Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Failing the transparency test, WhatsApp faces €225 million fine

The Data Protection Commission has fined WhatsApp €225 million for failing to meet GDPR requirements on transparency. The investigation began in December 2018 and the DPC’s draft decision two years later recommended a fine of €30-50 million. Other European data protection authorities objected to the sum so it was revised upwards, becoming the second-highest GDPR penalty yet. Privacy activist Max Schrems pointed out that the fine still only represents 0.08% of the Facebook Group’s turnover. WhatsApp said it will appeal the decision, so a lengthy court delay looks likely.

Explaining its decision, the DPC found that WhatsApp Ireland — the company’s main European data controlling entity — failed in its obligation to users and non-users to be transparent about how it stores and uses their data. The final decision described some of the information WhatsApp provided about its data processing as “unnecessarily ambiguous” and “ill-defined”. On top of the fine, the DPC also imposed a reprimand and ordered WhatsApp to bring its processing into compliance by taking “specified remedial actions”. Separately, a ProPublica investigation (25-minute read) detailed WhatsApp’s extensive monitoring operation and how it regularly shares personal information with prosecutors, despite assuring users that no one can see their messages. On the regulation side, a new report from the Irish Council for Civil Liberties argues that Europe is unable to police how the tech industry uses people’s data.

Passwords’ slow path to extinction

Two out of three bad practices listed by the US Cybersecurity and Infrastructure Security Agency (CISA) are password-related. Single-factor authentication and using known or default passwords are “exceptionally risky” practices (the third was unsupported software). Instead, it recommends multi-factor authentication for accessing internet-exposed systems. Although the agency’s list focuses on critical infrastructure, it’s good advice for all organisations. It also feels like another important step on the road to a future without passwords. Today, research suggests people have to remember 100 passwords on average.

There are lots of good reasons to start using alternatives to passwords for accessing critical services. The respected Verizon Data Breach Incident Report repeatedly flagged easily guessed passwords as a key driver of security breaches. Last year, the World Economic Forum argued for a move to passwordless authentication. In a related development, the FT recently covered cybersecurity startups aiming to replace passwords with easier and cheaper alternatives. The largest investment in the industry – half a billion dollars – went to a company that wants to “kill the password”. Until that day comes, there are steps you can take to strengthen passwords, as we cover in our BH Consulting video.

Access denied: large-scale attack highlights DDoS risk

How good are your defences against DDoS? How big a threat could it be to your organisation? Two useful questions to ask after Cloudflare reported the “largest ever” distributed denial of service attack. It said the attack comprised 17.2 million requests per second: three times larger than any previous one it tracked. To give an idea of the scale, that’s around 68 per cent of Cloudflare’s normal peak quarterly traffic per second. The intended victim was a financial services company, it said.

ZDNet’s writeup warned that unmanaged and vulnerable devices mean attacks like this could become more common. BankInfoSecurity’s report took a similar tack, quoting the NetScout Atlas Security Engineering and Response Team which found over 10 million DDoS attacks launched in 2020, up from 8.5 million in 2019. In the SANS newsletter, BH Consulting’s Brian Honan wrote: “DDoS attacks are now so commonplace that hosting an online service without DDoS protection is similar to not having spam filtering for your email. Criminals will continue to evolve their tools and techniques in this area which requires constant innovation by defenders.”

Links we liked

This guide from the UK NCSC helps you to set up a basic security logging system.

Melanie Ensign on communications before, during and after a breach.

Cybersecurity awareness skills are vital for a post-pandemic world.

Is third-party risk a blind spot for security leaders?

ENISA has mapped the threat landscape for supply chain attacks.

Artificial intelligence came up with better emails for phishing tests than humans.

Genesis: like Amazon, but for hackers. CBS explains how it enables ransomware.

A roundup of top hacks from Black Hat and DEF CON 2021 editions.

Security tools showcased at Black Hat 2021.

Learn and practice security for Google’s cloud platform with GCP Goat.
