{"id":5818,"date":"2022-07-04T10:32:08","date_gmt":"2022-07-04T08:32:08","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=5818"},"modified":"2025-01-30T12:54:48","modified_gmt":"2025-01-30T11:54:48","slug":"weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/","title":{"rendered":"Weekly digest 27 June &#8211; 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\"><em>TechGDPR\u2019s review of international data-related stories from press and analytical reports.<\/em><\/h4>\n\n\n\n<h4 class=\"wp-block-heading\">Official guidance: credential stuffing, patient privacy, use of drones<\/h4>\n\n\n\n<p>The latest report from<a href=\"https:\/\/globalprivacyassembly.org\/wp-content\/uploads\/2022\/06\/22-06-27-Credential-stuffing-guidelines.pdf\"> international data protection and privacy authorities<\/a> has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual\u2019s tendency to use the same credentials (e.g. username\/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the \u2018dark web\u2019), to unlawfully access users\u2019 accounts on unrelated websites.&nbsp;<\/p>\n\n\n\n<p>Successful credential stuffing attacks may result in fraud or other means of financial loss, as attackers may, for example, make purchases using the compromised account or transfer funds to their own account. Upon establishing a secure foothold, an attacker may attempt to obtain further access to data and systems through the harvesting of other visible or accessible credentials. Such attacks may also be used to cause intangible harm such as reputational damage by spreading disinformation or making false statements about an individual whilst using their compromised account.&nbsp;<\/p>\n\n\n\n<p>The guidance by international privacy authorities&nbsp;provides measures to detect, prevent and\/or mitigate the risk from credential stuffing (guest checkouts, strong passwords and usernames, and their alternatives, multi-factor authentication, secondary passwords and pins, device fingerprinting, identifying leaked passwords, rate-limiting, account monitoring and lockout, incident response plans and user notifications, and more).<\/p>\n\n\n\n<p>The US Department of Health issued <a href=\"https:\/\/www.hhs.gov\/about\/news\/2022\/06\/29\/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html\">guidance to protect patient privacy in wake of the Supreme Court decision<\/a> where the right to safe and legal abortion was taken away. In general, the guidance addresses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>how federal law and regulations protect individuals\u2019 private medical information, (known as protected health information or PHI), relating to abortion and other sexual and reproductive health care \u2013 making it clear that providers are not required to disclose private medical information to third parties; and<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals\u2019 privacy when using period trackers and other health information apps.<\/li>\n<\/ul>\n\n\n\n<p>According to recent reports, many patients are concerned that such apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care. The guidance also addresses the circumstances under which the Health Insurance Portability and Accountability Act, (HIPAA), permits disclosure of PHI without an individual\u2019s authorisation. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual\u2019s privacy and support their access to health care.&nbsp;<\/p>\n\n\n\n<p>Switzerland\u2019s data protection commissioner FDPIC issued an annual 2021-2022 report, noting widespread indifference towards protecting citizens&#8217; data and a growing disregard for privacy. The deficiencies in processing sensitive personal data that have become more frequent on health platforms, and the tendency, now also perceptible in Europe, to discredit the public&#8217;s right to encrypt their data as an abuse of freedoms, are evidence of this development. In relation to freedom of information, the FDPIC continues to see an increase in the number of requests for access and for mediation, which poses problems in meeting the legal deadlines in view of the pandemic-related backlog of work. You can read the detailed report <a href=\"https:\/\/www.newsd.admin.ch\/newsd\/message\/attachments\/72229.pdf\">here.<\/a>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:36% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/karl-greif-H5IXIH254AU-unsplash-1-1024x683.jpg\" alt=\"\" class=\"wp-image-5821 size-full\" srcset=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/karl-greif-H5IXIH254AU-unsplash-1-1024x683.jpg 1024w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/karl-greif-H5IXIH254AU-unsplash-1-300x200.jpg 300w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/karl-greif-H5IXIH254AU-unsplash-1-768x512.jpg 768w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/karl-greif-H5IXIH254AU-unsplash-1-1536x1024.jpg 1536w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/karl-greif-H5IXIH254AU-unsplash-1-2048x1365.