Included in this issue of Data & Privacy News: Security flaw affects 50m Facebook users and leaves thousands of other apps vulnerable; ICO makes inquiries into incident involving Conservative Party Conference event app.


Security flaw affects 50m Facebook users and leaves thousands of other apps vulnerable

Facebook has revealed that almost 50m user accounts were compromised in a breach that allowed attackers to steal automated log-in credentials (access "tokens"). These tokens gave the attacker full control of the victim's account, including the ability to log into third-party applications that use Facebook log-in.

Those potentially affected by the breach had their accounts reset by Facebook and were prompted to log back into the site on Friday.

The flaw is thought to stem from three bugs introduced into the site's "view as" feature in July 2017, and it may also affect other apps that rely on Facebook log-in, such as Tinder and Airbnb.


ICO makes inquiries into incident involving Conservative Party Conference event app

The Information Commissioner's Office (ICO) is making inquiries with the Conservative Party over an incident involving an event app at the Conservative Party Conference 2018.

The app allowed third parties to access personal details, such as the phone numbers and email addresses of Conservative MPs, without a password.

Attendees at the conference also reported that information could be changed in the app. Various MPs had their accounts vandalised, whilst others reportedly received prank calls.


ICO discusses GDPR Strategy at recent European Data Protection Board Plenary meeting

At the recent European Data Protection Board (EDPB) Plenary meeting, the ICO's Information Commissioner and Deputy Commissioners set out the ICO's views on its General Data Protection Regulation (GDPR) strategy following Brexit.

The ICO noted that it has been fully involved in the adoption process of the GDPR and will continue to maintain the high standards of data protection in the UK after the UK leaves the EU.

As a proud, active and energetic partner of the EDPB, the ICO recognises that data protection concerns do not begin and end at national borders, and that interaction between the ICO and EU supervisory authorities will continue to be essential.


Uber fined $148m for data breach cover-up that affected 57 million user accounts

Uber has agreed to pay $148m (£113m) to settle legal action for a data breach that affected 57 million user accounts and 600,000 US drivers.

The cyber-attack occurred in 2016 but only came to light in November 2017, as the company had sought to hide it from regulators.

Uber paid the hackers $100,000 through its bug bounty programme to delete the data stolen from the company's cloud servers and to keep quiet about the breach.

The case was brought by the US government and 50 states, and follows a fine the company received in January 2017 for failing to disclose a less serious breach in 2014.

As well as paying the fine, Uber has also agreed to improve its data security to prevent further attacks and submit regular reports on security incidents to regulators.


ICO sends notices of intent to organisations for failure to pay new data protection fee

The ICO has sent notices of intent to 34 organisations across both the public and private sectors for failing to pay the new data protection fee.

Organisations have 21 days to respond to the notices or face a fine ranging from £400 to £4,000 depending on their size and turnover.

The ICO requires all organisations that process personal data to pay a fee, unless they are exempt. The fee funds the ICO's data protection work and newly introduced services such as its advice line.

Current fees range from a maximum of £35 for small organisations to £2,900 for larger organisations.

The ICO's website contains a fee calculator tool and guidance on the data protection fee.


Data protection breaches offshore: avoiding snakes and building ladders

Ross McKenzie, Partner in the data protection team, has written a blog post on the practical measures that should be considered for data protection compliance in the oil and gas sector.

Key contacts

Ross McKenzie, Partner, Commercial Services, Aberdeen

Helena Brown, Partner, Head of Data, Edinburgh, UK