Privacy Roundup #0110 • September 2015

September 2015 paired a wave of record-setting breaches with landmark surveillance reforms, as courts, regulators and Edward Snowden himself pushed the privacy debate forward.

1. Advocate General advises the European court to strike down Safe Harbour

On 23 September the Court of Justice published Advocate General Bot's opinion that the EU-US Safe Harbour data transfer arrangement was invalid. He argued that American mass surveillance left European citizens without adequate protection or redress.

curia.europa.eu

2. Justice Department reverses course and requires warrants for stingrays

On 3 September the Department of Justice announced that federal agencies must obtain a probable-cause warrant before using cell-site simulators. The policy was a long-awaited concession after years of secret deployment of the surveillance devices.

www.eff.org

3. Office of Personnel Management says 5.6 million fingerprints were stolen

On 23 September the OPM revised the count of fingerprints taken in its breach upward to 5.6 million, more than five times the earlier estimate. The disclosure deepened concern about the 21.5 million people whose background records had already been compromised.

www.npr.org

4. Excellus BlueCross BlueShield discloses a breach affecting 10 million people

On 9 September the health insurer revealed that hackers had sat inside its systems since December 2013. The exposed records included names, Social Security numbers, financial details and clinical information.

fortune.com

5. Researchers crack 11 million Ashley Madison passwords

On 10 September the CynoSure Prime group revealed that it had recovered 11 million passwords from the leaked Ashley Madison database. The team exploited weak MD5 login tokens to sidestep the site's stronger bcrypt hashing.

www.theregister.com
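The lesson behind item 5 is that a password store is only as strong as the weakest password-derived value it keeps. The following Python example is added here and is not code from the roundup or from CynoSure Prime's analysis; it uses a constructed record layout and a PBKDF2 stand-in for the site's slow bcrypt hashing. It contrasts a legacy record that stores a fast MD5 "login token" computed from the password (an assumed construction, matching only the general pattern the item describes) with a hardened record whose token is random and independent of the password, and includes a simple audit check a defender can run over stored records to confirm the token no longer acts as a cheap password oracle.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for bcrypt (not in the standard library): a deliberately slow,
# salted hash. The iteration count is kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def issue_legacy_record(username: str, password: str) -> dict:
    """Flawed design: a fast MD5 token derived from the password sits next to
    the slow hash, so checking a password guess costs one MD5, not one PBKDF2."""
    salt = os.urandom(16)
    token_material = f"{username.lower()}::{password.lower()}".encode()  # assumed layout
    return {
        "username": username,
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        "login_token": hashlib.md5(token_material).hexdigest(),
        "token_scheme": "md5-of-password",
    }


def issue_hardened_record(username: str, password: str) -> dict:
    """Fixed design: the token is random, so it reveals nothing about the password."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        "login_token": secrets.token_hex(16),
        "token_scheme": "random",
    }


def verify_password(record: dict, password: str) -> bool:
    """The only legitimate verification path: recompute the slow hash."""
    return hmac.compare_digest(record["pw_hash"], slow_hash(password, record["salt"]))


def token_reveals_password(record: dict, candidate: str) -> bool:
    """Audit check: does a candidate password reproduce the stored token via a
    fast hash? True means the token is a cheap offline oracle for the password."""
    material = f"{record['username'].lower()}::{candidate.lower()}".encode()
    return hmac.compare_digest(
        record["login_token"], hashlib.md5(material).hexdigest()
    )


def audit_records(records: list, known_password: str) -> list:
    """Return usernames whose stored token leaks the (known, test) password."""
    return [r["username"] for r in records if token_reveals_password(r, known_password)]


if __name__ == "__main__":
    # Constructed sample data, not from any real breach.
    pw = "correct horse battery staple"
    legacy = issue_legacy_record("Alice", pw)
    hardened = issue_hardened_record("Bob", pw)
    print("slow path verifies both:", verify_password(legacy, pw), verify_password(hardened, pw))
    print("accounts whose token leaks the password:", audit_records([legacy, hardened], pw))
```

Note that the audit works only with a known test password (for example one set on a canary account); it is a design check on the storage scheme, not a crack. The fix is not a stronger fast hash but removing every deterministic password derivative from storage: session and "remember me" tokens should be random values, and case-folding the password before hashing, as the assumed legacy layout does, shrinks the guess space further.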

6. XcodeGhost malware slips into Apple's App Store

In mid-September researchers found that a tampered version of Apple's Xcode tool had injected malicious code into hundreds of iOS apps. The infected apps could harvest device information and present fake prompts to steal credentials.

theintercept.com

7. EFF shows courts that phone companies took part in NSA spying

On 11 September the EFF asked two courts to accept declassified surveillance court filings as evidence. The documents confirmed that AT&T, Verizon, Verizon Wireless and Sprint had participated in the NSA's bulk records programme.

www.eff.org

8. The Intercept exposes GCHQ's KARMA POLICE web tracking

On 25 September The Intercept revealed that British intelligence had built a system to record the browsing habits of internet users worldwide. The KARMA POLICE programme stored billions of metadata records to profile people through their online activity.

theintercept.com

9. Privacy International launches a tool to check for GCHQ spying

On 14 September Privacy International opened a webpage where people could ask the Investigatory Powers Tribunal whether GCHQ had collected their data. The campaign followed a ruling that intelligence sharing with the United States had been unlawful.

www.theregister.com

10. Banks trace a card breach to Hilton hotel properties

On 25 September Brian Krebs reported that fraud patterns pointed to compromised point-of-sale registers across Hilton brands. The affected gift shops and restaurants spanned Embassy Suites, DoubleTree and Hampton Inn locations.

krebsonsecurity.com

11. iOS 9 brings content blockers to the iPhone

Apple's iOS 9, released in mid-September, allowed third-party apps to block ads and trackers in Safari. The feature improved privacy and page speed while reigniting debate over the economics of the advertising-funded web.

techcrunch.com

12. Let's Encrypt issues its first certificate

On 14 September the Let's Encrypt project, backed by the EFF and Mozilla, issued its first publicly trusted certificate. The free certificate authority aimed to make encrypted HTTPS the default across the entire web.

www.engadget.com

13. FTC finalises its order against retail tracker Nomi Technologies

On 3 September the Federal Trade Commission approved a final order resolving charges that Nomi misled shoppers about its in-store device tracking. The company had promised an opt-out mechanism and notice that consumers never actually received.

www.ftc.gov

14. EFF says proposed CISA amendments fail to fix the surveillance bill

On 1 September the EFF argued that amendments to the Cybersecurity Information Sharing Act did nothing to cure its privacy flaws. The group warned that the bill still let companies hand user data to the government without a warrant.

www.eff.org

15. The United States and China agree to curb commercial cyber theft

On 25 September, during Xi Jinping's state visit, the two governments pledged not to support cyber-enabled theft of trade secrets for commercial gain. The deal followed accusations that Chinese hackers had stolen American government and business data.

www.bankinfosecurity.com

16. Microsoft defends Windows 10 data collection

On 28 September Microsoft's Terry Myerson published a blog post responding to criticism of Windows 10 telemetry. He set out the company's data collection principles and insisted that users retained control over what was gathered.

blogs.windows.com

17. EPIC challenges the FAA over the absence of drone privacy rules

On 29 September EPIC filed its opening brief in a lawsuit against the Federal Aviation Administration. The group argued that the agency's failure to set privacy rules for commercial drones broke the law and should be overturned.

archive.epic.org

18. Edward Snowden joins Twitter

On 29 September the NSA whistleblower opened a Twitter account with the message "Can you hear me now?" The only account he followed at first was the official feed of the National Security Agency.

theintercept.com

19. EPA exposes Volkswagen's emissions defeat-device software

On 18 September the Environmental Protection Agency revealed that Volkswagen had programmed millions of diesel cars to detect when they were being tested. The hidden software demonstrated how deceptive code inside everyday devices could evade scrutiny.

www.epa.gov

20. Experian confirms theft of T-Mobile applicant data

On 22 September Experian confirmed that intruders had stolen a file containing records on about 15 million people who applied for T-Mobile service. The exposed data included names, dates of birth, addresses and Social Security numbers.

krebsonsecurity.com
