Latest Data Breach: The European Commission and AstraZeneca

By Alisa Fetic

Most citizens, consumers, and businesses are familiar with redactions - the black boxes, gray boxes, and other shapes that mask out sensitive information in documents. Redacting is a common practice in the world of legal matters, where organizations need to share information with each other while still preserving its confidentiality. But despite its importance, redacting isn't always conducted with the utmost attention to detail. There are several high-profile examples of redactions gone wrong, where confidential information was inadvertently disclosed due to human error or a lack of appropriate security measures.

In this article, we'll detail one of the most recent - involving The European Commission and AstraZeneca.

The onset of COVID-19 created a unique demand for all sorts of products. In March 2020, it was largely toilet paper, non-perishable food items, and masks. About a year later, however, with the finalization of clinical trials, a new item entered the spotlight: vaccines. As the world raced to inoculate as many people as possible before new variants of the virus spread, governments and organizations scrambled to secure vaccine doses.

The European Commission, the executive body of the European Union (EU), was one such entity. To ensure the equitable distribution of vaccines throughout its member states, it entered into negotiations with AstraZeneca, a British-Swedish pharmaceutical company, for the supply of 400 million doses.

The agreement was signed in August 2020, but it wasn't until January 2021 that the Commission published a redacted version of the contract. This was done in an effort to put pressure on the drug maker after months of delayed deliveries and what the bloc considered a 'failure to commitment'.

Unfortunately, this apparent effort to hold AstraZeneca accountable backfired spectacularly. The redactions in the public document weren't as thorough as they should have been, and a significant amount of confidential information was inadvertently revealed.

This includes the total value of the contract - €870m - as well as a breakdown of the "costs of goods". This information should have been obscured, as it could potentially be exploited by other pharmaceutical companies in their own negotiations with the Commission.

The actual reason for the redaction error is speculated to be a technical glitch, where whatever software was used to obscure the text failed to do its job properly. Some important information, including the number of doses and delivery deadlines of the contract, remained hidden.

The European Commission has since publicly acknowledged the breach, and released updated documents with the correct redactions. In the end, those that suffered the most were EU citizens, who were left waiting weeks or months longer for their vaccines.

This incident between the European Commission and AstraZeneca is yet another reminder of how important it is to pay attention to redactions. Organizations should always ensure that their security measures are up-to-date and appropriate - especially when sensitive documents are concerned - and that redactions are performed properly. Doing so can help to prevent confidential information from being disclosed accidentally – something the European Commission has learned the hard way.

After all, an ounce of prevention is worth a pound of cure.

