.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Read Now
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Hello all, and happy Thursday!
There are plenty of fascinating stories in this week’s Privacy Insider—the APRA is inching its way through the legislative process, and the EU AI Act is right on the cusp of becoming effective—but the recent Ticketmaster-Live Nation hack caught my attention.
A group known as ShinyHunters has claimed responsibility for the hack, which involved the personal information of 560 million users. The hacker group has offered this data up for sale for a whopping... $500,000. Which really doesn’t seem like all that much money considering the scope of the breach.
In fact, it comes out to just a fraction of a fraction of a cent per affected individual. Somebody’s life could be totally upended due to a scam made possible by information that cost less than a tenth of a cent.
Was it really necessary for Ticketmaster to have collected all of this information?
It’s easy to focus on the cybersecurity aspects of this story but had more attention been paid to data privacy, the damage may have been much less significant. Not only is the number of affected individuals considerable, but the scope of information exposed per individual is notable as well. Individuals affected by the hack had their full names, addresses, phone numbers, last four digits of their card numbers and expiration dates, customer fraud details, and more exposed.
From the outside looking in, it’s not possible to say for certain whether Ticketmaster needed to collect all of this data and retain it for as long as they did. In any case, the outcome is the same: 560 million individuals need to safeguard themselves against potential identity theft and fraud because their information is for sale—and it’s going cheap.
Best,
Arlo
P.S. Struggling to persuade your leadership team that data privacy matters? Tomorrow’s webinar (Securing Buy-In: Making the Business Case for Data Privacy) may be exactly the resource you’re looking for. Save your seat here.
Top Privacy Stories of the Week
EU’s ChatGPT Taskforce Offers First Look at Detangling the AI Chatbot’s Privacy Compliance
The European Data Protection Board’s (EDPB’s) AI taskforce just released its preliminary findings on how the EU’s data protection rulebook applies to ChatGPT. The top-line takeaway is that the working group of privacy enforcers remains undecided on crux legal issues, such as the lawfulness and fairness of OpenAI’s processing.
Colorado Sets Baseline for Comprehensive AI Regulation in U.S.
Colorado Governor Polis recently signed the Colorado AI Act into law, the first comprehensive AI law in the US. The Colorado AI Act adopts a risk-based approach, primarily targeting the developers and deployers of high-risk AI systems. As the first of its kind in the U.S., odds are the Colorado AI Act will inform future legislation on AI in the U.S., making it crucial for businesses to become familiar with it.
Hackers Claim Ticketmaster Data Breach: 560M Users’ Info for Sale at $500K
Hackers have claimed to have breached the security of Ticketmaster-Live Nation, compromising the personal data of a whopping 560 million users. Over a terabyte of data is now being offered for a one-time sale for $500,000, including full names, addresses, email addresses, phone numbers, ticket sales and event details, order information, and partial payment card data. The hack comes amidst a DoJ antitrust lawsuit against Ticketmaster-Live Nation.
World’s First Major Law for Artificial Intelligence Gets Final EU Green Light
European Union member states recently gave final agreement to the world’s first major law for regulating artificial intelligence, as institutions around the world race to introduce curbs for the technology. The EU Council said it had approved the AI Act—a groundbreaking piece of regulatory law that sets comprehensive rules surrounding artificial intelligence technology. The AI Act will enter into force 20 days after publication in the Official Journal, which is expected to occur in the very near future.
Proposed American Privacy Rights Act Clears U.S. House Subcommittee
The proposed American Privacy Rights Act is on the move in the U.S. House legislative process. The U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved the updated APRA draft on a voice vote 23 May, advancing the bill to full committee consideration. There was no indication of when and how the full committee will proceed with the bill, but subcommittee members committed to ongoing work with an eye toward a polished bipartisan bill.
Osano Blog: Making the Business Case for Your Data Privacy Program
Want to hear about some tips for securing buy-in in advance of our webinar? Our blog post is on making the business case for your privacy program is the perfect amuse-bouche.
If you’re interested in working at Osano, check out our Careers page!