Ticketmaster fined £1.25million for security compromise (they were hacked by Magecart group, their website code was altered to steal data during payments), #GDPR breach. ~9.4m customers affected. Payment data stolen, too. ico.org.uk/media/action-w…
Third-party (chatbot provider) was breached. This spilled to Ticketmaster. Had this functionality not included on the payment site, this breach would not happen (this way, at least). Fun fact: ICO decided to enforce PCI-DSS requirements. #GDPR #ePrivacy
Ticketmaster says they were unable to use the standard subresource integrity (blog.lukaszolejnik.com/making-third-p…) to protect their site because the software changed too often (but they did not know how often). "ICO views this measure as an appropriate measure to implement" #GDPR
In sum, deployers of vulnerable software inherit and accept the risk. This case is also a model example well subscribing to how #GDPR fines are calibrated (blog.lukaszolejnik.com/everything-you…)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Lukasz Olejnik

Lukasz Olejnik Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @lukOlejnik

15 Oct 19
The Netherlands government published its position on rules applying to security in cyberspace (cyberattacks/cyberwarfare. My short take (the dokument is v. good) government.nl/binaries/gover…
Sovereignty as a matter of rule applies to cyberspace. But it's extent is not clear. Some investigations may (or may not) be breaching sovereignty of other countries.
Apparently links 'election interference on soc media' with 'intervention'. Is a bunch of trolls an intervention into country affairs? No because it does not effect in behavior change in 'targeted state' (who?)? But you can imagine a State leader issuing threats on social media?
Read 6 tweets
29 May 19
International Committee of the Red Cross releases report on the human cost of cyber operations. What rules exist? Need to expand? I'm proud being part of this (co-author). Threat with analysis. #CyberICRC blogs.icrc.org/law-and-policy…
My analysis of @ICRC report selection. Cyberoperations. What impacts on exploit cost? Why supply chain attacks are a risk? Targeting health care (lethal cyberattacks; can you even detect?), ICS. Armed conflict context. How to move forward? #CyberICRC blog.lukaszolejnik.com/icrc-report-on…
The full report is here. My analysis follows. Report speaks on cyber operations & armed conflict context, where many peacetime assumptions may differ. Supply chain attacks are a risk. Exploit price is driven by specific demand. #CyberICRC icrc.org/en/download/fi…
Read 15 tweets
26 Mar 19
First #GDPR fine by Polish DPA. 6M records in database. Scrapped from public sources. Not informed data subjects about their rights. 229k EUR fine. Breach of Article 14. Impressive: no particular explanation provided.
English press release related to the first PL #GDPR fine. 6M user data scraped from public registers. Not informed data subjects about their rights. €220k fine. No tech component; purely lawful case. uodo.gov.pl/en/553/1009
Full justification of the #GDPR enforcement here. 220k fine is only one thing. Company has been ordered to inform all the 6M data subjects. Costs might exceed the fine. Full GDPR in action here. uodo.gov.pl/decyzje/ZSPR.4… (via G/translate)
Read 5 tweets
28 Nov 18
Massive ad fraud botnet taken down. Pretended to be human traffic, exploited Real-Time Bidding vulnerabilities. I researched this in 2013, interesting how long it take to be operationalized. services.google.com/fh/files/blogs…
The scale of the operation is huge. Over 3 Billion bid request fraud, over 1 million of compromised machines. Border Gateway Protocol hijacking was even used. The biggest and most sophisticated operation like that ever.
What fascinates me is that the attackers used some of the techniques I tested and described here: lukaszolejnik.com/rtbdesc (some details omitted). I also played with the bot detection evasion ;)
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!