Privacy Roundup #0120 • July 2016
July 2016 brought new transatlantic data-transfer rules and limits on warrant reach, set against a steady run of payment-card breaches, forum database leaks, encrypted messaging launches and surveillance disputes.
1. European Commission adopts the EU-US Privacy Shield
The Commission formally adopted the Privacy Shield framework on 12 July, replacing the Safe Harbour deal that the European Court of Justice had struck down the previous year. Critics warned that the new arrangement still left European data exposed to American mass surveillance.
2. Appeals court rules Microsoft need not hand over emails stored in Ireland
The US Second Circuit ruled that prosecutors could not use a domestic warrant to force Microsoft to surrender customer emails held on servers in Dublin. The decision was a landmark win for the idea that data should be governed by the laws of the country where it is stored.
3. EU Advocate General opines on national data retention laws
Advocate General Saugmandsgaard Øe delivered his opinion on 19 July in the joined Tele2 and Watson cases challenging blanket data retention regimes. He concluded that general retention could be lawful only under strict safeguards, including independent authorisation of access to the data.
4. Pokémon Go granted full access to some players' Google accounts
Researchers found that the iOS version of the game requested full access permissions to the Google accounts of players who signed in with Google. Niantic called it an error and promised a fix that would request only basic profile information.
5. Senator Franken presses Niantic over Pokémon Go data collection
Senator Al Franken wrote to Niantic on 12 July questioning why the game collected such a wide range of location and device information, much of it from children. He asked the company to switch to an opt-in model and to explain how it shared data with third parties.
6. WhatsApp blocked again in Brazil over encrypted messages
A Brazilian judge ordered carriers to cut off WhatsApp after Facebook said it could not hand over end-to-end encrypted chats sought in a criminal case. Brazil's Supreme Court lifted the block within hours, the fourth such order against the service.
7. Facebook Messenger begins testing end-to-end encrypted Secret Conversations
Facebook started rolling out an opt-in encrypted mode for Messenger built on the Signal protocol. The feature was off by default and a secret conversation could be read on only one device at a time, limits that security researchers said would keep most Messenger traffic unprotected in practice.
8. Omni Hotels discloses six-month point-of-sale malware breach
Omni Hotels said hackers had planted card-skimming malware on payment terminals at dozens of properties for roughly six months. About 50,000 stolen cards were already being sold on criminal forums by a vendor known as JokerStash.
9. Wendy's says card breach hit more than 1,000 restaurants
Wendy's revealed that at least 1,025 of its locations had been struck by point-of-sale malware that began in late 2015. The chain blamed a hacked third-party service provider with remote access to the affected cash registers.
10. Federal judge suppresses evidence from warrantless stingray use
In United States v. Lambis, a federal judge in New York issued what appeared to be the first ruling that warrantless use of a cell-site simulator was an unconstitutional search. The court suppressed the evidence, holding that the government may not turn a citizen's phone into a tracking device without a warrant.
11. Alleged KickassTorrents owner arrested after iTunes trail
Polish police arrested Artem Vaulin, the alleged operator of KickassTorrents, on a US indictment, and authorities seized the site's domains. Investigators tracked him in part by matching an IP address from an iTunes purchase to one used to log in to the site's Facebook page.
12. Ubuntu Forums hack exposes two million accounts
A SQL injection flaw in a forum add-on let an attacker copy a database table holding the email addresses, usernames and IP addresses of about two million Ubuntu Forums users. Canonical said no valid passwords or code repositories were reached.
13. Clash of Kings forum breached for 1.6 million records
An attacker exploited an outdated forum running old vBulletin software to steal about 1.6 million Clash of Kings accounts. The haul included email addresses, IP addresses, device identifiers and linked Facebook tokens.
14. Peers warn the Investigatory Powers Bill endangers journalists
During House of Lords committee scrutiny on 12 July, peers cautioned that the bill could let the state turn reporters' phones into bugs and seize their notes and unbroadcast footage. An amendment sought judicial approval before authorities could target journalistic material.
15. Congressional report says China hacked the FDIC and officials hid it
A House committee report alleged that Chinese government hackers compromised FDIC computers across several years and that staff covered up the intrusions. The report said the breaches reached the workstations of senior executives at the banking regulator.
16. Cici's Pizza confirms card breach at more than 130 locations
Cici's acknowledged that point-of-sale malware had stolen customer card data at over 135 restaurants, with some intrusions reaching back to 2015. Attackers gained access by posing as technical support staff for the chain's payment vendor.
17. WikiLeaks DNC dump exposes donors' Social Security and card numbers
WikiLeaks published 19,252 Democratic National Committee emails that were easily searchable for donors' personal data. The trove laid bare Social Security numbers, passport numbers and credit card details belonging to ordinary contributors.
18. Backdoored Pokémon Go app spreads DroidJack on Android
Researchers found a tampered Android build of Pokémon Go carrying the DroidJack remote access tool, which could give an attacker full control of a phone. The poisoned file appeared on a download repository within days of the game's launch, riding the wave of players side-loading the app.
19. US health regulator says ransomware attacks are usually HIPAA breaches
The Department of Health and Human Services issued guidance on 11 July stating that a ransomware infection encrypting patient data is a security incident and is presumed to be a reportable breach unless the covered entity can show a low probability that the data was compromised. The exception was data already encrypted to the agency's standard before the attack, which would not trigger notification.
→ www.dataprivacyandsecurityinsider.com
20. Verizon agrees to buy Yahoo and its trove of user data
Verizon announced a deal to acquire Yahoo's operating business for 4.83 billion dollars, folding it in alongside the earlier AOL purchase. The combination handed the carrier the personal information and viewing habits of more than a billion users to feed its advertising business.