adhered to, as the data protection authority investigation discovered. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. Nonetheless, for targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.

CRTC Inquiry Targets Dark Web Marketplace Sellers and Administrator

 

Four Canadians have been fined a total of $300,000 by the CRTC's Chief Compliance and Enforcement Officer for their engagement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). Following the execution of warrants by CRTC employees, the marketplace was taken offline. 

CanadianHQ was one of the largest Dark Web marketplaces in the world before it was closed down, and it played a pivotal role in damaging cyber operations in Canada. It specializes in the selling of spamming services, phishing kits, stolen passwords, and accessibility to infected systems, which were utilized by buyers to carry out a variety of malicious activities. 

The CRTC's inquiry centered on four people who reportedly sent emails that looked like they came from well-known companies in order to gain personal information like credit card numbers and banking information. 

The following people have been fined for violating Canada's anti-spam legislation (CASL) by sending commercial electronic messages without consent: 

• $150,000 Chris Tyrone Dracos (a.k.a. Poseidon) 
• $50,000 Marc Anthony Younes (a.k.a. CASHOUT00 and Masteratm) 
• $50,000 - Souial Amarak (a.k.a. Wealtyman and Supreme) 
• $50,000 Moustapha Sabir (a.k.a. La3sa) 

Mr. Dracos faces a harsher sentence as the marketplace's inventor and administrator for allegedly assisting in the execution of multiple CASL violations by the platform's suppliers and customers. Several other suppliers have been uncovered as part of this investigation, and enforcement measures will be taken against them in the near future, as per the sources. The Spam Reporting Centre encourages Canadians to report spam, phishing, and other suspicious practices. 

Steven Harroun, Chief Compliance and Enforcement Officer, CRTC stated, “Some Canadians are being drawn into malicious cyber activity, lured by the potential for easy money and social recognition among their peers. This case shows that anonymity is not absolute online and there are real-world consequences when engaging in these activities. 

“Canadian Headquarters was one of the most complex cases our team has tackled since CASL came into force. I would like to thank the cyber-security firm Flare Systems, the Sûreté du Québec and the RCMP’s National Division for their invaluable assistance. Our team is committed to investigating CASL non-compliance on all fronts.”

The CNIL Penalized SLIMPAY €180,000 for Data Violation.

 

SLIMPAY is a licensed payment institution that provides customers with recurring payment options. Based in Paris, this subscription payment services firm was fined €180,000 by the French CNIL regulatory authority after it was discovered that sensitive client data had been stored on a publicly accessible server for five years by the firm. 

The company bills itself as a leader in subscription recurring payments, and it offers an API and processing service to handle such payments on behalf of clients such as Unicef, BP, and OVO Energy, to mention a few. It appears to have conducted an internal research project on an anti-fraud mechanism in 2015, during which it collected personal data from its client databases for testing purposes. Real data is a useful way to confirm that development code is operating as intended before going live, but when dealing with sensitive data like bank account numbers, extreme caution must be exercised to avoid violating data protection requirements.

In 2020, the CNIL conducted an inquiry on the company SLIMPAY and discovered a number of security flaws in their handling of customers' personal data. The restricted committee - the CNIL body in charge of applying fines - effectively concluded that the corporation had failed to comply with several GDPR standards based on these elements. Because the data subjects affected by the incident were spread across many European Union nations, the CNIL collaborated with four supervisory agencies (Germany, Spain, Italy, and the Netherlands). 

THE BREAKDOWNS 

1.  Failure to comply with the requirement to provide a formal legal foundation for a processor's processing operations (Article 28 of the GDPR)

SLIMPAY's agreements with its service providers do not include all of the terms necessary to ensure that these processors agree to process personal data in accordance with the GDPR. 

2. Failure to protect personal data from unauthorized access (Article 32 of the GDPR) 

Access to the server was not subject to any security controls, according to the restricted committee, and it could be accessed from the Internet between November 2015 and February 2020. More than 12 million people's civil status information, postal and e-mail addresses, phone numbers, and bank account numbers (BIC/IBAN) were all hacked. 

3. Failure to protect personal data from unauthorized access (Article 32 of the GDPR) 

The CNIL determined that the risk associated with the breach should be considered high due to the nature of the personal data, the number of people affected, the possibility of identifying the people affected by the breach from the accessible data, and the potential consequences for the people concerned.

Dutch Privacy Watchdog fines Booking.com €475K



On Wednesday, the Dutch Data Protection Authority reported that it had fined online travel agency Booking.com €475,000 for failing to disclose a data security incident within the required timeframe.

The fine was imposed by the Dutch data protection authority as the company is legally headquartered in Amsterdam. It came after criminals stole the personal data of over 4,000 Booking.com customers, including over 300 victims' credit card information. The cybercrooks attempted to phish the card information of others by posing as Booking.com employees over the phone.

Booking.com witnessed a similar incident in the past in November 2020, wherein the data of millions of its customers was jeopardized. The investigation revealed that the breach was caused due to Prestige Software which stored customers’ payment details with no protection. Any customer who had booked with the company since 2013 was affected by the breach. 

In an official statement, while announcing the fine, VP of Dutch regulator Monique Verdier said: "This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time."

The travel company detected the data breach on January 13, 2019, but did not alert the Data Protection Authority until February 7, although the incident should have been reported within 72 hours, Booking.com notified affected customers on February 4th. 

Of the delay, Booking.com said: "We, unfortunately, didn't get the matter escalated as fast as we would have liked internally. However, we have since implemented measures to further improve awareness and education amongst our partners and the employees who support them closely, with an aim of further optimizing the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process." 

The company in an emailed statement also stated, “We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels. The protection and security of personal data is and will remain a top priority at Booking.com.”