The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 for failing to protect customers’ personal data.
The UK watchdog said the airline’s computer systems had exposed details of 111,578 UK residents and a further 9.4 million people from other countries.
These included names, passport details, dates of birth, phone numbers, addresses and travel history.
“Appropriate security” was not in place between October 2014 and May 2018.
The ICO said Cathay Pacific became aware of a problem in March 2018, when it suffered a “brute force” password-guessing attack.
The Hong Kong-based firm reported this to the ICO. The regulator said it subsequently uncovered “a catalogue of errors” during a follow-up investigation, including:
- back-up files that were not password protected
- internet-facing servers without the latest patches
- operating systems that were no longer supported by the developer
- inadequate anti-virus protection
At least one attack involved a server with a known vulnerability – but the fix was never applied, despite having been public knowledge for more than 10 years.
Steve Eckersley, the ICO’s director of investigations, said there were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers”.
The airline failed four out of five of the basic cyber-essentials guidance from the National Cyber Security Centre, he added.
Analysis: A wake-up call for others
By Joe Tidy, Cyber-security reporter
I’m told investigators were extremely concerned by the failures they found. It paints a picture of a company that did not take security of personal data seriously, and today’s fine will be a wake-up call to them and other firms. It is, however, only a pittance compared to what it could have been if the hack had occurred more recently.
New GDPR rules have increased the potential maximum fine, and it’s clear the failures here would have warranted a far more severe punishment.
Instead of a £500k penalty, Cathay Pacific could have been hit with a share-holder sickening £470m fine – 4% of its annual global turnover.
The £500,000 fine Cathay Pacific is facing is the maximum possible under the Data Protection Act 1998, which was used instead of the newer GDPR “due to the timing of the incidents in this investigation”.
In July 2019, the ICO announced it would fine British Airways £183m for a breach of its systems, and the Marriott hotel group £99.2m. But both fines were delayed until later this year.
The ICO said that Cathay Pacific had acted promptly once it became aware, and sought expert help from a top cyber-security firm, and had also contacted affected customers.
The report also noted there were no confirmed cases of the personal data being misused – but that it was very likely it would be in future.
In a statement about the fine, Cathay Pacific said it “would once again like to express its regret, and to sincerely apologise for this incident”.
It said “substantial amounts” of money had been spent on security in the past three years.
“However, we are aware that in today’s world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems.”
The flaw in the Elector app revealed the names, addresses and identity card numbers for each one of Israel’s 6,453,255 voters in such a simple way that it didn’t require any advanced knowledge of hacking to access the critical information.
“It wasn’t very technical,” said software developer Ran Bar-Zik, who exposed the flaw in the Haaretz newspaper on Sunday after it was fixed.”It’s amazing. It’s a very simple, very stupid hack. To call it a hack is an insult to professional hackers.” Before the flaw was fixed, Bar-Zik said users could go to the Elector app’s website and view the source code, which revealed the logins of system administrators, allowing anyone to access and download the voter registry.
Bar-Zik was tipped off to the flaw by an anonymous source to his podcast. “The anonymous source sent me my son’s details, who is a soldier in the army. And I was amazed. And when I see the magnitude of the details — more than six million people — I was shocked it was so easy,” Bar-Zik told CNN.
It’s unclear how many people downloaded the sensitive data, but the information was available for at least 24 hours and possibly much longer. Bar-Zik notified the developer of the flaw on Friday evening. It was fixed by Saturday evening, Bar-Zik confirmed, but it may have been available long before Bar-Zik knew about it.
“It could be a lot of days, a lot of months even,” he said.
CNN reached out to the app’s developer, Zuriel Yamin, for comment. The development firm, Feed-b, tried to downplay the security flaw, telling Haaretz the flaw was a “one-off incident that was immediately dealt with” and that security measures had been improved.
The app’s history shows that Elector has been available for at least nine months. The app was last updated four days ago with improvements to the speed of the homepage and additional security features. Beyond Israel, the app has also been downloaded in countries like Moldova, China, Russia, and the United States. The numbers of downloads are far smaller abroad, but if the data is downloaded even once, it can be shared easily, potentially exposing the private data of millions of Israeli citizens. Even after the security flaw was fixed, those who had already downloaded the data could still share it.
In a county that prides itself on its reputation as the “Start-Up Nation,” and a cyber security powerhouse, the security flaw is a significant embarrassment.
The Privacy Protection Authority in the Ministry of Justice has opened up an “oversight procedure” because of the security breach and is working to prevent the leak from continuing. Voter registry data is provided to all of the political parties before an election. The responsibility to comply with privacy and election laws is “first and foremost on the parties,” the ministry said in a statement.