You Might Also Be Interested In

All Amazon Data Breaches - The Mechanics and Takeaways

While every major company is bound to become the target of malicious online activity at some point, Amazon has experienced more than its fair share of data breach incidents over the years. The e-commerce powerhouse has been vulnerable to cyber-attacks by both state-backed hackers and individual criminals alike. Their motives ranged across the board from financial gain to stealing customer information and intellectual property. This article provides a high-level overview of some of the most notable and impactful incidents to take place since 2012. January 2012: Zappos Breach The first significant incident to be noted on Amazon's data breach timeline dates all the way back to January 2012. It was then that the company's subsidiary Zappos.com announced its internal systems had become compromised by cyberattackers, exposing the account information of as many as 24 million customers. While credit card information was reportedly unexposed, the breach evoked widespread panic among customers who suddenly became at risk of identity theft and other forms of fraud. December 2014: Anonymous Breach Hacktivist organization Anonymous is known for its many high-profile operations and attacks. Over the years, Anonymous has taken on governments, corporations, and anyone they feel is violating human rights or civil liberties. Amazon found itself in the crosshairs of Anonymous in 2014 when individuals claiming association with the group leaked more than 13,000 combinations of its clients' usernames and passwords, along with complete credit card numbers. Amazon wasn't alone in this crisis; other major websites and digital platforms, including Xbox Live and Playstation Network, were also targeted. It's estimated that the hacking campaign affected roughly 150 million users worldwide after all was said and done. 2014: Allegations of Staff Spying Corporations as big as Amazon are bound to hire a few bad apples every now and then. But even so, are individual employees always to blame when malpractice occurs? It's a question one can't help but wonder about a lengthy incident that took place for what was likely months during 2015. Magazine WIRED released a damning report detailing telling information its journalists discovered on six pages of Amazon's internal documents. Apparently, staff had been actively going through high-profile individuals' search and order histories to snoop. Countless big names, from rapper Kanye West to multiple stars of the Marvel Avengers movie franchise, were violated. Several ex-workers later stepped forward to confirm they'd indeed seen it happen, and that 'everybody did it'. July 2016: Claim of Breach In July 2016, a Twitter user by the name #0x2Taylor took to that social media platform claiming they had successfully breached Amazon's main servers and would expose the sensitive account data of more than 80,000 Kindle customers if the company did not pay up. Although the requested amount - only $700 - would be nothing to Amazon, it ultimately decided not to react. The anonymous hacker followed through by posting the 'stolen' information, however, it turned out the data was unlikely to be legitimate. 2017: Ring Camera Spying Although it might not fall in the category of more common instances of cybercrime, we'd be remiss to not mention an incident that shocked the world - and particularly Ring video customers - in 2017. An employee at the Amazon subsidiary had been found to have spied on customers using their own devices. This went on for months until the abuse of power was eventually discovered and the staff member was terminated. There were big implications for Amazon, which was forced to pay a $5.8 million settlement to the Federal Trade Commission alongside additional multi-million dollar penalties in Spring 2023. September 2018: Employees Sell Data It's worth acknowledging that not all instances of cybercrime start on the outside. In fact, it's often inside jobs that end up having the most damaging effects on target companies. Take September 2018 for example, when it was discovered that Amazon employees had been using the company's internal systems to access customer data without permission, and in some cases selling it to foreign actors and vendors for payouts ranging between $80 and $2000. The company conducted an internal investigation and wound up taking disciplinary action against select staff members after its internal malpractice was leaked in a story by The Wall Street Journal. July 2021: GDPR Fine In July of 2021, European regulators slammed Amazon with a record $886.6 million penalty for violating the EU's General Data Protection Regulation (GDPR) data processing rules. The Luxembourg National Commission for Data Protection (CNDP) claimed the multinational corporation had mishandled EU citizens' personal information and failed to properly secure their data. While that doesn't technically constitute a breach, lawmakers' argued it could have easily become one. The takeaway from all of this? Online data is almost never 100 percent secure. If the biggest and wealthiest company in the world can fail to protect its servers several times over, everyday enterprises don't stand a chance. Not alone, at least. iDox.ai's data security solutions equip small, medium, and large organizations alike to stop liabilities in their tracks. Easily search your sensitive unstructured data, redact, and eliminate any potential data leakage points with our state-of-the-art solutions. Contact us today to learn more.

