Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News

CERT-IN makes mandatory for Indian companies to report hacking/cyber security incidents to government within six hours after detecting them
https://www.securitynewspaper.com/2022/04/29/cert-in-makes-mandatory-for-indian-companies-to-report-hacking-cyber-security-incidents-to-government-within-six-hours-after-detecting-them/
Fri, 29 Apr 2022 20:55:00 +0000

A new guideline issued by India’s Computer Emergency Response Team (CERT-In) has become a contentious issue for multiple government IT agencies. The Indian agency has determined that technology organizations should implement measures for the reporting of 20 different types of cyber security incidents within six hours after their detection.

On its reasons for making this determination, the agency mentions that its teams identified “certain gaps that hinder the analysis of security incidents”; in addition to this new deadline, CERT-In will encourage the submission of incident reports by analog mediums such as telephone or fax, in addition to e-mail.

The new mechanisms will apply to service providers, intermediaries, data center operators, enterprises and government organizations that manage IT infrastructure.

As mentioned above, the report lists 20 types of security incidents, including information breaches and ransomware infections. Although it is obvious that the situation merits a report in these cases, on other occasions CERT-In provides very few concrete definitions, as is the case of those defined as “Attacks or suspicious activities that affect systems/servers/software/applications in the cloud”.

In addition to ambiguous definitions, CERT-In has received criticism about how short the report window is. Other legislative frameworks such as EU’s General Data Protection Regulation (GDPR) establish a deadline of 72 hours for the reporting of security incidents after their detection, while for the U.S. Government 24 hours are more than enough to submit these reports.

This is not the only update to the security incident reporting process in India. According to the new guidelines, organizations under this regulation must also keep a detailed record of all their information systems during the 180 days after the report, also having the obligation to deliver this data to CERT-In when requested.

Finally, additional requirements were established for organizations operating with cryptocurrency. Providers of services related to virtual assets will have to verify the identity of their customers and safeguard this data for at least five years, in what appears to be an aggressive measure against money laundering through cryptocurrency.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Google Analytics banned in EU, due to privacy concerns of leaking people data to spy agencies
https://www.securitynewspaper.com/2022/01/20/google-analytics-banned-in-eu-due-to-privacy-concerns-of-leaking-people-data-to-spy-agencies/
Thu, 20 Jan 2022 17:17:02 +0000

The world’s leading tech companies continue to run into compliance problems with the European Union’s strict General Data Protection Regulation (GDPR), even 4 years after its entry into force. This week, privacy advocates in Austria advanced legal proceedings against websites that use Google Analytics, the most widely used set of computer tools for tracking the activities of millions of website users.

In a case brought before the Austrian Data Protection Authority, it is mentioned that the operators of a health-focused website violated various provisions set out in the GDPR, transferring the personal data of their users to Google using the Analytics tool. European law states that it is illegal for a company to send personal information to companies in the U.S. if they cannot guarantee that this data will not be available to American intelligence agencies.

This case was brought as part of an initiative by activist Max Schrems and None of your Business (NOYB), his privacy advocacy group. This was a multinational initiative, so it is anticipated that more countries will make similar decisions in the near future; if so, websites operating in the European Union may stop using Google Analytics and other U.S.-based cloud services.

This week, the activist stated: “We have filed 101 complaints in basically every member state of the European Union. We formed a working group, so we expect the other data protection authorities to now come up with similar decisions, creating a domino effect.”

It is worth mentioning that the resolution was not entirely favorable to privacy advocates. While the Austrian authority ruled against the website that sent the data to the US, the complaint against Google was also dismissed, as the GDPR breach was committed by the company exporting the data.

In addition to stopping using Google’s cloud services, European companies also expect authorities in the U.S. to pass laws to prevent foreigners’ data from being analyzed by local intelligence agencies, though there is no chance of this happening anytime soon.

New 100KB White Rabbit ransomware will encrypt files and send them to GDPR authorities if you don’t pay the ransom
https://www.securitynewspaper.com/2022/01/19/new-100kb-white-rabbit-ransomware-will-encrypt-files-and-send-them-to-gdpr-authorities-if-you-dont-pay-the-ransom/
Wed, 19 Jan 2022 18:48:42 +0000

Cybersecurity specialists report the detection of a new ransomware variant apparently operated by FIN8, a dangerous hacking group with financial motivations and a focus on point of sale (PoS) engagement. Dubbed White Rabbit, this new malicious development was spotted by Michael Gillespie, a ransomware research specialist and founder of the No More Ransom cybersecurity initiative.