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The Irish data protection commission issued a<a href=\"https:\/\/www.dataprotection.ie\/sites\/default\/files\/uploads\/2022-05\/Guidance%20on%20the%20use%20of%20drones%20-%20May%202022%20Final.pdf\"> guide on the use of drones<\/a>. Similar to body-worn cameras drones can effectively turn into a mobile surveillance system and are highly likely to capture the personal data of passers-by, (data subjects). These guidelines have been developed for drone operators for purposes other than public law-related use and also to answer queries from the perspective of data subjects. Regardless of the nature, (professional or recreational), of your activity, under EU law regulating unmanned aircraft, the collection of information related to an identifiable person through the operation of a data collection system mounted on a drone potentially constitutes personal data processing.&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p> When buying your equipment, you must check whether the device has been produced with data protection obligations in mind. For example, in order to comply with data minimisation, data collection systems mounted on drones should be capable of being switched on and off when appropriate and their visual angle limited in accordance with your purposes. In order to comply with the transparency principle, the drone should have adequate signaling such as lights or buzzers. It is also your responsibility to ensure that appropriate security of processing: check whether the video footage is stored on the device itself, on a portable storage medium, or on a cloud storage service, and take steps to mitigate any additional risk of loss or theft of personal data, such as encrypting data before it is transferred from the device to cloud storage.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Legal processes: criminal activity data<\/h4>\n\n\n\n<p>After the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2022.169.01.0001.01.ENG&amp;toc=OJ%3AL%3A2022%3A169%3ATOC\">amended Europol Regulation<\/a> entered into force on 28 June, the EDPS expressed its concerns that the amendments weaken the fundamental right to data protection. The new document \u201cexpands the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets\u201d, the EDPS states. Consequently, data relating to individuals that have no established link to criminal activity may be treated in the same way as the personal data of individuals with a link to criminal activity. Putting in place strong safeguards, says the regulator, is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that the EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Investigations and enforcement actions: bulk emails, sales prospecting calls, unnecessary cookies, unauthorised logins<\/h4>\n\n\n\n<p>The UK Information Commissioner\u2019s Office issued a monetary penalty to an NHS foundation trust. It used Outlook to send bulk emails to 1,781 Gender Identity Clinic service users. The accident happened despite the fact that the trust had in place some measures including a suite of policies. In particular, the &#8220;Email, Text and Internet Use Procedure&#8221; states: &#8220;To avoid inadvertently sharing other people&#8217;s email addresses, recipients should be selected in the &#8216;Bee&#8217; box, not the &#8216;To&#8217; box&#8221;. Data security and protection training was available to all staff with measures in place to update this at timely intervals. Here are some facts of the case:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The trust&#8217;s intention was to send a bulk email relating to an art competition to approximately 5,000 patients.\u00a0<\/li>\n\n\n\n<li>The distribution list was extracted from the trust&#8217;s electronic patient record system using a specific set of search criteria which ensured recipients were active patients and had consented to be contacted by email in certain circumstances.\u00a0<\/li>\n\n\n\n<li>The output report produced from the system was then manually split into batches of around 1,000 addresses each.&nbsp;<\/li>\n\n\n\n<li>In two batches the email addresses were copied from the output report and entered into the &#8220;To&#8221; field instead of the &#8220;Blind carbon copy&#8221; field. The recipients of each email could therefore see the email addresses of the other recipients of that email.&nbsp;<\/li>\n\n\n\n<li>Four of the emails were returned as undeliverable and so potentially 1,777 emails were delivered and opened.&nbsp;<\/li>\n\n\n\n<li>The staff member who sent the email noticed the error straight away and attempted, albeit unsuccessfully, to recall both the emails. They also contacted the trusts&#8217; Information Management and Technology Service Desk to report the breach.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The French Council of State validated the 2020 <a href=\"https:\/\/www.cnil.fr\/fr\/cookies-le-conseil-detat-valide-la-sanction-de-2020-prononcee-par-la-cnil-contre-amazon\">sanction pronounced by the state privacy regulator CNIL against Amazon<\/a>. In December 2020, the CNIL imposed a fine of 35 million euros against the company, in particular for having placed advertising cookies on the computers of users of the sales site &#8220;Amazon.fr\u201d without prior consent or satisfactory information, (in violations of Art. 82 of the Data Protection Act (transposing the \u201ce-Privacy\u201d directive). In addition, the CNIL noted that when users went to the \u201cAmazon.fr\u201d site after clicking on an advertisement published on another website, the same cookies were deposited but without any banner being displayed. Finally, the Council of State considers that the size of the fine imposed by the CNIL is not disproportionate with regard to the seriousness of the breaches, the scope of the processing and the financial capacity of the company.