This Week in Data Breaches: British Airways Faces $230 Million GDPR Fine

From news of the UK’s Information Commissioner’s Office slapping British Airways with a $230 million fine for its 2018 data breach to startling new reports of Chinese state surveillance, here we round up the latest in data security and privacy news.

British Airways Faces $230 Million Fine for 2018 Data Breach

British regulators announced on Monday that they plan to hit British Airways with a $230 million fine for a data breach last year that exposed the records of over 500,000 passengers. The fine, brought by the UK’s Information Commissioner's Office (ICO), will set a new record for the largest fine under the European Union’s new General Data Protection Regulation (GDPR), which went into effect in May 2018.

The data breach occurred between June and September of last year, as poor cybersecurity practices allowed hackers to divert British Airways website visitors to a fraudulent website that then collected names, addresses, login credentials, credit card information, and travel bookings on over 500,000 customers.

In a statement, Information Commissioner Elizabeth Denham said, “People’s personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear - when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Orvibo Leaks Billions of Smart Home Device Records

Last week, a team of security researchers at vpnMentor found yet another massive user database unprotected online. The database, which belonged to Orvibo, a Chinese smart home device maker left 2 billion smart home records exposed without password protection. The logs included usernames, email addresses, passwords, and location data.

The breach has major implications for the privacy and security of millions of smart home device users across the globe. In a blog post, vpnMentor said, “The data breach affects users from around the world. We found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.”

Included in the leak was precise geolocation data, down to the exact longitude and latitude coordinates, giving anyone the ability to pinpoint exactly where a device was, and to whom it belonged, and gain unauthorized access to it. All of which would have made for easy account takeover by any nefarious actors who came across the unprotected database.

Leaks of this magnitude, especially those involving smart home devices, pose an enormous privacy risk for the millions of users who have turned to internet-connected devices to enhance the security of their home or business. As smart home systems have come under increased attack, it is more important than ever that consumers weigh the trade-offs associated with internet-connected devices, which often entail a wide range of security vulnerabilities.

Largest Financial Cooperative in North America Exposes Personal Information of Millions in Massive Data Leak

Desjardins Group, a Canadian federation of credit unions and the largest financial cooperative in North America, disclosed last month that an employee illegally exposed the personal data of 2.9 million customers in a massive data leak.

The leaked information included customers’ names, birth dates, social insurance numbers, email addresses, phone numbers, street addresses, and banking habits. The company said that passwords, security questions, and PINs were not compromised and that it has not seen a spike in fraud cases involving members’ accounts.

In a statement, Desjardins said, “The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer...In light of these events, additional security measures have been put in place to ensure all our members’ personal and financial data remains protected.”

China Secretly Installing Surveillance Apps on Tourists’ Phones

As reported by the Guardian and the New York Times, Chinese border police have been secretly installing surveillance apps on the phones of tourists who cross into the remote Xinjiang region of China through Krygyzstan. The spyware then extracts emails, contacts, and texts in an effort to screen visitors to the region, which has come under increased state surveillance for its large Muslim population.

According to the Guardian, “Border guards are taking their phones and secretly installing an app that extracts emails, texts and contacts, as well as information about the handset itself. Tourists say they have not been warned by authorities in advance or told about what the software is looking for, or that their information is being taken.”

China has deployed a wide-range of intrusive surveillance technologies in the region over the past year, leading the New York Times to call Xinjiang “an incubator for increasingly intrusive policing systems that could spread across the country and beyond.” From facial recognition to phone location tracking, China’s sophisticated use of technology to curb anonymity and autonomy in the region is alarming and poses fundamental questions about the privacy of individuals in the digital age.

Bloom: Take Back Control of Your Data

At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.

It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!