Trend Micro experts were also able to analyze this new variant, discovering that the ransomware executable is a payload of just 100 KB, plus it requires a password for its decryption. After its execution, White Rabbit will start scanning all the folders of the infected device, encrypting specific files and showing the ransom note to the victim for each encrypted file.

Encryption of affected devices also affects removable drives and other devices connected to the same network. In addition, the ransom note mentions to the victim that their files were extracted, threatening to sell this data if payments are not met.

The hackers also show a four-day limit for the victim to pay the ransom; the note mentions that, if users do not make the payment, their data will be sent to the data protection authorities, generating fines for violations of the General Data Protection Regulation (GDPR).

The hackers’ payment platform, hosted on Tor, displays a homepage showing some files stolen from victims, as well as including a chat section to communicate with threat actors.

Experts add that the link between this ransomware operation and the FIN8 hacking group can be seen in the implementation of the malware, since in both cases the use of a custom backdoor that receives maintenance on a regular basis stands out.

At the moment the scope of this malicious campaign is unknown, although it is believed that the operators of White Rabbit have kept a low profile until now, leaving for later the deployment of a campaign of massive exploitation.

Facebook and Google fined with $200 million USD by French government for cookies policy
https://www.securitynewspaper.com/2022/01/06/facebook-and-google-fined-with-200-million-usd-by-french-government-for-cookies-policy/
Fri, 07 Jan 2022 00:22:58 +0000

The French authority on information security decided to impose a €60 million penalty against Facebook and a €150 million penalty against Google after concluding that both companies hide from users the possibility of rejecting tracking cookies, so users must make endless clicks for this purpose.

In their resolution, the authorities point out that both companies clearly show the user the option to accept all cookies, in addition to including a single button for it. On the other hand, rejecting cookies is an unclear, non-automated and frustrating procedure, which requires users to disable each tracking option one by one.

After an investigation preceded by thousands of complaints from local users, the authorities came to three main conclusions:

  • Companies make rejecting cookies an unnecessarily complicated process
  • Trying to dissuade users from rejecting cookies is a systemic practice
  • Both companies encourage users to consent to the collection of personal data

Both Facebook and Google were notified about this investigation a few months ago, so both companies committed to make the necessary changes so as not to have problems with the French authorities. However, months later the authorities still did not see the necessary changes, so the fines against both companies were announced.

The representatives of both companies have already spoken out on the matter, mentioning that their commitment to the safety of users is unquestionable and adding that the actions to be taken on these fines will be analyzed. Firms are likely to appeal the decision.

Other countries in Europe have taken similar steps before. In November 2021, the Italian government fined Google €10 million after discovering that the company was activating, by default, user options to collect, transfer and exploit users’ data for business purposes.

Personal data of people who applied for France Visa gets leaked. French government confirms the incident
https://www.securitynewspaper.com/2021/09/06/personal-data-of-people-who-applied-for-france-visa-gets-leaked-french-government-confirms-the-incident/
Mon, 06 Sep 2021 19:15:05 +0000

In a joint statement, the French Ministry of Foreign Affairs and Ministry of the Interior confirmed the detection of a cybersecurity incident that resulted in the exposure of data belonging to almost 8,700 people who applied for work and tourism visas through the France-Visas website. Government entities note that this attack was launched directly against a feature of the site that receives nearly 1.5 million monthly requests.

The French government says the incident was “immediately neutralized,” though threat actors had plenty of time to extract hundreds of confidential records, including names, passport numbers and dates of birth, among other data.

On the other hand, a representative of the Ministry of Foreign Affairs points out that at the moment it is not possible to share with the press and cybersecurity community more details about the incident, which includes information such as the nationality of the affected users. It is important to clarify that the information leaked varies according to the affected users, although these details mainly refer to names and contact information.

On the security risks derived from this cyberattack, the statement notes that the information could be used for malicious purposes, although this potential misuse is limited because the leak does not include sensitive financial details as established in the General Data Protection Regulation (GDPR).

For the affected government offices, it is important to note that no malicious actor could create new applications or administrative processes on behalf of the users affected by this leak, whether they are Visa applications or any other French government procedure.

