Friday Five: 11/15 Edition
Microsoft warns about BlueKeep - again, a real estate firm is fined $16M for violating GDPR, and more - catch up on the week's news with the Friday Five.
1. Google’s Secret ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans by Rob Copeland
Likely the biggest news story of the week came in the form of this scoop, via the Wall Street Journal, on Monday, that Google was working with one of the country's biggest healthcare systems to aggregate data on millions of individuals. As part of the initiative, dubbed Project Nightingale, Google has been collecting health data from 21 states thanks to Ascension, a health system based in St. Louis, in an effort to combine its cloud computing capabilities with the system's patient data. Through artificial intelligence and machine learning, healthcare providers would eventually be able to pull up certain patient pages more easily. Knowing its hand(s) were forced, Google disclosed the news in a blog post and Ascension in a press release later that day. The news, no surprise, has resulted in a great deal of blowback, including the triggering of a federal inquiry. Both companies maintain that the effort is compliant with federal law and that users' health data will be kept secure, but that hasn't managed to quell the backlash.
2. Department of Education criticized for secretly sharing children's data by Sally Weale
Over in the UK, the Information Commissioner's Office cracked down on the country's Department for Education for sharing the personal data of children - details belonging to roughly 1,500 school children each month - with the Home Office, the department of the UK's government that's responsible for immigration, security and law and order. This is obviously a human rights issue but also a data protection issue, according to the UK's privacy regulator. The ICO said it's going to look into whether or not it takes action against the Department for Education, adding in a letter to Liberty, the human rights group that lodged the complaint: "Our view is that the DfE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways."
3. Microsoft: find and patch RDP services now because new BlueKeep threats are coming by Liam Tung
Microsoft is again sounding the alarm for Windows admins who somehow haven't patched the BlueKeep RDP flaw, first outlined way back in May, when it was patched by the company. The news comes shortly after researchers described attacks leveraging the flaw in the wild, specifically to install cryptominers. As CSO noted Tuesday, Microsoft worked alongside two researchers, Kevin Beaumont and Marcus Hutchins - both great follows on Twitter, it's worth mentioning - to look into crashes caused by an unstable BlueKeep Metasploit module. The silver lining here is that the exploit hasn't been co-opted to spread ransomware - yet. These advancements will likely lead to more attacks though, Microsoft stressed, and they'll likely be "more impactful and damaging than coin miners."
4. Microsoft vows to ‘honor’ California’s sweeping privacy law across entire US by Makena Kelly
More Microsoft news: this week the company said that next month, when the calendar flips over to January, it will be extending the California Consumer Privacy Act's protections not just to its California users but to the entire country. Julie Brill, Microsoft's Chief Privacy Officer, announced the news in a company blog post on Monday. While the news is interesting, what's perhaps more notable is that the blog post functions as a call to arms for state and federal policymakers to enact even stronger consumer data and privacy regulations. "As with GDPR and CCPA, whenever and wherever strong, sensible privacy laws are enacted, we will work to quickly extend the core protections those laws offer to our customers everywhere," Brill wrote.
5. Real Estate Company Fined €14.5 Million in Germany for Violating GDPR Principle of Privacy By Design by Lars Lensdorf and Ulrike Elteste
The first multi-million GDPR fine in Germany is a big one: €14.5 million, a figure that translates to almost $16M. The culprit, Deutsche Wohnen SE, is a real estate company that Germany's supervisory authority discovered was storing personal data belonging to tenants without a valid reason. The fine has been a long time coming, apparently: According to Inside Privacy, Covington & Burling LLP's data privacy blog, the SA first started looking into the company's systems in 2017 and found that it was keeping personal data belonging to individuals "without checking if this was legal or even necessary." The SA based the size of the fine on four things: the fact that the systems did not contain special categories of data, that the data hadn't been transferred to any third parties, that it could not be proven that the company had used the unlawfully stored personal data, and that Deutsche Wohnen had been cooperative during the investigation.