
Record data breach fines issued

Publish date: 23 January 2019
Issue Number: 1765
Diary: Legalbrief eLaw
Category: Governance

The French data protection watchdog CNIL has fined Google a record €50m for failing to provide users with transparent and understandable information on its data use policies. According to a report in The Guardian, for the first time, the company was fined using new terms laid out in the pan-European general data protection regulation. The maximum fine for large companies under the new law is 4% of annual turnover, meaning the theoretical maximum fine for Google is almost €4bn. The fine was levied, CNIL said, because Google made it too difficult for users to find essential information, ‘such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation’, by splitting them across multiple documents, help pages and settings screens. That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads. Additionally, the watchdog found that even when user consent was collected, it did not meet the standards under GDPR that such consent be ‘specific’ and ‘unambiguous’, since users were not asked specifically to opt in to ad targeting, but were asked simply to agree to Google’s terms and privacy policy en masse. CNIL justified the large fine by noting that the violations were continuous, and still occurring. Dr Lukasz Olejnik, an independent privacy researcher and adviser, said the ruling was the world’s largest data protection fine. ‘This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of the GDPR decade,’ he said.

Full Premium Times report

The body behind the operation of several hospitals and other health institutions in Singapore and the city state's central national IT agency for the public healthcare sector have been fined $739 000 over data security failings that enabled a hacker to access the personal data of nearly 1.5m people. A report on the Out-Law site notes that the Personal Data Protection Commission of Singapore imposed separate fines on SingHealth and Integrated Health Information Systems (IHiS) in a case the watchdog described as ‘the worst breach of personal data in Singapore’s history’. It said both SingHealth and IHiS were responsible for failing to make reasonable security arrangements to protect personal data of individuals, in breach of their obligations under Singapore's Personal Data Protection Act. ‘These are record fines and reflect the magnitude of the breach and more importantly the findings of the inquiry committee,’ said technology law expert Bryan Tan. Details of the ‘deliberate, targeted and well-planned cyber attack’ were made public in July 2018.

Full report on the Out-Law.com site

More than 770m e-mail addresses have been discovered in a database allegedly used by hackers, a security researcher has revealed. Cybersecurity expert Troy Hunt said a list of more than 2.6bn records containing about 773m unique e-mail addresses and more than 21m unique passwords was being shared on a ‘popular hacking forum’. A Tech Central report notes that Hunt said his initial analysis of the data, which has been dubbed Collection #1, found it had been compiled from more than 2 000 different data breaches and hacked databases or websites, and confirmed that some of his own personal information had also appeared in the lists. Hunt said his research on the list suggested about 140m of the e-mail addresses had not appeared in previous breaches and were therefore newly exposed details. He warned the lists could be used by hackers to carry out ‘credential stuffing’ attacks, where hackers take lists of user names and passwords and enter them on a range of other platforms to try to force access to different user accounts.

Full Tech Central report