Nov 21, 2023

4 Ways Advanced Data Extraction Revolutionizes Business Operations

In today's fast-paced business landscape, advanced data extraction has become an invaluable tool. This technology has the ability to greatly improve business operations, streamline decision-making processes, ensure precision, and minimize manual work. In this article, we will explore the transformative capabilities of advanced data extraction. Understanding Advanced Data Extraction and Its Role in Business Operations Advanced data extraction refers to the use of state-of-the-art technologies to rapidly and accurately sift through data. This innovative approach eliminates the drawbacks of traditional methods, which are often time-consuming and error-prone. Implementing advanced data extraction has proven to be highly advantageous for businesses across various aspects. Exploring the Four Ways Advanced Data Extraction Revolutionizes Business Operations Although the benefits of advanced data extraction are numerous, we will focus on four of its most important advantages: Enhancing Operational Efficiency One area where advanced data extraction really excels is operational efficiency. In the past, businesses had to invest significant time in manually sorting through large volumes of data. This not only consumed valuable resources but also risked overlooking potential opportunities and decreasing productivity. Imagine a manufacturing firm that struggled with inventory management. Their team members had to spend endless hours sifting through mountains of data just to make informed decisions. However, once they introduced advanced data extraction technology, everything changed. They were able to quickly dive deep into their data and gain a clear overview of their stock levels. This led to significant improvements in the firm's supply chain process, minimizing wastage caused by overstocking or running out of stock. Accelerating Decision-Making Process The ability to make swift and well-informed decisions is crucial for companies to stay ahead. A key factor in accelerating this decision-making process is advanced data extraction. By efficiently extracting and analyzing data, companies can quickly adapt to the constantly evolving market dynamics. Consider an investment firm that operates globally and faces challenges in analyzing the vast financial market within limited time frames. With advanced data extraction tools, they can access real-time insights on various markets instantly. This enables them to take immediate action based on valuable information, leading to remarkable improvements in investment returns and significant resource savings over time. Ensuring Accuracy in Data Management Accurate data analysis is also crucial for reliable results. As the amount of data grows, so does the risk of inaccuracy. That's where advanced data extraction technology comes in and transforms the game. This technology utilizes advanced machine learning algorithms to sort through unorganized data, extracting only the relevant information. Additionally, the importance of accurate interpretation and adherence to regulatory compliances increases. Failing to properly understand or missing crucial compliance-related information can result in substantial fines or legal consequences. Reducing Manual Effort Across Various Business Processes Finally, organizations are always on the lookout for ways to improve efficiency. One of the biggest culprits that can eat into productivity is manual tasks, which not only take up precious hours but also introduce the risk of errors. Automating repetitive tasks that were previously done manually can greatly enhance productivity while also reducing costs. This automation eliminates the inherent errors that often occur in manual processes and guarantees reliable and consistent outcomes, ultimately leading to improved operational efficiency. Final Thoughts In today's digital age, the world of advanced data extraction offers a transformative and fascinating opportunity. At iDox.ai, our journey of discovery goes beyond just using advanced data extraction. It extends to truly understanding and interpreting the information we gather, allowing us to make strategic business decisions. Contact us today to see how we can help your business reach new heights.

Aug 21, 2023

Preventing Cyber Threats with iDox.ai Data Security Solutions

By Greg Sallis Cyber security is a growing concern in today's digital world, with cybercriminals using increasingly sophisticated techniques to breach security systems and steal sensitive data. As a result, businesses need to take proactive measures to protect themselves and their customers from cyber threats. One such solution is iDox.ai Data Security , a comprehensive cyber security system that can help businesses prevent cyber-attacks and safeguard their sensitive data. In this article, we will discuss how iDox.ai Data Security Solutions can help businesses prevent cyber threats. Introduction to Cyber Security: In today's digital world, cyber security is more important than ever. Cybercriminals use various tactics such as phishing, malware, and social engineering to breach security systems and steal sensitive data. The consequences of a cyber-attack can be severe, including financial losses, reputational damage, and legal liability. Therefore, businesses need to take proactive measures to protect themselves and their customers from cyber threats. What is iDox.ai Data Security? iDox.ai Data Security is a comprehensive cyber security solution that can help businesses prevent cyber-attacks and safeguard their sensitive data. It provides a range of security features, including encryption, firewalls, intrusion detection and prevention, and antivirus and anti-malware protection. iDox.ai Data Security also offers real-time threat monitoring, incident response, and security analytics, allowing businesses to detect and respond to cyber threats quickly and effectively. How Does iDox.ai Data Security Work? iDox.ai Data Security works by providing multiple layers of protection to prevent cyber-attacks. First, it uses encryption to protect sensitive data from unauthorized access. Second, it uses firewalls and intrusion detection and prevention systems to prevent malicious traffic from entering the network. Third, it uses antivirus and anti-malware protection to detect and remove malicious software. Fourth, it offers real-time threat monitoring to detect and respond to cyber threats as they occur. Finally, it provides incident response and security analytics to help businesses investigate and mitigate cyber-attacks. Benefits of iDox.ai Data Security There are several benefits to using iDox.ai Data Security Solutions to prevent cyber threats: 1. Comprehensive Protection iDox.ai Data Security provides comprehensive protection against various types of cyber threats, including malware, ransom ware, phishing, and social engineering. This means that businesses can rest assured that their sensitive data is secure. 2. Real-Time Threat Monitoring iDox.ai Data Security offers real-time threat monitoring, allowing businesses to detect and respond to cyber threats quickly and effectively. This can help prevent or minimize the damage caused by a cyber-attack. 3. Incident Response and Security Analytics iDox.ai Data Security provides incident response and security analytics, allowing businesses to investigate and mitigate cyber-attacks. This can help minimize the impact of a cyber-attack and prevent it from happening again in the future. 4. Easy to Use iDox.ai Data Security Solutions are easy to use and require minimal technical expertise. This means that businesses can implement them quickly and easily, without the need for extensive training or technical support. 5. Cost-Effective iDox.ai Data Security Solutions are cost-effective, making them an affordable option for businesses of all sizes. This means that businesses can get comprehensive cyber security protection without breaking the bank. Conclusion Cyber security is a growing concern in today's digital world, with cybercriminals using increasingly sophisticated techniques to breach security systems and steal sensitive data. As a result, businesses need to take proactive measures to protect themselves and their customers from cyber threats. iDox.ai Data Security Solutions can help businesses prevent cyber-attacks and safeguard their sensitive data. With its comprehensive protection, real-time threat monitoring, incident response, and security analytics, iDox.ai Data Security is an excellent choice for businesses looking to enhance their cyber security defenses.