<\/p>\n\n\n\n<p>The CNIL also issued a fine of 1 mln euros against TOTALENERGIES \u00c9LECTRICIT\u00c9 ET GAZ. The regulator has received several complaints concerning the difficulties encountered by people when dealing with a <a href=\"https:\/\/www.cnil.fr\/fr\/prospection-commerciale-et-droits-des-personnes-sanction-de-1-million-deuros-lencontre-de\">French energy producer and supplier, their requests for access to their data, and opposition to receiving sales prospecting calls<\/a>. The company offered, on its website, a subscription form for an energy contract in which the user acknowledged giving his consent for the use of his personal data in order to subsequently receive commercial offers, without having the possibility of opposing it. Therefore, by completing this form, the user,&nbsp; had no means of opposing the reuse of his data for commercial prospecting purposes for similar products or services.<\/p>\n\n\n\n<p>In 2020 Norway\u2019s parliament the Storting was exposed to data breaches, and in January this year, the Norwegian data protection authority Datatilsynet announced a fine of approx 200,000 euros for a lack of security measures. <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2022\/overtredelsesgebyr-til-stortinget\/\">The regulator assessed Storting&#8217;s comments and maintains the notified <\/a>fine. The data breach was related to an unauthorized login to the email accounts of an unknown number of Storting representatives and employees in the administration and group secretariats. The regulator has placed particular emphasis on the fact that the Storting had not established two-factor authentication or similar effective security measures to achieve adequate protection.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Data security: mobile devices at work<\/h4>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 36%\"><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>America&#8217;s NIST&#8217;s publication explains how to organise <a href=\"https:\/\/www.nccoe.nist.gov\/news-insights\/nccoe-buzz-phishing-avoid-getting-hooked\">enterprise mobile data security and avoid getting hacked<\/a>. According to the agency, most phishing attempts come by email, while other attacks\u2014including text messages \u2014 are also on the rise. Ultimately, phishing attacks are not just limited to laptops or desktops, mobile phones can be the target of phishing attacks as well.&nbsp;<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"1024\" height=\"680\" src=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/office-620822_1920-1024x680.jpg\" alt=\"credential stuffing\" class=\"wp-image-5825 size-full\" srcset=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/office-620822_1920-1024x680.jpg 1024w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/office-620822_1920-300x199.jpg 300w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/office-620822_1920-768x510.jpg 768w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/office-620822_1920-1536x1020.jpg 1536w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/office-620822_1920.jpg 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p><a href=\"https:\/\/www.nccoe.nist.gov\/sites\/default\/files\/2022-06\/Phishing-Short-Form.pdf\">URL filtering, multi-factor authentication and mobile threat defense can help protect against phishing attacks<\/a>. In environments that use multi-factor authentication, if a phishing attacker successfully gains a user\u2019s password, they can still be denied access to enterprise information because they do not have the second factor required for authentication. For more information on phishing protection and other <a href=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-14082023-privacy-laws-worldwide-ai-measuring-school-progress-and-security-of-connected-objects\/\">mobile device security<\/a> and privacy enhancements for your organisation, refer to NIST publication on <a href=\"https:\/\/www.nccoe.nist.gov\/mobile-device-security\/corporate-owned-personally-enabled\">corporate-owned personally-enabled mobile devices<\/a> and <a href=\"https:\/\/www.nccoe.nist.gov\/mobile-device-security\/bring-your-own-device\">personal mobile devices to perform work-related activities.