Last week, Netanyahu urged his party’s Likud supporters to download the Elector app as a powerful tool to boost voter turnout on election day, repeating “Elector!” as the app was shown on a big screen behind him.
A statement from the Likud party pinned the blame on the developer. “Elector is an external private provider that gives services to a number of parties, and the professional and legal responsibility is on [the developers]. From the moment it became clear that the company was not meeting the encrypted standard of security, the Likud turned to a leading information security company to do a thorough check of the system.”
Neither the Likud nor the developer are likely to face any serious penalties for the security flaw, cautioned Tehilla Shwartz Altshuler, who heads the Media Reform Program at the Israel Democracy Institute.
“The privacy authority doesn’t really have enough enforcement tools,” said Altshuler. “They can’t really give fines and so on and so forth.”
One well-timed cyberattack on a major bank could spread rapidly throughout the American financial system, a new report concludes.
According to new research from the Federal Reserve Bank of New York, experts and policymakers see cybersecurity as a major area of concern and something that could prompt widespread problems for the country.
“We model how a cyber-attack may be amplified through the U.S. financial system, focusing on the wholesale payments network,” wrote economists Thomas Eisenbach, Anna Kovner and Michael Junho Lee in the paper.
“We estimate that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average,” they added.
Financial service firms already experience up to 300 times as many cyberattacks per year as firms in other sectors, the papers notes, citing research from Boston Consulting Group.
“One distinguishing feature of cyber attacks is that they may be designed for maximum disruption. Past studies highlight that total payment activity is often heightened at predictable, regular days over the course of the year,” the authors explained.
The paper also states that the Federal Reserve could respond to such cyberattacks in various ways, such as by injecting liquidity into the market.
Although researchers only examined the impact of a cyber attack could have within a single day, they note that a prolonged incident could have more dire consequences.
“If a cyber attack were to compromise the integrity of banks’ systems, the reconciliation and re-cuperation process would be an unprecedented task,” they write in the report’s conclusion. “This could have severe implications on the stability of the broader financial system vis-à-vis spillovers to investors, creditors, and other financial market participants.”
Source: Fox News
The FBI said FaceApp and other mobile applications developed in Russia pose a “potential counterintelligence threat”.
The comments were made in a letter to US Senator Chuck Schumer after he called for an investigation into the app.
The face-editing tool went viral earlier this year but prompted privacy concerns.
The FBI comments come amid rising US concern that products made by foreign tech firms could pose security risks.
In a letter addressed to Mr Schumer, the agency said “it considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat”.
The FBI also said it would act if it found any evidence of foreign political meddling through the application, which alters users’ photos to make them look older or younger.
FaceApp did not immediately respond to requests for comment.
The app was developed by Wireless Lab, a company based in St Petersburg. The company previously said it does not permanently store images, and does not collect troves of data – only uploading specific photos selected by users for editing.
Senate minority leader Mr Schumer called for an investigation into FaceApp in July over concerns it could pose “national security and privacy risks for millions of US citizens”.
It comes amid wider scrutiny of foreign technology products in the US.
Recently, lawmakers have taken aim at TikTok, a video-sharing platform owned by China’s ByteDance.
The platform, thought to have about half a billion active users worldwide, has exploded in popularity in recent years.
That surge in popularity has caused concern in Western markets due to the nature of its Chinese ownership.
US lawmakers, including Mr Schumer, in October requested that “the intelligence community conduct an assessment of the national security risks posed by TikTok and other China-owned content platforms in the US”.
The deal comes amid growing calls in Washington for greater transparency and accountability for technology companies, whose power over social movements as well as personal information has increasingly come to be seen as dangerous by politicians, users, and even one of Facebook’s co-founders.
Facebook agreed to the deal following years of damaging admissions about the company’s privacy practices, such as the inadvertent exposure of up to 87 million users’ information to the political analysis firm Cambridge Analytica.
The settlement resolves a formal complaint by the FTC alleging that Facebook “used deceptive disclosures and settings” that eroded user privacy, violating a prior agreement Facebook signed with the commission in 2012. Facebook also broke the law, the FTC alleged, by misusing phone numbers obtained for account security purposes to also target advertisements to its users. And the company allegedly deceived “tens of millions of users” by implying that a facial recognition feature on the service had not been enabled by default, when in fact it had.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” said Chairman Joseph Simons in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
In a Facebook post
published shortly after the FTC’s announcement Wednesday, company CEO Mark Zuckerberg said, “We’ve agreed to pay a historic fine, but even more important, we’re going to make some major structural changes to how we build products and run this company. We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.”
