Welcome to our September 2023 review of cyber attacks and data breaches, in which we look at some of the most newsworthy security incidents across Europe.
On the face of it, September was a quiet month in terms of cyber attacks and data breaches in the media, but there was some notable news relating to cyber crime and data privacy.
This month’s blog features a €345 million fine for TikTok as a result of GDPR compliance failures recorded between 31 July and 31 December 2020, and a ransomware attack on a French town.
Irish Data Protection Commission announces €345 million TikTok fine
The Irish DPC (Data Protection Commission) has announced that it is fining TikTok Technology Ltd €345 million following an inquiry into the company’s compliance with the GDPR (General Data Protection Regulation) when processing children’s personal data.
Its investigation focused on platform settings for child users, age verification and transparency information for children between 31 July and 31 December 2020.
The DPC regulates TikTok’s data protection compliance across the EU because the social media giant’s headquarters are in Ireland. Following consultation with the other EU supervisory authorities concerned and the EDPB (European Data Protection Board) in August, the DPC found the following:
- Child user accounts’ profile settings were set to ‘public’ by default, so anyone could view content posted by the child user, infringing GDPR Articles 25(1), 25(2), 5(1)(c) and 24(1).
- The ‘Family Pairing’ setting allowed non-child users to pair their account with a child user’s account, even if they were not a parent or guardian. This enabled adults to send direct messages to child users, infringing GDPR Articles 5(1)(f) and 25(1).
- Child users’ profiles being set to ‘public’ by default also posed several possible risks to children under the age of 13 who accessed the platform, infringing GDPR Article 24(1).
- TikTok did not provide sufficiently transparent information to child users, infringing GDPR Articles 12(1) and 13(1)(e).
- TikTok nudged users towards choosing more privacy-intrusive options when registering accounts and posting videos, infringing GDPR Article 5(1)(a).
The DPC therefore issued a reprimand, ordered TikTok to bring its processing into compliance with the GDPR within three months, and fined it €345 million.
TikTok is appealing the fine. It said:
“Ireland’s Data Protection Commission (DPC) today announced the findings of its investigation relating to certain platform settings and age assurance measures we had in place three years ago. We respectfully disagree with several aspects of the decision, particularly the level of the fine, and we want to provide some important context while we evaluate next steps.
“The DPC’s investigation focused on the period between July and December 2020 only. The DPC did not find that TikTok’s age assurance measures violated the GDPR, and most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021 – several months before the investigation began.”
This is not the first time TikTok has been fined for such practices. The DPC decision follows a £12.7 million fine from the UK’s ICO (Information Commissioner’s Office) relating to TikTok’s failure to protect children’s privacy. The ICO found that TikTok allowed as many as 1.4 million children under the age of 13 to use its platform in 2020 without parental consent and “failed to carry out adequate checks to identify and remove underage children from its platform”, potentially exposing them to harmful content.
And in 2019 the US Federal Trade Commission fined it $5.7 million – the largest civil penalty obtained by the Commission in a children’s privacy case – for “illegally [collecting] personal information from children”.
Betton commune hit by Medusa ransomware
The town of Betton (Ille-et-Vilaine), near Rennes in France, has suffered a ransomware attack, which resulted in residents’ personal information being published on the dark web.
In a press release quoted by numerous sources but now apparently unavailable on the Betton website, the town said the attackers had exfiltrated approximately 2% of the data in its computer systems, including, according to Numerama, “a lot of personal information, such as identity documents, addresses and administrative exchanges”.
The town’s mayor, Laurence Besserve, said: “None of the town’s servers were working, everything was encrypted.”
Medusa demanded $100,000 to destroy the data, threatening to publish it online if the town did not pay by 14 September. When the town refused to pay up, the gang behind the attack did exactly that.
According to Jumelages & Partenariats, M. Besserve explained that: “We’re continuing to operate, but in degraded mode, and the questions that arise today are first of all to recover everything that has been encrypted, what is in progress and then to know what use will be made of this data.”
Medusa, also known as MedusaLocker, operates under a ransomware-as-a-service model, allowing affiliates to use the malware for a fee or a cut of any ransom received.
Like most modern ransomware operations, its affiliates typically use a double-extortion approach: they exfiltrate data before encrypting systems and use the stolen data as leverage to persuade victims to pay, even when the victims have the backups they need to restore their systems.
However, the unfortunate reality is that most ransomware gangs sell the data they have stolen anyway – which is one of the reasons experts urge victims not to pay ransoms.
Are you prepared for a cyber attack?
If you’re facing a cyber security disaster, IT Governance is here to help.
Our Emergency Cyber Incident Response Service offers the necessary support to deal with the incident, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.