May 31, 2023

Preventing Cyber Threats with iDox.ai Data Security Solutions

Cyber security is a growing concern in today's digital world, with cybercriminals using increasingly sophisticated techniques to breach security systems and steal sensitive data. As a result, businesses need to take proactive measures to protect themselves and their customers from cyber threats. One such solution is iDox.ai Data Security , a comprehensive cyber security system that can help businesses prevent cyber-attacks and safeguard their sensitive data. In this article, we will discuss how iDox.ai Data Security Solutions can help businesses prevent cyber threats. Introduction to Cyber security In today's digital world, cyber security is more important than ever. Cybercriminals use various tactics such as phishing, malware, and social engineering to breach security systems and steal sensitive data. The consequences of a cyber-attack can be severe, including financial losses, reputational damage, and legal liability. Therefore, businesses need to take proactive measures to protect themselves and their customers from cyber threats. What is iDox.ai Data Security? iDox.ai Data Security is a comprehensive cyber security solution that can help businesses prevent cyber-attacks and safeguard their sensitive data. It provides a range of security features, including encryption, firewalls, intrusion detection and prevention, and antivirus and anti-malware protection. iDox.ai Data Security also offers real-time threat monitoring, incident response, and security analytics, allowing businesses to detect and respond to cyber threats quickly and effectively. How Does iDox.ai Data Security Work? iDox.ai Data Security works by providing multiple layers of protection to prevent cyber-attacks. First, it uses encryption to protect sensitive data from unauthorized access. Second, it uses firewalls and intrusion detection and prevention systems to prevent malicious traffic from entering the network. Third, it uses antivirus and anti-malware protection to detect and remove malicious software. Fourth, it offers real-time threat monitoring to detect and respond to cyber threats as they occur. Finally, it provides incident response and security analytics to help businesses investigate and mitigate cyber-attacks. Benefits of iDox.ai Data Security There are several benefits to using iDox.ai Data Security Solutions to prevent cyber threats: 1. Comprehensive Protection iDox.ai Data Security provides comprehensive protection against various types of cyber threats, including malware, ransom ware, phishing, and social engineering. This means that businesses can rest assured that their sensitive data is secure. 2. Real-Time Threat Monitoring iDox.ai Data Security offers real-time threat monitoring, allowing businesses to detect and respond to cyber threats quickly and effectively. This can help prevent or minimize the damage caused by a cyber-attack. 3. Incident Response and Security Analytics iDox.ai Data Security provides incident response and security analytics, allowing businesses to investigate and mitigate cyber-attacks. This can help minimize the impact of a cyber-attack and prevent it from happening again in the future. 4. Easy to Use iDox.ai Data Security Solutions are easy to use and require minimal technical expertise. This means that businesses can implement them quickly and easily, without the need for extensive training or technical support. 5. Cost-Effective iDox.ai Data Security Solutions are cost-effective, making them an affordable option for businesses of all sizes. This means that businesses can get comprehensive cyber security protection without breaking the bank. Conclusion Cyber security is a growing concern in today's digital world, with cybercriminals using increasingly sophisticated techniques to breach security systems and steal sensitive data. As a result, businesses need to take proactive measures to protect themselves and their customers from cyber threats. iDox.ai Data Security Solutions can help businesses prevent cyber-attacks and safeguard their sensitive data. With its comprehensive protection, real-time threat monitoring, incident response, and security analytics, iDox.ai Data Security is an excellent choice for businesses looking to enhance their cyber security defenses.

