Privacy Roundup #0057 • April 2011
April 2011 was dominated by the Sony PlayStation Network mega-breach and the discovery that smartphones quietly logged their owners' every move.
1. Sony admits PlayStation Network intrusion exposed 77 million accounts
Sony disclosed that an unauthorised intrusion between 17 and 19 April had compromised personal details tied to roughly 77 million PlayStation Network and Qriocity accounts. The exposed records included names, addresses, email addresses, birthdates, passwords and login credentials, and Sony could not rule out theft of card data.
2. Epsilon breach raises the spectre of mass spear phishing
Marketing firm Epsilon revealed that intruders had stolen the names and email addresses of customers belonging to dozens of major banks and retailers. Security experts warned that the trove gave criminals everything they needed to craft convincing targeted phishing emails.
3. Researchers reveal the hidden iPhone location file
At the Where 2.0 conference, Alasdair Allan and Pete Warden disclosed that iOS 4 stored a long, unencrypted log of an owner's whereabouts in a file named consolidated.db. They released an open-source tool, iPhoneTracker, that read the backup and plotted a year of movements on a map.
4. Apple publishes its Q and A on location data
Apple issued a formal Q and A denying that it tracked iPhones and arguing that the device merely cached a crowd-sourced database of Wi-Fi hotspots and cell towers. The company conceded that the volume of stored data was a bug and promised an update to shrink the cache, stop backing it up and encrypt it.
5. Senator Al Franken demands answers from Steve Jobs
Within a day of the consolidated.db disclosure, Senator Al Franken sent a two-page letter to Steve Jobs demanding an explanation of why the iPhone logged location data unencrypted. He warned that the file could reveal a user's home, workplace, doctors and the schools their children attended.
6. Apple sued in Florida over covert location tracking
Vikram Ajjampur and William Devito filed a proposed class action against Apple in a Florida federal court, accusing it of fraud and deceptive practices over the consolidated.db logging. The complaint argued that the iPhone tracked users as if by a court-ordered device and sought an injunction to halt the practice.
7. Google sued over Android location tracking
Two Michigan women filed a fifty million dollar class action demanding that Google stop selling Android phones that report user locations. The suit followed researcher Samy Kamkar's finding that Android handsets sent a unique identifier alongside the harvested Wi-Fi and cell-tower data.
8. Windows phones also send location data to Microsoft
Reports confirmed that Windows Phone 7 handsets transmitted a unique identifier, nearby wireless networks, signal strengths and GPS coordinates to Microsoft when location services were enabled. Unlike the iPhone, the devices did not retain a location history on the handset itself.
9. European regulators open Apple location inquiries
Following the consolidated.db revelations, data protection regulators in Italy, Germany and France signalled that they were keen to examine Apple's collection and retention of iPhone location data. South Korea's communications commission moved further, formally questioning Apple about the practice.
10. EPIC documents the iPhone and iPad location logging
The Electronic Privacy Information Center published an analysis warning that iPhones and iPads recorded detailed coordinates and timestamps, stored unencrypted on users' computers. The group catalogued the resulting congressional inquiries and pressed for stronger limits on the practice.
11. US government takes down the Coreflood botnet
The FBI and Justice Department won unprecedented authority to seize the Coreflood botnet's control servers and command infected machines to stop the malware. The operation targeted a network that had compromised hundreds of thousands of computers and drained money from bank accounts for years.
12. SQL injection hits security vendor Barracuda Networks
An automated script found a SQL injection flaw on Barracuda's website while its own web application firewall sat offline for maintenance. The attack exposed databases of names and email addresses belonging to partners, employees and sales leads, embarrassing a firm that sells protection against such attacks.
13. WordPress.com breach exposes confidential source code
Automattic founder Matt Mullenweg disclosed that attackers had gained root access to several WordPress.com servers. The company presumed its source code was copied, including sensitive bits such as API keys and partner credentials.
14. Texas comptroller exposes 3.5 million people's records
Texas Comptroller Susan Combs took responsibility for leaving the names and Social Security numbers of about 3.5 million residents on a publicly accessible server for nearly a year. The unencrypted data, drawn from state retirement and workforce systems, had never been purged as internal rules required.
15. Hyundai Capital learns of breach from a blackmailer
South Korea's Hyundai Capital admitted that hackers had stolen records on about 420,000 of its customers, a quarter of its client base. The firm only discovered the theft when the attacker emailed an extortion demand, having quietly siphoned data through servers in Brazil and the Philippines.
16. European Commission reviews the Data Retention Directive
The Commission submitted its long-awaited evaluation of the 2006 Data Retention Directive to Parliament and the Council. The report defended retention as a valuable law-enforcement tool while conceding that it had done little to harmonise purposes, retention periods or cost reimbursement across member states.
17. Sony settles its lawsuit against George Hotz
Sony announced a settlement with PlayStation 3 hacker George Hotz, ending litigation that had drawn the ire of Anonymous over Sony's demand for the IP addresses of visitors to his blog. The deal included a permanent injunction barring Hotz from further work on Sony products.
18. Kerry and McCain introduce a Commercial Privacy Bill of Rights
Senators John Kerry and John McCain introduced the Commercial Privacy Bill of Rights Act of 2011, the first comprehensive privacy bill in the Senate in over a decade. It would have required privacy by design and given consumers opt-out and opt-in choices over how their data was used and shared.
19. First class action filed over the PlayStation Network breach
Alabama subscriber Kristopher Johns filed the first class action against Sony over the PSN intrusion in a California federal court. The complaint accused Sony of failing to maintain a firewall, encrypt data or notify customers promptly of the exposure.
20. WikiLeaks publishes secret Guantanamo detainee files
WikiLeaks, working with several news organisations, began publishing hundreds of classified Detainee Assessment Briefs from the Guantanamo Bay camp. The documents detailed the intelligence assessments, photographs and personal histories of 776 detainees, exposing how many had been held for years without charge.