02/06/20 GDPR Community Round-Up

Here’s a round-up of interesting reading we found online today*;

• At a time when supermarkets in the UK are experiencing their fastest growth in sales, cybercriminals have been setting up dozens of fake domains to impersonate popular supermarket brands and lure online shoppers into sharing their personal and financial information.

• Councils don't have a consistent view of cybersecurity according to a new report. The Ministry of Housing, Communities and Local Government releases findings around security perceptions of local authorities. Councils face a number of shortcomings when it comes to their cybersecurity perceptions, according to research published by the Ministry of Housing, Communities and Local Government (MHCLG).

• Trowbridge Town Council has been found to have breached GDPR following a complaint from a taxpayer. Paul Jubbie told the Information Commissioner's Office the council had infringed his data protection rights by disclosing his email address to other people. Mr Jubbie told the town council's annual meeting on May 19 his personal details had been "compromised" by the council's failure to take adequate GDPR security measures. He said: "Everybody who was invited to take part in this meeting had their email addresses shared with 50-60 other people. That is in breach of GDPR article 32 and GDPR Article 5.

• Dubai issued a new data protection law, which combined best practices of data protection regulations across the world, for companies operating within the Dubai International Financial Centre. The DIFC Data Protection Law - No 5 of 2020 - will come into effect on July 1, the Dubai government’s media office said in a press statement Monday. The current law, Data Protection Law - No 1 of 2007, will be valid till then.

• Interesting write up "Big GDPR Fines in UK and Ireland: What's the Holdup? Both Countries Have Each Issued Only a Single, Finalized Fine Under EU's Privacy Law".

• TVSmiles, a Berlin-based mobile native advertising app whose users earn digital currency in exchange for engaging with branded content such as quizzes, apps and videos, has suffered a data breach. Security researcher UpGuard disclosed in a report today that it found an unsecured Amazon S3 bucket online last month — containing personal and device data tied to millions of the app’s users. According to TVSmiles’ marketing material the quiz app has up to three million users. The storage bucket UpGuard found exposed to the Internet contained a 306 GB PostgreSQL database backup with “unencrypted personally identifiable information matched to individual users, profiling insights about users’ interests based on quiz responses, associations to smart devices, and accounts and login details for TVSmiles’ business relationships”, according to its report.

• The team behind the Joomla open source content management system (CMS) announced a security breach last week. The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company. The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website -- a portal where professionals advertise their Joomla site-making skills.

• In a rare public warning, the US spy agency NSA says the notorious arm of Russian military intelligence is targeting a known vulnerability in Exim. On Thursday, the NSA issued an advisory that the Russian hacker group known as Sandworm, a unit of the GRU military intelligence agency, has been actively exploiting a known vulnerability in Exim, a commonly used mail transfer agent—an alternative to bigger players like Exchange and Sendmail—running on email servers around the world.

*These sites aren’t affiliated with GDPR Community and these aren’t an advertisement, they’re simply site’s we’ve thought the community might have an interest in reading.