May 15, 2023

Unveiling Hidden Risks: The Power of Sensitive Data Discovery in Business Risk Mitigation

By Alisa Fetic In today's digital age, businesses are amassing vast amounts of sensitive data, ranging from customer information to proprietary trade secrets. While this data fuels innovation and enhances customer experiences, it also exposes businesses to significant risks if mishandled or compromised. Therefore, proactive measures like sensitive data discovery have become crucial to mitigate these risks effectively. In this article, we will delve into the concept of sensitive data discovery and explore its indispensable role in helping businesses safeguard their valuable assets and maintain their reputation. The Essence of Sensitive Data Discovery: Sensitive data discovery refers to the systematic process of identifying, categorizing, and securing sensitive data within an organization's digital ecosystem. It involves deploying advanced technologies, such as data scanning tools, machine learning algorithms, and data loss prevention (DLP) solutions, to locate sensitive data throughout various storage systems, applications, and databases. By understanding the nature and location of sensitive data, businesses can take informed actions to protect it and mitigate potential risks. Identifying Hidden Vulnerabilities: The first step in mitigating risk is knowing where it resides. Sensitive data discovery enables businesses to uncover hidden vulnerabilities that could otherwise go undetected. It helps identify data repositories that are prone to breaches, such as unprotected databases, unencrypted files, or legacy systems lacking security updates. By gaining visibility into these weak points, businesses can proactively reinforce security measures, implement access controls, and encrypt data to minimize the risk of unauthorized access or data leakage. Compliance with Regulatory Standards: With the proliferation of privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), businesses face legal obligations to protect sensitive data. Failure to comply can result in severe penalties and reputational damage. Sensitive data discovery assists in meeting compliance requirements by mapping the flow of data across the organization, identifying areas where data privacy may be compromised, and ensuring appropriate measures are in place to protect sensitive information. It facilitates audits, risk assessments, and the implementation of privacy-by-design principles. Mitigating Insider Threats: Not all risks originate from external sources. Insider threats, whether intentional or unintentional, can pose significant dangers to sensitive data. By implementing sensitive data discovery techniques, businesses can monitor and detect suspicious activities within their internal systems. This includes identifying employees with excessive access privileges, detecting abnormal data transfers or downloads, and flagging unauthorized attempts to access sensitive data. By being proactive, organizations can mitigate potential risks before they escalate into major breaches. Strengthening Data Governance: Sensitive data discovery serves as a foundation for robust data governance practices. It enables businesses to establish data ownership, define data handling procedures, and enforce data classification policies. By understanding the types of sensitive data they possess and the associated risks, businesses can implement appropriate controls, such as data encryption, role-based access controls, and data retention policies. This strengthens overall data governance, reduces the likelihood of data mishandling, and enhances overall security posture. Enhancing Incident Response Capabilities: In the unfortunate event of a data breach, an effective incident response plan can make a significant difference in mitigating the consequences. Sensitive data discovery provides valuable insights into the data landscape, allowing businesses to develop incident response strategies tailored to specific types of data. It facilitates faster identification of affected data, aids in notifying affected individuals promptly, and helps organizations take immediate action to contain the breach and restore normalcy. This proactive approach minimizes damage, builds trust with stakeholders, and safeguards the company's reputation. In an era where data breaches and privacy concerns dominate headlines, businesses must prioritize the discovery and protection of sensitive data. By investing in sensitive data discovery technologies and adopting proactive measures,