<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Big Tech: misconfigured data storage containers, French \u201ctrusted cloud\u201d in partnership with Google<\/h4>\n\n\n\n<p>According to Reuters, the US supermarket chain Wegmans agreed to pay 400,000 dollars and upgrade its security practices over <a href=\"https:\/\/www.reuters.com\/business\/retail-consumer\/supermarket-chain-wegmans-settles-with-new-york-over-data-breach-2022-06-30\/\">a data breach that exposed the personal information of more than 3 million consumers nationwide<\/a>. Reportedly, the company was accused of storing customer information in cloud storage containers hosted on Microsoft Azure that were left open because they had been misconfigured, leaving the data vulnerable to hackers. \u201cCustomers&#8217; email addresses and Wegman&#8217;s account passwords were exposed for about 39 months, while customers&#8217; names, mailing addresses, and data tied to their driver&#8217;s license numbers were exposed for about 30 months\u201d, states the article quoting the New York Attorney General Letitia James.<\/p>\n\n\n\n<p>Meanwhile, French defense company Thales has introduced a new firm within its group &#8211; S3NS in partnership with Google Cloud to offer state-vetted <a href=\"https:\/\/www.reuters.com\/technology\/frances-thales-creates-cloud-services-company-powered-by-google-2022-06-30\/\">cloud computing services for the storage of some of the country&#8217;s most sensitive data<\/a>, Reuters reports. The new company is the result of a government plan under which France acknowledged <a href=\"https:\/\/www.reuters.com\/technology\/frances-thales-partners-with-google-secure-cloud-services-2021-10-06\/\">US technological superiority<\/a>. Some of France&#8217;s biggest banks and healthcare organisations are among 40 potential customers of the new company.&nbsp;S3NS will offer from the second half of 2024 its <a href=\"https:\/\/www.thalesgroup.com\/en\/group\/press_release\/thales-introduces-s3ns-partnership-google-cloud-and-unveils-its-offering-first\">\u201ctrusted cloud\u201d<\/a> that will ultimately combine full performance, services and applications of Google Cloud technology while allowing protection against extraterritorial foreign laws and in compliance with the requirements of the \u201cTrusted Cloud\u201d label of France\u2019s Information Systems Security Agency. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>TechGDPR\u2019s review of international data-related stories from press and analytical reports. Official guidance: credential stuffing, patient privacy, use of drones The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":5819,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[94],"tags":[133,129,100,102,98,35,105],"class_list":["post-5818","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-digest","tag-cloud-services","tag-consumer-data-protection","tag-cookies","tag-data-subjects-rights","tag-direct-marketing","tag-gdpr","tag-health-tech"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png",1280,989,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-150x150.png",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-300x232.png",300,232,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-768x593.png",640,494,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-1024x791.png",640,494,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png",1280,989,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png",1280,989,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-200x200.png",200,200,true]},"post_excerpt_stackable":"<p>TechGDPR\u2019s review of international data-related stories from press and analytical reports. Official guidance: credential stuffing, patient privacy, use of drones The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual\u2019s tendency to use the same credentials (e.g. username\/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the \u2018dark web\u2019), to unlawfully&hellip;<\/p>\n","category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png",1280,989,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-150x150.png",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-300x232.png",300,232,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-768x593.png",640,494,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-1024x791.png",640,494,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png",1280,989,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png",1280,989,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280-200x200.png",200,200,true]},"post_excerpt_stackable_v2":"<p>TechGDPR\u2019s review of international data-related stories from press and analytical reports. Official guidance: credential stuffing, patient privacy, use of drones The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual\u2019s tendency to use the same credentials (e.g. username\/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the \u2018dark web\u2019), to unlawfully&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info_v2":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Weekly digest 27 June - 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy - TechGDPR<\/title>\n<meta name=\"description\" content=\"TechGDPR\u2019s review of the important data-related stories: credential stuffing, misconfigured cloud storage, mobile devices at work, drones...\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Weekly digest 27 June - 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"TechGDPR\u2019s review of the important data-related stories: credential stuffing, misconfigured cloud storage, mobile devices at work, drones...