Hello all, and happy Thursday! 

Regular readers of this newsletter see plenty of headlines about 1) data breaches and 2) fines levied against violators of data privacy regulations. But I wanted to highlight a story this week that features both—because often, where you find the one, you find the other. 

Advanced, a provider of IT and software services, was hacked back in August 2022. Notably, the UK’s National Health Service (NHS) was one of its clients, meaning that a lot of sensitive information wound up in the hackers’ hands. The Information Commissioner’s Office (ICO) stated that this data “included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.” Scary stuff!

At the time of the breach, medical professionals around the UK were forced to take patient care notes using pen and paper, transmit patient records manually to general practitioners, and essentially perform all of their duties without the benefit of a healthcare IT system. 

Now, Advanced potentially faces a £6 million fine for failing to protect personal information. Specifically, the ICO found that the hackers gained access through a customer account that did not have multi-factor authentication implemented. 

(It should be noted that this fine is provisional and that the ICO still has more investigating to do—but it seems unlikely that Advanced will be able to dodge this penalty.) 

Too often, this is how organizations get penalized for noncompliance. Malicious actors take advantage of some chink in the armor, and the costs just don’t stop. You might pay for the hackers’ ransom, remediation efforts, PR campaigns, lost business, and more. Just when things seem like they’re finally winding down, a data protection authority comes along to rub salt in the wound and add a fine on top. 

It’s a good reminder to invest in both robust cybersecurity and data privacy practices. Through security, you reduce the likelihood of a breach, and through privacy, you reduce its impact—after all, if you never need to handle sensitive personal information in the first place, you won’t have to worry about an attacker breaching your systems and getting their hands on it. 

Best, 

Arlo 



Top Privacy Stories of the Week

'This Is Bad': Cybersecurity Expert Says Columbus Breach Included Data of Private Citizens 

Recently, nearly half a million Ohioans’ personal data was posted to the dark web for sale. Columbus Mayor Andrew Ginther held a press conference Tuesday morning claiming that the data was unusable, encrypted, or corrupted—however, cybersecurity experts have found that this is not the case. One local cybersecurity expert said he found names, addresses, birth dates, drivers’ license numbers, and Social Security numbers. Initially, the city said that the data of Columbus employees, including police and firefighters, had been exposed in the data breach. 


National Public Data Hacked: 2.9 Billion Users Personal Data Stolen 

In one of the largest data breaches in history, the personal information of nearly 3 billion individuals has been stolen from National Public Data, a background check and fraud prevention service provider. The breach, which came to light through a class action lawsuit filed in Florida, has sent shockwaves through the cybersecurity community and raised serious concerns about data privacy and protection. 


UK Data Protection Authority Fines Company £6.09 Million for Poor Cybersecurity Practices 

Following a ransomware attack in August 2022, Advanced Computer Software Group was investigated by the UK Information Commissioner’s Office (ICO). The ICO found that hackers had gained access to Advanced’s systems via a customer account that did not have multi-factor authentication implemented. Now, the ICO has announced its provisional decision to fine Advanced £6.09 million over its failure to implement sufficient measures to protect personal information. 


New York AG Issues Guidance on Website Privacy Controls 

Although New York does not have a comprehensive data privacy law, businesses’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the New York Attorney General recently published guidance for website privacy controls, noting that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”  


X Suspends Harvest of EU Users' Personal Data to Train Its AI 

X (formerly Twitter) has suspended its much-criticized harvesting of European users' personal data to train its artificial intelligence program, said Ireland's Data Protection Commission (DPC). The DPC, which acts on behalf of the European Union, said in a statement that it "welcomes X's agreement to suspend its processing of the personal data contained in the public posts of X's EU/EEA users which it processed between 7 May 2024 and 1 August 2024, for the purpose of training its AI 'Grok'." 

Osano + Venminder Blog: 5 Ways Privacy Scores Help Manage Third-Party Risks 

Certain SaaS providers (*cough cough* Osano) provide scores on third-party vendors to help businesses understand their privacy risk at a glance. But there’s more to it than just seeing Vendor X has a lower score than Vendor Y. We partnered with Venminder, the experts in third-party risk management, to explain how third-party privacy scores can unlock actionable insights into your vendors and the risk they introduce. 


Like what you hear from the Privacy Insider newsletter?

There's more to explore:

🎙️The Privacy Insider Podcast

We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.

📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands

The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
