Originally Posted by Smaguris
Since there is no response from staff and there's nothing being done about it, I've reported this website to the ICO. Hopefully something can be done about it then.
Please don't post dumb things in this thread, there are better ways to gain attention to this other than being provocative.
Originally Posted by Kore
"The European Union's General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. These regulations will impact businesses that utilize personal data of EU citizens, even if the company does not have a physical presence in Europe. This means that the GDPR will be applicable for US websites as well."
[https://www.cmdsonline.com/blog/the-looking-glass/gdpr-us-websites/]
"If your country is not a member of the EU—currently 28 member states located primarily in Europe (27 after Brexit goes into effect Spring 2019)—you are considered a ‘third country’ under GDPR. Restrictions are imposed under GDPR that will impact how data is transferred to international organizations in third countries."
[https://www.mightybytes.com/blog/wha...ased-websites/]
"For example, if your US-based organization collects email addresses from EU citizens—such as a newsletter signup form, live website chat, or via telephone calls, for example—you’ll need to comply with GDPR guidelines. While you may not be actively targeting EU customers, if they can sign-up or input data to your website or through social media accounts, even if the data ends up in a third-party email marketing or CRM system (and not on your website), you’re responsible for GDPR-compliance." [https://www.mightybytes.com/blog/wha...ased-websites/]
"The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location." [https://eugdpr.org/the-regulation/gdpr-faqs/]
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
[https://gdpr-info.eu/art-3-gdpr/]
The GDPR guidelines must be complied with if data from people in Europe is going to be stored by the company.
Thanks for the post, I was planning on writing up something once I got off the bus, but you did it for me. <3
At this point I think it's pretty pointless trying to get toribash to be fully compliant, but at the very least improving on-site security would go a long way in that direction.
I'll add to this post further once I'm off the bus and at a desk.
Edit:
Please read up on the Singapore Personal Data Protection Act of 2012
[https://sso.agc.gov.sg/Act/PDPA2012]
In particular Part VI, Section 24.
An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Even if GDPR compliance wasn't needed, which it is contrary to what Icky believes, there would still be Acts from Singapore that it would be required to comply with.
Another issue that I'd like to raise would be how the toribash client stores login details in plaintext; I don't think I need to explain why this is a bad idea. This, in combination with pretty much everything about toribash being insecure, is just leading to a really bad day for someone.
This is probably the last I'll have to say in this thread, although I hope it provides something for the staff to mull over. I'd like to suggest that with the coming of TBN, it would be a good opportunity to turn a new page in this community's book. Treat it as an excuse to move away from the EOL software we rely on today, and with that hopefully gain better security practices.
The security of 5.5 million user account details should not be 2nd priority, given the amount of people that reuse passwords.
Last edited by Tuna; Feb 23, 2019 at 11:28 AM.