May 15, 2023

Latest Data Breaches To Learn From

By Alisa Fetic Cybersecurity attacks remain a top threat for businesses as more and more companies devise proactive measures to secure their data. More than 4,000 publicly disclosed data breaches occurred in 2022, exposing over 22 billion records to bad actors. IBM reported that the average cost of data breaches increased from $4.24 million in 2021 to $4.35 million in 2022—representing a 2.6% increase. While the financial loss resulting from data breaches is significantly high, the real impact on businesses runs much deeper; reputational damages, legal liabilities, and loss of customer trust. Unfortunately, cybersecurity threats aren’t going away. In fact, they get more sophisticated by the day. These threats affect businesses of all sizes—big and small, so it’s vital for organizations to take appropriate measures to thwart the attacks. This article discusses the most notable data breaches that occurred in December 2022. 1. Uber Uber, the global mobility company, suffered a series of attacks in 2022. In September, the company suffered a data breach from an alleged “teenager” threat actor. The hacker compromised the company’s ride-sharing system, gaining access to confidential user data. Uber reported that the attacker downloaded some internal slack messages and accessed data from an internal tool the company uses to manage invoices. Its latest attack happened in December 2022. On December 10 th , a new trove of Uber data was posted on BreachForums. The leaked data included personally identifiable information (PII) of 77,000 Uber employees, source code, and the company’s internal reports. Uber announced on December 12 th that a hacker going by the name “UberLeaks” gained access to their employees’ data and was posting it on social forums. The company believes the attackers accessed its data in a recent breach on TeqTivity—a vendor Uber uses for tracking services. 3. Rackspace On December 2 nd , Texas-based cloud computing giant Rackspace was hit by a ransomware attack, leaving thousands of customers worldwide without access to their data. A few days later, the firm revealed that it was dealing with a security incident that forced it to shut down its Microsoft Exchange Server. Shortly after, Rackspace confirmed that the incident was indeed a ransomware attack. The company also warned its customers not to hand over their sensitive information to anyone who may contact them requesting such information over email or phone. Rackspace didn’t disclose which ransomware group was behind the attack and whether customer data was compromised. The company has received widespread criticism for concealing critical information about the incident. So far, at least two lawsuits have been filed against the company. 2. Last Pass On December 22 nd , the beleaguered password manager giant Last Pass confirmed in a blog post that a hacker had infiltrated their system in an August data breach attempt. Customers’ data may have been at risk of being exposed in a data breach that targeted a database of encrypted password vaults. The hacker used data they stole in the August breach to compromise another employee and obtain credentials that allowed them access to the password database. But just because the attacker gained access to the encrypted vaults doesn’t mean they accessed the passwords. While they have the vaults, it would still be difficult for them to access the passwords, though not impossible. It’s just the first step to cracking the passwords. Wrapping Up 2022 has been a busy year for security professionals as data breaches have affected millions of users and cost companies billions in damages. As attackers advance their strategies, organizations should tighten their security policies to thwart cyberattacks and minimize damage.

Jan 11, 2023

Latest Data Breach: 2,000 Social Security Numbers Released

By Alisa Fetic From a young age, most Americans are taught to protect their Social Security Number, not sharing it with anyone aside from an employer or financial provider. No one would think that the federal government itself could put such information at risk, making people vulnerable to identification theft, yet that’s just what happened. A Washington Post report shared that, about 2,000 Social Security Numbers were released in hundreds of records that were posed online as a part of the January 6 th Committee. The information contained the numbers of a wide range of people who were a part of President Trump’s cabinet, federal judges, and numerous others including people who visited the White House in December of 2020. Imagine Congress exposing your Social Security Number on a website. That’s just what occurred. What Is the Risk? Social Security Numbers are a key component of data that people can use to create fake identifications. This along with a person’s address and other minimal data could help with opening bank accounts, create credit card files, or used in the production of fake identification cards. In addition, this bit of information could be used to gain access to financial records and legal documents since it is so commonly used as a way to prove identification. Though the federal government removed the spreadsheet containing that data from the website it was on, the data was exposed and put all of those individuals at risk. The result of this is that now those individuals have to take aggressive (and sometimes costly) measures to protect their information such as: Freezing their credit Changing passwords Contacting banks and other financial organizations to report risk Checking their credit reports for any evidence of a stolen identification Using multi-factor authentication to protect all of their credit accounts online Using credit and account monitoring tools How Redaction Software Could Have Eliminated the Risk There’s no real understanding of how a mistake like this could occur so carelessly especially at this level, but the use of redaction software could have eliminated the risk to every one of these people. This type of software works automatically to remove sensitive information from material. That means that, before being put online, this software could have scanned those spreadsheets, recognized the numbers present, and then erased them, blocked them out, or otherwise sanitized the data so that it could not be seen or used by anyone else. Utilizing redaction software like this – whether for home use or for business – is a simple step towards protecting sensitive data. It is one of the most effective methods of ensuring this type of data is not exposed because it does not rely on person to manually detect and remove the data themselves. In this situation, it could have eliminated those Social Security numbers, preventing the risk to 2,000 people from data being shared. Consider the value of incorporating the use of redaction software into your business and daily life to minimize your risks.

