GDPR READY WEEKLY NEWS – No 4, February 2019

News, articles, legislation and analysis, all about data protection and cybersecurity technologies

Research: Cisco Study finds 78% of GDPR-Ready Firms were breached – Cisco released its 2019 Data Privacy Benchmark Study revealing the impact and business benefits of data privacy, based on statements received from 3200 privacy and security professionals in 18 countries.

Standards: Avoiding GDPR Consequences adopting ISO 27001 – One of the most popular methods for addressing information security concerns throughout a business is the ISO 27001 Information Security Standard.

Study: 95K Complaints received in Europe – since the General Data Protection Regulation (GDPR) was enacted on 25 May 2018, Data Protection Authorities (DPAs) across Europe have received 95,180 complaints regarding the mishandling of personal data, and companies have reported a record number of 41,502 data breaches.

Data Breach: Airbus’ employees in Europe impacted – Airbus SE detected a cyber-incident on Airbus “Commercial Aircraft business” information systems, which resulted in unauthorised access to data. No detected impact on Airbus’ commercial operations.

Vulnerabilities: Total Donations plugin could expose WordPress Websites – Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited in the wild.  

Research:

Cisco Study finds 78% of GDPR-Ready Firms were breached

According to the Cisco study, organizations are benefitting from their privacy investments beyond compliance. While only 59% of companies believe they are ready for all or most of GDPR’s requirements, those that are ready are capturing substantial business benefits, such as reduced sales friction and greater data security, compared to the others.

Specifically, GDPR-ready companies are experiencing shorter sales delays due to customers’ privacy concerns. Their average delay was 3.4 weeks compared to 5.4 weeks for those that are the least ready for GDPR. The GDPR-ready companies are also less likely to be breached (74% were breached) compared to the least ready for GDPR (89% breached).

And, most interestingly, when a breach did occur, fewer data records were impacted. GDPR-ready companies averaged 79,000 records impacted compared with 212,000 records impacted for the least GDPR-ready. As a result, only 37% of the GDPR-ready companies had data breaches costing more than $500,000, compared with 64% of the least GDPR-ready companies.

Nearly all companies (97%) say they are receiving auxiliary benefits today from their data privacy investments and that privacy is a competitive differentiator in their markets. Cisco recommends that companies:

  • Invest in privacy maturity to address the requirements of GDPR and other relevant privacy regulations and frameworks;
  • Measure any privacy-related sales delays with existing customers or prospects, identify the causes of delays, and take action to reduce them;
  • Minimize the amount of personal data that is stored and processed, and put in place appropriate protections for this data based on risk, to help reduce costs and minimize the impact if/when there is a data breach;
  • Once data is appropriately protected, work to maximize the value of the organization’s data assets over the lifecycle of the data.

  READ MORE ABOUT CISCO STUDY  

Standards:

Avoiding GDPR Consequences adopting ISO 27001

ISO 27001 is an excellent resource for businesses that want to secure their corporate data, regardless of whether they have internet-accessible systems or work with personal or sensitive data.

Although it’s not designed specifically with the challenges of GDPR compliance in mind, it can easily be adapted to them with the appropriate knowledge. An Information Security Management System (ISMS) will put in place processes that help preserve the confidentiality, integrity and availability of corporate data. Although it does not specifically address personal information, the identification of relevant standards, laws and regulations with which compliance is required is part of the Standard. Under this, any organization processing Personally Identifiable Information (PII) would need to be compliant with the DPA (and/or GDPR).

According to an article published in Infosecurity Magazine, implementing an ISO 27001 certified ISMS that complies with GDPR and the DPA requires the following steps:

  • Understanding the Organization – Identify and document what information is held and how it is used, as well as any external and internal issues that affect the needs and expectations of customers and suppliers.
  • Culture of Security – To be truly effective, information security practices and concerns should be considered at all points in business operations, from planning to implementation and post-production activities.
  • Continual Improvement – Part of this is ensuring that the right resources and tools are available in the first instance, but businesses should also be measuring and analysing any changes, risks and opportunities.
  • Incident Reporting – Businesses must be prepared to notify those affected and report the issue to the relevant authorities. Incidents should be treated as learning experiences, with data collected and analyzed to prevent similar issues from occurring in future.
  • Security Controls – To comply with ISO 27001, businesses will need to define and implement information security controls describing specific behaviors and steps that must be taken in certain situations to ensure that information security is maintained.

  READ ORIGINAL ARTICLE HERE

Study:

95K Complaints received by DPAs in Europe

Since the enactment of the GDPR, 95,180 complaints have been lodged by individuals and by organizations mandated by individuals, national Data Protection Authorities have initiated 255 investigations, and companies have reported 41,502 data breaches since 25 May 2018.

The European Commission’s statistics indicate that the most common types of GDPR complaints were related to telemarketing, promotional e-mails, and video surveillance/CCTV, which were found to violate multiple provisions.

The European Commission’s joint statement said: “We are already beginning to see the positive effects of the new rules. Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work. They have by now received more than 95,000 complaints from citizens.”

As reported by Cisco in its Data Privacy Benchmark Study, companies which closely follow the requirements of the GDPR experience benefits such as lower frequency and effect of data breaches, as well as shorter downtimes, fewer records being impacted by the attacks, and lower overall costs. READ MORE HERE  

Data Breach:

Airbus’ employees in Europe impacted

Airbus SE detected a cyber-incident on Airbus “Commercial Aircraft business” information systems, which resulted in unauthorised access to data. There is no impact on Airbus’ commercial operations.

This incident is being thoroughly investigated by Airbus’ experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins.

Investigations are ongoing to understand if any specific data was targeted, however, we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe.

The company is in contact with the relevant regulatory authorities and the data protection authorities pursuant to the GDPR (General Data Protection Regulation). READ THE NEWS ANNOUNCEMENT HERE

Vulnerabilities:

Total Donations plugin could expose WordPress Websites

Total Donations is a plugin that lets non-profit, political, and religious organizations accept donations. According to Wordfence, the security flaws affect all versions of the plugin, including version 2.0.5. Successfully exploiting the zero-day can let unauthenticated attackers remotely modify values in the donation form.

The zero-day is related to the way Asynchronous JavaScript and XML (AJAX) incorrectly carries out the plugin’s access control function. AJAX is a web development technique used for creating dynamic web pages and applications.

Wordfence noted that 49 of 88 AJAX actions in Total Donations could be exploited by hackers to access and steal data, alter the site’s content and settings, or remotely hijack the website. Around 33 percent of all websites are powered by the WordPress content management system (CMS).
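The article says the flaw lies in how the plugin’s AJAX actions perform access control, without giving the plugin’s code. The following is an added illustration, not code from Total Donations or Wordfence, of the general WordPress pattern behind this class of bug: an AJAX handler registered for anonymous requests with no nonce or capability check, beside a hardened version that restricts the hook, verifies a nonce, checks a capability and sanitizes input before saving. The `dn_` prefix, the option name, the settings keys and the `dn-admin` script handle are all hypothetical.

```php
<?php
// Added illustration of WordPress AJAX access control. Not Total Donations code;
// the "dn_" prefix, option name, settings keys and script handle are hypothetical.

// --- Weak pattern -----------------------------------------------------------
// wp_ajax_nopriv_{action} fires for requests with no logged-in user, so hooking
// a settings-changing handler on it makes it reachable by any visitor.
add_action( 'wp_ajax_nopriv_dn_save_settings', 'dn_save_settings_weak' );
add_action( 'wp_ajax_dn_save_settings',        'dn_save_settings_weak' );

function dn_save_settings_weak() {
    // No nonce, no capability check, no sanitization: whoever reaches
    // admin-ajax.php can overwrite the stored donation-form values.
    update_option( 'dn_form_settings', $_POST['settings'] );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// 1. Register privileged operations only on wp_ajax_ (authenticated users).
// 2. Verify a nonce so the request came from a page this site issued.
// 3. Check the capability explicitly; being logged in is not enough.
// 4. Whitelist and sanitize the inbound fields before persisting them.
add_action( 'wp_ajax_dn_save_settings_v2', 'dn_save_settings_hardened' );

function dn_save_settings_hardened() {
    // Ends the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'dn_settings_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below runs.
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? $_POST['settings'] : array();
    $clean = dn_sanitize_settings( $raw );

    update_option( 'dn_form_settings', $clean );
    wp_send_json_success( $clean );
}

// Accept only known keys and coerce each to its expected type; unknown keys are dropped.
function dn_sanitize_settings( array $raw ) {
    $allowed = array(
        'currency'       => 'sanitize_text_field',
        'minimum_amount' => 'floatval',
        'thank_you_url'  => 'esc_url_raw',
    );
    $clean = array();
    foreach ( $allowed as $key => $filter ) {
        if ( array_key_exists( $key, $raw ) ) {
            $clean[ $key ] = call_user_func( $filter, wp_unslash( $raw[ $key ] ) );
        }
    }
    return $clean;
}

// Hand the nonce and endpoint URL to the admin-side script that makes the request.
// Assumes a script with handle 'dn-admin' has been enqueued elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'dn-admin', 'dnAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'dn_settings_nonce' ),
    ) );
} );
```

When auditing a plugin, the quick check is to list every `add_action( 'wp_ajax_nopriv_...' )` registration and confirm that each handler either performs no privileged operation or validates a nonce and a capability before it does; handlers on `wp_ajax_` still need the capability check, since any logged-in role (a subscriber, for example) can reach them.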

The scale of sensitive or mission-critical data they store and manage makes them an obvious target for cybercriminals and hackers. In December 2018, for instance, a 20,000-strong botnet of compromised WordPress websites was found using dictionary attacks (using preprogrammed credentials) to break into and infect other WordPress websites.

According to Trend Micro, WordPress isn’t the only target. Popular content management systems like Joomla, Drupal, and Magento were also targeted and used as vehicles to deliver a variety of threats — from ransomware to cryptocurrency-mining and payment data-stealing malware. READ HERE FULL ARTICLE  