The French authorities have begun to contact the affected users in order to take the corresponding security measures, in addition to claiming to be working together to prevent a similar incident from happening in the future.

Grindr, the gay dating app, will be fined with €10 million for GDPR breaches
https://www.securitynewspaper.com/2021/01/26/grindr-the-gay-dating-app-will-be-fined-with-e10-million-for-gdpr-breaches/
Tue, 26 Jan 2021 18:22:19 +0000

The Norwegian authorities have notified Grindr LLC of its intention to impose a fine of approximately €10 million on account of the multiple infringements of the European Union’s General Data Protection Regulation (GDPR). After an investigation, the Norwegian Data Protection Authority concluded that this application shared its users’ data with third parties without prior consent or any defined legal basis.

Grindr is a dating app specially designed for the gay, bisexual and transgender community that connects its users based on their approximate location and similar interests. A few months ago the Consumer Protection Council in Norway filed a complaint against the app over the alleged misuse of personal information for advertising purposes; compromised information included location data, personal information and Grindr account status.

The authorities argue that Grindr requires the express consent of its users to share this information with third parties, since its policies at no time mention such practice, not to mention that by sharing details about the sexual preferences of its users, Grindr is exposing particularly sensitive information. It should be noted that the research is only related to the information of users of Grindr’s free version.

Bjørn Erik Thon, General Director of the Data Protection Agency in Norway, considers that this is a very serious problem: “Users cannot exercise real control over the information Grindr shares with other platforms; these companies get consent in a blurry way, so the law has to take matters into terms.”

European law states that explicit consent is an essential element in the handling of sensitive personal data, so it is necessary for companies to simply inform users about the information they will collect and their possible uses (mainly associated with marketing). The authorities mention that, in many cases, users are simply forced to accept the policies of these platforms, completely ignoring explicit consent, which is a violation of the GDPR.

Grindr received a draft fine project, so the company has about 15 days to issue any comments or nonconformities about it. Once this period has expired, the European data protection authority shall issue its final decision. 

Norway authorities also filed complaints against five third-party companies that received data from Grindr, including MoPub (owned by Twitter), and OpenX Software.

How to get rid of cookies’ warnings from all websites via tool “I DON’T CARE ABOUT COOKIES”
https://www.securitynewspaper.com/2020/11/10/how-to-get-rid-of-cookies-warnings-from-all-websites-via-tool-i-dont-care-about-cookies/
Tue, 10 Nov 2020 19:01:22 +0000

While most users of online platforms don’t care about the information these sites can collect, knowing the permissions with which websites operate is indispensable for computer security best practices. In recent times websites should warn users about their cookies collection policies, although this can be somewhat annoying and repetitive.

“I DON’T CARE ABOUT COOKIES” is a very useful tool for any user who wants to limit the constant cookie alerts displayed on websites capable of collecting information.

Thanks to this tool users will be freed from all cookie warnings that appear when entering each website in compliance with the European Union’s General Data Protection Regulation (GDPR) and other similar legislation. The I DON’T CARE ABOUT COOKIES browser extension will prevent you from having to click the “OK” button every time you log in to a new platform.

The downside is that using this tool would allow websites to manage user cookies as they please (although in most cases this already happens). Therefore, the best way to keep your data out of the reach of companies is to configure the automatic deletion of cookies.

For this, browser extensions like Cookie Auto Delete provide the user with the ideal way to delete these records by simply closing a website, or you can opt for periodic deletion of your browsing data after using your trusted web browser.

This is the ideal way to get rid of annoying cookie notices without letting Internet companies collect all your private information.

Biggest credit agency banned from selling financial data of millions without their permission
https://www.securitynewspaper.com/2020/10/28/biggest-credit-agency-banned-from-selling-financial-data-of-millions-without-their-permission/
Wed, 28 Oct 2020 18:28:47 +0000

The UK’s Information Commissioner Office (ICO) has ruled that the credit agency Experian has been sharing personal data of millions of people without their consent. According to British authorities, the firm has sold this information to businesses aiming to identify users who could afford goods and services. Political parties may have accessed this information too.

Although the ICO has concluded that the company must implement fundamental changes on how it handles data or face a huge fine, Experian has stated its will to appeal the decision.

