The Risk Report - Feb. 4

Cookie banners are confusing. Sometimes they won’t let you access the website until you accept them, other times they’ll disappear with a click of the “X”. So does anyone really give them any attention, or even know what they’re opting into? Belgian’s regulators seem to think that the answer is “no”...

BREACHES OF THE WEEK

🚌 Stop the buses

The Rhode Island Public Transit Authority (”RIPTA”), which operates the New England state’s public bus service, has suffered a data breach that has compromised the personal information of around 22,000 people. Documents presented during a State Senate committee this week show that 5,000 of those people were RIPTA employees, with the remaining 17,000 being employees of other Rhode Island state agencies. RIPTA has mailed letters to those impacted, in which they outlined that the PII compromised included Social Security numbers, addresses, dates of birth, Medicare information, and more. The Rhode Island Attorney General’s office is now leading an investigation of the incident.

Read the full story

🇬🇧 Language hacks

The British Council, a UK government-run organization that offers English language and culture courses worldwide has suffered a data breach that has exposed over 144,000 files of student records. Originally reported by a security research firm, the unencrypted records stored in Microsoft Azure Blob revealed names, email addresses, student ID, student status, enrollment dates, and duration of study of students spread across more than 100 countries. The British Council is now working with the UK’s Information Commissioner’s Office on recovery efforts.

Read the full story

🚗 Hack the guards

Securitas, a major multinational provider of on-site security guards and services, has suffered a data leak that exposed over 1.5 million files of data, including hoards of PII. First reported by SafetyDetectives, the data was found to have been stored in an unencrypted, publicly-accessible Amazon S3 cloud storage bucket and primarily contained PII of Securitas employees working at four major airports throughout Colombia and Peru. The PII stored included full names, photo ID cards, and national ID numbers. There were also many other files leaked including GPS logs, pictures of employees, planes, fueling lines, and luggage. Securitas has yet to release a statement in response to these findings.

Read the full story

NOTEWORTHY THIS WEEK

🍪 Illegal pop-ups

Belgium’s Data Protection Authority has issued a 250,000 Euro fine against a major international trade organization after finding it to be in violation of the GDPR. IAB Europe, the organization in question, and one of the world’s largest advertising trade associations, works to establish industry standards and protect the very industry it represents. But one of the standards it has been pushing didn’t seem to make the grade in the eyes of regulators. IAB’s Transparency and Consent Framework (”TCF”), commonly used for online consent popups and cookie banners, was found to be too generic and vague and didn’t “allow users to understand the nature and scope of the processing”. IAB Europe was ordered to permanently delete any personal data already processed by the TCF system and has also been given a strict deadline of just six months to bring TCF into full GDPR compliance or risk additional penalties.

Read the full story

🇺🇸 Start from the top

The Information Technology and Innovation Foundation (“ITIF”), an industry think tank based in Washington, DC, has released a report on the state of American privacy laws and why it believes that “In the absence of a federal privacy law, a growing patchwork of state laws burdens companies with multiple, duplicative compliance costs.” Read the full story to understand why the absence of federal data privacy laws could lead to compliance costs in excess of $1 trillion.

Read the full story

Want to receive this newsletter weekly? Subscribe for the latest news on data breaches and privacy legislation.