The data protection year 2021: The biggest data mishaps of 2021

It's not just the size of the fine imposed that makes it clear that this could be a serious data protection breach under the General Data Protection Regulation (GDPR). A look at the data breaches that came to light in 2021 makes this clear. Companies should use these incidents to question their own data protection processes.

Unfortunately, there were more than enough examples of data breaches in 2021. Not only the data breaches that led to high fines should be considered serious.

Looking back on the data protection year 2021, the question rightly arises as to which data mishaps were to be lamented, and which of them were particularly serious. It’s less about sensationalism and more about learning from incidents.

On the one hand, companies should always ask themselves whether this could also happen in their own operations. Third-party data breaches should be taken as an opportunity to question one’s own data protection concepts. Last but not least, reports on data protection violations should be used to make the instructions as clear as possible for one’s own employees.

But when is a data breach serious and major? The GDPR defines a "personal data breach" as a "breach of security leading, whether accidentally or unlawfully, to the destruction, loss, alteration of, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".

How consequential a data breach is can then depend on many factors, such as the number of data subjects, the amount and category of data sets affected, the nature of the breach, i.e., whether the data was destroyed, whether the data was misused and for what criminal purpose.

It is already apparent that one should not only look at the amount of a possible fine, even though the competent supervisory authority will of course also examine the previously mentioned factors when it comes to assessing the fine or other sanctions.

In the media or "just" the focus of regulators

If you now think of the numerous headlines in 2021 that revolved around data breaches, you might overlook a large number of data breaches that the media did not mention in detail but that were the focus of the supervisory authorities.

If you take the incidents that the supervisory authorities themselves have reported on in more detail, they naturally include the cases that made headlines. Examples include:

Case 1: The State Commissioner for Data Protection (LfD) of Lower Saxony had imposed a fine of 10.4 million euros on AG. The company had been video-monitoring its employees for at least two years without a legal basis for doing so, the regulator said. The unauthorized cameras covered, among other things, workplaces, sales rooms, warehouses and recreation areas. "We are dealing here with a serious case of video surveillance in the company," said the LfD Lower Saxony, Barbara Thiel. "Companies need to understand that by engaging in such intensive video surveillance, they are massively violating the rights of their employees".

Case 2: Between August 2018 and December 2019, Vattenfall Europe Sales GmbH (Vattenfall) routinely checked customers’ contract requests for special contracts that involved special bonus payments to see if they exhibited "behavior conspicuous for switching," according to the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). This review was intended to prevent customers from concluding such bonus contracts so regularly that this offer to acquire new customers would no longer be profitable for the company.

To verify this, Vattenfall used invoices from previous contractual relationships with these customers, which must be kept for up to ten years anyway according to tax and commercial law requirements. However, it was not apparent to customers that such data matching was taking place.

After examining the matter, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) came to the conclusion that Vattenfall, through this action, violated the transparency obligations under data protection law (Art. 12, 13 GDPR), as customers were not adequately informed about the data matching process. A total of around 500,000 persons were affected. As a result, in September 2021, the HmbBfDI fined Vattenfall more than 900,000 euros.

Case 3: In 2021, various cases of data breaches, leaks and data protection violations by large international digital corporations have also come to light. The consequences turned out to be serious in some cases, ranging from phishing scams and bullying to a case of suicide. The State Commissioner for Data Protection and Freedom of Information (LfDI) of Rhineland-Palatinate, Professor Dieter Kugelmann, explained: "The current cases show, in some cases dramatically, the importance that data protection and data security must have in digital times. If more is not done on all sides for data protection, more and more citizens could become victims of fraud attempts, cyber attacks and bullying."

Security vulnerabilities and data privacy violations

However, data privacy violations should not only be taken seriously when fines have been imposed. In 2021, there were also cases of possible data breaches related to prominent security vulnerabilities that (so far) have not resulted in sanctions.

One example was the security vulnerabilities in the widely used mail infrastructure "Microsoft Exchange Server". On the one hand, the Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) requested that the available security patches be installed immediately. This urgent notice was based on the obligation to ensure the security of processing activities under Article 32 of the GDPR by controllers of vulnerable systems.

Dr. Lutz Hasse, Thuringia State Commissioner for Data Protection and Freedom of Information, also commented on possible data mishaps: "Please also check whether malicious codes have already been installed. Identified data breaches must be reported to the TLfDI in accordance with Article 33 of the GDPR. Furthermore, it must be checked whether the data subjects must be notified".

The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information (LfDI) received a dozen inquiries and reports of personal data breaches (data breach reports) under Article 33 of the General Data Protection Regulation (GDPR) within a short period of time due to security vulnerabilities on Microsoft Exchange servers.

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg stated the same thing: "If the exploitation of the vulnerability is detected during the check of the systems, it must generally be assumed that there is an obligation to report to the supervisory authority. Only in atypical constellations will there be no risk to the rights and freedoms of data subjects. Any waiver of notification should be justified and documented."

The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen (LfDI) had also received a significant number of corresponding notifications of personal data breaches. It advised all operators of Microsoft Exchange Server infrastructures that, if not already done, immediate action must be taken to close the vulnerabilities and check for compromise of the systems.

In addition, she pointed out the obligation of data controllers (operators) to notify personal data breaches under Article 33 of the General Data Protection Regulation (GDPR). This already applies when a compromise has occurred – even if no leak of personal data has occurred or could not yet be detected.

Current example: vulnerability in Log4j

Another example from 2021: The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) informed about the acute need for action regarding the vulnerability in the Java library Log4j. With the vulnerability in Log4j present, the security of the processing pursuant to Art. 32 GDPR is no longer fully guaranteed for the systems concerned and, where applicable, beyond them. It is the responsibility of the controller to restore the security of the processing, the supervisory authority said.

Closing the weak point would not be sufficient in this case. Those responsible would additionally need to check whether successful attacks have already occurred. In that case, further action must be taken, and it must be checked whether a personal data breach notification under Art. 33 GDPR must be filed with the HBDI.

The Bavarian State Office for Data Protection Supervision said: Because of the increased risk situation for compliance with data protection obligations, Bavarian data controllers must immediately check whether their IT systems and applications are affected by the Java security vulnerability Log4Shell. If a security breach has already occurred, e.g. because the vulnerability has been actively exploited, and if IT systems containing personal data are affected, controllers are regularly subject to a notification obligation under Art. 33 GDPR with the competent data protection supervisory authority.

As it turns out, there were unfortunately more than enough examples of data mishaps in 2021. It’s not just the data breaches that have resulted in hefty fines that should be considered serious. Even security breaches that have become known can lead to data breaches and reporting obligations, even if there should not be any fine procedures for this yet. Failure to report under GDPR may itself constitute a breach under GDPR and lead to sanctions.