Jan 18, 2023

Public Record Request Failures

By Alisa Fetic Public record requests are a common practice in the United States. Journalists, politicians, and concerned citizens alike use them as a tool to obtain information they're legally entitled to access under official laws. But despite their importance, public record requests aren't always handled the way they should be. There are countless high-profile examples of large organizations and groups failing to properly produce records, for reasons ranging from logistical issues to outright dereliction of responsibility. In this article, we'll go over two of these cases and explain what make them such important learning opportunities to those who fall under the provisions of laws like the PRA. UW Public Records Office The University of Washington's football team decided to partner with rapid antigen company Quidel to handle player testing protocols at the onset of COVID-19. It, like many other schools in the country, was doing everything it could to salvage the 2020 season, and hoped that offering these ultra-rapid - but notably less accurate - tests would be enough to keep the team safe. The Seattle Times and other local media outlets quickly jumped on this story, filing a public records request to the UW for copies of emails about the Quidel deal. The school responded by saying it could not find any relevant records, not once, but twice, after being asked to search again. Further investigation by the Seattle Times with Oregon State University revealed that there were indeed emails regarding the matter - many of which painted an ugly picture of the school's decision-making process. The UW was forced to admit it had failed to properly search for the emails, and local media outlets sued them for violating the Public Record Act. It blamed the fact that the school was incredibly short on resources and only had eight employees to respond to requests for information. This incident isn't just noteworthy for the $97,000 settlement it cost the University of Washington. It also resulted in an intangible loss, that being the damage the school's reputation suffered after all was set and done. West v City of Tacoma (1/28/2020) In 2013, the city public record request was made by resident Arthur West seeking records related to the acquisition, which the city promptly responded to. But the documents provided by West soon after appealed the city's decision, claiming that their search for documents was inadequate and hence, withholding information on the matter was illegal. After deliberation, the court reasoned that while the city was correct to withhold certain documents pertaining to 'Stingray', they had also failed to turn over emails about the technology, including responses to a reporter's questions. This was deemed responsive to West's request and therefore constituted withholding of public records - something strictly prohibited by the PRA. These two cases demonstrate just how easy it is to run afoul of public records law, even when specifically trying to abide by it. In both cases, the courts found that despite good intentions, there had been a violation of the law, and this was something that could have been easily avoided. This is why it's so important for those tasked with responding to public record requests to take their jobs seriously and make sure they are providing all of the relevant documents that have been requested - it's not just the law, but a matter of public trust.