Separately Wednesday, the Securities and Exchange Commission announced that Facebook had agreed to pay $100 million to settle “charges… for making misleading disclosures regarding the risk of misuse of Facebook user data.”
Facebook’s stock was down slightly when the market opened Wednesday morning.
The FTC settlement — which also covers Facebook subsidiaries Instagram and WhatsApp — could set the tone for a wave of further action by policymakers worldwide as they seek to rein in the most powerful players in Silicon Valley.
The $5 billion fine is nearly 30 times the FTC’s largest-ever civil penalty to date — $168 million, which was levied on Dish Network (DISH) in 2017 — reflecting the tremendous scale of Facebook’s operations, as well as the enormity of its self-admitted mistakes.
In addition to the record civil penalty, Facebook also agreed to accept greater oversight of its privacy practices. Under the FTC deal, Facebook’s board will form a privacy oversight committee made up of independent members who cannot be fired by Zuckerberg alone. That committee will be charged with appointing still other officials who must periodically and truthfully certify that Facebook is complying with the FTC agreement, or risk being held personally liable. Zuckerberg will also be required to make those same certifications, the FTC said.
“False certifications would subject Mr. Zuckerberg and the [designated compliance officers] to personal liability, including civil and criminal penalties,” Simons said in a statement written jointly with the Commission’s two other Republican members, Christine Wilson and Noah Phillips.
The FTC also required that regular third-party assessments of Facebook’s privacy practices not rely on company materials but instead on the auditor’s own fact-finding.
The FTC voted 3-2 to approve the settlement, with the agency’s two Democrats dissenting because they believed the measure did not go far enough. In dissents, Commissioners Rohit Chopra and Rebecca Slaughter said they believed the fines were far too small, and that the FTC wrongfully gave Zuckerberg and Facebook COO Sheryl Sandberg a pass.
“Failing to hold them accountable only encourages other officers to be similarly neglectful in discharging their legal obligations,” wrote Chopra. “In my view, it is appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same.”
Other prominent tech critics, including Democratic Sen. Richard Blumenthal of Connecticut and Missouri Republican Sen. Josh Hawley, have said a $5 billion fine would be “a bargain” for Facebook. In an earnings report earlier this year, Facebook said it was setting aside $3 billion to help cover expenses related to the expected penalty. It reported quarterly revenues of $15 billion at the time and its stock rose after it announced the charge, signaling investors were relieved by the probable outcome.
Facebook initially offered to pay $0 to resolve the Federal Trade Commission’s investigation into the tech giant’s privacy practices, according to details of the closed-door negotiations obtained by CNN.
The company later increased that number to $100 million, but its highest offer in the talks topped out at $1 billion, James Kohm, director of the FTC’s enforcement division and a lead agency negotiator, told CNN in an interview Wednesday.
That is far less than the $5 billion Facebook eventually agreed to pay. But it also pales in comparison to the tens of billions that the FTC initially sought from Facebook for violating a 2012 privacy-related consent order.
Kohm described that stage of the talks as early and said that Facebook’s proposals at the time were not serious. When the two sides reached a ballpark amount, the talks became more serious and shifted to other proposed measures such as changes the FTC wanted from Facebook’s governance and accountability structures.
“At several points we walked out or threatened to walk out,” said Kohm. “It was contentious, but it was professional and adult.”
Neither Zuckerberg nor COO Sheryl Sandberg were deposed as a part of the investigation, Kohm said. But, he added, the Justice Department interviewed roughly two dozen company officials, including some senior officials, and provided notes to the FTC.
The final settlement stretched on for 20 pages, said Kohm, and “every single word was negotiated.”
Formore than a year, Facebook — once the darling of policymakers and a celebrated example of American ingenuity — has lurched from crisis to crisis.
This past October, for example, Facebook disclosed that hackers had compromised tens of millions of accounts by exploiting a series of software flaws, culminating in their ability to impersonate users and take over their profiles.
The following month, Facebook acknowledged that its platform had been abused in Myanmar to “foment division and incite violence,” citing a human rights review of Facebook that the company had commissioned. Facebook at the time said it agreed with the independent report and that “we can and should do more.”
Critics have repeatedly pointed to Facebook’s role in spreading misinformation, hate speech and conspiracy theories on its platforms. The company came under fire in March when reports showed that Facebook’s search tool was recommending anti-vaccination groups and pages to users of the platform. Facebook published a blog post saying it was developing new policies to handle the issue, but the misinformation persisted even after the new initiative began.
