Privacy Roundup #0113 • December 2015

December 2015 closed the year with breaches of children's data, freshly discovered firewall backdoors, and a wave of European and American rule-making over surveillance and consent.

1. VTech breach exposed millions of children and parents

A hacker took data on millions of parents and children from the toymaker VTech, including names, addresses, photographs, chat logs, and audio recordings. The scale of the theft made it one of the largest known breaches of children's records.

www.helpnetsecurity.com

2. Hello Barbie doll found vulnerable to hackers

Researchers reported that Mattel's internet-connected Hello Barbie carried flaws that could let attackers eavesdrop on a child's conversations with the toy. The doll reused authentication credentials and would join any wireless network whose name contained the word Barbie.

fortune.com

3. Let's Encrypt opened free HTTPS certificates to the public

Let's Encrypt, the free and automated certificate authority built with the EFF and partners, entered public beta on 3 December. The project removed the cost and difficulty that had long discouraged website operators from adopting encryption.

www.eff.org

4. EU institutions agreed on the Network and Information Security Directive

European negotiators reached an informal agreement on the first EU-wide cybersecurity rules, obliging operators of essential services to report serious incidents. The deal applied stricter oversight to sectors such as energy and banking and lighter rules to digital service providers.

www.insideprivacy.com

5. Wyndham settled the FTC data security case

Wyndham agreed to settle Federal Trade Commission charges that it had unfairly failed to protect customer payment cards across three breaches. The settlement followed an appeals court ruling that confirmed the FTC's power to police corporate data security.

www.ftc.gov

6. MEPs on the Civil Liberties Committee backed the Passenger Name Record deal

The European Parliament's Civil Liberties Committee endorsed a provisional deal requiring airlines to hand passenger records to member states for counterterrorism. The agreement set a five-year retention period and drew objections from privacy campaigners over bulk collection.

www.europarl.europa.eu

7. Ted Cruz campaign tied to harvested Facebook profiles

Reporting revealed that the Ted Cruz presidential campaign paid Cambridge Analytica to build psychological profiles from tens of millions of Facebook users. Much of the data came from people who never consented, having been scraped through the friends of survey respondents.

fortune.com

8. Twitter warned users of state-sponsored attacks for the first time

Twitter sent its first ever alerts telling a small group of users that government-backed hackers might have targeted their accounts. The attackers appeared to seek the email addresses, telephone numbers, and IP addresses tied to the accounts.

www.aljazeera.com

9. MacKeeper left 13 million customer records exposed

A researcher found a misconfigured database belonging to the maker of MacKeeper that exposed the details of 13 million customers. The records included names, addresses, and passwords protected only by an unsalted MD5 hash, which is trivially reversed with precomputed lookup tables.

www.helpnetsecurity.com

10. Firefox added tracking protection to private browsing

Mozilla shipped a version of Firefox that let users block trackers while browsing privately, with a stricter list available for those who wanted it. The feature aimed to stop advertising, analytics, and social trackers from following people across the web.

blog.mozilla.org

11. EU confirmed agreement on the General Data Protection Regulation

After almost four years of negotiation, the Council confirmed agreement with the Parliament on the General Data Protection Regulation. The new law promised stronger individual rights and fines of up to four per cent of a company's global turnover.

www.consilium.europa.eu

12. EFF opposed cybersecurity bill bolted onto the budget package

Congressional leaders attached cybersecurity legislation to the year-end spending bill, which the President then signed into law. The EFF argued the measure encouraged data sharing without addressing the real causes of recent breaches.

www.eff.org

13. Juniper disclosed backdoors in its firewall software

Juniper revealed unauthorised code in ScreenOS that let attackers log in with a hardcoded password and decrypt protected traffic. Researchers identified the secret password within hours, and tens of thousands of devices were reachable online.

www.rapid7.com

14. Hello Kitty database exposed 3.3 million fans

A researcher found a publicly accessible database for the SanrioTown community that exposed the records of 3.3 million Hello Kitty fans. The data included names, birthdays, email addresses, and weakly hashed passwords, with many records belonging to children.

www.engadget.com
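The MacKeeper and SanrioTown exposures above share the same storage mistake: passwords kept as a fast, unsalted hash. The following added example (written for this roundup, not code from either company or from the researchers who reported the breaches) shows why that matters. It builds a constructed three-user table hashed with unsalted MD5, cracks it with a single precomputed lookup, and then stores the same passwords with a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here because it needs no third-party package; bcrypt, scrypt or Argon2 are the usual production choices). The e-mail addresses, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked user table whose passwords were stored as
# unsalted MD5. These are invented records, not data from any real breach.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"hellokitty").hexdigest(),
    "bob@example.com":   hashlib.md5(b"password1").hexdigest(),
    "carol@example.com": hashlib.md5(b"hellokitty").hexdigest(),
}

# A tiny wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = [b"123456", b"password1", b"hellokitty", b"letmein"]


def crack_unsalted(leaked, wordlist):
    """Precompute one MD5 per candidate word, then look every user up in it.

    Cost is O(len(wordlist)) no matter how many users leaked, and because
    there is no salt, two users with the same password share one hash, so a
    single table hit unlocks every duplicate at once.
    """
    table = {hashlib.md5(w).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Hardened storage: random per-user salt plus a slow, iterated KDF.
# 100k iterations keeps the example quick; tune upward for production.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the KDF and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist):
    """The same dictionary attack against salted records.

    No shared lookup table is possible: every (user, word) pair costs a full
    KDF run, so the work grows with users * words instead of just words.
    """
    found = {}
    for user, (salt, digest) in records.items():
        for w in wordlist:
            if verify_password(w, salt, digest):
                found[user] = w
                break
    return found


def shares_a_hash(values):
    """True if any two stored values are identical (the unsalted giveaway)."""
    return len(set(values)) < len(values)


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(LEAKED_MD5, WORDLIST))
    print("duplicate hashes visible:", shares_a_hash(LEAKED_MD5.values()))

    salted = {user: hash_password(pw) for user, pw in
              [("alice@example.com", b"hellokitty"),
               ("carol@example.com", b"hellokitty")]}
    print("duplicate digests visible:",
          shares_a_hash(d for _, d in salted.values()))
    print("salted PBKDF2 cracked (one KDF run per guess):",
          crack_salted(salted, WORDLIST))
```

Run it and note two things: the unsalted table reveals that alice and carol chose the same password before any cracking starts, and the salted version hides that while forcing the attacker to pay the full KDF cost for every guess against every user. Salting alone does not stop a targeted dictionary attack on a single weak password; the iteration count is what makes each guess expensive.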

15. Oracle settled FTC charges over Java security updates

Oracle agreed to settle FTC allegations that it had misled consumers about the safety of its Java updates. The company had left older, vulnerable versions on machines while telling people the update process would keep them safe and secure.

www.ftc.gov

16. GDPR negotiators set the age of parental consent at sixteen

Negotiators on the data protection regulation set sixteen as the age below which children would need parental consent to use online services. The move drew sharp criticism for potentially shutting younger teenagers out of social platforms.

phys.org

17. Hyatt found card-stealing malware across its hotels

Hyatt disclosed that malware had infected the payment systems at around 250 of its locations worldwide. The software could capture cardholder names, card numbers, expiry dates, and verification codes used at the affected sites.

krebsonsecurity.com

18. Database exposed 191 million American voter records

A researcher found a misconfigured database holding the records of 191 million registered United States voters open to anyone online. The data included names, addresses, dates of birth, and party affiliations, and no owner came forward to claim it.

fortune.com

19. Report said NSA surveillance swept up members of Congress

The Wall Street Journal reported that the NSA, while targeting Israeli officials, had captured private conversations with American lawmakers about the Iran deal. The disclosure prompted outrage from some legislators who had long defended mass surveillance.

theintercept.com

20. Microsoft pledged to warn users of state-sponsored attacks

Former staff said Microsoft had declined to tell Hotmail users that Chinese authorities had compromised their accounts, including those of Tibetan and Uighur leaders. Facing questions, the company said it would in future notify users when it believed an attacker was state-sponsored.

fortune.com

