As modern organizations collect customers’ data, they assume the implicit responsibility of keeping it private and secure. Personal data can be a valuable resource, and when it isn’t secured it can easily end up in the wrong hands. Companies that possess large quantities of sensitive data may become a target for data breaches, and it’s important they keep data secure, private, and compliant with the most up-to-date data regulations and laws.
Our most recent Immuta Unlocked Newsletter dives deeper into the topics, themes, and trends driving secure data use in 2023. This March, we highlight the unfortunately prevalent trend of data breaches and compliance violations by delving into stories regarding data at risk.
Here is a roundup of the key data stories we followed in March:
Insufficient Privacy Measures Place Health Data at Risk
Article: First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices (FTC.gov)
It’s important that digital health platforms tell the truth about how they intend to use customers’ data. Organizations should be transparent about how they use consumers’ personal health information (PHI) and receive consent before collecting, sharing, and using the data. This past month, GoodRx allegedly failed to comply with the most up-to-date data privacy rules and best practices.
GoodRx, a digital health platform where consumers can compare prescription drug prices and get coupons for these medications, violated its privacy policies by disclosing its customers’ PHI to companies like Facebook and Google without authorization. This included sharing information about users’ prescription medications, health conditions, and personal information for the express purpose of aiding in digital advertising. GoodRx is being charged with violating Section 5 of the FTC Act and the Health Breach Notification Rule, and will be required to pay a fine of $1.5 million USD.
Government Concerns about Data Weaponization
Article: What to Know about the TikTok Security Concerns (Time Magazine)
Data weaponization is a growing threat for businesses and agencies around the world. Data is a valuable resource for gathering people’s information, and some theorize it can be leveraged to conduct influence operations aimed at other countries or territories. As a result, the United States government has good reason to worry about Americans’ data falling into the wrong hands and potentially being used against them.
Specifically, the U.S. has concerns about American data being collected by the popular social media platform TikTok, run by Chinese tech firm ByteDance. Though TikTok has denied using data for such purposes, many countries are worried that the company has ties to the Chinese Communist Party. TikTok admitted that employees had spied on reporters using location data in the past, but the company says it has since invested $1.5 billion in a project to ensure sensitive user data is kept on U.S. soil, cannot be accessed from Beijing, and is subject to U.S. government audits. On March 23rd, TikTok’s CEO Shou Zi Chew fielded questions from U.S. lawmakers at a congressional hearing to address these concerns. And while no concrete action has been taken by the federal government, it is becoming increasingly likely that the platform will be heavily regulated or even banned in the coming months.
Data Leaks Target A Growing AI Company
Article: A bug revealed ChatGPT users’ chat history, personal and billing data (Help Net Security)
In recent months, a range of OpenAI tools have gone viral on the internet. Among these is ChatGPT, an artificial intelligence chatbot that can interact in conversations, generate essays, write code, and answer many other queries. Still, the immaturity of the ChatGPT application, combined with the lack of security assurance available for OpenAI, is thought to potentially put organizations, and their sensitive information, at risk.
OpenAI has confirmed that on March 20th, ChatGPT experienced a data leak. During a nine-hour window, some ChatGPT users may have been able to view other users’ personal and billing information. The bug exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers. An internal investigation from OpenAI revealed that the leak was caused by a bug in the Redis client open-source library. The bug has since been patched, and OpenAI has added checks to make sure users can’t access other customers’ data.
Financial Services Institution Victim of Cyber Attack
Article: Latitude Financial Admits Breach Impacted Million (InfoSecurity Magazine)
Financial services companies hold some of the most sensitive personal information that consumers create. It is essential that this data is properly secured, as these customer records are frequently the target of hackers looking to obtain the information illegally for criminal use. For example, hackers may be looking for personal details such as name, address, telephone number, date of birth, driver’s license numbers, etc. to carry out phishing scams, identity theft, and other financial crimes.
This month, Latitude Financial was the victim of a cyber attack. According to Info Security Magazine, hackers stole the driver’s license numbers of 7.9 million Australian and New Zealand residents, as well as 6.1 million records dating back to 2005. Attackers reportedly were able to obtain Latitude employee credentials to access the information, although it is currently unclear how. Latitude Financial is taking steps to minimize the risk and disruption to its customers.
Keeping Up with Key Stories
Examining the risks of companies holding customer data, March’s Key Stories demonstrate the importance of modern organizations keeping consumers’ personal information safe and secure.
To stay up-to-date on the latest in data security and beyond, subscribe to the Immuta Unlocked Newsletter today. Each month, we include Key Stories in the newsletter to provide you with access to the latest news in data. We’ll see you next month!