That same month, Facebook faced renewed criticism over its content moderation efforts when a Facebook Live video that appeared to show a gunman massacring worshipers in Christchurch, New Zealand, threatened to spiral out of control. Though Facebook shut down the attacker’s account and scrubbed more than a million instances of the video from its services, the company struggled to contain the viral content.
With Wednesday’s announcement, the FTC sought to demonstrate its resolve as the nation’s top privacy cop, attempting to show it is a robust and credible enforcer at a time when tech dominates nearly all aspects of modern life, from advertising to communications and entertainment.
Over more than a year, the FTC investigation gained increasing significance as a test of Washington’s commitment and ability to regulate Silicon Valley. It marked a sharp divergence from the Obama era, when Silicon Valley engineers and entrepreneurs were frequent White House visitors and, in many cases, filled key administration posts. Now, at a time when technology companies are under heightened scrutiny from Congress and on the receiving end of President Trump’s social media jabs, analysts say the FTC was under pressure to seek a tough deal from Facebook.
But the settlement, which must still be approved by a judge, proved much weaker than some commissioners had hoped. Chopra and Slaughter both said the far-reaching consequences of Facebook’s missteps called for more aggressive action.
The federal government should have taken Facebook to court to deter it from violating the law in the future, Slaughter wrote in her dissent.
“Litigation would have provided public transparency and accountability for the company, its leaders, and the Commission,” she wrote. “It would send a message to the market and the public that the Commission is willing to go to the mat to ensure compliance with its orders.”
The settlement does not require Facebook to spin off Instagram and WhatsApp; antitrust experts have said that a breakup proceeding would likely require a separate lawsuit alleging that Facebook violated the nation’s competition laws, as opposed to a prior settlement order.
FTC officials had initially wanted a fine in the “tens of billions” but feared it would not pass muster with a judge, The Washington Post reported Tuesday.
Simons acknowledged some of the agency’s constraints on Monday as he announced a multi-million-dollar settlement with the credit reporting agency Equifax (EFX) over its 2017 data breach. In a press briefing, Simons said the FTC did not slap Equifax with a fine because the commission lacks the power to seek those penalties on a first offense.
FTC proponents have also said the agency needs more resources to better serve as an effective regulator. In 2018, the FTC reported a total budget of roughly $350 million — about two percent of Facebook’s reported revenue in the first quarter of 2019.
The FTC announcements this week may add pressure on Congress to give the agency more power or to develop a national privacy law, some analysts said.
“There’s a need and a demand for legislation irrespective of this [Facebook] settlement,” said Hal Singer, an economist at George Washington University’s Institute of Public Policy.
Such a bill could have far-reaching effects, potentially touching every corner of the economy as technology increasingly finds its way into new areas. But progress on the legislation has been slow, and many policy experts privately say they increasingly doubt a bill can be passed this year.
Facebook faced sharp questioning from Congress last week as a key panel on the House Judiciary Committee continued a “top-to-bottom” antitrust review of the tech industry. Lawmakers on other committees scrutinized Facebook’s plans to launch a digital currency, Libra, with many arguing Facebook must reform itself before trying to disrupt the global financial system.
The “techlash,” as some observers have come to call it, is a remarkable break from recent history — particularly for many Democrats who otherwise share close ties culturally and financially with Silicon Valley. For the tech industry, it represents a dramatic shift in attitudes about its role in civil society.
“These questions of trust and privacy are not limited to Google and Facebook,” said Todd McKinnon, CEO of the cloud services company Okta. “If you’re a laundromat and you have a mobile app that gets your customers in there, you’re a tech company — so the techlash is going to affect your laundromat. It sounds funny, but it’s true.”
Meanwhile on the campaign trail, presidential candidates such as Sens. Elizabeth Warren (D-Mass.) and Bernie Sanders (I-Vt.) have criticized tech giants for being overly powerful and part of a larger wave of corporate concentration that must be beaten back. In March, Warren unveiled a campaign proposal that would all but dismantle giants such as Amazon, Facebook and Google. Sen. Amy Klobuchar, another 2020 Democratic contender, has said the tech industry has contributed to a “major monopoly problem” in the United States.
Facebook has claimed that a breakup would make it harder, not easier, to address problems such as disinformation and hate speech, and that over-regulation risks giving foreign tech companies an edge.
Republicans such as Sen. Marsha Blackburn (R-Tenn.) have also called for greater limits on tech companies. In a recent speech before the U.S. Chamber of Commerce, Blackburn said it is too early to consider breaking up large tech platforms, but that companies such as Facebook have shown they can no longer regulate themselves.
Wednesday’s settlement, however, isn’t likely to deter states that are taking their own close look at Silicon Valley.
