Privacy Roundup #0131 • June 2017

June 2017 turned data exposure into a global spectacle, as leaked voter files, spilled customer records, fresh CIA hacking tools and a wave of surveillance laws collided with a few hard-won wins for privacy.

1. China's cybersecurity law took effect with sweeping data rules

On 1 June, China's Cybersecurity Law came into force, requiring network operators to store certain personal data inside the country and to submit to government inspections. Critics warned that the vague terms handed Beijing broad powers to monitor users and to pressure foreign firms holding their data.

www.cnbc.com

2. OneLogin breach exposed the ability to decrypt customer data

The single sign-on provider OneLogin admitted on 1 June that intruders had used stolen Amazon keys to reach its United States systems. The company conceded it could not rule out that the attackers had also gained the ability to decrypt the encrypted data it stored for around two thousand corporate customers.

krebsonsecurity.com

3. WikiLeaks published the CIA's Pandemic file-server implant

On 2 June, WikiLeaks released documents on a CIA tool called Pandemic, which turns a file server into a launch point for infecting other machines on a network. The implant swaps clean programs for trojaned copies as they travel to colleagues, leaving the original file untouched to hide the tampering.

threatpost.com

4. Leaked NSA report on Russian election hacking led to an arrest

The Intercept published a top-secret NSA report on 5 June detailing Russian military attempts to breach a voting software supplier and to phish local election officials. Within hours the contractor Reality Winner was charged with leaking the document, raising sharp questions about source protection.

theintercept.com

5. Supreme Court agreed to hear a landmark cell-phone tracking case

On 5 June, the Supreme Court accepted Carpenter v. United States, a challenge to the warrantless collection of historical location records from mobile phones. The case asked whether the third-party doctrine should still strip privacy protection from data that maps a person's movements over months.

reason.com

6. UK election put online privacy and encryption under threat

Ahead of the 8 June general election, analysts warned that all three main parties leaned towards weaker encryption and broader surveillance, a mood sharpened by recent terror attacks. The Conservative manifesto called for new powers to police the internet that civil liberties groups feared would erode privacy.

blogs.lse.ac.uk

7. EU regulators set strict limits on monitoring workers

On 8 June, the Article 29 Working Party adopted an opinion on processing personal data at work, weighing employer interests against employee privacy. It warned that consent rarely counts as a valid legal basis at work and that pervasive monitoring of staff devices and movements was hard to justify.

www.insideprivacy.com

8. University College London hit by a ransomware attack

A strain of ransomware infected University College London from 14 June, encrypting files on personal and shared network drives across the campus. Staff suspected a so-called zero-day infection that slipped past standard antivirus tools after users visited a compromised website.

www.ibtimes.co.uk

9. WikiLeaks exposed the CIA's CherryBlossom router surveillance tool

On 15 June, WikiLeaks revealed CherryBlossom, a CIA framework that plants custom firmware on home and office wireless routers. Once installed, the implant lets operators monitor internet traffic and harvest email addresses and other identifiers from everyone using the network.

www.theregister.com

10. Data on almost 200 million voters was left exposed online

A contractor for the Republican National Committee, Deep Root Analytics, left a database describing roughly 198 million American voters open on an unsecured cloud server. The cache, discovered on 12 June, held home addresses, birth dates and modelled opinions on sensitive political and personal questions.

techcrunch.com

11. WannaCry forced Honda to shut down a car plant

Honda revealed that the WannaCry ransomware had infected older computers across several of its factories, prompting it to halt production at its Sayama plant in Japan. The shutdown around 19 June stopped output of about a thousand vehicles and showed the worm was still spreading weeks after its initial outbreak.

threatpost.com

12. Anthem agreed to a record data breach settlement

On 23 June, the health insurer Anthem agreed to pay 115 million dollars to settle lawsuits over a 2015 hack that exposed the personal records of nearly 79 million people. The deal, the largest of its kind at the time, funded credit monitoring and required Anthem to tighten its security for several years.

www.hunton.com

13. Google said it would stop scanning Gmail for ad targeting

Google announced on 23 June that it would end the practice of reading the contents of consumer Gmail to personalise advertisements. The change, demanded by privacy campaigners for years, brought the free service in line with the company's paid corporate email.

phys.org

14. WikiLeaks detailed the CIA's Brutal Kangaroo air-gap malware

On 25 June, WikiLeaks documents described Brutal Kangaroo, a CIA toolkit built to reach computers cut off from the internet. The malware spreads through infected USB drives, jumping across air-gapped networks to collect data from machines thought to be safely isolated.

fossbytes.com

15. Germany gave police sweeping new device hacking powers

On 22 June, the Bundestag approved an amendment letting police plant so-called state trojans on suspects' phones, tablets and computers. The malware can read messages before they are encrypted and reach private photos and files, with use extended well beyond terrorism to a long list of ordinary crimes.

www.helpnetsecurity.com

16. Court let the DEA take Oregon prescription records without a warrant

On 26 June, the Ninth Circuit reversed a ruling that had required a warrant before the DEA could reach patients' records in Oregon's prescription monitoring database. The court found the challengers lacked standing and held that federal law overrode the state's stronger privacy protections.

www.courthousenews.com

17. NotPetya tore through Ukraine and spread around the world

On 27 June, a destructive attack disguised as ransomware spread from a tainted update to Ukrainian accounting software and crippled banks, ministries and global firms. Dubbed NotPetya, it used a leaked NSA exploit to wipe machines, and victims who paid found there was no way to recover their data.

www.bleepingcomputer.com

18. Telegram agreed to register with Russia under pressure

On 28 June, Telegram's founder Pavel Durov agreed to register the messaging app on Russia's list of information distributors to avoid a ban. He insisted that the company would not hand over confidential user data, even as Moscow tightened its grip on private communications.

fortune.com

19. A Verizon contractor exposed records of 14 million customers

Researchers found that a supplier called Nice Systems had left the data of as many as 14 million Verizon customers on an unprotected cloud server, discovered on 13 June. The exposed files included names, phone numbers and account PINs that could be used to take over accounts.

www.bleepingcomputer.com

20. EU fined Google a record sum over its search results

On 27 June, the European Commission fined Google 2.42 billion euros for using its dominance in search to favour its own shopping service. The case underlined how control over the data that ranks the web hands one company outsized power over what users see and share.

phys.org

