Category: Privacy, Data Protection & Information Management


Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

By Cameron Abbott and Meg Aitken

As the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS not only “scrapes” credit and debit card numbers from the memory of point-of-sale terminals; its multifaceted code also records the keystrokes of computer operators and transmits stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating systems despite security software and data controls.

More details about ModPOS malware can be found here.

Hotel Industry Payment Systems Under Attack

By Cameron Abbott and Meg Aitken

Stayed at one of Hilton Worldwide Holdings’ (Hilton) hotels between 18 November and 5 December 2014, or between 21 April and 27 July 2015? Check your bank statement.

Within the same week, both Hilton and Starwood Hotels & Resorts Worldwide Inc. (Starwood) discovered that the point-of-sale terminals at a number of their hotels across the globe had been infected with malware.

The malware has enabled hackers to pinch the credit and debit card information of Starwood and Hilton customers. However, there is apparently no evidence that personal contact information provided as part of the hotels’ guest-reservation system or loyalty rewards program was stolen.

While the attack on Starwood was confined to 54 of its hotels in North America, the Hilton attack affected the chain’s hotels globally, including Australian establishments. The number of cards compromised has not been revealed by either hotel.

Starwood and Hilton are not the only luxury hotel chains to be affected by data hacks in 2015. The Mandarin Oriental and Trump International have also reported data security breaches involving intrusive malware this year. In the case of Starwood, the hack occurred over eight months without detection, showing how sophisticated some of these attacks are.

Starwood’s media release can be found here. Hilton’s media release can be accessed here.

European Court of Justice Declares EU/US Safe Harbour Decision Invalid

By Cameron Abbott and Melanie Long

The European Court of Justice has declared invalid a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (safe harbour decision). In the wake of the Snowden scandal, Austrian citizen Maximilian Schrems lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision.

In invalidating the safe harbour decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” The Court further declared that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”

The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The European Court of Justice’s press release can be found here.

To read the full judgment of the European Court of Justice click here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.