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-04T08:32:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-30T11:54:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"989\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Olya Vasylyk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Vasylyk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/\"},\"author\":{\"name\":\"Olya Vasylyk\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\"},\"headline\":\"Weekly digest 27 June &#8211; 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy\",\"datePublished\":\"2022-07-04T08:32:08+00:00\",\"dateModified\":\"2025-01-30T11:54:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/\"},\"wordCount\":2031,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/phishing-6573326_1280.png\",\"keywords\":[\"Cloud services\",\"consumer data protection\",\"cookies\",\"data subjects rights\",\"direct marketing\",\"GDPR\",\"health tech\"],\"articleSection\":[\"Data Protection Digest\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/\",\"name\":\"Weekly digest 27 June - 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/phishing-6573326_1280.png\",\"datePublished\":\"2022-07-04T08:32:08+00:00\",\"dateModified\":\"2025-01-30T11:54:48+00:00\",\"description\":\"TechGDPR\u2019s review of the important data-related stories: credential stuffing, misconfigured cloud storage, mobile devices at work, drones...\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/phishing-6573326_1280.png\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/phishing-6573326_1280.png\",\"width\":1280,\"height\":989},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Weekly digest 27 June &#8211; 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\",\"name\":\"Olya Vasylyk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"caption\":\"Olya Vasylyk\"},\"description\":\"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/olyav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Weekly digest 27 June - 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy - TechGDPR","description":"TechGDPR\u2019s review of the important data-related stories: credential stuffing, misconfigured cloud storage, mobile devices at work, drones...","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/","og_locale":"en_US","og_type":"article","og_title":"Weekly digest 27 June - 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy - TechGDPR","og_description":"TechGDPR\u2019s review of the important data-related stories: credential stuffing, misconfigured cloud storage, mobile devices at work, drones...","og_url":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/","og_site_name":"TechGDPR","article_published_time":"2022-07-04T08:32:08+00:00","article_modified_time":"2025-01-30T11:54:48+00:00","og_image":[{"width":1280,"height":989,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png","type":"image\/png"}],"author":"Olya Vasylyk","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Olya Vasylyk","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/"},"author":{"name":"Olya Vasylyk","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8"},"headline":"Weekly digest 27 June &#8211; 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy","datePublished":"2022-07-04T08:32:08+00:00","dateModified":"2025-01-30T11:54:48+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/"},"wordCount":2031,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png","keywords":["Cloud services","consumer data protection","cookies","data subjects rights","direct marketing","GDPR","health tech"],"articleSection":["Data Protection Digest"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/","url":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/","name":"Weekly digest 27 June - 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy - TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png","datePublished":"2022-07-04T08:32:08+00:00","dateModified":"2025-01-30T11:54:48+00:00","description":"TechGDPR\u2019s review of the important data-related stories: credential stuffing, misconfigured cloud storage, mobile devices at work, drones...","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/07\/phishing-6573326_1280.png","width":1280,"height":989},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"Weekly digest 27 June &#8211; 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones &amp; privacy"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8","name":"Olya Vasylyk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","caption":"Olya Vasylyk"},"description":"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/5818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=5818"}],"version-history":[{"count":24,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/5818\/revisions"}],"predecessor-version":[{"id":10228,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/5818\/revisions\/10228"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/5819"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=5818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=5818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=5818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}