Privacy Violation
A privacy violation occurs when an unintended person learns about someone elses private information.
Behaviours
SB018: Adds security or privacy extensions to browsers
Security or privacy extensions prevent third parties from following you around the web and helps you block ...
SB049: Covers webcam when not in use
Devices that have been compromised can have their webcams accessed. To limit further breaches to privacy and data, ...
SB052: Clears cookies regularly
Cookies store data. Some cookies may also be malicious. Regularly clearing cookies prevents risks such as data ...
SB070: Reviews privacy settings and permission levels for apps and online services
Some apps and online services will request information from devices for use. Reviewing privacy settings and ...
SB071: Regularly reviews privacy settings on social media accounts
Privacy settings on social media accounts should be reviewed regularly to make sure personal data is not exposed ...
SB074: Uses a private browsing on shared devices
If workplace devices are shared between colleagues, private browsing should be enabled by default. This means ...
SB075: Requests photos are removed if posted online without consent
Photos posted online without consent can increase digital exposure. Taking steps to remove sensitive photos posted ...
SB092: Returns allocated devices when no longer needed
Returns allocated office equipment when no longer needed. This prevents idle devices from going into the wrong ...
SB094: Does not use personal devices for work unless authorised to do so
Has separate work and personal devices. Only uses personal devices for work if authorised by the employer, using ...
SB151: Does not use weak passwords
Using a weak password puts an account at risk of data breaches, takeovers, and various cyberattacks. Some sites ...
SB173: Does not use work email addresses for non-work purposes
Using work email for non-working purposes increases the chance that the email might be compromised in a data ...
SB178: Does not share a desktop device
Sharing a desktop device allows someone else to have access to your personal and/or company's confidential data.
Case study
Grubman Shire Meiselas & Sacks
In 2020, a high-profile law firm suffered a major cyber attack that exposed private information relating to clients including Madonna and Lady Gaga.
A group of hackers stole 756 gigabytes of files from Grubman Shire Meiselas & Sacks. The files included legal paperwork such as project contracts, confidentiality agreements, promotional materials and reimbursements.
The hackers demanded a $21 million ransom, which the firm refused to pay. As a result, the hackers leaked some of the stolen information. When news of the hack became public, the group demanded a fresh $42 million ransom while threatening to reveal further sensitive information relating to the US president Donald Trump.
Grubman Shire Meiselas & Sacks worked with law enforcement agencies and security experts, and announced that it would not be paying the attackers. It also said it would consult with cyber security specialists to improve the security of its company records and track future unauthorised asset access.
NordVPN1 2019
In 2019, NordVPN, a virtual private network provider that promised to “protect your privacy online”, suffered a data breach.
Despite their “zero logs” policy that stated NordVPN did not track, collect, or share private data, the breach left NordVPN’s customer records exposed.
The hack fully compromised NordVPN’s remote management system. In theory, criminals could have used the data they accessed to create a fake NordVPN website and monitor user traffic, violating the “private” browsing NordVPN promised its customers.
When informed about the hack, NordVPN immediately shut down the insecure server and disabled resulting compromised security keys. It also partnered with cyber security specialists to strengthen penetration testing, intrusion handling and source code analysis.
Yahoo, 2019
In 2019, a disgruntled ex-Yahoo employee hacked into his colleagues’ accounts and accessed their personal information.
Soon after Reyes Daniel Ruiz lost his job at Yahoo, he took advantage of the privileged access he still had and hacked into 6,000 Yahoo accounts, including those of his colleagues and friends. He further took advantage of people’s tendency to reuse passwords, hacking into accounts on Apple iCloud, Dropbox, Facebook and Gmail. After searching these accounts for sensitive images and videos, Reyes copied the stolen information to his personal computer.
Yahoo quickly noticed the suspicious account activity and traced the breaches to Reyes, who then destroyed his computer and drives, thus erasing the evidence of the stolen data. He pled guilty for his crimes and was sentenced to probation and home confinement.
Speaking about the incident, Yahoo representatives urged users to reset their passwords, avoid using the same password across multiple accounts, and enable multi-factor authentication on their devices.