Weekly digest 27 June – 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones & privacy

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: credential stuffing, patient privacy, use of drones

The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual’s tendency to use the same credentials (e.g. username/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the ‘dark web’), to unlawfully access users’ accounts on unrelated websites. 

Successful credential stuffing attacks may result in fraud or other means of financial loss, as attackers may, for example, make purchases using the compromised account or transfer funds to their own account. Upon establishing a secure foothold, an attacker may attempt to obtain further access to data and systems through the harvesting of other visible or accessible credentials. Such attacks may also be used to cause intangible harm such as reputational damage by spreading disinformation or making false statements about an individual whilst using their compromised account. 

The guidance by international privacy authorities provides measures to detect, prevent and/or mitigate the risk from credential stuffing (guest checkouts, strong passwords and usernames, and their alternatives, multi-factor authentication, secondary passwords and pins, device fingerprinting, identifying leaked passwords, rate-limiting, account monitoring and lockout, incident response plans and user notifications, and more).

The US Department of Health issued guidance to protect patient privacy in wake of the Supreme Court decision where the right to safe and legal abortion was taken away. In general, the guidance addresses:

• how federal law and regulations protect individuals’ private medical information, (known as protected health information or PHI), relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and

• the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

According to recent reports, many patients are concerned that such apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care. The guidance also addresses the circumstances under which the Health Insurance Portability and Accountability Act, (HIPAA), permits disclosure of PHI without an individual’s authorisation. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care. 

Switzerland’s data protection commissioner FDPIC issued an annual 2021-2022 report, noting widespread indifference towards protecting citizens’ data and a growing disregard for privacy. The deficiencies in processing sensitive personal data that have become more frequent on health platforms, and the tendency, now also perceptible in Europe, to discredit the public’s right to encrypt their data as an abuse of freedoms, are evidence of this development. In relation to freedom of information, the FDPIC continues to see an increase in the number of requests for access and for mediation, which poses problems in meeting the legal deadlines in view of the pandemic-related backlog of work. You can read the detailed report here. 

When buying your equipment, you must check whether the device has been produced with data protection obligations in mind. For example, in order to comply with data minimisation, data collection systems mounted on drones should be capable of being switched on and off when appropriate and their visual angle limited in accordance with your purposes. In order to comply with the transparency principle, the drone should have adequate signaling such as lights or buzzers. It is also your responsibility to ensure that appropriate security of processing: check whether the video footage is stored on the device itself, on a portable storage medium, or on a cloud storage service, and take steps to mitigate any additional risk of loss or theft of personal data, such as encrypting data before it is transferred from the device to cloud storage.

Legal processes: criminal activity data

After the amended Europol Regulation entered into force on 28 June, the EDPS expressed its concerns that the amendments weaken the fundamental right to data protection. The new document “expands the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets”, the EDPS states. Consequently, data relating to individuals that have no established link to criminal activity may be treated in the same way as the personal data of individuals with a link to criminal activity. Putting in place strong safeguards, says the regulator, is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that the EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation. 

Investigations and enforcement actions: bulk emails, sales prospecting calls, unnecessary cookies, unauthorised logins

The UK Information Commissioner’s Office issued a monetary penalty to an NHS foundation trust. It used Outlook to send bulk emails to 1,781 Gender Identity Clinic service users. The accident happened despite the fact that the trust had in place some measures including a suite of policies. In particular, the “Email, Text and Internet Use Procedure” states: “To avoid inadvertently sharing other people’s email addresses, recipients should be selected in the ‘Bee’ box, not the ‘To’ box”. Data security and protection training was available to all staff with measures in place to update this at timely intervals. Here are some facts of the case:

• The trust’s intention was to send a bulk email relating to an art competition to approximately 5,000 patients. 
• The distribution list was extracted from the trust’s electronic patient record system using a specific set of search criteria which ensured recipients were active patients and had consented to be contacted by email in certain circumstances. 
• The output report produced from the system was then manually split into batches of around 1,000 addresses each. 
• In two batches the email addresses were copied from the output report and entered into the “To” field instead of the “Blind carbon copy” field. The recipients of each email could therefore see the email addresses of the other recipients of that email. 
• Four of the emails were returned as undeliverable and so potentially 1,777 emails were delivered and opened. 
• The staff member who sent the email noticed the error straight away and attempted, albeit unsuccessfully, to recall both the emails. They also contacted the trusts’ Information Management and Technology Service Desk to report the breach. 

