CNIL Hit Microsoft with a Formal Notice

The Problem

Since Microsoft’s release of Windows 10 in July 2015, excessive amounts of personal and usage data have been collected from its users. Even when customers turn off every setting that might allow Microsoft to send data to its servers in the US, users still have no control over this. Windows 10 collects this information through the Cortana and Bing products: any ‘home searches’, ‘live tile’ searches and Internet inquiries are sent over an unencrypted HTTP data channel, ‘threshold.appcache’. This is worrying because customers are not asked to consent to it, and they are not even able to turn the feature off. The unencrypted channel is a further problem, as it leaves customers exposed to malicious actors.

CNIL and Microsoft

After the French Data Protection Authority (CNIL) became aware of this, seven online observations were carried out in April and June 2016, and the CNIL has since questioned Microsoft Corporation on the matter. Interestingly, Microsoft said nothing to defend or deny the excessive data collection of Windows 10. It responded that it was happy to comply with the CNIL and to “understand the agency’s concerns fully and to work toward solutions that it will find acceptable.” Microsoft also addressed the reason the data is sent back to the company’s US servers, stating that this was done under the previously applicable ‘Safe Harbour Agreement’. Knowing that those rules no longer apply, it has said it will work towards the new requirements of the ‘Privacy Shield’. Despite these statements, the Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Microsoft on...

Nulled, Expect the Unexpected

On May 6, 2016, Nulled.IO’s tagline ‘expect the unexpected’ became a reality for the hacker forum. An unknown hacker broke through the simple MD5 hashing algorithm securing the website and gained access to a 9.45GB file containing all of the website’s information. Securing a sensitive website with such a simple algorithm suggests that the forum didn’t follow its own tagline!

Nulled.io is a forum where hackers can trade and purchase leaked information (including stolen credentials), hacking tools and cracks, as well as gain access to Nulled software. Risk Based Security discovered the hack and found the 3GB compressed file ready to download for free on the open Internet.

This breach is seen as a gold mine for law enforcement, which now has access to IP addresses, email addresses and conversations for 473,000 registered users, including information from the seemingly private VIP forums. Risk Based Security noted: “If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.”

The breach also means that VIP access to older content on the site is now worthless, as it is all freely accessible within the download. This clearly impacts Nulled.IO’s business model. The site is currently listed as under temporary unscheduled maintenance, and has been since the breach...

GDPR and the Brexit Campaign

The EU’s General Data Protection Regulation (GDPR) is one of the most important pieces of regulation for data security. Christopher Graham, the UK Information Commissioner, said the following at the ICO’s annual Data Protection Practitioners’ Conference in March 2016: “The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades.” The regulation is expected to harmonise data protection legislation across Europe, as well as to sharpen the consequences of failing to comply. The GDPR raises the maximum fine for companies that suffer data breaches to €20m or up to 4% of annual global turnover.

The regulation is still a way off, however: it has been released now with a two-year transition period, which means it does not become legally binding until summer 2018 at the latest. This is to allow companies to adjust and prepare before fines on this scale could sink businesses that fail to comply.

“Now, now,” you might be saying, “What if we leave Europe?” What will they have over British companies then? Unfortunately, we won’t be escaping that easily. Any company that engages with European customers will be forced to comply with European legislation. So the choice is to exclude one of the most accessible markets available to us today, or to abide by these regulations.

Luckily, for businesses that handle card data there are some simple solutions for handling payment card and personal data compliantly. If you are worried about how these regulations will affect your company, feel free to get in touch with us at Compliance3. We are here to guide you through every step of the...