IT Security & Privacy

The recent data breach at the Centers for Medicare & Medicaid Services (CMS), which compromised the personal information of nearly one million Medicare beneficiaries, serves as a powerful reminder of the serious cybersecurity, governance, risk management, and compliance (GRC) challenges facing organizations in today's digital landscape. The breach, stemming from a vulnerability in third-party software (MOVEit) has exposed significant gaps in vendor management, IT security, and regulatory compliance.

Swedish regulators have levied a fine against a major domestic bank for unlawfully transferring customer data to Meta's advertising platforms. The Swedish Supervisory Authority (SA) announced a €1.3 million administrative penalty against Avanza Bank AB after an investigation found the bank had been funneling personal information about up to 1 million customers to Meta, the parent company of Facebook, over an 18-month period.

Dick's Sporting Goods revealed in a Securities and Exchange Commission (SEC) filing on Wednesday that it had fallen victim to a cyberattack, highlighting the increasing challenges faced by organizations in managing IT security and resilience. The attack, detected on August 21, involved unauthorized access to several of the company’s information systems, including sensitive areas containing confidential data.

The Information Commissioner's Office (ICO) has issued a formal reprimand to the UK Labour Party for repeatedly failing to respond to subject access requests (SARs) within the legally mandated timeframe. This action follows an investigation prompted by over 150 complaints received by the ICO between November 2021 and November 2022.

The Dutch Data Protection Authority (DPA), in cooperation with the French data protection authority CNIL, has imposed a colossal €290 million fine on Uber B.V. and Uber Technologies Inc. The penalty, announced on August 26, 2024, stems from Uber's unauthorized transfer of European drivers' personal data to the United States without implementing sufficient safeguards—a violation of the General Data Protection Regulation (GDPR).

The United States Department of Justice (DOJ) has joined a whistleblower lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate, Georgia Tech Research Corporation (GTRC), alleging significant cybersecurity violations in connection with Department of Defense (DoD) contracts.

Texas Attorney General Ken Paxton has filed a lawsuit against industry titan General Motors (GM) over the company's alleged unlawful collection and sale of driver data. This action comes as part of a broader data privacy and security initiative launched by Paxton to aggressively enforce Texas privacy laws.