Multiple state attorneys general have suggested they could pile on with their own investigations or lawsuits against the tech industry. In December, Karl Racine, attorney general for the District of Columbia, became the first when his office sued Facebook over the Cambridge Analytica debacle.
And the FTC itself could open additional investigations, said Harold Feld, a senior vice president at the consumer group Public Knowledge. A recently established task force charged with reviewing past tech mergers could, for example, seek to determine whether Facebook’s acquisition of WhatsApp or Instagram proved harmful to competition.
“It’s very clear that the settlement is not the end of the game,” said Feld.
The hotel chain said in a regulatory filing Tuesday that Britain’s Information Commissioner’s Office intends to impose a £99 million ($124 million) fine under the General Data Protection Regulation (GDPR).
The regulator said that the penalty stems from a Marriott data breach that exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.
It’s the second major fine proposed by the regulator this week. On Monday, the ICO said that British Airways (ICAGY) faces a £183.4 million ($230 million) fine after a breach compromised data on 500,000 customers.
Marriott (MAR) said that it would appeal any fine imposed by the regulator.
“We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect,” Marriott International CEO Arne Sorenson said in a statement.
GDPR forces companies to make sure the way they collect, process and store data is safe.
Any organization that holds or uses data on people inside the European Union is subject to the rules, regardless of where it is based. Companies that breach the law can be fined up to 4% of their annual revenue.
Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic of Ireland since the European Union’s new data protection regulation came into force a year ago.
Most of the major US tech companies, including Facebook, Google, Microsoft, Twitter, Apple, LinkedIn, Airbnb and Dropbox, are registered for processing personal data in Ireland.
Ireland’s Data Protection Commission says it has launched 19 statutory investigations, 11 of which focus on Facebook, WhatsApp and Instagram.
Twitter and LinkedIn are also under investigation, and last week the commission launched a probe in to Google over the way it uses personal data to provide targeted advertising.
This follows on from Google’s €50m ($56m; £44m) fine imposed by French data regulator CNIL for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
Google is appealing against the decision.
So the responsibility for policing their compliance with the EU’s General Data Protection Regulation (GDPR) – which started in May 2018 – falls on the country’s Data Protection Commission (DPC).
Nine of the DPC’s investigations were launched after complaints from individuals or businesses, while 10 have been instigated by the DPC itself.
The most common concerns are about the legal basis for processing personal data, lack of transparency about how a company collects personal data, and people’s right to access their data.
“There has been a huge increase in awareness among individuals about their data rights since GDPR came in,” says Graham Doyle, the DPC’s head of communications.
This has led to a steep rise in complaints, with the number increasing from 2,500 in 2017 to more than 6,500 now, says Mr Doyle.
An office of 27 staff has had to be beefed up to more than 130. Mr Doyle expects the number to rise eventually to more than 200 over the next year or so.
A Facebook spokesperson said: “We spent more than 18 months working to ensure we comply with the GDPR.
“We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have.”
What is GDPR?
The General Data Protection Regulation (GDPR) took effect in May 2018 and gives EU citizens more rights over how their personal data is collected, used and stored.
We have the right to demand a copy of our personal data from companies, and they have to comply within a month.
That data must be easy to understand and should also be presented in a machine-readable format, so that a customer could transfer all their data to a competitor.
We can ask for any incorrect data to be corrected or for the whole lot to be deleted if we want.
And companies have a responsibility to keep our data safe. If any is stolen or unwittingly shared with unauthorised organisations, companies have to inform the national data regulator within 72 hours.
“Big tech is well and truly in the spotlight at the moment following the Facebook-Cambridge Analytica scandal and other well-publicised data breaches,” says Anthony Lee, data privacy expert and partner at law firm DMH Stallard.
“A lot of these big tech companies are consumer facing so handle a lot of personal data, but come from the US which doesn’t have as strong privacy laws as Europe,” he adds.
“If they weren’t well attuned to the requirements that GDPR imposes, they certainly are now.”
According to the International Association of Privacy Professionals (IAPP), fines levied for GDPR breaches now top €56m. Fines can be as high as €20m or 4% of annual turnover.
“In the first year, we’ve seen tens of thousands of complaints and data breaches,” says Omer Tene, the IAPP’s vice president and chief knowledge officer.
“But we’ve yet to see much evidence that the GDPR has led to an improvement in organisations’ data practices.”
IAPP estimates that organisations have appointed more than 500,000 data protection officers with specific responsibility for handling GDPR-related issues.
But it thinks many companies still need to do much more to bring themselves fully into compliance.
