
    Hackers 'manipulated' stolen COVID-19 vaccine data before leaking it online

    Hackers who stole information about COVID-19 vaccines in a cyberattack against the European Union’s medical agency and then published it online also manipulated what they found in order to spread disinformation designed to undermine trust in vaccines.
    In the latest update on the cyberattack which was first disclosed last month, the European Medicines Agency (EMA) has revealed how hackers accessed confidential internal emails from November about evaluation processes for COVID-19 vaccines.
    The ongoing investigation found that some of the contents of those emails have been manipulated by those behind the attack in what appears to be an attempt to create mistrust through disinformation about vaccines.
    “Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” said the update from the EMA.
    It’s uncertain who the perpetrators of the EMA cyberattack are or why exactly they’ve manipulated the documents to spread disinformation in an effort to undermine trust in the vaccines. Anti-vax conspiracy theories about coronavirus have been a problem for social media and the wider world since the start of the pandemic.
    A previous update from the EMA disclosed that hackers accessed and stole COVID-19 vaccine data during the December attack. The intruders, who were specifically targeting data relating to COVID-19 medicines and vaccines, gained access to the information by breaching an undisclosed IT application.

    “The agency continues to fully support the criminal investigation into the data breach. Necessary action is being taken by the law enforcement authorities,” said the EMA statement.
    The UK’s National Cyber Security Centre, Microsoft and the World Health Organisation are among those which have issued warnings over hacking groups targeting healthcare, pharmaceuticals, universities and other organisations involved in COVID-19 vaccine development and distribution.


    You're using your Android and Mac's fingerprint reader all wrong

    Fingerprint readers are great. When they work.
    One thing I’ve noticed since switching to an iPhone with Face ID instead of Touch ID is how much faster and more accurate using my face is than using my fingers.
    Not only is fingerprint placement on the sensor critical, but people who work with their hands will find that their fingerprints can wear to the point where they become unreliable (but not enough for you to get away with crimes, in case you’re wondering).
    If you work with your hands outdoors or as a technician or mechanic, this will be an issue, but it is also an issue, if not a bigger one, for people with demanding hobbies such as rock climbing or weight training.
    Add to this the fact that if you are someone who works with your hands, chances are good that your hands aren’t always clean. Oil, dirt, and adhesives can all affect your prints (just today, I got some epoxy resin on my Mac’s fingerprint reader — fortunately for my wallet, it came off!).
    I’ve come across four workarounds to this problem.

    Give your device the middle finger

    Literally.
    Use your middle finger as the default. Sure, it takes a little bit of getting used to, but I’ve found that the fingerprint on the middle finger takes less battle damage than other fingers, especially the index finger, yet the finger is still dexterous enough to use (I’ve tried using the pinky, but it doesn’t want to play ball!).
    I find using the middle finger particularly good for Android smartphones that have the fingerprint reader on the back, or the Touch ID pad on Macs.
    Multiple identities
    Another trick I find works well is to program in the same finger with Android or macOS several times over a period of time. This way, it learns to read your fingerprint through the random scuffs and scars.
    This is useful for those who don’t want to change the finger they use to unlock their smartphone.
    Go on the side
    Rather than using the pads of the fingers (the parts that get fragged the most), use the sides, especially the thumb. Again, it’s a spot that takes less damage.
    I find this works really well for smartphones with side-mounted fingerprint readers on Android smartphones.
    Get comfortable
    Enroll your fingerprint with the system the way you expect to be holding or using the device. With a new system, you might not know what this natural, comfortable way is until you’ve used it for a few days, so go through the process a second time if you feel like it’s not catching your prints accurately. I know that initially when I enrolled my fingerprints on my MacBook Pro, I was jabbing at the sensor completely differently from the way I would use it in real life, and this affected accuracy a lot.


    How to prepare your business for civil unrest during inauguration week

    I’d like to say that these last weeks have been like nothing we’ve ever seen before in America. But that’s not true. There have been numerous internally-driven insurrections against the American government. There was Shays’ Rebellion, the Whiskey Rebellion, Fries’s Rebellion, and even the formation of the State of Muskogee — and all of these were just in the first 25 years of the Republic. And, of course, there was the American Civil War.
    But — make no mistake about it — there hasn’t been a direct assault anything like we saw in Washington on January 6 for a really long time. There have been protests and pushbacks against various pieces of legislation. There have certainly been issue-driven protests that turned violent. But armed attackers attempting to block an American election, entering America’s seat of government, forcing legislators to flee out of fear for their lives, and then causing the deaths of five Americans? No, that’s pretty new to any American alive today.
    Unfortunately, it’s probably not over. The FBI has warned of possible armed protests and violent actions against individual state capitols and the US Capitol. This coming week is inauguration week, and tempers are running hot.
    It’s not just lawmakers who are concerned. Businesses and enterprises are worried they might be victims of attack as well. Here are just a few examples of measures being taken: Starbucks in New York City is temporarily closing, as are businesses in downtown Madison, Wisconsin. Raleigh, North Carolina has an expanded police presence to protect people and property. Businesses in downtown Columbus, Ohio are bracing for attacks. Businesses in Denver are boarding up in preparation for inauguration protests and violence.
    Even suburban Tigard, Oregon, home of my Apple Store and my local Rockler tool mecca, is dealing with rioting. Add to all that the chaos that’s occurred right here in Salem, Oregon’s state capital.
    To say businesses are worried is an understatement.
    How to prepare

    Doing business safely is very important. Those of us fortunate enough to have jobs rely on business to help us put food on our tables. Communities rely on business as well. But managers and employees are scared. Some businesses have already been vandalized. Financial stress is very real, especially now.
    While probably none of us are truly innocent, many businesses are just trying to get by. Business owners may feel that they are not directly contributing to the current unrest, and may even be actively working towards helping alleviate suffering.
    Of course, much of how we do business — the coldness, the unfairness, the greed, the racism and sexism inherent in the system — has definitely contributed to conditions that are causing strife in America, but that’s a very big subject that’s outside of the scope of this column. Today, we’re just going to look at how to protect your company and your people. 
    To protect your company, the Virginia Fusion Center (VFC) has some guidelines that might help. The mission of the Fusion Center is “to fuse together key counterterrorism and criminal intelligence resources from local, state, and federal agencies as well as private industries in a secure, centralized location, to facilitate information.”
    The following guidelines were provided to InfraGard members with a request that we share this information with our constituencies. As such, much of the following is directly quoted from the VFC guidance for businesses concerned about dealing with civil unrest.
    1. Stay informed – Depending on where you live, protest organizers are required to get a permit before demonstrating publicly. Most protesters advertise their events to garner more participation and coordinate the protest with police officials. Keep up to date on events in your community by contacting local officials or viewing your city’s website for posted information on upcoming events. Moreover, stay abreast of emergency protocols in your area.
    2. Reduce building weaknesses – Determine what makes your storefront [or office or factory] more vulnerable. Are there dark alleys and large windows? A building should have adequate lighting at all entrances along with security cameras with alarms to capture intruders on tape and notify police automatically. Windowless doors made from steel and deadbolts help to deter vandalism.
    3. Close your store [or office or factory] – Sometimes closing your store [during times of unrest] is the best decision to ward off losses. Your prime concern is the health and safety of employees and consumers, as well as preventing physical damage to property. You can also adjust store hours and reduce the number of employees who work based on city curfews. Gain guidance from governing officials as to the safest time to remain open.
    4. Revise your schedule – If you expect deliveries, reschedule them for a different day or week. You also don’t want to be meeting with clients or staff when a protest is ongoing. Keep staff members informed of safety plans, so they know what to expect.
    5. Call the police – If trespassers look suspicious and won’t leave your property, get police assistance immediately. It’s not advisable to take matters into your own hands or use firearms as a means to protect your premises.
    6. Review your insurance policy – Make sure your business policy includes coverage for property damage incurred during a protest. You should meet with your insurance agent to verify what exactly your liability and property insurance policy covers.
    Signs of terrorism
    The Fusion Center recommends you keep an eye out for the following eight indicators of suspicious activity. If you find such activity, you can report it to your local police department, or to the Fusion Center directly. Here’s what to watch out for (again, quoted directly from the fusion center’s guidance):
    1. Surveillance – Someone recording or monitoring activities. This may include the use of cameras, note taking, drawing diagrams, annotating on maps, or using binoculars or other vision-enhancing devices.
    2. Elicitation – People or organizations attempting to gain information about military operations, capabilities, or people. Elicitation attempts may be made by mail, email, telephone, or in person. This could also include eavesdropping or friendly conversation. [Also, keep an eye out for any social engineering attempts. –DG]
    3. Tests of Security – Any attempts to measure reaction times to security breaches, attempts to penetrate physical security barriers, or monitor procedures in order to assess strengths and weaknesses.
    4. Funding – Suspicious transactions involving large cash payments, deposits, or withdrawals are common signs of terrorist funding. Collections for donations, the solicitation for money and criminal activity are also warning signs.
    5. Supplies – Purchasing or stealing explosives, weapons, ammunition, etc. This also includes acquiring military uniforms, decals, flight manuals, passes or badges (or the equipment to manufacture such items) and any other controlled items.
    6. Impersonation – People who don’t seem to belong in the workplace, neighborhood, business establishment, or anywhere else. This includes suspicious border crossings; the impersonation of law enforcement, military personnel, or company employees is also a sign.
    7. Rehearsal – Putting people in position and moving them around according to their plan without actually committing the terrorist act. An element of this activity could also include mapping out routes and determining the timing of traffic lights and flow.
    8. Deployment – People and supplies getting into position to commit the act. This is the person’s last chance to alert authorities before the terrorist act occurs.
    In addition to your local police and the fusion center, you can contact the FBI. Contact the FBI’s Toll-Free Tipline at 1-800-CALL-FBI (1-800-225-5324) to verbally report tips. You may also submit any information, photos, or videos that could be relevant online at fbi.gov/USCapitol. You may also contact your local FBI office or the nearest American Embassy or Consulate.
    Guidelines for reporters
    Finally, if your job necessitates that you put yourself directly in harm’s way by attending the protests for the purpose of reporting on the events unfolding, keep in mind the following set of quick tips:
    Make sure you know where the exit points are.
    Consider leaving if the crowd seems to be getting out of control.
    Wear closed-toe shoes and keep the laces tied to prevent tripping.
    Avoid standing on or near structures that could collapse.
    Walk around crowds rather than pushing through them.
    Leave early or late to avoid the rush when the event is over.
    If you’re caught in a moving crowd, walk sideways or diagonally across it to work your way out.
    Keep your phone charged and on. Program it to vibrate as well as ring.
    Final thoughts
    Please be careful. As grandma used to say, an ounce of prevention is worth a pound of cure. Here’s to a happy 2021, because it’s already soooo much better than 2020.
    What are you doing to protect your business? Have you implemented any technical solutions? Share with us in the comments below.
    Disclosure: David Gewirtz is a member of InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    Google Cloud: We do use some SolarWinds, but we weren't affected by mega hack

    Google Cloud’s first chief information security officer (CISO) has revealed that Google’s cloud venture does use software from the vendor SolarWinds, but says its use was “limited and contained”.
    Google Cloud announced the hire of its first CISO, Phil Venables, in mid-December, just as the US was beginning to understand the scope of the Russian government’s software supply chain malware attack.
    The hack affected the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) and the Department of Justice, gave the attackers access to view some of Microsoft’s source code, and hit many more organisations besides.
    But Venables, a Goldman Sachs veteran, insists that no Google systems were affected by the attack. It’s an important message from Google at a time when hacks have undermined trust in known software suppliers, which in turn threatens Google’s $12bn-a-year cloud business. Google is set to announce its Q4 2020 FY financial results on Tuesday, February 2. 
    “Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event,” Venables said in a blogpost. 
    “We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.”
    Venables also shared some top tips that Google uses to protect itself and customers from software supply chain threats. This particular attack exposed how connected the entire software industry is, and how vulnerable the ecosystem is because of assumptions built into the systems that are used to receive updates from known and trusted suppliers. 

    Hackers breached SolarWinds and planted malware inside software updates for Orion, which offered a beachhead from where attackers could move within networks of companies and government agencies. 
    Researchers at Crowdstrike last week revealed a third piece of malware was used in the attack on SolarWinds’ customers via official software updates. SolarWinds last week disclosed that the attackers were testing malware distribution through Orion updates from at least September 2019, indicating the planning that went into the attack. 
    Other organizations affected by this breach included the Department of Health and Human Services’ National Institutes of Health (NIH), the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), the US Department of State, the National Nuclear Security Administration (NNSA), the US Department of Energy (DOE), several US state governments, and Cisco, Intel, and VMware.
    According to Venables, Google uses secure development and continuous testing frameworks to detect and avoid common programming mistakes. 
    “Our embedded security-by-default approach also considers a wide variety of attack vectors on the development process itself, including supply chain risks,” he says. 
    He goes on to explain what trusted cloud computing means at Google Cloud, which comes down to control over hardware and software.  
    “We don’t rely on any one thing to keep us secure, but instead build layers of checks and controls that includes proprietary Google-designed hardware, Google-controlled firmware, Google-curated OS images, a Google-hardened hypervisor, as well as data center physical security and services,” says Venables.  
    “We provide assurances in these security layers through roots of trust, such as Titan Chips for Google host machines and Shielded Virtual Machines. Controlling the hardware and security stack allows us to maintain the underpinnings of our security posture in a way that many other providers cannot. We believe that this level of control results in reduced exposure to supply chain risk for us and our customers.”
    Google also verifies that software is built and signed in an approved isolated build environment from properly checked-in code that has been reviewed and tested.
    The company then enforces these controls during deployment, depending on the sensitivity of the code. 
    “Binaries are only permitted to run if they pass such control checks, and we continuously verify policy compliance for the lifetime of the job. This is a critical control used to limit the ability of a potentially malicious insider, or other threat actor using their account, to insert malicious software into our production environment,” says Venables.  
    Finally, Google ensures that at least one person beyond the author provably reviews code and configuration changes submitted by its developers.   
    “Sensitive administrative actions typically require additional human approvals. We do this to prevent unexpected changes, whether they’re mistakes or malicious insertions.”
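    The build-provenance and deploy-time enforcement described in the preceding paragraphs (a binary is admitted only if it was built by a trusted isolated builder from reviewed, checked-in code, the bar rises with job sensitivity, and compliance is re-checked while the job runs) can be sketched in code. The following is an added example written for this page; it is not Google’s Binary Authorization code or anything from the article. The builder key, the use of an HMAC in place of a real signature scheme, the three policy tiers and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical verification material for the isolated build environment. A real
# system would use public-key signatures; an HMAC stands in for that here.
TRUSTED_BUILDER_KEYS = {"isolated-builder-1": b"constructed-builder-secret"}

# Hypothetical policy tiers keyed by how sensitive the deploying job is.
POLICY = {
    "low": {"min_reviewers": 0, "require_trusted_builder": False},
    "standard": {"min_reviewers": 1, "require_trusted_builder": True},
    "sensitive": {"min_reviewers": 2, "require_trusted_builder": True},
}


def _canonical(payload):
    # Deterministic encoding so the MAC covers exactly the fields checked later.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(builder_id, binary, source_commit, author, reviewers):
    """Emitted by the build environment: binds the binary digest to the
    checked-in commit it was built from and the people who reviewed it."""
    payload = {
        "builder_id": builder_id,
        "binary_sha256": hashlib.sha256(binary).hexdigest(),
        "source_commit": source_commit,
        "author": author,
        "reviewers": sorted(reviewers),
    }
    mac = hmac.new(TRUSTED_BUILDER_KEYS[builder_id], _canonical(payload),
                   hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def check_deploy(binary, attestation, sensitivity):
    """Deploy-time gate. Returns (allowed, reason)."""
    rules = POLICY[sensitivity]
    payload = attestation["payload"]

    # 1. The attestation must come from a trusted, isolated builder. Verify the
    #    MAC before trusting any other field of the payload.
    key = TRUSTED_BUILDER_KEYS.get(payload.get("builder_id"))
    if key is None:
        if rules["require_trusted_builder"]:
            return False, "builder is not trusted"
    else:
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, attestation["mac"]):
            return False, "attestation signature invalid"

    # 2. The artefact being deployed must be the one the builder attested to.
    if hashlib.sha256(binary).hexdigest() != payload["binary_sha256"]:
        return False, "binary digest does not match attestation"

    # 3. Enough people other than the author must have reviewed the change;
    #    an author approving their own change does not count.
    independent = [r for r in payload["reviewers"] if r != payload["author"]]
    if len(independent) < rules["min_reviewers"]:
        return False, "needs %d reviewer(s) other than the author" % rules["min_reviewers"]

    return True, "ok"


def revalidate_running(jobs):
    """Continuous verification: re-run the gate over already-running jobs and
    return the names of those that no longer comply (for example after a
    builder key has been revoked or a policy tier has been tightened)."""
    return [j["name"] for j in jobs
            if not check_deploy(j["binary"], j["attestation"], j["sensitivity"])[0]]


if __name__ == "__main__":
    binary = b"\x7fELF constructed sample binary"  # constructed, not a real ELF
    att = sign_attestation("isolated-builder-1", binary, "c0ffee", "alice", ["bob", "carol"])
    print(check_deploy(binary, att, "sensitive"))          # (True, 'ok')
    print(check_deploy(binary + b"x", att, "sensitive"))   # digest mismatch, rejected
    TRUSTED_BUILDER_KEYS.clear()                           # simulate builder key revocation
    print(revalidate_running([{"name": "web-frontend", "binary": binary,
                               "attestation": att, "sensitivity": "standard"}]))
```

    The order of the checks matters: the signature is verified before any field of the attestation is read, so a forged reviewer list or builder identifier is rejected without ever being trusted. The "low" tier shows what relaxing the policy buys an attacker: an attestation from an unknown builder is accepted as long as the digest matches, which is exactly the kind of gap a supply-chain compromise of the build pipeline would exploit.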


    Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency

    The Scottish Environment Protection Agency (SEPA) has confirmed that it was hit by a ransomware attack last month and is continuing to feel the impact.
    SEPA’s contact centre, internal systems, processes and internal communication have all been affected by the attack, which hit on Christmas Eve. The organisation, which is Scotland’s government regulator for protecting the environment, has also confirmed that 1.2GB of data has been stolen as part of the attack – including personal information relating to SEPA staff.


    Despite the ransomware attack, SEPA’s ability to provide flood forecasting and warning services, as well as regulation and monitoring services, has continued.
    But while the infected systems have been isolated, SEPA’s latest update on the ransomware attack says that recovery will take a “significant period” and that a number of systems will “remain badly affected for some time” with entirely new systems required. SEPA has blamed the ransomware attack on “serious and organised” cyber criminals.
    “Whilst having moved quickly to isolate our systems, cybersecurity specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre, have now confirmed the significance of the ongoing incident,” said Terry A’Hearn, Chief Executive of SEPA.
    “Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

    While the organisation itself hasn’t confirmed what form of ransomware it has fallen victim to, the cyber-criminal group behind Conti ransomware has published what it claims to be data stolen from the Scottish government agency.
    Stealing data has become increasingly common for ransomware gangs. They use the stolen data to double-down on attempts at extortion by threatening to leak the information if the victim doesn’t give into the ransom demand of hundreds of thousands, or even millions, of dollars in bitcoin in exchange for the decryption key.
    SEE: Cybersecurity: This ‘costly and destructive’ malware is the biggest threat to your network
    SEPA hasn’t yet detailed how cyber criminals were able to break into the network to deploy ransomware and the investigation into the incident is still ongoing.
    “We are aware of this incident affecting the Scottish Environment Protection Agency and are working with law enforcement partners to understand its impact,” an NCSC spokesperson told ZDNet.
    Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and cyber criminals show no signs of slowing down ransomware campaigns because, for now at least, ransomware gangs are still successfully extorting large payments out of victims.


    UK police warn of sextortion attempts in intimate online dating chats

    As politicians play whack-a-mole with COVID-19 infection rates and try to balance the economic damage caused by lockdowns, stay-at-home orders have also impacted those out there in the dating scene. 

    No longer able to meet up for a drink, a coffee, or now even a walk in the park, organizing an encounter with anyone other than your household or support bubble is banned and can result in a fine in the United Kingdom — and this includes both dates and overnight stays. 
    Therefore, the only feasible option available is online connections, by way of social networks or dating apps. 
    Dating is hard enough at the best of times but sexual desire doesn’t disappear just because you are cooped up at home. Realizing this, a number of healthcare organizations worldwide have urged us not to contribute to the spread of COVID-19 by meeting up with others for discreet sex outside of our social bubbles, bringing new meaning to the phrase, “You are your safest sex partner.”
    This doesn’t mean, however, that we’ve abandoned the search in the time of a pandemic; instead, dating apps — such as Tinder, eHarmony, and the new Quarantine Together — are signing up users in record numbers. 
    Apps and chats over Zoom, however, can only go so far and after you’ve made your way through remote small talk, what’s next?
    If you’re not careful, it’s blackmail. 

    In a recent case documented by the UK’s Thames Valley police, a sextortion scam started innocently enough: a young man was contacted over Facebook by a woman who wanted to video chat. 
    They talked twice online and the woman asked him to show off his body. While no “intimate” acts took place in the first online session, the police say, the second chat was another story — and the intimate footage he provided was then covertly recorded by the scam artist. 
    She then told her victim that their online session had been recorded and demanded £200 ($270) on pain of it being sent to all of his family and friends, now available to her through the Facebook connection. 
    The man refused, but over the next two hours, he received over 100 demands for payment. Eventually, he appeared to cave in — but instead blocked her and deactivated all of his accounts before contacting law enforcement. 
    Thames Valley asks for us to “not do anything silly” online, but this case — as it goes, a small fish in a large phishing pond and one in which the young man escaped from the net — still highlights how careful we need to be now about sharing intimate footage or allowing the opportunity for it to be taken online without our permission. 
    Sextortion is not a new concept, and unfortunately, the internet has provided a lucrative arena for people trying to extort money, sexual acts, services, or images from others. Some of the most common forms of sextortion are:
    Phishing emails: Messages claim to have seen your web history or pornographic website visits, and may also say that ‘hackers’ accessed your webcam and recorded you. 
    Phishing emails containing known passwords: The same, but with the addition of passwords used by you to access online accounts that may have been leaked in a data breach to try and appear more legitimate.
    Revenge porn: Threats to release intimate photos or videos online, sometimes by ex-partners or other people you know. 
    Internet of Things: Nest and Ring devices have been compromised to recycle old tactics and convince victims that hackers have illicit recordings of them. 
    Emotional triggers are the key: humiliation, fear, worry of friends, family, or co-workers finding out or viewing footage, and the concern of the future impact such material could have on your life. 
    A report conducted by Thorn and the Crimes Against Children Research Center (CCRC) estimates that in 45% of cases where a perpetrator has access to sensitive material, they will carry out their threat. 
    After all, it’s not them who face humiliation.
    With this in mind, it’s time to reconsider just what risks we are comfortable taking online, lockdown or not. Sextortion can be devastating but there’s no guarantee that a scammer will delete footage they have obtained after you’ve paid up — and may simply demand more and more from you.
    “Anybody who is threatened with this type of blackmail by an online contact is advised to contact the police and should refuse to send the scammer any money,” commented Ray Walsh, Digital Privacy Expert at ProPrivacy. “Once a scammer knows that a victim is willing to pay they will only double down and ask for more. For this reason, it is vital that you contact the police and refuse to pay.”


    Singapore tightens cyber defence guidelines for financial services sector

    Singapore has revised its guidelines on technology risk management for financial institutions to include, amongst other things, “strong oversight” of their partnerships with third-party service providers to ensure data confidentiality. The revisions also cover guidance on security controls and stress tests, as well as the appointment of third-party vendors and senior IT executives.
    Detailed under the Technology Risk Management Guidelines, the revisions were made to keep pace with emerging technologies and shifts in the current threat landscape, said the Monetary Authority of Singapore (MAS) in a statement Monday. 


    Noting that financial institutions increasingly were tapping cloud technologies and APIs (application programming interfaces), the industry regulator underscored the need to incorporate security controls and stronger risk mitigation strategies as part of these organisations’ technology development and deployment lifecycle. 
    “The recent spate of cyber attacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment,” it added. 
    The use of third-party service providers, for instance, typically relies on the provider’s own IT systems and might involve confidential customer data stored by that provider. Any system failure or security breach on the part of these providers could adversely impact the financial institution’s customers and operations. 
    The guidelines highlighted the need to assess and manage the company’s exposure to technology risks that might affect the confidentiality and availability of IT systems and data at the third-party service provider, before a contractual agreement or partnership was established. Financial institutions also should ensure, on an ongoing basis, that the third party adopted “a high standard of care and diligence” in safeguarding data confidentiality and integrity as well as system resilience.
    In addition, financial institutions must establish processes to enable the “timely analysis and sharing” of cyber threat intelligence within the sector and conduct drills to stress test their cyber defences, via the simulation of real-world attack tactics and procedures. 

    Stronger oversight should further extend to human skillsets, including contractors and service providers, where financial institutions should ensure all personnel had the requisite competence to perform the necessary IT functions and manage technology risks. 
    This should include the appointment of CIO or CISO and the financial institution’s board must comprise members with the necessary knowledge to offer “effective oversight of technology and cyber risks”, said MAS. 
    MAS’ chief cyber security officer Tan Yeow Seng said: “Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.” 


    GDPR: German laptop retailer fined €10.4m for video-monitoring employees

    The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping €10.4 million ($12.5 million) for keeping its employees under constant video surveillance at all times for the past two years without a legal basis.

    The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well.
    The recipient is notebooksbilliger.de AG (doing business as NBB), an e-commerce portal and retail chain that sells laptops and other IT supplies.
    The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed a video monitoring system two years ago inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements.
    Officials said the video surveillance system was active at all times, and that recordings were retained for up to 60 days in the company’s database.
    But while the retailer considered it a routine video monitoring setup, of the kind found in many other businesses across Germany and the world, the German data regulator found it to be a gross encroachment on the rights of German workers.
    Constant video surveillance encroaches privacy rights
    “We are dealing with a serious case of video surveillance in the company,” said Barbara Thiel, head for LfD Lower Saxony, in a press release earlier this month.

    “Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.”
    The German data regulator argued that employees do not have to give up their right to privacy because their employer puts them under suspicion of potentially committing a crime in the future.
    “If that were the case, companies could extend surveillance without limit,” Thiel said.
    The German official said that video surveillance was not to be used as a “deterrent” to prevent crime, but only when an employer had a justifiable suspicion against specific employees. In those cases, employees could be monitored for a limited period until the suspicion was confirmed or dispelled, not for years on end.
    “Video surveillance is a particularly intensive encroachment on personal rights, because, theoretically, the entire behavior of a person can be observed and analyzed,” Thiel said.
    The LfD head said that because of the constant video monitoring, employees are under continuous stress and pressure to behave as inconspicuously as possible in order to avoid being criticized for their behavior.
    Furthermore, the German data regulator said that NBB also recorded customers while testing devices in its salesrooms without their knowledge or consent, which represented another major privacy breach.
    LfD officials said they fined the retailer for its constant video surveillance because it had no legal basis, citing the reasons above as well as the fact that the company had not adopted less intrusive methods of stopping thefts, such as random bag checks on customers and employees leaving the premises.
    NBB describes fine “as wrong as it is irresponsible”
    But in a PDF statement published on its website, NBB CEO Oliver Hellmold said the fine, and the accusation that the company monitored its employees, were unfounded.
    “At no point was the video system designed to monitor employee behavior or performance. It wasn’t even technically equipped for it,” Hellmold said.
    The NBB CEO accused the LfD Lower Saxony office of misconduct. He argued that officials never visited the company’s premises during the three-year investigation, and that NBB had previously adjusted its video surveillance system at the office’s request in order to become compliant.
    Hellmold also called the fine disproportionate to the company’s size and said NBB plans to appeal.
    “It is absurd that an authority imposes a fine of more than 10 million euros without sufficiently investigating the matter. Apparently, an example is to be made here at the expense of our company,” he said.
    This is not the first large GDPR fine imposed in Germany over employee monitoring. The Hamburg data protection authority, a separate regulator from LfD Lower Saxony, fined fashion retail chain H&M €35.3 million ($42.6 million) last October for excessive surveillance of its employees.