"Application Security Meetup - Data Privacy": hear about data protection and privacy in modern times, recent cyber fraud attacks and data theft, and practical methods of implementing data protection in the development life cycle.
5. Cyber Fraud Predictions for 2021
● Constant automated attacks: hackers will increasingly turn to automated methods, including scripted account creation (using fraudulent information to automate account creation) and credential stuffing (using stolen data from a breach to take over a user's other accounts), to make cyberattacks and account takeovers easier and more scalable than ever before.
● Putting a face to Frankenstein IDs: synthetic identity fraud, where a fraudster uses a combination of real and fake information to create an entirely new identity, is currently the fastest-growing type of financial crime.
● Social media will continue to be weaponized for social engineering.
https://www.securitymagazine.com/articles/94313-fraud-predictions-for-2021-and-beyond
13. Impersonation fraud
5. Voice impersonation (AI)
https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402
Criminals used artificial intelligence-based software to impersonate a chief executive's voice and demand a fraudulent transfer of €220,000 ($243,000) in March 2019, in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.
The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm's German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour.
17. Founder: Yuli Stremovsky
● Previous significant role: CTO of the Kesem.IO blockchain payments startup.
● Hands-on cybersecurity architect and technology blogger.
● Filed a security vulnerability report on Microsoft Azure Active Directory that revealed a privacy bug.
● Founder of the database security company GreenSQL (Hexatier), which helped companies become PCI compliant. The company was acquired by Huawei and is now part of Huawei Cloud.
● Various roles at RSA Security and Check Point.
● https://www.linkedin.com/in/stremovsky/
18. What is a data subject?
● Your customer / user / marketing lead.
● It can be your employee.
● A natural person.
Note: the data subject is the data owner.
Related terms:
● Data Subject Request (DSR).
● Data Subject Access Request (DSAR).
19. Controllers vs Processors
Controllers:
● End-user-facing services.
● Collect personal data.
● Direct relationship with the data subject.
Example: ecommerce company, bank.
Processors:
● Process data on behalf of controllers.
● A processor company is itself considered a controller for its own marketing leads.
Example: Mailchimp, credit card processing.
Note: individuals can bring claims for compensation and damages against both controllers and processors.
20. Personal data / PII
● PII: Personally Identifiable Information.
● Personal data is any information that relates to an identified or identifiable individual.
● Strong identifiers, e.g. user name, email address, telephone number, SSN.
● Weak identifiers, e.g. browser information, IP address, cookie name.
● As in triangulation, a combination of weak identifiers can lead us to a user.
● Both strong and weak user identifiers are PII.
21. Personal Data Processing
Processing covers a wide range of operations performed on personal data, by manual or automated means, including:
● Collection
● Recording
● Organisation
● Structuring
● Storage
● Adaptation or alteration
● Retrieval
● Consultation
● Use
● Disclosure by transmission
● Dissemination or otherwise making available
● Alignment or combination
● Restriction
● ...and more
22. Legal bases for processing personal data
1. Consent
2. Contract
3. Legal obligation
4. Vital interest
5. Public task
6. Legitimate interest
23. GDPR Principles
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Accuracy
4. Integrity and confidentiality (security)
5. Accountability
6. Storage limitation
7. Data minimisation
25. Deutsche Wohnen SE was almost fined €14.5 mln
1. Over-retention of personal data.
2. First, the data controller did not have a legal ground to store personal data longer than was necessary.
3. Second, this was considered an infringement of the data protection by design requirements under Article 25(1) GDPR.
4. Finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
https://www.dataprotectionreport.com/2019/11/first-multi-million-gdpr-fine-in-germany-e14-5-million-for-not-having-a-proper-data-retention-schedule-in-place/
26. Privacy by design
● Proactive and preventive
● Privacy by default
● Embed in the design
● End-to-end security
● Visibility and transparency
● Respect user privacy
The Databunker open-source tool was built to serve as a cornerstone for your privacy by design solution.
27. 1&1 has been fined €9.55 mln
1. Failing to put "sufficient technical and organizational measures" in place to protect customer data in its call centers.
2. Callers to its call center could obtain customer information by simply providing a name and date of birth, which meant that customers' personal information was not properly safeguarded.
3. GDPR Article 32: companies are obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.
https://www.techradar.com/news/1and1-hit-with-million-euro-gdpr-fine
28. GDPR user rights
● Right to be informed
● Right of access
● Right to rectification: fix incorrect personal data
● Right to erasure: forget me
● Right to restrict processing
● Right to data portability
● Right to object
● Rights related to automated decision making, including profiling
Databunker has an API and UI to automate most of these user requests.
30. How to make your service logs GDPR friendly
● Limit PII to what is actually required.
● Comply with data subject forget-me requests:
  a. Set log retention to 1 month, or
  b. Use pseudonymisation, or
  c. Encrypt PII inside log events, or
  d. Manually remove the user's logs.
● Where a legal obligation applies, for example government requirements to keep payment details for 5-10 years, retention can be as long as required.
31. Cross border personal data transfer
● From the EU to the USA: the Privacy Shield framework was invalidated on July 16, 2020 (the CJEU's Schrems II ruling).
● Companies now need to use standard contractual clauses (SCCs or "model clauses").
● The European Data Protection Board (EDPB) guidelines (2020) give a few examples of supplementary measures, including pseudonymisation.
32. Reporting a breach
● In case of a breach, a company has 72 hours from becoming aware of it to report to the authorities.
● Sometimes you also need to report to the individual users, the victims.
● Consult your lawyers first.
33. Twitter has been fined €450,000
1. Due to late breach notification.
2. GDPR Article 33: organizations have 72 hours for breach notification.
3. Twitter was not fined for the data breach itself.
https://www.pinsentmasons.com/out-law/news/twitter-gdpr-dispute-resolved-by-edpb
35. Google has been fined €100 mln
1. The company was setting cookies before obtaining user consent and without giving users an opportunity to refuse.
2. Upon their visit to a website, users should be shown a cookie banner setting out the explicit purposes for which cookies are used and mentioning the possibility of disabling or opposing these cookies and changing the parameters by way of a link included in the banner.
https://privacyinternational.org/news-analysis/4347/cnil-fines-google-and-amazon-unlawful-use-cookies
36. Cookie popup 2
● Optional categories must be unchecked by default.
● Make sure advertising and similar code is executed only after approval.
37. Google has been fined £44 mln
1. Google had not obtained clear consent to process user data (for ads personalisation).
2. The option to personalise ads was "pre-ticked" when creating an account, which did not respect the GDPR rules.
https://www.bbc.com/news/technology-46944696
38. CCPA vs GDPR
                          GDPR             CCPA
Right to be deleted       Yes              Yes
Right of access           Yes              Yes
Extraterritorial scope    Any company      Big companies only
PII sale                  Prior consent    Opt out