And Ann Bevitt, partner at law firm Cooley, believes that while some companies have instigated a “wholesale change in their culture around privacy and data protection”, many others have simply engaged in “a box-ticking exercise with little to no embedded change in practice”.
A year after GDPR came in to force, she warns that “to some extent, the impact has yet to be felt, in that we haven’t yet seen significant enforcement activity, both in terms of volume and amount”.
This is likely to change over the next year as the number of completed investigations – and potential fines – rises.
There is a time lag because investigations can take many months. All parties need to be consulted before the data protection authority can reach a conclusion. Then the decision has to be circulated to all the other EU data protection authorities for approval.
And the company under investigation has the right to appeal against the final decision.
Ireland’s Data Protection Commissioner, Helen Dixon, is expected to circulate her decisions on some cases by July or August, with final rulings made by the end of the year, Mr Doyle predicts.
Big tech firms may be feeling the heat for some time to come.
At least 121 people were confirmed killed, and hundreds more are missing after a dam crumbled at an iron ore mine Friday, unleashing a muddy sea of debris that all but buried the nearby town of Brumadinho.
The dam is one of hundreds in the mining hub and southeastern state of Minas Gerais, a state whose name literally translates as “general mines.” In November 2015, another dam in the state burst, inundating the small village of Mariana and killing 19 people.
Both dams are associated with the Brazilian mining giant Vale. The disasters have renewed scrutiny of the company’s practices and of environmental regulations in Minas Gerais.
The latest tragedy in Brumadinho also comes against the backdrop of Jair Bolsonaro’s rise to power. The far-right president is an outspoken critic of environmental protection and activists fear that he will loosen regulatory conditions and make another mining disaster inevitable.
Bolsonaro will meet with members of his Cabinet Thursday to discuss the deadly dam collapse in Sao Paulo, where the President is recovering from surgery, according to state media Agencia Brasil.
The Ministry of Regional Development issued a recommendation Wednesday for businesses that manage dams to submit revisions of security plans, which includes audits on procedures and standards for dam safety oversight. They will also have to update the records of these measures in Brazil’s national information system.
Rating Brumadinho as “low-risk”
Brazil’s National Mining Agency classified the Brumadinho dam as “low risk” just weeks before its collapse, the agency confirmed to CNN.
The certification — which found the dam “stable” — has raised serious concerns among some analysts, who said that classification undermined the audits of other dams across the country.
“If this so-called ‘stable’ dam is breaking, there is no guarantee whatsoever about the security of other dams in Brazil,” said Luiz Jardim de Moraes Wanderley, a mining specialist at the State University of Rio de Janeiro.
“It shows a major problem in the public and private monitoring and inspection of dams in the country,” he added.
On Tuesday, Regional Development Minister Gustavo Canuto announced the decision to prioritize the review of the conditions of more than 3,300 dams across Brazil.
The list contains dams classified as “high risk” or “high potential harm.” More than 200 of those under review are mining dams, of which 70 are built based on the same model of Vale’s Corrego do Feijao mine.
Self-assessed safety checks
Mine safety checks have changed little since the Mariana disaster. Mining companies are currently responsible for hiring safety consultants, who make their assessments based on reports supplied by the mining companies themselves.
Andrea Zhouri, professor of anthropology at the Federal University of Minas Gerais, who has campaigned heavily for victims of the Mariana collapse in 2015, told CNN that the safety regulations amounted to “practically self-assessment.”
It’s a view shared by Wanderley, who said the safety evaluation method was “problematic,” and that there was “no public control over this evaluation.” “The Brazilian state does not have enough staff to inspect all the country’s dams, basing their data only on the companies’ report and audition,” he said.
Vale contractor TÜV SÜD evaluated Brumadinho dam for safety in June 2018 and September 2018, the German firm said in a statement emailed to CNN. TÜV SÜD expressed regret for the dam break, but declined to comment further “due to recent investigations.” The firm said its September inspection of the dam had revealed no damage, The New York Times reported.
A Vale spokeswoman told CNN it had “no comment” on the mining regulation process.
The National Mining Agency also told CNN that the dam was assessed in March, June and September last year. It said the most recent survey, carried out in December 2018 by a group of Vale technicians, found “no indication of problems related to the security of the structure.”
The agency declined to comment on the regulation processes, telling CNN it was a matter for the Ministry of Mines and Energy. The ministry in turn told CNN that its disaster response council would oversee a revision of national policy on dam safety. Its mining and geology departments will also investigate the causes of the Brumadinho collapse, it said.
Three Vale employees and two TÜV SÜD contractors were arrested on January 29 on orders of the state court of Minas Gerais. A statement released by the court quoted Judge Perla Saliba Brito saying, “It is unbelievable that dams of those magnitudes, managed by one of the largest mining companies in the world, suddenly rupture without giving any indication of vulnerability.”
