Exploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

“Generally if it was an extremely large company — especially tech ones — they tended to do really well,” he told the BBC.

“Small companies tended to ignore me.

“But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner’s overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother’s maiden name and the results of a criminal background check survey.

Why Isn’t GDPR Being Enforced?

Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.

Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.

Now, data-privacy experts and regulators in other countries alike are questioning Ireland’s commitment to policing imminent privacy concerns like Facebook’s reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, and Google’s sharing of information across its burgeoning number of platforms.

An Argument that Cybersecurity Is Basically Okay

Andrew Odlyzko’s new essay is worth reading — “Cybersecurity is not very important”:

Abstract: There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes. This continuing general progress of society suggests that cyber security is not very important. Adaptations to cyberspace of techniques that worked to protect the traditional physical world have been the main means of mitigating the problems that occurred. This “chewing gum and baling wire” approach is likely to continue to be the basic method of handling problems that arise, and to provide adequate levels of security.

I am reminded of these two essays. And, as I said in the blog post about those two essays:

This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data.

Hey Belfast, Imperva’s Moving Into The Neighborhood

As a local, I’m very excited to be Imperva’s first Belfast hire, in charge of spinning up the operation in our new European location.

Imperva provides best-in-class data and application security solutions on premises, in the cloud, and in hybrid environments. As we position ourselves for the next phase of our growth, it makes sense that we do this on an increasingly international level.

And what better place to take the next step than Northern Ireland? With its growing wealth of cybersecurity talent, proximity to the U.S. and the rest of Europe, and educational caliber, the move to Belfast feels very natural.

Positioned in a center of technological talent, our Belfast office will benefit from local educational institutions such as Queen’s University and Ulster University as well as the skills and professional experience of the local workforce. The investment in Northern Ireland will allow Imperva to tap into international resources and join the ranks of other cybersecurity companies expanding their presence in Belfast.

Tapping into the local job market

With the support of Invest Northern Ireland, Imperva is committed to creating 220 local jobs over a three-to-five-year period, providing invaluable expertise and experience with Imperva’s cutting-edge technologies.

Initial hiring is focused on openings in customer success — tech support, customer success management, and managed services — as well as product development — site reliability, full-stack Java engineers and security researchers — across a range of experience levels, from those who have recently graduated from relevant university courses to seasoned IT professionals.

The Belfast location affords Imperva the opportunity to build our brand and enhance our global customers’ experience as we deliver compelling, comprehensive solutions to keep customers’ data and applications safe from cybercriminals. We’re excited to be in Belfast and are very much looking forward to playing an active role in the local technology ecosystem.
