29 March 2020

Tesco’s stolen data, NetworkRail wifi exposes data, US OCR’s guidance during Covid-19 and more…

Data Blast: Tesco’s stolen data, NetworkRail wifi exposes data, US OCR’s guidance during Covid-19; and Washington State’s Breach Notification

Tesco issues 600,000 new cards after security issue

In March, the supermarket chain stated that it believed a database of stolen usernames and passwords from other platforms had been tried on its website, many of which worked.

Tesco confirmed that no financial information had been taken, and that its system had not been breached, but said that reissuing cards was a necessary precautionary measure.

A Tesco spokesperson stated ‘We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers. Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.’ Of the roughly 19 million people with a Clubcard, it is believed that only 600,000 were affected.

The supermarket chain confirmed that it had emailed all those affected, that new vouchers would be issued and that no points would be lost.

A stolen database of names and emails can be very beneficial to cyber-criminals, as many people still use simple passwords and similar login details for different platforms. By using common passwords in combination with leaked email addresses, cyber-criminals are able to access a large number of personal accounts.

As a firm, we recommend the use of password managers to generate and store unique passwords, as well as instituting two-factor authentication where possible and practical, in which a text or email code is required on top of a password.

Rail station wi-fi provider exposes user data

Network Rail and C3UK, a wi-fi service provider, confirmed on March 2nd that the email address and travel details of roughly 10,000 people who used free UK railway wi-fi has been exposed online.

The leaked database, which was not password protected, contained 146 million records, including personal contact details and dates of birth.

C3UK claims that it secured the exposed database – a backup that includes close to 10,000 email addresses – as soon as they were made aware of the breach, also stating that ‘to the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available.’

It has been reported that the database, found on an unsecured Amazon web services storage base, was searchable by username, thereby allowing viewers to glean individuals’ regular travel patterns. Furthermore, the database also revealed software updates and types of software being used by the connected devices, which could enable a pathway for the installation of malware on those devices.

C3UK said it has elected not to inform the UKICO of the incident, as the data had not been stolen or accessed by any other party. However, Network Rail confirmed that it was contacting the ICO, and that it had recommended to C3UK to report the breach as well.

In commenting on the matter, the ICO stated ‘When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects.’

In assessing that the exposed database was not accessed by any third-party, C3UK may have a valid reason for not informing the ICO. However, our firm advises, where a data breach is likely to affect the rights and freedoms of the affected individuals, that the responsible data controller notify the ICO within 72 hours.

U.S. Office for Civil Rights Issues Guidance Concerning Privacy During the Covid-19 Crisis

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the entity responsible for compliance with the enforcement of the Health Insurance Portability and Accountability Act 1996 (HIPAA), has issued guidance regarding the sharing of protected health information (PHI) during the coronavirus pandemic.

The HIPAA Privacy Rule defines PHI as all individually identifiable health information held or transmitted by a covered entity in any form or media, whether electronic, paper, or oral. The Privacy Rule sets out national standards for the protection of PHI and allows HIPPA-covered entities to disclose PHI under certain circumstances. Covered entities are defined in HIPAA to include health plans (i.e. health insurance companies, and Medicare and Medicaid), healthcare clearing houses, and healthcare providers.

In summary, the OCR’s guidance clarifies that HIPAA permits disclosure of PHI during the Covid-19 crisis in circumstances when it is:

  • Necessary for the protection of first responders who may be at risk of infection;
  • Required by law (e.g. when state law requires the reporting of confirmed or suspected cases);
  • Required by correctional institutions or law enforcement; and
  • Necessary for treatment, payment or healthcare operations.

In response to the pandemic, U.S. state and federal government agencies have promoted utilisation of telehealth services. Following criticism that the updated guidance did not go far enough to address the concerns of telehealth providers, and in particular the provision of services using personal devices or other unsecured devices, the OCR issued a further update to its guidance on March 20th 2020.

The OCR’s latest update states that it is exercising its enforcement discretion not to impose penalties for the provision of all non-HIPAA compliant telehealth services in relation to the diagnosis and treatment of all conditions, including coronavirus, during the outbreak. The OCR’s guidance can be read here.

Washington State Amends Agency Breach Notification Law

On March 18th 2020, the Governor of the State of Washington signed into law the latest bill to amend Washington State’s Agency Breach Notification Law (‘Agency breach Law’). The latest amendment means that only the last four digits of an individual’s Social Security number are required in combination with their name for it to be considered personal information.

This amendment follows the failure of the Washington State House and Senate to pass the comprehensive Washington Privacy Act following a disagreement over whether the State Attorney General or consumers should have the power to enforce the law.

This is not the first time that Washington State has amended its Agency Breach Law: Prior to 2019, the Agency Breach Law defined personal information as an individual’s name in combination with their full Social Security number, or other numeric data (e.g. credit card number or state I.D. card number).

In May 2019, the definition was amended to also include an individual’s full date of birth, biometric data, and health insurance policy number, and other data when used in combination with the full name and full Social Security number of the individual.

The latest change to the law follows concerns over the ease at which it is now possible to identify people using only part of their Social Security number. It will be interesting to see if further refinements to the definition of personal information will be needed as technology makes it easier to identify individuals from partial information. For example, truncated credit card and account numbers are often provided on printed and electronic receipts.

For more information please contact Partner, James Tumbridge at