•  

Privacy Insider newsletter:                Feb 9, 2021

  • by Angelique Carson
  • last updated February 9, 2021
  • 3 min read
Privacy Insider newsletter:                Feb 9, 2021

While the SolarWinds hack has been public for some time, its repercussions continue to reverberate. The hackers, allegedly working on Russia’s behalf, broke into the IT-management firm’s system and added malicious code into a system called “Orion,” which thousands of companies and U.S. government agencies use to manage IT. 

It’s estimated that some 33,000 SolarWinds customers could be impacted after the hackers installed malware into various systems to “spy on companies and information,” Business Insider reported

Security experts are calling the hack the worst breach in U.S. history, noting it will take millions of dollars and a long time — years — for impacted agencies and organizations to fortify their systems again. 

Curious about privacy? Find out how Osano automates compliance & saves you time! Learn more

The additional nightmare here is that the long recovery ahead is obvious to companies who directly use SolarWinds. But it gets trickier to detect if someone in your supply chain uses SolarWinds. 

In general, vendors don’t include a list of their sub-processors in contracting with clients. While asking for such a list before signing is becoming more commonplace, it isn’t generally part of the transaction. Are you sub-processors using SolarWinds? You should find out. 

The hack is a super unfortunate reminder for all organizations to be cautious when choosing vendors and be vigilant about with whom they choose to work.

Try Osano Free!

Enjoy reading, and see you next week!

Angelique 


  1. It wasn’t just Russia: China also hacked SolarWinds
    Two months ago, a Russian hack into network-management company SolarWinds made headlines all over the world. Once the hackers infiltrated SolarWinds’ system, they launched a supply-chain attack that could ultimately affect “close to 18,000 of the company’s customers,” The Wall Street Journal reported. But it appears that China also hacked into SolarWinds through a different vulnerability than the Russians found, targeting the U.S. Department of Agriculture’s National Finance Center, Wired reports. 
    Read Story
  2. Virginia likely to pass privacy law soon
    Virginia looks ready to pass consumer privacy legislation, “which would make the commonwealth the latest domino to fall in a state-by-state push for data protections,” The Wall Street Journal reports. The state’s Senate and House of Delegates passed versions of the bill recently and will now work to bridge any gaps between the two texts. The bill would allow Virginia residents to correct and delete data, as well as grant them the right to opt-out of the sale of their personal data by the companies that collect it. 
    Read Story
  3. Canadian privacy commissioners say Clearview AI collected data illegally
    Clearview AI has been in trouble for some time over its facial recognition technology, facing lawsuits and investigations around the world. This week, Canada’s privacy commissioners said the technology is “illegal” in Canada and called on the company to delete any photos of Canadians’ faces from its database, The Verge reports. The commissioners released a report this week stating their investigation found Clearview “collected highly sensitive biometric data without consent” and used the data inappropriately. 
    Read Story
  4. Human rights body launches petition against Singapore’s student laptop monitoring
    Singapore’s government plans to ensure every secondary student has a computer for at-home learning during the COVID-19 pandemic, Reuters reports. But the computers will contain software that allows teachers to view and control their students’ screens remotely. The monitoring software's vendor says its product would not track location data or passwords, but Human Rights Watch has launched an online petition against the plan, citing student privacy concerns. 
    Read Story
  5. Stakeholders call for updated definition of “personal information” in Privacy Act
    As Australia’s attorney general reviews the country’s Privacy Act of 1988, stakeholders weigh in on what should change. Many public comments call for a law similar to the EU’s General Data Protection Regulation, which should include a revised definition of “personal information” under the law. Microsoft, among others, said the definition should include data that “relates to an identified or identifiable individual,” ZDNet reports. 
    Read Story
  6. EU antitrust commissioner to Apple: Treat all apps the same
    The EU’s antitrust enforcer, Margrethe Vestager, has warned Apple it must treat all apps on its platform equally after it recently announced it would ask iPhone users for consent to track their data so it can serve them personalized ads. The move will “limit apps’ ability to gather data from people’s phones that can be used for targeted advertising,” Reuters reports. Facebook has called the move anti-competitive.
    Read Story

About The Author · Angelique Carson

Angelique Carson is a professional writer and editor who's worked in journalism and publishing for more than 10 years. She is currently Director of Content at Osano, a B-corp privacy-solution platform aiming to make compliance with global privacy laws easy for companies, including small- and medium-sized businesses. She was previously an editor at the International Association of Privacy Professionals and the host of The Privacy Advisor Podcast. She lives in Washington, D.C. with her puppy Miles.