Dec 21, 2022

CommonSpirit Health Ransomware Attack

By Greg Sallis The recent ransomware attack against CommonSpirit Health has caused a stir in the healthcare industry. The attack resulted in a massive data breach, exposing the personal information of thousands of patients and employees. This incident underscores the importance of cybersecurity in the healthcare sector and how they must prepare organizations to protect sensitive data from malicious actors. In this blog post, we will discuss the details of the CommonSpirit Health ransomware attack, how they could have prevented it, and the importance of data redaction in mitigating the risks of a similar attack. What Happened? CommonSpirit Health operates more than 700 care sites and 142 hospitals in 21 states, providing high-quality healthcare for millions of patients. On October 5, the organization confirmed an “IT security issue” as a ransomware attack. Threat actors gained access to portions of the network between September 16 and October 3, potentially compromising patient and family members’ data. The U.S. Department of Health data breach portal confirms that threat actors gained access to the personal data of 623,774 patients. The attackers may have accessed files containing names, addresses, phone numbers, dates of birth, and unique ID numbers used internally by the organization. Fortunately, they did not get their hands on medical record numbers or insurance IDs. CommonSpirit quickly reacted to the attack and mobilized to protect its systems, contain the incident, begin an investigation, and maintain continuity of care. The organization also notified law enforcement and is supporting its ongoing investigation. How To Prevent This Attack? What could have CommonSpirit done to avoid this attack? Let’s explore some possibilities. Update All Systems One of the most effective preventative measures was to ensure that all systems are up-to-date with the latest security patches and software. They should do this regularly to ensure the patching of any vulnerabilities. Train Employees On Security Protocols In addition, it is important to train employees on proper security protocols, including avoiding suspicious emails, using strong passwords, and not using public Wi-Fi networks. These steps could have helped reduce the chances of a successful attack. Implement Redaction Finally, organizations should consider redaction to reduce the risk of an attack. Redaction involves masking or removing sensitive data from documents before them sharing publicly. Let’s look more into it. What is Redaction and Why is It Important? Redaction is the latest, most effective method to secure data and prevent ransomware attacks. Here are two reasons why it is making massive waves in the data security industry: Reduces Risk of Exposure Redaction helps reduce the risk of exposing information to exploitation by those looking to harm. With the increasing prevalence of digital media, organizations need to use redaction to safeguard sensitive material. Removes Identifying Information Redaction can help prevent cyberattacks by removing identifying information from documents and emails before sending them. This process ensures hackers won’t be able to access confidential information if they intercept the material. Redaction: The Future of Ransomware Prevention Organizations should take steps to train employees on the importance of redaction and how to use it. As we have seen, redaction is as close as we can get to a fool-proof ransomware prevention strategy.

Dec 21, 2022

Latest Data Breach News Story

By Alisa Fetic The breach of Optus' customer database is the latest data breach story to rock the news. The data breach exposed the personal information of hundreds of thousands of customers, including their names, dates of birth, and phone numbers. As a result, Optus began notifying customers who may have been affected by the breach. On their website, they posted a statement stating that it is collaborating with the Australian Cyber Security Center to reduce any threats to customers. Optus also reported the "strange activities" to the Australian Federal Police, and an investigation was launched to determine who has been accessing the data and for what reason. The company assured its customers that it would provide updates as they become available. They also advised them not to use passports for online identification until the matter is resolved. Optus also notified its customers to be alert for any fraudulent activity they detected. Furthermore, they should secure their online accounts using two-factor authentication and unique, complicated passwords. But how could this data breach have been prevented? How Optus Could Prevent Data Security Breaches Redaction Redaction is a way to hide sensitive information from the public view. It is commonly used in the legal and financial industries to protect confidential information that criminals or competitors may use. Redaction is also used to release information about a client, such as names and addresses, to prevent cyber criminals from learning more about them. The process can be done manually by hand-writing over the original document or electronically by using computer software like Objective Redact or CaseGuard. More Ways Optus Could Prevent Data Security Breaches Install Firewall Software A firewall protects from hackers by blocking unauthorized attempts to access or modify network data or control systems. It also prevents intruders from using your computer as an entry point into the network or accessing sensitive files on it. There are two types of firewall software: hardware-based and software-based. Hardware-based firewalls include routers and switches that protect the entire network by restricting all traffic passing through it. Software-based firewalls run on a single computer and can be set up at home or in business premises to separate work and private networks. Encrypt All Customer Data Encryption is a process that transforms plain text into cipher text. This transformation prevents someone from viewing or accessing your data without the proper key needed to decrypt it. In this way, if a hacker were to break into your system and steal passwords, they would not be able to access any other information in the system because all their passwords would be encrypted with that one key. Encrypting client information helps prevent hackers from gaining access to them while being transmitted between servers and users in a network. Limit Employee Access to Crucial Company Data To do this, businesses can implement policies limiting how much access each employee has to critical company data. These policies may include: A password policy : Allowing employees to log in with a password rather than using their name and social security number (or other personally identifiable information) as their username will help ensure that no unauthorized person can access your system. Wrap-Up On Optus's Data Breach Data breaches can have a devastating effect on affected companies, not to mention their customers. In reality, they are one of the biggest threats to the corporate world, yet many companies lack a sufficient defense against them. All it takes is one mistake to let a hacker in, and they can wreak havoc on your data. Companies should take caution by using measures like redaction to ensure their client's data is safe.

Nov 15, 2022