Jul 182018
 July 18, 2018  Posted by  Breaches, Featured News, Non-U.S.

From the Information Commissioner’s Office, this press release:

The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 by the Information Commissioner’s Office (ICO) after sending a bulk email that identified possible victims of non-recent child sexual abuse.

The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998.

On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent but email addresses were entered into the ‘to’ field, instead of the ‘bcc’ field by mistake.

This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.

Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.

The Inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the ‘to’ field before clicking on ‘Reply All’.

The Inquiry then sent three emails asking the recipients to delete the original email and not to circulate further. One of these emails generated 39 ‘Reply All’ emails.

ICO Director of Investigations, Steve Eckersley, said:

“This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.

“People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

The ICO investigation found:

  • The Inquiry failed to use an email account that could send a separate email to each participant;
  • The Inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s email addresses were entered into the ‘bcc’ field;
  • The Inquiry hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list;
  • In July 2017 a recipient clicked on ‘Reply All’ in response to an email from the Inquiry, via the mailing list, and revealed their email to the entire list;
  • The Inquiry breached their own privacy notice by sharing participants’ emails addresses with the IT company without their consent.

The Inquiry and the ICO received 22 complaints about the security breach, and one complainant told the ICO he was “very distressed” by the security breach. IICSA has since apologised to the affected individuals.

The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach.

Jul 172018
 July 17, 2018  Posted by  Surveillance, U.S.

Hmmm.  I had missed this one, but thankfully, Joe Cadillic didn’t.  Frank Bajak of Associated Press reported:

In the first known case of its kind, U.S. drug agents supplied unwitting cocaine-trafficking suspects in California with smartphones they thought were encrypted but had been rigged to allow eavesdropping, Human Rights Watch reported Friday.

The advocacy group said it feared the technique could be abused to violate the privacy of non-criminals.

Read more on Courthouse News.

Jul 172018
 July 17, 2018  Posted by  Business, Surveillance, U.S.

Joe Cadillic writes:

Golf fans will be happy to know that the LPGA considers every fan a potential terrorist.

Last week an article in Sport Techie revealed that the LPGA is using NEC’s biometric NeoFace facial recognition technology to identify every fan.

Why would the LGPA use facial recognition to spy on fans?

If you guessed public safety, give yourself a gold star.

Read more on MassPrivateI.

Jul 172018
 July 17, 2018  Posted by  Featured News, Healthcare, Non-U.S.

Frances Cook reports:

A stoush has erupted over patient medical records, with a claim the privacy of up to 800,000 Auckland patients has been put at risk.

Four New Zealand and Australasian healthcare IT companies, Healthlink, Medtech Global, My Practice, and Best Practice Software New Zealand, have jointly contacted the Privacy Commissioner to flag the issue.

They said primary health organisation (PHO) ProCare Health was putting private information of up to 800,000 Auckland patients into a large database, including patient name, age, address, and all financial, demographic, and clinical information.

ProCare Health runs a network of community-based healthcare services, including GPs, throughout Auckland. It strongly denies patient privacy is being compromised.

Read more on New Zealand Herald.