Sunday, July 23, 2017
Where were the thoughtful managers?
Catalin Cimpanu reports:
The Swedish government has exposed sensitive details on millions of citizens in one of the biggest government screw-ups ever, and the official responsible for the whole fiasco was fined only half of her monthly salary, which is 70,000 Swedish krona — or around $8,500.
The leak happened in September 2015, when the Swedish Transport Agency (STA) decided to outsource the management of its database and other IT services to companies such as IBM in the Czech Republic, and NCR in Serbia.
Read more on BleepingComputer.
From the article:
It was only in March 2016 that the Swedish Secret Service realized what happened, and started an investigation, warning other government agencies that unauthorized foreigners were now in control of their IT systems after the STA had bypassed necessary security checks just to expedite the transition to the new IT system as they wanted to fire local IT staff.
According to several Swedish newspapers, the leaked data included:
- Data from all drivers licenses in Sweden
- Personal details of all persons in Sweden's witness relocation program
- Personal details of Sweden's elite military units
- Personal details of Sweden's fighter pilots
- Personal details of all of Sweden's pilots and air controllers
- Personal details of all Swedish citizens in a police register
- Details of all Swedish government and military vehicles
- Details about Sweden's road and transportation infrastructure
How do errors like this even happen? Normal procedure would be to look at the entire dataset and copy selected records to a new file. This looks like, “Give them a copy of the file. The data they want is probably in there somewhere.”
Wells Fargo Accidentally Releases Trove of Data on Wealthy Clients
When a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case.
But what landed in Mr. Sinderbrand’s hands on July 8 went far beyond what his lawyer had asked for: Wells Fargo had turned over — by accident, according to the bank’s lawyer — a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.
The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.
… By Mr. Sinderbrand’s estimate, he has financial information for at least 50,000 individual customers.
… The files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo’s.
… The disclosure is a data breach that potentially violates a bevy of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.
State and federal regulations also require companies to notify customers when their information has been improperly released, as Wells Fargo may now do.
… Based on the fairly narrow subpoena that his lawyer submitted — it sought communications about Mr. Sinderbrand’s employment and compensation — there was no reason for the bank to turn over such information, especially without any redactions, Mr. Sinderbrand said.
Sounds like a “we gotta do something” law.
UK to bring in drone registration
It will affect anyone who owns a drone which weighs more than 250 grams (8oz).
… There is no time frame or firm plans as to how the new rules will be enforced and the Department of Transport admitted that "the nuts and bolts still have to be ironed out".
… "There will be people who will simply not be on the system, that's inevitable."
Similar registration rules in the US were successfully challenged in court in March 2017 and as a result are currently not applicable to non-commercial flyers.
Dr McKenna said there were also issues around how a drone's owner could be identified by police and whether personal liability insurance should also be a legal requirement in the event of an accident.