Top infosec trends in the media spotlight this week.

There was mild celebration this week, after everyone’s favorite credit reporting agency, Equifax, was slammed with a fine by the UK’s Information Commissioner’s Office (ICO) for the 2017 security breach on its systems.

The £500,000 (around $379,000) penalty, however, which was issued on behalf of the 15 million Britons affected by the incident, was met with some eye rolls, as some doubted the fee would be able to persuade a billion-dollar company to start taking consumer data seriously.

Equifax, the ICO said, was found to have taken insufficient steps to manage the sensitive information of its clients, including the particularly worrying move to store plaintext passwords in an easily accessible testing environment.

“Equifax has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said Information Commissioner Elizabeth Denham, noting that Equifax was liable under the UK’s Data Protection Act, and not the General Data Protection Regulation (GDPR), since the cyber-attack had occurred before its implementation.

In fact, the ICO hasn’t issued any fines under the new EU legislation, despite the increase in reported data breaches since the law came into force on May 25.

The ICO, a non-revenue generating body, urged businesses to review its breach reporting guidelines, saying that many had been overzealous in their notifications, while others often submitted incomplete or inaccurate reports.

But the data protection watchdog has issued its first formal GDPR notice, giving Canadian analytics firm AggregateIQ some time to appeal before having to pay a potentially astronomical fine for misleading people on how collected data was being used.

Stateside, data breach retribution also hogged the spotlight this week, following the lawsuit settlements related to the 2014 data breach at Yahoo.

Writing to shareholders, Thomas McInerney, Altaba CEO in charge of Yahoo business, said that he expected the litigation damages from the incident, which affected millions, to reach a whopping $47 million.

“We have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach. We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval),” McInerney said, expecting his company to resolve the three cases and continue to strive for a more transparent and honest company mandate.

In addition, Yahoo has received a $35 million fine from the US Securities and Exchange Commission (SEC), but security lessons from American federal agencies appeared to take a bit of a downturn on Monday, when the State Department (DOS) announced a breach of its very own.

The security incident, first reported by Politico, compromised a DOS email system and potentially exposed the personally identifiable information of a small number, approximately 1%, of employees, sparking a full review of the agency’s internal systems.

The DOS reminded its employees that cybersecurity was a job for everyone, and to limit the amount of sensitive information shared over email. The agency also, notably, offered three years of free credit monitoring to those affected.

And speaking of regaining professionalism, Linux creator Linus Torvalds apologized this week for his ill-mannered behavior, which had become notorious in the kernel community for its toxicity.

In an open letter, the notoriously short-tempered and often callous software engineer said that he would be taking a break from the open-source project, admitting that he was ready to reflect and work to improve the ways he conducted business and interacted with other people – an admission that was, mostly, welcomed.

The letter comes off the back of the annual Linux Kernel Maintainers’ Summit, which Torvalds had rescheduled last minute to suit his vacation plans.

Torvalds said: “I am not an emotionally empathetic kind of person and that probably doesn’t come as a big surprise to anybody. Least of all me. The fact that I then misread people and don’t realize (for years) how badly I’ve judged a situation and contributed to an unprofessional environment is not good.”