“We think the ICO’s view goes beyond the legal requirements,” the Dublin-based firm considers. “This interpretation may also place risks of damaging the services that help consumers, thousands of small businesses and charities, especially as they try to recover from the crisis,” the statement adds.

Although Experian argues it has made enormous efforts to improve its information security practices, the ICO said it’s still not enough. From now on, the company has a nine-month term to satisfy the regulator’s measures; if it does not comply, Experian faces a fine of up to £20m, or 4% of its global turnover, as set by the General Data Protection Regulation (GDPR).

This is the conclusion of a two-year investigation prompted by a complaint from the non-profit group Privacy International, which also involves Equifax and TransUnion; all these firms provide a way for people to check their credit score for loans and credit cards. These agencies also operate with data brokers, collecting and selling on information gathered from all kinds of sources.

The investigation concluded that the agencies had access to the data of almost every adult in the UK, which was then screened, traded, profiled, enriched, or enhanced to provide direct marketing services. The probe was limited to offline data broking, so did not include data collected about online behavior. That is being investigated by the ICO separately.

Equifax and TransUnion are not facing further actions from the British regulators as they both have already made changes, including withdrawing some products and services. The report did not specify what these products and services were. All three credit reference agencies failed to clearly explain what they were doing with people’s data, said the ICO, despite this being a GDPR requirement.

Instagram gets into serious trouble selling phone numbers and emails from underage children
https://www.securitynewspaper.com/2020/10/19/instagram-gets-into-serious-trouble-selling-phone-numbers-and-emails-from-underage-children/
Mon, 19 Oct 2020 21:45:30 +0000

Despite frequent warnings about its poor security practices, Facebook continues to accumulate complaints from its users and the authorities responsible for regulating these activities. The latest scandal comes from the Irish Data Protection Commission (DPC), from where they report that Instagram may be leaking sensitive information from minors.

These allegations gained strength after David Stier, a U.S. data scientist, published research stating that the platform had not implemented any mechanism to prevent data from children under the age of 18 from being accessible to third parties. Stier mentions that the platform arbitrarily changed the configuration of multiple accounts operated by minors, turning them into business accounts. It should be remembered that Instagram business accounts should make their contact details visible on the profile, which could have exposed millions of children and teens.

Facebook has already spoken out, considering that the researcher has taken this incident out of context because it is always users who choose the type of settings of their accounts; an option has even been added for users of business accounts to decide whether they want to show their contact details or prefer to hide this information.

Although the regulatory authority has made no mention of Stier’s findings, two new investigations were confirmed into how Instagram processes confidential data of minors: “The DPC has been monitoring complaints related to this topic, which will require careful analysis of Instagram,” a statement from the authority says.

The General Data Protection Regulation (GDPR) includes specific provisions related to the processing of information of minors, which states that only those over the age of 13 can consent to their data being processed by an online platform.

Non-compliance with GDPR rules may result in penalties of up to 4% of the offending company’s annual worldwide turnover; in the case of Facebook, it means that any fine for violating the regulation could represent billions of dollars in losses for the world’s largest social media platform.

$41 million USD fine to H&M for breaching GDPR and spying on the personal lives of 126,000 employees worldwide
https://www.securitynewspaper.com/2020/10/02/41-million-usd-fine-to-hm-for-breaching-gdpr-and-spying-on-the-personal-lives-of-126000-employees-worldwide/
Fri, 02 Oct 2020 17:13:43 +0000

A subsidiary of Hennes & Mauritz (H&M), one of the world’s largest clothing sales companies, has received an unusual fine for breaching the stipulations of the European Union General Data Protection Regulation (GDPR).

The Hamburg Data Protection Authority (HMBBFDI) decided to fine the company 35.2 million euros due to the “excessive use” of the data of its more than 126,000 employees worldwide. This is the highest fine that has been imposed on a company for activity related to mishandling of employee data.

After a data leak that occurred due to a failure in the implementation of H&M’s online storage, HMBBFDI initiated an investigation in which it was discovered that the company stored large amounts of confidential information from its users, including information extracted from its social networks, medical records, financial details, among other data. 

It appears that this information was also collected during conversations between employees and supervisors in the company’s stores and even during the welcome talks held after the period of social estating. As a result, the authority determined that H&M violated the human rights of its employees.

A spokesman for the company publicly apologized to employees, and announced financial compensation for all those affected. This incident was revealed at a particularly difficult time for the company, which has announced the closure of more than 250 stores worldwide that will be completed in 2021.

