This week, we discuss a disgruntled former student hacking Greenwich University, the exposure of 154 million American voters’ unprotected personal information, and answer listeners’ questions on data protection legislation.
Hello and welcome to the IT Governance podcast for Friday, 24th June. Here are this week’s stories.
Greenwich University has suffered its second data breach of the year after “A hacker claiming to be a disgruntled former student gained access to the university’s website […] and stole personal data,” according to the Evening Standard. The compromised data, which was posted on the dark web, included students’ full names, contact details and passwords, coursework results and feedback, and confidential medical information. Analysts have confirmed that more than 21,000 email accounts were affected. In a message posted to the university’s website, the hacker said: “So due to my elite skills and e-fame, you guys decided to kick me out of University because you couldn’t handle the beast. In response to this, I’ve used the skills I’ve obtained to show you how good I actually am. Please let me come back.” The ICO is investigating. I, for one, doubt ‘the beast’ will get to complete his degree.
An unprotected database “containing the profiles for 154 million American voters” has been discovered online. Security researcher Chris Vickery, who found the database, reports that it was hosted on Google’s Cloud, and was “configured for public access with no username, password or other authentication required.” The exposed information – including voters’ names, ages, genders, marital status, addresses, education and ethnicity, as well as their stance on gay marriage and abortion – was exposed by a client of data brokerage firm L2. L2’s CEO Bruce Willsie told Vickery that the database was a year-old copy of the national file. According to Willsie, the client claimed to have been hacked – a claim that Vickery says he is taking with a grain of salt. Note the distinction: a database that anyone on the internet can read without credentials is a misconfiguration, not an intrusion, and it is the sort of thing you can audit for yourself before a researcher finds it.
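“Configured for public access” on Google Cloud usually means a resource’s IAM policy grants a role to the principals allUsers (anyone on the internet) or allAuthenticatedUsers (anyone with a Google account). The script below is an added example written for this episode, not code from the podcast, from L2 or from Chris Vickery: it audits an IAM policy document in Google’s JSON shape for those two principals and produces a cleaned copy with them removed. The sample policy is constructed for illustration; the principal names and the bindings/role/members layout are Google Cloud’s real conventions, but nothing here queries a live project.

```python
"""Audit a Google Cloud IAM policy for grants to public principals.

Added example, not code from the podcast or from any party in the story.
SAMPLE_POLICY is constructed for illustration.  "allUsers" and
"allAuthenticatedUsers" are Google Cloud's real identifiers for
"anyone on the internet" and "anyone signed in to a Google account".
"""
import copy
import json
from typing import Dict, List

# Either of these principals makes the bound role world-reachable.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the JSON shape returned by
# `gcloud ... get-iam-policy --format=json` or `gsutil iam get`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:analyst@example.com"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers", "group:team@example.com"]},
    ]
}


def public_grants(policy: dict) -> Dict[str, List[str]]:
    """Return {public principal: [roles granted to it]}.

    Conditional bindings (those carrying a "condition" key) are still
    reported: a condition narrows *when* the grant applies, not *who*
    holds it, so a conditional allUsers grant is still public.
    """
    found: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.setdefault(member, []).append(role)
    return found


def is_public(policy: dict) -> bool:
    """True if any role is granted to a public principal."""
    return bool(public_grants(policy))


def remove_public_grants(policy: dict) -> dict:
    """Return a deep copy of the policy with public principals stripped.

    Bindings left with no members are dropped rather than kept empty.
    The input policy is not modified, so the caller can diff old vs new
    before applying the cleaned version with set-iam-policy.
    """
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


def audit_policy_json(text: str) -> Dict[str, List[str]]:
    """Convenience wrapper: audit a policy given as a JSON string."""
    return public_grants(json.loads(text))


if __name__ == "__main__":
    grants = public_grants(SAMPLE_POLICY)
    for principal, roles in grants.items():
        print(f"PUBLIC: {principal} holds {', '.join(roles)}")
    print(json.dumps(remove_public_grants(SAMPLE_POLICY), indent=2))
```

To run it against a real resource, export the policy first (for example `gcloud projects get-iam-policy PROJECT --format=json` or `gsutil iam get gs://BUCKET`), feed the file to audit_policy_json, and only apply the cleaned policy after reviewing the diff. Bear in mind that IAM is only one way a cloud-hosted database ends up open: a self-managed database server listening on a public address with no authentication of its own, which is what a “no username, password or other authentication” finding often turns out to be, will not show up in an IAM policy at all and needs a port and configuration review instead.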
Regular listeners will know that I’ve invited you to tell me what you want this podcast to cover. And we’ve had another question!
After I discussed the EU General Data Protection Regulation, Madeupname Jr (no relation) asked: “What other regulations are there for different areas of the world? The EU has the GDPR – what about America, Australia, Canada, China, Japan etc.?”
Blimey. That’s a very broad question, Madeupname Jr. We’d still be here next week if I told you about every single data protection law and regulation from around the world. I can, however, address a few of the specific ones you mention:
The USA has hundreds of state laws relating to data protection (California alone has more than 25), plus a range of sector-specific laws, including the Health Insurance Portability and Accountability Act (HIPAA), which applies to the healthcare industry, the Federal Information Security Management Act of 2002 (FISMA), which applies to federal agencies, and the Gramm-Leach-Bliley Act (GLBA) 1999, which applies to the financial sector. You can find information on all of them on our US site, itgovernanceusa.com.
Australia’s legislation affecting data protection is led by the federal Privacy Act 1988, most significantly amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. States and territories also have their own data protection legislation, including the Australian Capital Territory’s Information Privacy Act 2014; the Northern Territory’s Information Act 2002; New South Wales’s Privacy and Personal Information Protection Act 1998; Queensland’s Information Privacy Act 2009; Tasmania’s Personal Information Protection Act 2004; and Victoria’s Privacy and Data Protection Act 2014.
Canada has 28 laws that relate to data protection, principal among which is the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organisations “collect, use or disclose personal information in the course of commercial activities. PIPEDA also applies to federal works, undertakings and businesses in respect of employee personal information.”
For further information about international data protection laws, I recommend DLA Piper’s Data Protection Handbook. This is where I tend to begin my research. I hope this points you in the right direction.
Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you want to hear more of. And until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.