Data Privacy Weekly: Your Industry News Series

01. French Ad Tech Firm Fined €40M for GDPR Breach

French ad tech firm Criteo has been fined €40 million by the French privacy regulator, CNIL, for breaching the GDPR. The company was found to have tracked users via website cookies without valid consent and to have failed to adequately inform them about how their data was being processed. CNIL's investigation was prompted by complaints from civil rights organizations.

Criteo plans to appeal the fine, arguing that it uses pseudonymized and non-sensitive data in its activities and that CNIL’s claims are inconsistent with legal rulings. The violations are estimated to have impacted 370 million users in Europe.


02. Patient Information Compromised in Kentucky-based Firm’s Cybersecurity Incident

Kentucky-based firm iHealth Solutions, also known as Advantum Health, will pay $75,000 to federal regulators to settle a 2017 incident in which patient information was exfiltrated from an unsecured network server, affecting 267 individuals. The Department of Health and Human Services (HHS) found that iHealth had not conducted a comprehensive security risk analysis.

As part of the settlement, iHealth will implement a corrective action plan, including conducting a thorough security risk analysis and developing a risk management plan. HHS will monitor iHealth’s compliance for two years.

03. Massive Data Leak Exposes Personal Details of Thousands from US Auto Insurance Comparison Site RateForce!

RateForce, a US auto insurance price comparison site, has suffered a massive data breach exposing the personal information of thousands of individuals. The breach involved an unsecured, publicly reachable database containing scans and images of documents such as driver's licenses, insurance cards, and vehicle registrations. It was discovered by a security researcher who contacted the insurer, USA Underwriters, but initially received no response.

The database was eventually secured with the insurer's help, and it emerged that a third-party vendor, RateForce, owned it. The case highlights the risk that vendors introduce into a data supply chain and the need for robust security controls on their side, not just the insurer's.


04. NSA and CISA Join Forces to Shield Your Software

The NSA and CISA have released guidelines to secure CI/CD environments against cyberattacks. Recommendations include minimizing long-term credentials, implementing two-person rules for code updates, securing user accounts, enforcing least-privilege policies, adopting secure code signing, implementing network segmentation, conducting regular vulnerability scanning, and integrating security measures throughout the CI/CD pipeline.

The guidance is intended to mitigate unauthorized access, supply chain compromise, and code injection attacks. It follows a Kaspersky report showing high malware infection rates in the industrial sector in 2022.
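As an added illustration of three of those recommendations (least-privilege tokens, no long-lived credentials, and immutable third-party components), the following Python linter checks a parsed GitHub Actions workflow and reports violations. It is example code written for this newsletter, not part of the NSA/CISA guidance; the two workflow definitions, the secret names it treats as long-lived, the role ARN and the all-zero placeholder commit SHA are all constructed for the demonstration.

```python
"""Lint a parsed GitHub Actions workflow against a few CI/CD hardening rules:
least-privilege GITHUB_TOKEN permissions, no long-lived cloud credentials
(use OIDC-federated short-lived tokens instead), and third-party actions
pinned to a commit SHA rather than a mutable tag.

The workflows below are constructed dicts for this example; in practice you
would load the real file with yaml.safe_load(open(".github/workflows/ci.yml")).
"""
import re
from typing import Dict, List

# Assumption: secret names that typically hold long-lived cloud credentials.
LONG_LIVED_SECRET_NAMES = (
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GCP_SA_KEY", "AZURE_CLIENT_SECRET",
)
SHA_PIN = re.compile(r"^[^@]+@[0-9a-f]{40}$")           # owner/repo@<40-hex-sha>
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def lint_workflow(wf: Dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []

    # 1. Least privilege: the token scope must be explicit and not write-all.
    perms = wf.get("permissions")
    if perms is None:
        findings.append("no top-level 'permissions': GITHUB_TOKEN falls back to the "
                        "repository default (possibly write-all); set an explicit block")
    elif perms == "write-all":
        findings.append("top-level 'permissions: write-all' grants every scope; narrow it")

    for job_name, job in wf.get("jobs", {}).items():
        if job.get("permissions") == "write-all":
            findings.append(f"job '{job_name}': 'permissions: write-all'")

        for i, step in enumerate(job.get("steps", [])):
            # 2. Immutable dependencies: external actions pinned to a full SHA.
            uses = step.get("uses")
            if uses and not uses.startswith("./") and not SHA_PIN.match(uses):
                findings.append(f"job '{job_name}' step {i}: '{uses}' is not pinned to a "
                                "commit SHA (a tag can be re-pointed by a compromised upstream)")

            # 3. No long-lived credentials: scan run/with/env for known secret names.
            blob = " ".join(str(v) for v in (
                step.get("run", ""),
                *step.get("with", {}).values(),
                *step.get("env", {}).values(),
            ))
            for name in SECRET_REF.findall(blob):
                if name in LONG_LIVED_SECRET_NAMES:
                    findings.append(f"job '{job_name}' step {i}: long-lived credential "
                                    f"secrets.{name}; use OIDC ('id-token: write') and a "
                                    "short-lived role instead")
    return findings


# Constructed weak workflow: implicit token scope, tag-pinned actions, static AWS keys.
WEAK_WORKFLOW = {
    "name": "deploy",
    "on": {"push": {"branches": ["main"]}},
    "jobs": {"deploy": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v3"},
        {"name": "Configure AWS", "uses": "aws-actions/configure-aws-credentials@v2",
         "with": {"aws-access-key-id": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                  "aws-secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
                  "aws-region": "us-east-1"}},
        {"run": "aws s3 sync ./dist s3://example-bucket"},
    ]}},
}

PLACEHOLDER_SHA = "0" * 40  # stand-in for the real commit SHA you would pin to

# Constructed hardened workflow: explicit least-privilege scope, SHA pins, OIDC role.
HARDENED_WORKFLOW = {
    "name": "deploy",
    "on": {"push": {"branches": ["main"]}},
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {"deploy": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": f"actions/checkout@{PLACEHOLDER_SHA}"},
        {"name": "Configure AWS", "uses": f"aws-actions/configure-aws-credentials@{PLACEHOLDER_SHA}",
         "with": {"role-to-assume": "arn:aws:iam::123456789012:role/example-deploy",  # constructed ARN
                  "aws-region": "us-east-1"}},
        {"run": "aws s3 sync ./dist s3://example-bucket"},
    ]}},
}


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for f in lint_workflow(wf) or ["clean"]:
            print(" -", f)
```

The checker deliberately treats a missing `permissions` block as a finding rather than assuming the repository default is read-only, since that default is a repository setting the workflow author cannot see from the file alone. The secret-name list is a heuristic; a real deployment would also enforce the two-person rule and code signing through branch protection and signed commits, which are outside what a workflow file can express.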

05. Microsoft Sounds Alarm on Rising Russian Hacker Attacks

Microsoft reveals an increase in credential-stealing attacks by the Russian state-sponsored group Midnight Blizzard (formerly tracked as Nobelium, also known as APT29), alongside continued spear-phishing by APT28. Midnight Blizzard targets governments, IT service providers, NGOs, and the defence and critical manufacturing sectors, routing its attacks through residential proxy services to obscure the originating IP addresses.

Despite being exposed in the SolarWinds compromise, the group continues to develop previously undisclosed tools and techniques. Separately, APT28 conducts spear-phishing campaigns that exploit vulnerabilities in Roundcube webmail software and a Microsoft Outlook zero-day flaw to target government and military entities in Ukraine.


Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.
