Friday, November 30, 2018

Clearly security is not a top priority.
Marriott says data breach compromised info of up to 500 million guests
Marriott International said Friday that up to 500 million guests' information may have been accessed as part of a breach of its Starwood guest reservation database, potentially one of the largest breaches of consumer data ever.
The world's largest hotel chain said it first received an alert in September from an internal security tool of an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014 and that an "unauthorized party" had copied and encrypted information.
Marriott said it determined on Nov. 19 that the information was from its Starwood database.
… For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
There are some customers who may have also had their credit card information taken. While that data would have been encrypted, Marriott said it can't rule out the information may have been decoded.
… The company also revealed the breach in a filing with the Securities and Exchange Commission, saying it did not expect the breach to hurt its business.


(Related) But considerably smaller…
Catalin Cimpanu reports:
As security experts predicted since last year, ElasticSearch servers –a technology for powering search functions– are becoming the next big source of massive data leaks.
The latest company to be added to the list of breach incidents caused by an exposed ElasticSearch server is Sky Brasil, one of the biggest subscription television services in Brazil.
For at least a week, and possibly more, Sky Brasil has left an ElasticSearch server exposed on the Internet without a password, ZDNet has learned from Fabio Castro, a security researcher based in Brazil.
Read more on ZDNet.




Far less than a GDPR.
Amendments to data breach notification law in Colorado impact HIPAA-regulated entities
Passed during the 2018 state legislative session, House Bill 18-1128 went into effect on Sept. 1, changing Colorado’s law on the protection of personally identifying information and the procedure businesses must follow when that information is breached.
Although the changes to the law are relatively extensive, HIPAA-regulated entities are exempted from most of these changes.
The new law contains a “deemed compliance” provision stating that most HIPAA-regulated entities who comply with HIPAA’s rules and regulations are deemed also to be in compliance with the state law, with two important exceptions:
  1. HIPAA-regulated entities still must provide notice to individuals affected by a breach within 30 days.
  2. In certain circumstances, HIPAA-regulated entities must provide notice of a breach to the Colorado attorney general.




Kind of a backgrounder.
The Privacy Paradox Could Determine the Next Evolution of Privacy Regulation
… Prior to Buttarelli’s speech, the Privacy Paradox was generally defined as the fundamental inconsistency between people’s stated beliefs and intentions about privacy and their actual behaviors. In other words, it is the paradox of wanting privacy but behaving as if it didn’t matter. Thus, while people may have a deep distrust and uneasiness about granting Facebook and Google so many insights into their daily lives via a constant stream of data, they generally are willing to click any boxes or agree to any terms of service, as long as they can continue to use the service.
In thinking about the Privacy Paradox, most researchers fall into either one of two camps: either they believe that consumers are rational thinkers who perform a sort of cost-benefit analysis in order to determine what is the price they are willing to pay to give away their data, or they believe that consumers are filled with inconsistencies and biases and are largely inaccurate when coming up with the true price of their personal data.
… As Buttarelli also pointed out in his ICDPPC speech, people did not think about ethics when drafting the European General Data Protection Regulation (GDPR), and did not debate the various ways that morality or moral obligations should influence the actions of governments.
… What’s more, says Buttarelli, the next evolution of data privacy regulation must take into account scenarios involving privacy that today might be regarded as futuristic. For example, should humanoid robots also have a right to privacy? When machines instead of humans are doing the sentencing of criminals (a process that Buttarelli refers to as “algorithmic sentencing”), what data should be allowed in their decision-making processes?




What an interesting idea. I wonder why the CIA didn’t think of it first.
Is WikiLeaks a Russian Front?
Consider the ramifications of this article, via The Atlantic – The idea that the putative transparency group served as a connection between Moscow and the president’s associates is starting to become clearer – if it proves to be an accurate appraisal of an increasingly expanding potential exposure of corruption and malfeasance perpetrated by public and private citizens and groups around the world.
“Barely two years later, the idea of WikiLeaks serving as a medium for Russia to boost the Trump campaign seems more and more plausible—even likely. For some time, there has been substantial evidence of Russia’s involvement in attempts to influence the 2016 presidential election and to hurt the Democrat Hillary Clinton’s presidential bid, from an elaborate trolling and Astroturfing operation to simple theft of emails and hacking. Until recently, the connection between those Russian efforts and Trump allies has remained somewhat obscure and speculative. But recent developments have started to flesh out the picture. Russia used WikiLeaks as a conduit—witting or unwitting—and WikiLeaks, in turn, appears to have been in touch with Trump allies. The key remaining questions are what WikiLeaks knew and what Trump himself knew.
According to a draft document from Special Counsel Robert Mueller’s team, which is investigating Russian interference in the election, the conservative author Jerome Corsi tipped off Roger Stone, a Trump friend and former political adviser, that WikiLeaks would release a tranche of emails hacked from Clinton campaign chairman John Podesta. The tip came in August, weeks before the October release. Corsi provided the document to NBC News and then several other news organizations. As per his practice, Mueller has not commented…”




I get the feeling they are looking for something to support a new definition of monopoly.
Amazon Under Fire in Europe as Germany Adds Antitrust Probe
Amazon.com Inc.’s "double role" as Germany’s largest retailer and biggest online host for smaller stores is the target of an antitrust probe into the terms the company sets for other sellers, the German Federal Cartel Office said.
The investigation into Amazon’s biggest market outside the U.S. adds to European Union scrutiny of whether the company gathers information on rival sellers’ successes to help launch its own products. German regulators said they’d received "numerous" complaints from sellers.

