Privacy Roundup #0111 • October 2015
October 2015 was defined by Europe's court tearing up Safe Harbor, a run of large customer-data breaches, and the United States Senate pushing the CISA surveillance bill through.
1. Europe's top court strikes down the Safe Harbor data pact
The Court of Justice of the European Union ruled the fifteen-year-old Safe Harbor framework invalid, finding that it did not shield Europeans from American mass surveillance. The decision left more than four thousand companies that moved personal data across the Atlantic scrambling for a lawful basis.
2. Experian breach exposes 15 million T-Mobile applicants
Experian disclosed that intruders had stolen a file holding records on about fifteen million people who applied for T-Mobile service or device financing between September 2013 and September 2015. The data included names, dates of birth, addresses, Social Security numbers and driving licence or other ID numbers; Experian said the Social Security and ID numbers had been encrypted but acknowledged that the encryption may have been compromised.
3. Scottrade breach hits 4.6 million brokerage customers
The broker revealed that attackers had taken a list of names and street addresses for roughly 4.6 million clients in an intrusion dating back to late 2013. Scottrade learned of the theft only after federal investigators told the firm its systems had been hit.
4. Stagefright 2.0 leaves a billion Android phones at risk
Researchers at Zimperium disclosed two new flaws in the way Android processes MP3 and MP4 files, which could let a booby-trapped media file run code on a device. One of the bugs dates back to Android 1.0 in 2008 and the other affects Android 5.0 and later, so between them they touched almost every Android handset ever shipped. Unlike the original Stagefright bugs, which could be triggered by a single MMS, these needed the victim to open or preview the file, for example on a web page.
5. California enacts a warrant requirement for digital data
Governor Jerry Brown signed CalECPA, which obliges state police to obtain a warrant before reading emails, texts, location records or other electronic information. The law extended traditional search protections to data held on devices and in the cloud.
6. Patreon user data dumped online after a breach
Attackers published nearly fifteen gigabytes of stolen data from the crowdfunding site Patreon, including 2.3 million email addresses, donation records and private messages. The dump also contained the site's source code, which raised fears about the long-term safety of hashed passwords.
7. Dow Jones discloses a multi-year payment card breach
The publisher of The Wall Street Journal warned that hackers had lurked in its systems from August 2012 to July 2015 and may have reached payment card details for fewer than 3,500 people. The attackers appeared to be harvesting subscriber contact information for fraudulent solicitations.
8. The Senate passes the CISA surveillance bill
Senators approved the Cybersecurity Information Sharing Act by 74 votes to 21, a measure that encourages companies to hand user data to the government. Privacy groups argued that broad immunity clauses and vague definitions made it a surveillance tool dressed up as security.
9. TalkTalk attackers demand a Bitcoin ransom
The British telecoms firm TalkTalk was hit by a cyber attack that reached customer names, addresses and some bank details, and the company received a ransom demand for eighty thousand pounds in Bitcoin. The intrusion exploited an unpatched web page inherited from an earlier acquisition.
10. Pawn Storm exploits an Adobe Flash zero-day
The Russia-linked group known as Pawn Storm used an unpatched Flash flaw to target foreign affairs ministries with booby-trapped spear-phishing emails. Trend Micro found the attackers also stood up fake webmail servers to harvest officials' login credentials.
11. Card breach hits America's Thrift Stores
The southeastern US thrift-store chain America's Thrift Stores said malware planted through a third-party supplier had skimmed payment card numbers and expiry dates from its point-of-sale systems. Banks had already spotted fraud on cards used at the stores during September.
12. E*Trade warns 31,000 customers after a 2013 hack
The brokerage notified about thirty-one thousand customers that their contact details may have been taken in an intrusion two years earlier that it had previously thought harmless. Like several other firms that month, E*Trade learned of the problem from law enforcement rather than its own monitoring.
13. Tor Project releases an anonymous messenger
The Tor Project published a beta of Tor Messenger, a chat client that routes instant messages over the Tor network and turns on Off-the-Record encryption by default. The team cautioned that the client-server design still left metadata visible to the chat servers.
14. Regulators miss the drone rule deadline and skip privacy
EPIC noted that the FAA had blown past its congressional deadline for drone regulations while pressing ahead with a registration scheme that ignored privacy safeguards. The group had been pushing the agency for years to write rules limiting aerial surveillance.
15. EFF finds licence plate readers exposed online
An EFF investigation showed that more than a hundred automated licence plate reader cameras run by police agencies were sitting on the open internet with viewable feeds and configuration pages. The findings revealed both lax security and the scale of routine vehicle tracking.
16. Court dismisses Wikimedia's challenge to NSA spying
A federal judge in Maryland threw out Wikimedia v. NSA, ruling that the plaintiffs could not show their communications were caught by the agency's Upstream programme. EFF criticised the decision as another case of a court refusing to look squarely at mass surveillance.
17. CIA director's personal email account is hijacked
A teenager and his associates broke into the personal AOL account of CIA director John Brennan by tricking Verizon and AOL staff into resetting his password. The intruders leaked sensitive documents, including a draft of Brennan's security clearance application.
18. Apple pulls ad blockers that install root certificates
Apple removed several App Store apps that installed root certificates to filter ads, warning that the technique exposed users' encrypted traffic to the app makers. Some developers rewrote their apps to drop the trusted certificate and were allowed back.
19. Chinese hackers breach LoopPay, the maker of Samsung Pay's core technology
A group linked to China sat inside the network of LoopPay, the firm whose Magnetic Secure Transmission (MST) technology lets Samsung Pay work with ordinary magnetic-stripe card readers, for five months before being noticed. Samsung said the payment service itself ran on separate infrastructure and that no customer payment data was at risk.
20. Healthcare.gov agrees to honour Do Not Track
After EFF reported that the federal health exchange shared visitor data with advertising and analytics firms, officials announced a new privacy policy and support for the Do Not Track header. Users would be able to switch off third-party tracking beacons on the site.