Privacy Roundup #0124 • November 2016
November 2016 hardened state surveillance into law while breaches, botnets and ransomware showed how fragile everyday data really was.
1. UK Investigatory Powers Act becomes law
The Investigatory Powers Act received royal assent on 29 November, forcing providers to retain a year of internet connection records and granting bulk interception powers. Critics named it the Snoopers' Charter and called it the most extreme surveillance law in any democracy.
2. FriendFinder Networks hack exposes 412 million accounts
Six FriendFinder databases, including AdultFriendFinder, were stolen and analysed by LeakedSource, exposing more than 412 million accounts. The company had stored passwords in plain text or weak SHA1, and kept records for millions of people who had deleted their accounts.
3. Tesco Bank halts online payments after accounts raided
Tesco Bank froze online transactions on 7 November after money was taken from thousands of current accounts over a weekend. The bank confirmed 40,000 accounts were affected and that around 9,000 customers lost money, which it pledged to refund.
4. Three Mobile breach exposes 133,000 customers
Three Mobile confirmed that personal data on more than 133,000 customers was reached through a compromised upgrade database. Attackers used authorised logins to order high value handsets, and three people were arrested in connection with the fraud.
5. Facebook pauses WhatsApp data sharing across Europe
Facebook agreed to suspend sharing WhatsApp user data for advertising in the UK after the Information Commissioner raised consent concerns. The pause then extended across all European Union member states while regulators investigated.
6. Mirai worm knocks 900,000 Germans offline
A new Mirai variant exploited a router management flaw and crippled internet access for about 900,000 Deutsche Telekom customers in late November. The worm disabled the very feature it abused, which complicated recovery for the provider and its users.
7. Gooligan malware breaches a million Google accounts
Researchers at Check Point disclosed Gooligan, Android malware that rooted devices and stole authentication tokens for Gmail, Drive and other Google services. It had already compromised more than a million accounts and was infecting thousands of new devices each day.
8. FCC publishes broadband privacy rules
The Federal Communications Commission released the full text of its broadband privacy rules in early November, requiring internet providers to obtain opt-in consent before sharing sensitive data. The rules covered web browsing history, location, health and financial details, and imposed breach notification duties.
9. Madison Square Garden discloses payment card breach
The Madison Square Garden Company revealed that malware on its payment systems harvested card data from concession stands for nearly a year. The breach hit venues including Radio City Music Hall and the Beacon Theater between November 2015 and October 2016.
10. Avalanche cybercrime network dismantled
On 30 November an international operation across 30 countries dismantled Avalanche, a platform that had delivered malware and phishing for years. Investigators seized or blocked more than 800,000 domains, arrested five people and took dozens of servers offline.
11. Ransomware locks San Francisco transit system
Ransomware encrypted around 2,000 machines at the San Francisco Municipal Transportation Agency over the Thanksgiving weekend, forcing free travel while ticket machines were disabled. The attacker demanded 100 bitcoin, but the agency restored from backups and the extortionist was himself hacked.
12. Germany expands BND foreign surveillance powers
On 4 November the Bundesrat approved a law expanding the Federal Intelligence Service's powers to gather foreign signals intelligence and cooperate with foreign agencies. The measure followed the NSA affair and drew strong criticism from press freedom and civil liberties groups.
13. New Rule 41 expands FBI hacking powers
Changes to Rule 41 of the Federal Rules of Criminal Procedure took effect at the end of November, letting judges issue warrants to hack computers anywhere in the country. Civil liberties groups and technology firms warned that the change removed an important safeguard against forum shopping.
14. Firefox zero-day used to unmask Tor users
A JavaScript zero-day exploiting a Firefox memory flaw was found in the wild, designed to deanonymise Tor Browser users on Windows. The code resembled an earlier law enforcement attack, and Mozilla and the Tor Project rushed out patches.
15. Uber begins tracking riders in the background
Uber pushed an app update that collected rider location from request until five minutes after drop-off, even when the app was closed. Users could now choose only Always or Never, losing the option to share location only while using the app.
16. China passes sweeping cybersecurity law
On 7 November China enacted its first comprehensive cybersecurity law, imposing data localisation duties on operators of critical information infrastructure. Foreign companies warned that security reviews could expose source code and personal data to state inspection.
→ www.dataprotectionreport.com
17. Cobalt gang strikes European banks with ATM jackpotting
Security firm Group-IB reported that the Cobalt group had compromised bank networks and forced cash machines to dispense money across more than a dozen countries. The attacks used remote commands rather than physical tampering, which made them harder to detect.
18. Michigan State University breach exposes 400,000 records
Michigan State University disclosed that an intruder reached a database holding around 400,000 student and staff records, including names and social security numbers. The university took the server offline within a day and offered identity protection to those affected.
19. LinkedIn blocked in Russia over data localisation
A Moscow court upheld a ruling to block LinkedIn across Russia for failing to store citizens' data on local servers. The regulator Roskomnadzor enforced the block in November, the first major test of the country's data localisation law.
20. Locky ransomware spreads through Facebook Messenger
Attackers abused Facebook Messenger to push malicious SVG image files that installed a rogue Chrome extension and the Nemucod downloader. In some cases the chain delivered Locky ransomware while also messaging the victim's contacts to spread further.