Vale has said it is “fully cooperating with authorities” in light of the arrest warrants issued.
In response to the tragedy, Vale chief executive Fabio Schvartsman said Tuesday that the company will decommission 10 dams similar to Brumadinho. “This is the adequate and needed response in face of this enormous tragedy that we had in Brumadinho. This plan was produced 3 or 4 days after the accident,” he said of the closures at a press conference in the city of Belo Horizonte.
The announcement follows Vale chief financial officer’s promise on Monday to donate 100,000 reais ($26,500) to “the families of each missing person or confirmed fatality” of the Brumadinho disaster.
But Greenpeace Brazil says that, with two disasters in just over three years, Brumadinho was “not an accident” but a “crime against people and nature.” “How many lives do we still have to lose (until) the Brazilian state and mining companies learn from their mistakes?” said Greenpeace Brazil campaigns director Nilo D’Ávila in a statement.
In addition to regular safety checks, mines must obtain an environmental license before work begins. That process has accelerated in recent years, sparking alarm among some experts.
For years, various political parties and businesses complained that Brazil’s mining licensing process was slowing development, said Kathy Hochstetler, professor of international development at the London School of Economics and Political Science. Shortly after the Mariana disaster in 2015, the state of Minas Gerais simplified the environmental licensing process.
Under the changes, the state’s multiple stages of licensing can now be reduced to one, several experts told CNN. But in the interest of accelerating operations, environmental assessments became less detailed, with very little input from environmental agencies and the public, the analysts said.
President Bolsonaro has already said that environmental regulations in Brazil — home to the Amazon rainforest — are too stringent. Shortly after taking office, he floated plans to combine the country’s agriculture and environment ministries but was forced to backtrack following international condemnation.
“We intend to protect the environment without creating roadblocks to progress,” Bolsonaro said in November, Reuters reported. Environment permits sometimes take as long as 10 years for certain infrastructure projects and that “cannot continue,” he added. CNN contacted his office for comment on the president’s position on regulation, but had not received a reply at time of publishing.
On Saturday, Bolsonaro expressed “sadness” over the deaths at Brumadinho in an official statement, and said that the Brazilian government will take all necessary measures to ensure such tragedies do not happen again.
The dominance of the “big four” accountancy firms, Deloitte, EY, KPMG and PwC, is set to be scrutinised following widespread concerns.
The Competition and Markets Authority said it would probe whether the sector is “competitive and resilient enough to maintain high quality standards”.
The decision follows fears the sector “is not working well for the economy or investors”, the CMA added.
It follows criticism of the auditors of collapsed construction firm Carillion.
“If the many critics of the audit process are right, it is not just the companies which buy audits that lose out; it is the millions of people dependent on savings, pension funds and other investments in those companies whose audits may be defective,” said the CMA’s new chairman Andrew Tyrie.
The CMA investigation will examine three main areas.
- How firms choose auditors and the frequency of switching, with most firms still turning “almost exclusively” to one of the “big four” when choosing an accountant
- Resilience of the industry because of the risk the “big four” firms’ were “too big to fail”, potentially threatening long-term competition
- The lack of incentive for auditors to produce “challenging performance reviews” given that companies, not investors, pick their own auditor
CMA chief executive Andrea Coscelli said it planned “to move swiftly and to issue our provisional findings before Christmas”.
The CMA’s decision comes after the industry watchdog said earlier this year that the auditing work of the “big four” firms had deteriorated. The Financial Reporting Council said KMPG’s audits in particular had shown “an unacceptable deterioration”.
Michael Izza, chief executive of the Institute of Chartered Accountants in England and Wales (ICAEW),welcomed the investigation.
“It is vital that we rebuild public trust in audit – the success of UK business depends on it,” he said.
Officials in Brazil have blamed lack of funding for a huge fire that has ravaged the country’s National Museum.
One of the largest anthropology and natural history collections in the Americas was almost totally destroyed in Sunday’s fire in Rio de Janeiro.
There had been complaints about the dilapidated state of the museum. “We never had adequate support,” its deputy director said after the fire.
Presidential candidate Marina Silva also criticised lack of investment.
“Given the financial straits of the Federal University of Rio de Janeiro and all the other public universities the last three years, this was a tragedy that could be seen coming,” Ms Silva, a left-wing politician standing in next month’s election, tweeted.
The fire started on Sunday evening, after the building – a 19th Century former royal palace – closed for the day.