Currently the firm has about 5,000 stores worldwide, although nearly 200 remain closed as part of measures to combat coronavirus. The increase in online shopping also seems to have prompted the company in its decision to close some branches.

Telecom companies will share users’ location data with government to track users visiting hospitals
https://www.securitynewspaper.com/2020/03/30/telecom-companies-will-share-users-location-data-with-government-to-track-users-visiting-hospitals/
Mon, 30 Mar 2020 17:19:09 +0000


A new strategy to combat the pandemic will be implemented in the near future. According to instructors in a GDPR course, European Union member countries will begin to take the measures established by some Asian countries on mobile data sharing in order to track some cases of coronavirus, without detaching themselves from European data protection legislation.

According to a report by the GSMA lobbying group, telecommunications companies have decided to share user location data with European authorities. Companies that have decided to join this initiative include:

  • Vodafone
  • Deutsche Telekom
  • Orange
  • Telefonica
  • Telecom Italia

GDPR course specialists have pointed to the possibility of the government starting to use the technology to monitor the activities of quarantined users and track new coronavirus outbreaks, which would represent an increase in government surveillance activities.

In recent statements, a representative of the European Commission mentioned that user location data will be used to track users moving to hospitals in order to identify some metrics about the spread of the virus. Furthermore, the Commission states that this information will be handled anonymously: “We do not seek to centralize user information or monitor people.”

It should be noted that anonymous data is not covered by the EU’s General Data Protection Regulation (GDPR). Although the Commission assures that these measures do not violate this legislation in any way, some clarifications need to be made: “The Commission must clearly define what information it will be collecting, in addition to ensuring that this measure is applicable only until the pandemic passes,” the experts of the GDPR course consider.

The International Institute of Cyber Security (IICS) considers that the main concern regarding this measure is the possibility that it will be implemented on a permanent basis, so this decision should not be abandoned.

Countries such as Singapore and Taiwan are using various methods to collect information on coronavirus outbreaks, with data centralization being the main one, although data protection legislation in these territories is less forceful or, in multiple cases, non-existent.

How to protect your small business from privacy breaches and GDPR fines https://www.securitynewspaper.com/2020/03/23/how-to-protect-your-small-business-from-privacy-breaches-and-gdpr-fines/ Mon, 23 Mar 2020 18:48:31 +0000

Although almost two years have passed since the entry into force of the European Union’s General Data Protection Regulation (GDPR), the implementation of the appropriate measures for compliance keeps generating confusion and even some myths, mainly for small businesses, including those that rely on the advice of experts in IT security services.

To help resolve some of the most frequent questions on the subject, here are some clarifications, presented from the experience of multiple small companies, nonprofits and charities.

Only large companies, such as Google or Facebook, must comply with the GDPR: Although tech giants are primarily responsible for securing our personal information, data protection is the responsibility of any company or organization, which must properly safeguard any confidential user and employee information.

Non-governmental organizations (NGOs) and small businesses should review their existing data protection policies and update all necessary points to ensure that their current information handling policy complies with GDPR requirements for the collection, storage, protection and destruction of personal data and storage systems.

The implementation of general policies is sufficient to comply with GDPR: Although multiple public organizations, firms and IT security services specialists agree on most points to be met by companies and NGOs in terms of data protection, it is critical that each organization analyze its own infrastructure, resources and expertise to find the best way to adapt to the legislation.

Consent does not exempt companies from further improvement: Many companies mistakenly believe that users cannot disagree with their data collection policies after they have consented to this process. In addition, companies must remember that consent must be freely granted, in an informed, specific and explicit manner, and that it may be withdrawn at any time.

Charities must also adjust: It is true that some NGOs are not subject to GDPR compliance, although this exemption is reserved only for organizations that process only information from their members or beneficiaries.

This is different when talking about organizations working with other companies or beneficiaries. In these cases, NGOs must register with the country’s data protection authority, as mentioned by the IT security services specialists.

GDPR compliance never ends: Information security is an ever-moving world, so small and medium-sized enterprises, plus nonprofits, must conduct consistent security assessments on an ongoing basis to ensure that their policies and procedures are not overtaken by reality, which would make them easy prey for threat actors. According to the experts of the International Institute of Cyber Security (IICS), this update work must be carried out at least every two years.
