Privacy Roundup #0127 • February 2017

February 2017 paired sloppy corporate data leaks with a hardening of government surveillance at the border and in the courts.

1. Cloudbleed bug leaked sensitive data from millions of Cloudflare-fronted sites

A buffer overflow in Cloudflare's edge servers spilled passwords, cookies and other private data into the responses of unrelated websites. Search engines had already cached some of the leaked material before the firm deployed a fix.

techcrunch.com

2. Vizio settles with the FTC over secret smart TV tracking

Vizio agreed to pay 2.2 million dollars to the FTC and New Jersey after collecting second-by-second viewing data from eleven million televisions without consent. The settlement required the company to obtain affirmative consent and to delete data gathered before March 2016.

www.ftc.gov

3. InterContinental confirms card breach at twelve hotels

InterContinental Hotels Group acknowledged that point-of-sale malware had siphoned payment card data from restaurants and bars at a dozen managed properties. The stolen records included cardholder names, numbers, expiry dates and verification codes.

krebsonsecurity.com

4. Arby's acknowledges payment card breach at hundreds of restaurants

The fast food chain admitted that malware on its point-of-sale systems had exposed credit and debit card data at hundreds of corporate locations. More than 355,000 cards issued by member banks of one payment processor were affected.

krebsonsecurity.com

5. CloudPets toys leak two million voice recordings of children

An unsecured MongoDB database belonging to the maker of CloudPets connected teddy bears exposed account details for more than 800,000 users and over two million voice messages. Attackers had already deleted the data and left a ransom demand behind.

www.theregister.com

6. Germany bans the My Friend Cayla doll as an espionage device

Germany's Federal Network Agency ordered the internet-connected doll removed from sale and urged parents to destroy it. Regulators ruled that its hidden microphone and wireless transmission made it an unlawful surveillance device.

www.securityweek.com

7. Researchers demonstrate the first practical SHA-1 collision

A team from Google and CWI Amsterdam produced two different PDF files sharing the same SHA-1 hash, proving the algorithm broken in practice. The result underlined the danger of relying on SHA-1 for digital signatures and certificates.

www.eff.org

8. House passes the Email Privacy Act for a second time

The House of Representatives approved the Email Privacy Act by voice vote, requiring a warrant before the government can read stored emails. The bill aimed to close a loophole that had let agents search messages older than 180 days without one.

www.eff.org

9. EFF asks travellers to report invasive device searches at the border

The EFF began collecting first-hand accounts after reports that border agents were demanding device access and social media handles. The call covered US citizens and permanent residents whose phones and laptops had been examined.

www.eff.org

10. Yahoo warns users that forged cookies hijacked their accounts

Yahoo notified account holders that attackers had used forged browser cookies to log in without a password. The company linked the activity to the same state-sponsored actor blamed for an earlier theft of 500 million accounts.

www.cnbc.com

11. Verizon cuts the Yahoo acquisition price by 350 million dollars

Verizon and Yahoo amended their merger to lower the purchase price after disclosure of breaches affecting more than a billion accounts. The two firms also agreed to share certain legal and regulatory liabilities arising from the hacks.

www.bankinfosecurity.com

12. Amazon argues Alexa recordings are protected by the First Amendment

Amazon filed a motion to quash a warrant seeking Echo data in an Arkansas murder case, claiming both user requests and Alexa's responses are protected speech. The company demanded a heightened showing of need before any recordings were handed over.

techcrunch.com

13. European watchdogs remain unhappy with Windows 10 privacy settings

EU data protection authorities said Microsoft had not done enough to address concerns over Windows 10 telemetry and default data collection. The Article 29 Working Party pressed for clearer consent ahead of the changes promised in the Creators Update.

techcrunch.com

14. Trump executive order raises doubts over the EU-US Privacy Shield

An executive order directed agencies to exclude non-citizens from Privacy Act protections, prompting worry about the legal footing of transatlantic data transfers. Commentators questioned how the move would affect the Privacy Shield review later in the year.

techcrunch.com

15. Privacy groups challenge the FBI's mass hacking in the Playpen case

The EFF, the ACLU of Massachusetts and Privacy International filed briefs arguing that a single warrant could not authorise hacking 8,700 computers across 120 countries. They contended that the network investigative technique amounted to malware deployed without proper authority.

securityaffairs.com

16. DHS floats demanding social media passwords from visa applicants

Homeland Security Secretary John Kelly told Congress the department might require social media login details from some foreign visitors. The EFF warned that the move would expose private communications and associations far beyond border security needs.

www.eff.org

17. Sports Direct kept a staff data breach secret for months

The Register reported that Sports Direct had been hacked the previous autumn through an unpatched staff portal, exposing personal details of around 30,000 employees. The retailer had not informed its workforce that their data may have been taken.

www.theregister.com

18. Polish banks infected by malware served from a government website

Several Polish banks found previously unknown malware on their systems after staff visited the compromised site of the country's financial regulator. The code connected to foreign servers and performed reconnaissance and data exfiltration inside bank networks.

www.bleepingcomputer.com

19. NASA engineer forced to unlock his phone at the US border

US-born NASA scientist Sidd Bikkannavar was detained on his return from Chile until he handed over the PIN to his agency-issued phone. Border officers copied data from the device, raising questions over searches of citizens carrying government property.

gizmodo.com

20. IRS warns of a W-2 phishing scam spreading beyond corporations

The IRS issued an urgent alert as a phishing scheme blending chief executive impersonation with W-2 theft hit schools, tribal bodies and nonprofits. Fraudsters tricked payroll staff into sending employee names, salaries and Social Security numbers.

krebsonsecurity.com
