It’s been a busy few weeks in the world of data breaches! Air Canada confirmed a mobile app data breach affected 20,000 of its users. A prominent Welsh council turned itself in for a data breach that could be 11 years in the making. And finally, Digital Guardian revealed which states are taking data breaches seriously and which ones aren’t.
Let’s dive in.
Air Canada confirms mobile app data breach
American companies aren’t the only ones struggling to protect their customers’ data. After detecting “unusual login behavior” during August 22–24, Air Canada confirmed that hackers had breached its mobile app.
The airline insists that credit card data wasn’t compromised in the breach. However, a slew of personal details has been revealed about the 20,000 victims. The compromised data consists of names, email addresses, phone numbers, passport numbers, NEXUS numbers, gender, birth dates, country of residence, and other forms of personal data users may have added to their online profiles.
As a result of the breach, Air Canada locked every mobile app user’s account. This resulted in a significant delay for many users, as the company expressed in a statement on their website:
“Air Canada has asked Mobile+ app users to reset their accounts as a security precaution. Due to the large volume, some customers may experience a delay in the process to change their passwords. We ask customers to be patient and assure them their data is protected and not accessible to unauthorized users. We apologize for the delay. Please wait several hours and try again.”
The Ceredigion Council data breach that may have taken 11 years to identify
The residents of Ceredigion, a county in Mid-Wales, get to enjoy many picturesque sites — ancient castles, 50 miles of beautiful coastline, and a mountainous hinterland envied the world over. Unfortunately, its citizens aren’t so lucky when it comes to their local council. For the full story, we need to take a step back in time.
Back in 2007, resident James Davies alerted the Ceredigion Council that they were inadvertently revealing the personal data of citizens on their website. The council’s response? Davies was arrested on suspicion of hacking, but he was later released without incident or further charges.
Then in August of this year, Davies noticed something strange. He discovered the exact same files on the Ceredigion Council’s website, and this time he reported it to the Information Commissioner's Office (ICO).
The files, which were taken down days later, consisted of personal information about residents. This data included names, addresses, and even medical conditions of citizens living in Ceredigion.
When pressed for comment by the BBC, the Ceredigion Council would not confirm how long the documents have been posted on their site. Instead, they issued the following statement:
"The council wishes to apologise for this error and there is an ongoing investigation into the exempt information that was available online and measures are being put into place to improve the system … The council has also made a self-referral to the ICO. The outcome of the investigation will be presented to councillors when investigation is complete."
Which states are taking data breaches seriously
Unlike many of our European allies, the United States has no federal law regarding data breaches. Instead, each state has passed its own law regarding how private corporations and government agencies must respond to data breaches and notable security incidents. Sorting through each state’s law can be a tedious task. Lucky for us, Digital Guardian did the hard work, and they even converted the data into some pretty nifty infographics.
What did they find?
Well, for starters, most states use a very similar definition when it comes to identifying data breaches. While there are a few exceptions, nearly every state defines a data breach as “unauthorized acquisition of covered information that compromises security, integrity and confidentiality.”
When it comes to ranking the states in order of most strict to least strict, there are a few surprises on both ends of the spectrum. States with the strictest recorded laws include: Alabama, California, Illinois, New Jersey, New York, Ohio, Oregon, South Carolina, South Dakota, Texas, Utah, and Alaska. States with the least strict rules include: Arkansas, Georgia, Kansas, Massachusetts, Pennsylvania, Wisconsin, Wyoming, Washington, D.C., Kentucky, and Mississippi. If you’d like to learn more about the data breach laws in your state, you can check out Digital Guardian’s definitive guide here.