Here is our overview of the Top 10 GDPR incidents in the year of 2018.
The European Union’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. Almost a year has passed, but it is still too early to see how European regulators will enforce GDPR. In this article, we look at the 10 most remarkable GDPR-related violations and incidents that occurred in 2018.
10. GDPR Compliance Plugin Exploited
In November, Wordfence discovered a privilege escalation vulnerability in a WordPress plugin that allowed attackers to manipulate the site, add new admin accounts, or even lock out the original owner. The plugin had approximately 100,000 active installations. What is noteworthy about this incident is that the plugin is designed to assist site owners with GDPR compliance. Any website using the plugin is likely to be processing user data in some way, so a GDPR compliance tool could itself have directly caused a GDPR violation had the flaw been left unfixed, and still can on sites that remain unpatched.
9. Twitter Probed over Right of Access
GDPR guarantees an individual the ‘right of access’. When University College London researcher Michael Veale contacted Twitter with a data request aiming to find out exactly what data was gathered by Twitter’s link shortening service, it was refused. This refusal led to an investigation by the Irish Data Protection Commission over whether Twitter was in breach of GDPR. If Veale’s complaint is upheld, it will show the power of GDPR to enforce data transparency as well as protection.
8. Data, Credit and Ad-Tech Companies Investigated
GDPR imposes restrictions on an organization’s right to gather personal data without explicit consent from the individual concerned. In November, Privacy International made complaints to the regulatory bodies in Britain, Ireland and France about seven different financial and marketing companies, claiming they were flouting these regulations. The UK ICO has already issued notices of assessment to Acxiom, Experian and Equifax.
7. British Airways Data Breach
The breach of payment information from British Airways is being discussed as ‘the first’ potential UK fine under GDPR. The maximum fine British Airways could face, 4% of annual turnover, has been estimated at a little shy of £500 million. Because of the prominence of the breach in public consciousness, the ICO’s eventual decision will set a benchmark for future GDPR enforcement.
6. Germany’s First GDPR Fine
Germany issued its first ever fine for breach of GDPR in November 2018. Social and dating website Knuddels.de reported a data breach of 1.87 million username and password combinations and 800,000 users’ email addresses in September. The regional data protection authority for Baden-Württemberg determined that the site had been storing the passwords in plaintext, which violates GDPR’s mandate for “the pseudonymisation and encryption of personal data”.
5. Portuguese Hospital Fined €400,000
In July 2018, a Portuguese hospital was inspected by Portugal’s data regulatory body, the Comissão Nacional de Protecção de Dados. After determining that the hospital was allowing patients’ medical data to be accessed by non-medical staff, two fines were imposed for a total of €400,000.
4. Google’s Location Tracking
In August 2018, an investigation by the Associated Press revealed that disabling the ‘Location Tracking’ feature on an Android smartphone would not stop the device tracking the user’s location. This was despite Google’s support page stating “You can turn off Location History at any time. With Location History off, the places you go are no longer stored”. Consumer protection groups in seven different EU nations have filed complaints against Google with their data regulators.
3. AggregateIQ
AggregateIQ (AIQ), a data analytics firm that has been linked with the Facebook-Cambridge Analytica scandal, was accused of mishandling people’s data. Although the alleged misuse predated GDPR, the ICO believed that AIQ continued to process and handle the data after May 25, making the new regulation applicable. In July 2018, the ICO served the UK’s first ever formal notice under GDPR to AIQ. The notice stated that AIQ had breached GDPR’s terms and instructed it to cease processing EU or UK citizens’ data for political, analytical or advertising purposes.
2. Facebook’s Fines and Lawsuits
2018 was a tough year for Facebook. After the Cambridge Analytica scandal, Facebook experienced a data breach affecting nearly 50 million users, which prompted an investigation by the Irish Data Protection Commission. If found to be in breach of GDPR, Facebook could face a fine of up to $1.63 billion. On top of this, in November, the Internet Society of France, a non-governmental organization, filed a class action lawsuit against Facebook for €100 million.
1. The Question of Marriott
A data breach affecting up to 500 million Starwood hotel customers has been one of the biggest breaches in a year of very big breaches. Marriott discovered the breach of customers’ personal data in September, long after GDPR came into effect, but did not disclose it until late November. This is far outside the 72-hour notification window set by GDPR, and is perhaps the strongest case yet for regulators to treat an incident as a GDPR violation.
Read the full, unabridged article at the original source: https://www.immuniweb.com/blog/top-10-gdpr-violations-and-incidents-of-2018.html