Drupal Security Release (8.3.7)

The Drupal project has issued a maintenance release of its software that patches a number of security vulnerabilities. Users are urged to upgrade to the latest version, 8.3.7, as soon as possible. The release patches the following: Views – Access Bypass – Moderately Critical – Drupal 8 – CVE-2017-6923; REST API can bypass comment approval – Access Bypass – Moderately Critical – Drupal 8 – CVE-2017-6924; Entity access bypass for entities that do not have UUIDs or […]

GDPR and fines

It seems the Information Commissioner’s Office (ICO) is getting a little fed up with misinformation about the General Data Protection Regulation (GDPR) and so is publishing a series of blog posts “sorting the fact from the fiction”. We tend to agree with the ICO on this – there is a lot of misinformation about the GDPR: articles speaking as though this is the first time businesses have had to worry about data protection, or companies pushing their services as though their product (which […]

Talk Talk fined for breach of data protection principle

The ICO has fined TalkTalk £100,000 for a breach of principle 7 of the Data Protection Act – the “security” principle. It found that a third party company, contracted by TalkTalk, had wide access to customer data and that some of the third party accounts had been used to unlawfully access TalkTalk’s customer data. The issue was brought to the attention of the ICO after complaints that TalkTalk customers had been receiving scam calls, using TalkTalk data to identify themselves. You […]

Wordfence reports increase in TrafficTrade malware infection caused by theme

WordPress security experts, Wordfence, are reporting a “significant increase in the number of WordPress websites hit by an infection [they’re] calling TrafficTrade.” Wordfence says there seem to be two routes to infection. A small number are caused by a redundant searchreplacedb2.php script (which they reported as an issue a few weeks back). The bulk of infections, though, are being caused by a vulnerability in the Newspaper theme – this is a premium theme. You can find full details on the Wordfence blog. Your […]

UK Government publishes its planned data protection reforms

It was in the Tory manifesto and the Queen’s Speech back in June, so it’s no surprise that we’re getting a Data Protection Bill. We don’t have the actual Bill yet (it looks likely to have its initial reading in Parliament in September), but today (7th August) the Department for Digital, Culture, Media & Sport has published its intentions for the Bill. The initial part of the reform paper suggests additional data protection regulation over and above the […]

Money Supermarket fined £80k for email marketing breach

Price comparison website, Money Supermarket, has been fined £80,000 by the ICO for PECR breaches. They emailed millions of customers who had opted out of marketing messages about some changes to terms and conditions and privacy notices, but included a section about reconsidering opting out of future marketing messages. Someone complained, and the ICO investigated and reached the conclusion that the emails were a breach of PECR, as the ‘signing up to marketing’ message was in itself a marketing message. The […]

EU Home Affairs Sub-Committee reports on Data Protection & Brexit

The House of Lords EU Home Affairs Sub-Committee has published a report on data protection in the UK, post-Brexit. The report “Brexit: the EU Data Protection Package” came about because of the Sub-Committee’s “routine scrutiny of EU legislative proposals, but also forms part of the coordinated series of Brexit-themed inquiries launched by the European Union Committee and its six Sub-Committees following the referendum on 23 June 2016, which aim to shed light on the main issues likely to arise in negotiations on the […]

ICO publishes international strategy

Last week the ICO published its international strategy for the next four years. The strategy sets out a number of global data protection challenges: to operate as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period; and to maximise the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies. […]

ICO Subject Access Request guidance updated

The ICO has updated its subject access request code of practice, not because the GDPR is coming, but because of the outcomes of a couple of court cases (Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74, and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford [2017] EWCA Civ 121) that affect interpretation of the Data Protection Act. Both cases dealt with issues around the proportionality of subject access requests, particularly when […]

Royal Free & Google DeepMind trial failed to comply with data protection law

The ICO has published its ruling on the Royal Free NHS Trust’s sharing of patient data with DeepMind (a Google-owned AI company). The data (1.6m records) had been shared as part of a trial to test an alert, diagnosis and detection system for acute kidney injury, but the ICO did not believe the patients had been given enough information about the use of their data in this way, and the sharing therefore failed a number of the tests in the Data […]