The cause is not known, but Culture Minister Sergio Sa Leitao was quoted in Brazilian media as saying it may have been ignited by a small paper hot air balloon landing on the roof.
No injuries have been reported but most of the 20 million items the museum contained went up in flames.
Brazil’s President Michel Temer said in a tweet that it was a “sad day for all Brazilians” as “200 years of work, research and knowledge were lost”.
Mr Sa Leitao said it was a “tragedy that could have been avoided” but a reconstruction effort would begin.
‘We had to break down doors’
Prof Paulo Buckup, an expert in fish science at the museum, arrived at 19:30 (22:30 GMT) local time to find parts of the building where animal specimens were kept still intact.
“It’s unfortunate but the firefighters were not in a position to do anything, to fight anything,” he told BBC Brasil’s Julia Carneiro.
“They had no water, no ladders, no equipment.
“So we took the initiative to get in to try and save what we could. We had to break down doors. The soldiers helped us carry things.”
Prof Buckup rushed into the burning building to save its extensive collection of molluscs rescuing “a few thousand” specimens, a “tiny” part of the collection.
“I don’t know how many tens of thousands of insects and crustaceans were lost,” he says.
“I feel very sorry for my colleagues, some of whom have worked here for 30 or 40 years. Now all evidence of their work is lost, their lives have lost meaning, too.”
What has the reaction been?
A deputy director at the museum, Luiz Fernando Dias Duarte, expressed “immense anger”, and accused Brazilian authorities of a “lack of attention”.
“We fought years ago, in different governments, to obtain resources to adequately preserve everything that was destroyed today.”
Demonstrators gathered at the gates of the museum on Monday morning, protesting against the budget cuts that they blame for the fire. Police were seen firing tear gas.
One issue appears to be the lack of a sprinkler system. Mr Dias Duarte told Globo TV that a $5.3m (£4.1m) modernisation plan agreed in June would have included the installation of modern fire prevention equipment, but only after October’s elections.
A major dinosaur exhibition, which was forced to shut following a termite attack five months ago, had recently reopened only thanks to a crowdfunding campaign.
Museum librarian Edson Vargas da Silva told local media that the building had wooden floors and contained “a lot of things that burn very fast”, such as paper documents.
Why the lack of funds?
The museum, Brazil’s oldest, is managed by the Federal University of Rio de Janeiro and the federal government has been struggling with huge budget imbalances in recent years.
The deficit was about 8% of GDP in 2017, only slightly down from a record 10% two years earlier.
But Rio de Janeiro state is also facing a budget crisis.
A stark metaphor for a city in crisis
By Katy Watson, BBC South America correspondent
This isn’t just Brazilian history that’s gone up in flames. Many see this as a metaphor for the city – and the country as a whole.
Rio de Janeiro is in crisis. Growing violence, a deep economic decline and political corruption have combined to make the city a shadow of what it once was. It was only in 2016 that it was hosting the Olympic Games – an event into which Brazil poured billions of dollars.
But the hangover from the sporting event has hit Rio hard. Add to that the fact that federal spending has been slashed, and with violence on the rise, tourism numbers have also declined.
This was a museum that many saw as long ignored and underfunded – now, with devastating consequences for Brazil’s heritage.
What did the museum contain?
Its 20 million artefacts included fossils, dinosaur bones and a 12,000-year-old skeleton of a woman known as “Luzia”, the oldest ever discovered in Latin America.
A highlight for many was the Bendegó meteorite, weighing more than five tonnes and discovered in Minas Gerais region in the 18th Century. Images taken in the aftermath suggest it is still intact.
The building was also home to items covering the centuries from the arrival of the Portuguese in the 1500s to the declaration of a republic in 1889.
The ethnology collection had unique pieces from the pre-Columbian era and artifacts from indigenous cultures.
Portugal’s royal family transferred the court to the building in 1808, when the country faced the threat of invasion from Napoleon.
The museum was established in 1818, with the aim of promoting scientific research by making its collection available to specialists.
Major fires at world’s museums
- Jan 2018 – Much of Indonesia’s Maritime Museum in Jakarta – which contained Dutch East Indian ship models and cannons – is gutted
- July 2017 – Hundreds of objects are destroyed – including three paintings on loan from the Louvre – at the Maritime Museum in Tatihou, France
- Apr 2016 – Rare specimens of flora and fauna are destroyed at the National Museum of Natural History in Delhi, India
- Oct 2014 – Cutty Sark – one of the world’s last tea clippers to be built – is damaged by a fire in London for the second time in seven years
- July 1865 – New York City’s Barnum’s American Museum – whose collections included false artefacts like the “skeleton of a mermaid”- is burned to the ground