The French Council of State validated the 2020 sanction pronounced by the state privacy regulator CNIL against Amazon. In December 2020, the CNIL imposed a fine of 35 million euros against the company, in particular for having placed advertising cookies on the computers of users of the sales site “Amazon.fr” without prior consent or satisfactory information, (in violations of Art. 82 of the Data Protection Act (transposing the “e-Privacy” directive). In addition, the CNIL noted that when users went to the “Amazon.fr” site after clicking on an advertisement published on another website, the same cookies were deposited but without any banner being displayed. Finally, the Council of State considers that the size of the fine imposed by the CNIL is not disproportionate with regard to the seriousness of the breaches, the scope of the processing and the financial capacity of the company.

The CNIL also issued a fine of 1 mln euros against TOTALENERGIES ÉLECTRICITÉ ET GAZ. The regulator has received several complaints concerning the difficulties encountered by people when dealing with a French energy producer and supplier, their requests for access to their data, and opposition to receiving sales prospecting calls. The company offered, on its website, a subscription form for an energy contract in which the user acknowledged giving his consent for the use of his personal data in order to subsequently receive commercial offers, without having the possibility of opposing it. Therefore, by completing this form, the user,  had no means of opposing the reuse of his data for commercial prospecting purposes for similar products or services.

In 2020 Norway’s parliament the Storting was exposed to data breaches, and in January this year, the Norwegian data protection authority Datatilsynet announced a fine of approx 200,000 euros for a lack of security measures. The regulator assessed Storting’s comments and maintains the notified fine. The data breach was related to an unauthorized login to the email accounts of an unknown number of Storting representatives and employees in the administration and group secretariats. The regulator has placed particular emphasis on the fact that the Storting had not established two-factor authentication or similar effective security measures to achieve adequate protection.

Data security: mobile devices at work

URL filtering, multi-factor authentication and mobile threat defense can help protect against phishing attacks. In environments that use multi-factor authentication, if a phishing attacker successfully gains a user’s password, they can still be denied access to enterprise information because they do not have the second factor required for authentication. For more information on phishing protection and other mobile device security and privacy enhancements for your organisation, refer to NIST publication on corporate-owned personally-enabled mobile devices and personal mobile devices to perform work-related activities.

Big Tech: misconfigured data storage containers, French “trusted cloud” in partnership with Google

According to Reuters, the US supermarket chain Wegmans agreed to pay 400,000 dollars and upgrade its security practices over a data breach that exposed the personal information of more than 3 million consumers nationwide. Reportedly, the company was accused of storing customer information in cloud storage containers hosted on Microsoft Azure that were left open because they had been misconfigured, leaving the data vulnerable to hackers. “Customers’ email addresses and Wegman’s account passwords were exposed for about 39 months, while customers’ names, mailing addresses, and data tied to their driver’s license numbers were exposed for about 30 months”, states the article quoting the New York Attorney General Letitia James.

Meanwhile, French defense company Thales has introduced a new firm within its group – S3NS in partnership with Google Cloud to offer state-vetted cloud computing services for the storage of some of the country’s most sensitive data, Reuters reports. The new company is the result of a government plan under which France acknowledged US technological superiority. Some of France’s biggest banks and healthcare organisations are among 40 potential customers of the new company. S3NS will offer from the second half of 2024 its “trusted cloud” that will ultimately combine full performance, services and applications of Google Cloud technology while allowing protection against extraterritorial foreign laws and in compliance with the requirements of the “Trusted Cloud” label of France’s Information Systems Security Agency.