Ticketmaster fined £1.25million for security compromise (they were hacked by Magecart group, their website code was altered to steal data during payments), #GDPR breach. ~9.4m customers affected. Payment data stolen, too. ico.org.uk/media/action-w…
Third-party (chatbot provider) was breached. This spilled to Ticketmaster. Had this functionality not included on the payment site, this breach would not happen (this way, at least). Fun fact: ICO decided to enforce PCI-DSS requirements. #GDPR#ePrivacy
Ticketmaster says they were unable to use the standard subresource integrity (blog.lukaszolejnik.com/making-third-p…) to protect their site because the software changed too often (but they did not know how often). "ICO views this measure as an appropriate measure to implement" #GDPR
In sum, deployers of vulnerable software inherit and accept the risk. This case is also a model example well subscribing to how #GDPR fines are calibrated (blog.lukaszolejnik.com/everything-you…)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
The Netherlands government published its position on rules applying to security in cyberspace (cyberattacks/cyberwarfare. My short take (the dokument is v. good) government.nl/binaries/gover…
Sovereignty as a matter of rule applies to cyberspace. But it's extent is not clear. Some investigations may (or may not) be breaching sovereignty of other countries.
Apparently links 'election interference on soc media' with 'intervention'. Is a bunch of trolls an intervention into country affairs? No because it does not effect in behavior change in 'targeted state' (who?)? But you can imagine a State leader issuing threats on social media?
International Committee of the Red Cross releases report on the human cost of cyber operations. What rules exist? Need to expand? I'm proud being part of this (co-author). Threat with analysis. #CyberICRCblogs.icrc.org/law-and-policy…
My analysis of @ICRC report selection. Cyberoperations. What impacts on exploit cost? Why supply chain attacks are a risk? Targeting health care (lethal cyberattacks; can you even detect?), ICS. Armed conflict context. How to move forward? #CyberICRCblog.lukaszolejnik.com/icrc-report-on…
The full report is here. My analysis follows. Report speaks on cyber operations & armed conflict context, where many peacetime assumptions may differ. Supply chain attacks are a risk. Exploit price is driven by specific demand. #CyberICRCicrc.org/en/download/fi…
First #GDPR fine by Polish DPA. 6M records in database. Scrapped from public sources. Not informed data subjects about their rights. 229k EUR fine. Breach of Article 14. Impressive: no particular explanation provided.
English press release related to the first PL #GDPR fine. 6M user data scraped from public registers. Not informed data subjects about their rights. €220k fine. No tech component; purely lawful case. uodo.gov.pl/en/553/1009
Full justification of the #GDPR enforcement here. 220k fine is only one thing. Company has been ordered to inform all the 6M data subjects. Costs might exceed the fine. Full GDPR in action here. uodo.gov.pl/decyzje/ZSPR.4… (via G/translate)
Massive ad fraud botnet taken down. Pretended to be human traffic, exploited Real-Time Bidding vulnerabilities. I researched this in 2013, interesting how long it take to be operationalized. services.google.com/fh/files/blogs…
The scale of the operation is huge. Over 3 Billion bid request fraud, over 1 million of compromised machines. Border Gateway Protocol hijacking was even used. The biggest and most sophisticated operation like that ever.
What fascinates me is that the attackers used some of the techniques I tested and described here: lukaszolejnik.com/rtbdesc (some details omitted). I also played with the bot detection evasion ;)