December 19, 2018 at 18:34 #68587
Many will have noticed generalist media covering the latest personal data scandals in early December. The hotel chain Marriott realised 500 million accounts of their loyalty program had been compromised (some including sensitive information such as passport and credit card details). This positions Marriott in the top 3 biggest ever data scandals. Only Yahoo managed to do worse with 1 billion email accounts compromised in 2013, and then another 500 million in 2014.
The British Parliament today released 250 pages of internal communication from Facebook, showing a certain loose attitude to their users’ personal data. The emails show that FB shared profile information (friendship) with some ‘trusted’ companies, but without the permission of the users. It also emerges that Facebook used SMS and call logs from Android devices to enrich profiles. Facebook has since replied that it stopped sharing the information in 2015 and that the users had given permission for Facebook to read their call and message history.
Three messages seem clear:
– Cybersecurity needs to get better; Marriott is a bad example of cybersecurity in action: the hack went undetected for 4 years – there should have been plenty of opportunities to detect even such a sophisticated attack.
– Data breach responses are getting better; Marriott is also a good example of a prompt reaction: offering a free credit check to affected users, communication to customers, a hotline and a specific website. The response was quick, if not fully effective given some of the negative feedback from users on queues, bad information and a crashing site. The response strategy was good at least, the implementation less so. Any company working on personal data should have a crisis response drill to put in action quickly and effectively.
– Too much is left open to interpretation: Facebook is perfectly entitled to its response, but it highlights how there is not yet a benchmark on clear permission policies or clear opt-ins. The almost legalistic answer is not something the users would really understand or appreciate.
Share with the rest of the ecosystem what you would suggest to do for
– securing personal data
– responding to data breaches
– identifying best practice in permission and opt-ins?