We had two reminders last week:
First there was this:
Qld agencies told to review public datasets after de-identification lapses
By Justin Hendry on Jul 16, 2020 11:53AM
Several datasets found to be at 'real risk of re-identification'.
Queensland government agencies have been urged to review all published data and identify datasets containing de-identified data, after the de-identification practices of two unnamed agencies were found to be lacking.
The state’s Office of the Information Commissioner (OIC) made the recommendation in a report this week that said there was a “real risk of re-identification” in several public datasets at one of the agencies.
The report, titled ‘Privacy and public data: Managing re-identification risk’, revealed that three of the four public de-identified datasets belonging to the agency that were examined were at “significant risk of re-identification”.
The OIC assessed two of the four datasets as having “medium to high risk” of re-identification, which could disclose the personal information of individuals in breach of the state’s Information Privacy Act 2009.
One of these datasets “contains de-identified information about vulnerable individuals that access a particular government service”, the risk analysis conducted with the assistance of CSIRO’s Data61 said.
“There are only a small number of attributes with unique value. However, when combining two attributes, a significant number of entities are unique,” the report states.
“These attributes are approximate information about the individuals address, and the precise date they accessed the government service.
“On combination of these attributes, an overwhelming 84 percent of entities in this dataset are unique.”
The other audited agency “had relatively low risk scores” on all four datasets in comparison, and used “de-identification techniques to effectively reduce the risk of re-identification to generally low levels”.
Neither agency, however, was found to monitor and review re-identification risk in the examined datasets, meaning risk management strategies could be outdated.
More here:
Second and rather more worrying we had this:
Privacy firm finds oceans of personal data for sale on the dark Web at knockdown prices
Genuine information about a vast number of people is available on the dark Web for very low prices, the firm PrivacyAffairs says, adding that given this availability it was easy to fake the identity of many individuals.
The firm, which styles itself as a source of data privacy and cyber security research, information, and advice, provided iTWire with a range of prices for various forms of identity and personal information that its researchers had found on the dark Web.
PrivacyAffairs researcher Miguel Gomez said in a detailed blog post that the reputation enjoyed by the dark Web — as a place where any kind of nefarious activity could take place — was more than justified.
"The privacy offered by software such as Tor (a browser that can be used to surf the dark Web) creates an environment where criminals can sell their wares without being worried about law enforcement," Gomez said.
"What’s more, many would have heard the horror stories of people’s bank accounts being cleaned out, or their identity stolen and turning up in custody in Mexico. Again, it is not unjustified horror."
The company has just four staff: Joe Robinson, the chief editor and cyber security expert; Gomez, the head of research and also a cyber security expert and analyst; Bogdan Patru, the research co-ordinator and Alex Popa, a news writer.
The PrivacyAffairs research turned up the following prices for different "products". Gomez said the search had been limited to products and services relating to personal data, counterfeit documents, and social media.
Much more here:
It really makes you wonder why you would let any of your personal information go pretty much anywhere when just one week can throw up examples like this.
As they say – ‘Be careful out there!’
David.
2 comments:
What with deidentification problems and things like the Garmin global outage after suspected ransomware attack, it's amazing that people like the HIMSS keep saying how wonderful Digital Health is - especially when they never raise such things as risks. It's almost like they have a vested interest in promoting the snake oil.
I doubt everything is reported anyway so the problem is larger than we are told. Take simple breech notifications - ADHA certainly masks this. Just type in Tim.kelsey or any other employee past or present using haveibeenpwned.com.
Post a Comment