What can Eurovision teach us about data privacy?
Meta receives a record-breaking fine from the EU. Is Tesla next? Privacy professionals are doing quite well for themselves. Nearly 60% of firms hit by GDPR-related breaches in the last five years.
Subscribe to FILED Newsletter
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Meta receives a record-breaking fine from the EU. Is Tesla next?
- Privacy professionals are doing quite well for themselves.
- Nearly 60% of firms hit by GDPR-related breaches in the last five years
But first: what does Eurovision have to do with data privacy?
If you only read one thing
Eurovision: a spectacular show and a spectacular example of privacy regulation's limitations
It was Eurovision 2023 last month (congratulations to Sweden). Naturally, the spectacle got us thinking about data privacy, data regulation, and the need for organizations to be more explicit about using our sensitive data.
If you're unfamiliar with the Eurovision Song Contest, this is an annual songwriting contest where participating countries submit original songs to be performed live and broadcast worldwide.
This year's Eurovision was held in the United Kingdom on behalf of Ukraine, which won the competition last year but understandably could not fulfill its hosting duties. As a result, cybersecurity concerns were top of mind during the competition, as pro-Russia hackers attempted to disrupt the event. Businesses were advised to stay vigilant and spectators to be on the lookout for fraud attempts.
Another potential attack vector: Eurovision voting. Eurovision winners are decided by a combination of competing countries' votes and a paid public vote. This year saw votes received from 144 countries: 37 participating countries and 107 non-participating countries. A lot of people voted, and each time they did, they offered up a lot of data. Operating in such a risky environment, what could voters have done to ensure their data was handled carefully?
Bringing privacy into a clearer view
Eurovision partnered with technology provider Digame to run the public vote. Digame in turn partnered with broadcasters around the world to provide voting to their citizens. Each of these regions received its very own privacy policy (listed here). Let's pretend we're privacy-aware, sensible citizens who care about privacy and review the privacy policy.
The first thing that stands out: to verify your identity when voting, you must provide payment data, including your name, email, and credit card information. Seems a bit heavy-handed given the sensitivity of the information, right? There are undoubtedly other ways to verify identity.
But let's accept that this was somehow necessary for this purpose. What then?
Then what?
The credit card data was probably used only for verification purposes and then immediately deleted. But we don't know that for sure because they weren't clear. And given the importance of the data at issue, we need to operate on more than assumptions.
Other key questions remain unanswered. The privacy policy focuses on why and how data will be used, but says nothing about how it will be stored, and how it will be treated while it is present in their systems. Recent data breaches show the importance of understanding where and how data is stored, and who has access to it.
I believe you should only offer data when it delivers a return. There is always a trade-off, and users must ensure the risk is worth the reward. In this case, operating on limited information, a rational user would have decided not to take the risk and hand over the credit card data.
By all accounts, SBS, Digame, and Eurovision were following applicable regulations. But as citizens and consumers, we deserve more information. Focusing on how organizations "use" our data is only part of the story; we need to push for organizations to go beyond this and come clean about what happens next.
🤫 Privacy and governance
Meta was fined €1.2bn for mishandling user information, a record fine under the General Data Protection Regulation (GDPR). Meta infringed GDPR by continuing to transfer EU user data to the US without proper safeguards. The company must cease such transfers for its Facebook platform within the next five months.
A whistleblower leaked 100GB of data from Tesla, including sensitive data from customers, employees, and business partners. The leaked data includes the social security number of founder Elon Musk, as well as private email addresses, phone numbers, employee salaries, and customer bank details. Such a breach would violate the GDPR, which could lead to a fine of 4% of annual sales ($3.5 billion).
In Australia, the Northern Territory government is being criticized for breaching the privacy of thousands of public health patients by sending identifiable medical records to a software vendor with offices in Europe, South America, and China. Cybersecurity experts say sending identifiable patient data in such a way raised the possibility it could be hacked and should never have occurred.
TikTok employees regularly share user information in an internal chat app, which can also be accessed by China-based ByteDance employees. Proponents of a TikTok ban will use this as evidence to propose a crackdown on the company. Still, it's also worth remembering this kind of casual sharing of PII is common behavior in every modern company.
TikTok stored the sensitive financial data of its biggest creators in China, contradicting congressional testimony from its CEO. This behavior is not quite as common for every modern company.
Confidential drug and alcohol test results of graduate paramedics at Ambulance Victoria, in Australia, were made available for all employees to view in what was described as an "inadvertent process issue."
The average privacy role pays US $146,200, though if you are a Chief Privacy Officer, you can expect about US $206,000, according to the annual IAPP Privacy Professionals Salary Survey. It's a satisfying field, with 86% of respondents reporting they were satisfied and 61% selecting a score above eight out of 10, where 10 is extremely satisfied. It must be nice!
🔐 Security
New England health insurer Point32Health was hit with a data breach that affected current and former customers. The insurer, which has 1.1 million members, said the information accessed may contain personal or protected health information.
Cybersecurity researchers who infiltrated the Qilin ransomware-as-a-service group (RaaS) shared details on how the gang rewards' affiliates' for attacks. Affiliates take home 80% of ransom payments that are $3 million or less. For ransom payments above $3 million, affiliates get 85% of the payment. Easy money!
German arms company Rheinmetall confirmed it had been hit by a cyberattack in April, though stressed the attack only affected its civilian operations, which used separate IT infrastructure to its military business. The company has been a critical part of the war in Ukraine.
📣 The latest from RecordPoint
.png)
🎥Watch: RecordPoint CEO Anthony Woodward and VP of Engineering Josh Mason discuss how information security professionals can minimize the impacts of a data breach through proper data management and preparation.
