That's a lot of people and a lot of info. Glad I'm not one of them.
Nostalgia aggregator Timehop has revised its advice about the data breach it reported earlier this week. The news is bad in two dimensions, the first of which is that the company has found more data was accessed. Updates to its oops! post has now added “dates of birth, gender [and] country codes” to the list of lost …
That's a lot of people and a lot of info. Glad I'm not one of them.
No beard either.
Not having heard of Timehop, I took a quick look at their website to see what it might do.
Front page is a big picture with a meaningless strapline. The "About Us" offers the meaningless puff:
Timehop created the digital nostalgia category and continues to be THE team reinventing reminiscing for the digital era.
The rest of their site seems to be about advertising opportunities. So I'm none the wiser as to its purported function. This seems to be pretty typical of the social media app - you're supposed to find out about it through viral marketing and want it because of its name and its "vibe", regardless of what it actually does.
Which seems in this case to be equally typical of the social media app - it collects your personal information in order to sell you stuff and carelessly spills it over the Internet.
Disclaimer: I have a beard, but it's grey.
I didn't even know it was a separate company until I saw this article, I assumed it was a part of Facebook since that's the only place I'd ever seen it. I wonder if all the compromised accounts were people who accessed TimeHop directly, or if some of them were people who had only ever used it via Facebook?
Given how freely Facebook seems to let third parties access data, especially one that seems particularly closely integrated like TimeHop is, I think I know the answer to that...
Would Facebook face any penalties under the GDPR if they gave TimeHop access to the user data but it was TimeHop who screwed up and let it escape? TimeHop probably has little in the way of resources, so I know which one I'd rather go after!
Imagine if Cambridge Analytica's data slurp included entire Facebook histories--even stuff long deleted or hidden. (Mind you, I'm not sure I've accurately stated this for the way that Facebook really works, as I've never had an account.)
Even if Cambridge Analytica's didn't, we shouldn't assume other third parties who "worked with" Facebook didn't get exactly that. If they were around long enough, even without access to deleted stuff they had a chance to grab it before deletion.
I found it interesting when it was recently reported that Google was letting third parties access people's actual GMail accounts, which begs the question what else they've given permission to root around in. Governments of the world wouldn't need explicit cooperation from Facebook/Google if posing as various third parties let them grab what they want while providing Zuck and Page deniability when asked "do you give government X access to user data without a warrant?"
Technically they wouldn't be lying if the access was granted to a Cambridge Analytica like front for the NSA, or multiple fronts that each collect different data. Then even Facebook and Google don't quite know the extent of what the government is looking at (which only helps them be able to keep a straighter face when saying "we do not provide access to any of our data without a warrant")
That means that "incident response" is the headless chicken phase of the IT department panicking amongst calls from upper management to know what the hell is going on, preventing anything from actually being done.
Brilliant example of closing the stable door after the horse has bolted.
Now maybe would the time to analyse proper network surveillance options and revise the security procedures ? Nah, just make noise about how security is at the heart of everything you do and lessons will be learned to prevent this from ever happening again until next time.
Tomorrow it'll be business as usual anyway, so why spend money that could go to CxO bonuses ?
Bet you how much that there could be a sizeable GDPR fine lobbed at them and the usual CxO bonuses would STILL happen...?
I suspect you're assuming the stable door is in fact closed. Or closed but perhaps not locked. Deficient information protection practices are pervasive in companies.
Isn't that going to be quite a sizable fine?
Should be the first time we see if GDPR has teeth,
The fines are the for repeat and flagrant offenders, particularly those that don't even try to maintain privacy. While there is an element of punishment/risk in fining organisations after a breach, if the organisation that was breached behaved well and did what they could and it's a first incidence of the time then they are quite unlikely to be fined. If you're a large, or well funded organisation, and don't do your best you will be in trouble though.
On the other hand, the buggers whose business model is hoovering up personal data directly and indirectly and then using this to build profiles of the data subjects and the data subject's contacts... they will receive fines regardless of a malicious breach.
I'll be honest on this one, it's surprising me how transparent they're being considering the potential penalties It makes it hard for me to hate them. Which is probably the idea. What utter bastards!
It's exactly because of the potential penalties they're being open. GDPR fines are not automatic, and the amount can be "up to" - but many factors will play their role when the authority in charge decides them.
Keeping issues hidden (Equifax...) *could* have had a pejorative impact on any fine that could be inflicted upon them.
This could be the first test of how GDRP works - let's keep an eey on it....
"The steps that followed suggest swift escalation to the C-suite, but by the time incident response processes kicked in the data was gone."
This implies that incident response had to be invoked by the C-suite and that the time involved was crucial. In that case there needs to be standing permission for sysadmins to respond immediately. It's an area the relevant regulator will need to check on in deciding what action to take.
The first rule of DOB is to lie on websites
Only organizations that really need it e.g. bank, doctor, HMRC should get it.
Some random website should not get key PII that is a cornerstone of identity fraud.
Too many sites have mandatory DOB - interested to see GDPR scupper that .. if a site has minimum age requirements then all it needs is tickbox to confirm over "n" years, and not require core PII
.. Yes I am aware lots of people freely use correct DOB on social media - they are probably clueless on how easy identity theft is (also is anyone posting details of birthday to social media, no point hiding DOB if you upload 21st (or whatever) birthday party photos to FB, similarly resist classic ID question data such as pet names etc on social media)
... Frankly, just say no to privacy risking social media
A company using primarily servers facing the Internet fails to use MFA for administrators.
You have to consider the CIO neglectful in their duties for not ensuring MFA is implemented
How many other services, websites and apps like this are there, long-forgotten and barely-maintained flashes in the pan running on last-decade technology and security/privacy principles? Surely a massive powderkeg / can-of-worms / [insert metaphor of choice] with all this abandonware holding so much personal information. Thankfully TimeHop is one I never saw the point in so never participated in, but I know many who did.
Biting the hand that feeds IT © 1998–2018