Rising data breaches involving mobile apps and what should you do?

Data breaches are now regular occurrences, with cases reported practically every day, which is consistent with DPEX Network's five predictions for 2021, and privacy breaches involving intrusive mobile apps are now at the forefront of global concerns.

Recent media coverage has focused on the latest data breaches involving mobile apps, including news on a massive fine for WhatsApp and an alleged COVID-19 data breach in Indonesia.

WhatsApp fine

WhatsApp had a 225 million euro fine levied by the Irish data protection regulator after pressure from the EU privacy watchdog. As part of privacy violations, WhatsApp has been fined for failing to be transparent about how it processed personal information (both user and non-user data) and how this data was shared between other companies under Facebook.

Earlier in the year, WhatsApp updated its terms of use and privacy policy to notify its users that they are required to read and agree to the new terms by the initial stipulated date of 8 February 2021. In the event of failure to do so, WhatsApp will delete the user's account (you can accept these terms again to reinstate your account). The move received public backlash and the changes had to be delayed till May 2021.

Read the first of our three-part series regarding WhatsApp’s updated privacy policy controversy here to get an understanding of the situation.

Alleged COVID-19 contact tracing app breach in Indonesia

A number of media outlets reported on 31 August of a possible data breach of the Indonesia Health Alert Card (eHAC), an app developed to track the spread of the pandemic. The system contained around 1.3 million users’ data. vpnMentor, an encryption provider, wrote in a report that the data included contact information, ID card information, and COVID-19 test results.

The Health Ministry data and information center stated that the eHAC system was separate from the mainstream COVID-19 tracing app, PeduliLindungi. The authorities suspect the breach occurred on the third-party platform, but investigations will have to take place before confirmation.

What can individuals do?

Firstly, consumers need to know their rights under the data protection/privacy laws. It is also essential for consumers to understand the reason behind why the organisation is asking for their personal data and how they process, store, as well as protect that data that they collect from individuals. By reading the privacy policies of organisations who provide services and products to them, the consumer can gain greater understanding of how these organisations manage and store their personal data.

What should organisations do?

When developing and operating mobile applications, there are various risks involved. In the course of a mobile app's day-to-day operations, data passes through the company in four stages: collection, usage/processing, disclosure/transfer and storage/retention. It is important for organisations to assess the privacy risks involved at each stage and to implement the relevant controls to mitigate these issues.

Learn about a comprehensive framework and the methodology to embed privacy principles and requirements in a mobile app development lifecycle here.

The following are essential for organisations to have/do:

• Data Protection Officer or Data Protection Committee to be involved in the development process along with the relevant departments e.g. IT and product teams
• Conduct Data Protection Impact Assessments (PIAs) for existing processes and when the organisation is developing a new product
• Embed Data Protection-by-Design principles in their Data Protection/Privacy Management Programme (DPMP) and the design of new products and mobile apps

Find out how organisations can build trust by embedding privacy by design principles when developing mobile applications here.

Get hands-on and learn how to maximise the utility of mobile apps and build trust to various stakeholders by demonstrating transparency and accountability in our course here.

Article by: Steffi Tay (GRCP)

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.