I wasn’t deliberately going looking for data breaches or other data privacy concerns. However these two examples just leapt out at me. Please note that I have redacted sections of these pictures where there were potentially identifying features. I’ve also removed individual’s names, just in case you could make them out.

Staff roster and holiday plans on public display

I ate and drank in quite a few different establishments on my holiday, but this one had the staff roster and a holiday planner in plain sight, over one of the tills.

Because it was dark, the camera struggled to pick it out very clearly, but I could read the names clearly on the holiday planner (on the left). This had the staff names down the left hand side. Then the columns were for June, July and August and this is where the staff obviously noted their holiday plans.

The weekly roster is on the right, where again the staff names were down the left hand side. Then what shifts they were working each day was in the columns. I couldn’t make this out myself at the distance I was from it – approximately 2m.

If I had a better camera or better light, there is no doubt I could easily have got the complete staff list, their holiday plans and their work schedule for the coming week.

This is a breach of the staff’s right to privacy. Any member of the public could see when they were going to be on holiday or when they were going to be at work. This could lead to their home being broken into, as the bad guys know when they are going to be away. Or how about an abusive ex-partner? How much would they love to have this kind of information available to them.

The real shame about this … this place had a large back-of-house (kitchen and office) that all the staff had access to, but not the public. Why not post these things back there?

Staff surveillance

CCTV is used extensively in pubs and restaurants mainly for crime prevention and health and safety purposes. In this pub there was this ONE camera that only had eyes for one thing … this till

So obviously they were using this camera to keep an eye on staff to see if they were fiddling the till. This was a very obvious placement of a camera. This would not be considered “covert” by any means or standards. That’s me talking as somebody who notices this stuff for a living. If I was still in school, starting out on my first pub job, I may not notice such things.

Surveillance of staff needs to be declared by the employer. In this instance there should be a point in the staff manual noting that the tills are monitored by cameras. If an employer was to use secret cameras to monitor staff, they should also declare this. They should state that from time-to-time covert surveillance of employees, in the performance of their work, may be implemented.

Have you any holiday data breach snaps?

In both of the above situations, I have anonymously (I was on holiday, so I’m not hunting sales leads) notified the owners of the establishments about my observations.

When you are looking through your photos from your vacation, can you find any holiday data breach pictures? If you think you have, send them in confidence to info@L2CyberSecurity.com and I’ll let you know, but please don’t tell me the name of the place or the location.

If you would like to know more about different data breaches under the GDPR, check out the videos available on the GDPR section of my website.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Holiday Data Breach Photos. appeared first on L2 Cyber Security Solutions Ltd..

This has actually been going on, quietly in the background, for some 9 years at this stage and is certainly the first I have heard about it … and it concerns me greatly.

The CSO state that the reason for gathering the data is such that it “may significantly enhance our statistics on tourism and international travel”. How does knowing when a visitor to our country makes a phone call enhance tourism statistics? I don’t know. 

Gathering such call details would require them to also capture some unique identifier for that handset, as otherwise they would have no way of identifying whether a call was a single call made by one tourist or whether it was one of twenty calls made by that same tourist. Guess what? Every mobile phone has a unique identifier. The International Mobile Equipment Identity (IMEI) and this ties back to a person, and so is personal data.

Also noted in the article was

… the Court of Justice of the European Union held that traffic and location data was liable to allow ‘very precise conclusions’ to be drawn about the private lives of individuals.

in other words knowing where somebody is at all times is effectively spying on somebody … state sponsored surveillance even.

The CSO had even gone as far as having a Statutory Instrument drafted by the Attorney General’s office (another state agency), which would have enabled the government to sign off on it, thereby compelling the mobile operators to hand over the personal data on visiting tourists, without their knowledge or permission. Fortunately the DPC raised concerns

The “extraordinary” project would, in effect, “track the movements of visitors to this country and will in turn, affect tourists’ privacy rights, in that their entire holiday will have been recorded and analysed, albeit anonymously”.

The CSO still appear to be continuing with this “project” as stated at the end of the article, but Helen Dixon, the current Commissioner with the DPC, has stated her office would expect to be consulted before any Statutory Instrument is signed off.

In this, the era of the General Data Protection Regulation (GDPR), I would expect that state agencies have to follow the same rules that apply to all other businesses in the EU. I cannot for the life of me think of a single legal justification for the CSO to gather such granular data on private citizens (no matter what country the come from).

This could be the thin end of the wedge … what’s next … if they can do it to tourists, will Irish residents be next?

<googles “tinfoil hat creation”> 

The post State agency wants to track tourists. appeared first on L2 Cyber Security Solutions Ltd..