Privacy Roundup #0132 • July 2017
July 2017 was dominated by misconfigured cloud servers spilling millions of customer records, while governments pushed harder against encryption and anonymity tools.
1. ICO rules Royal Free NHS Trust broke the law by handing patient data to Google DeepMind
The UK Information Commissioner found that the Royal Free London NHS Trust failed to comply with data protection law when it gave Google DeepMind the records of 1.6 million patients. Regulators said patients were not properly told how their information would be used.
2. Most US states refuse to hand voter data to Trump's election fraud commission
At least 44 states declined to give all of the personal voter information requested by the presidential commission led by Kris Kobach. Officials cited privacy laws and objected to submitting names, addresses and partial Social Security numbers through an online portal.
3. Self-service kiosk vendor Avanti Markets hacked, payment and biometric data exposed
Malware on Avanti Markets break-room kiosks stole customer names, payment card numbers and card expiry dates. Because some kiosks accept fingerprint payments, the company warned that biometric details might also have been taken.
4. Exposed server leaks personal details of over three million WWE fans
Researchers found a publicly readable Amazon S3 bucket holding plain-text records on more than three million wrestling fans. The data included names, home and email addresses, ethnicity and other personal details.
5. The AA finally admits it exposed customer data and kept quiet
The British motoring group confirmed that a misconfigured server left around 117,000 customers' emails, addresses and partial card data publicly accessible. The AA had known about the exposure since April but did not tell affected customers for months.
6. US government drops Kaspersky from its approved vendors list
The General Services Administration removed Kaspersky Lab from the lists of suppliers federal agencies can buy from, citing security concerns. The move followed allegations of ties between the Moscow-based firm and Russian intelligence.
7. Verizon exposes data on 14 million customers through a contractor's open server
A contractor, NICE Systems, left an Amazon S3 bucket publicly readable, exposing records on roughly 14 million Verizon customers who had recently called support (Verizon disputed the figure, putting it at about six million). The records covered roughly six months of support calls and were openly downloadable until researchers at UpGuard reported them.
8. EFF day of action floods the FCC with 1.6 million net neutrality comments
On 12 July, the EFF and hundreds of sites staged a day of action defending net neutrality and broadband privacy. Supporters filed more than 1.6 million comments with the FCC, breaking the previous record.
9. EFF ranks which companies stand up for users against government data demands
The EFF published its seventh annual Who Has Your Back report, rating major technology firms on how they handle government requests for user data. Nine companies earned perfect scores, while large telecoms such as AT&T and Verizon scored lowest.
10. Rogue Bupa employee steals data on more than half a million customers
Health insurer Bupa said an employee had copied and removed customer information, initially put at around 108,000 international policyholders and later revised to about 547,000. The data included names, dates of birth, nationalities and contact details.
11. Australia's prime minister says the laws of mathematics do not apply to encryption
Malcolm Turnbull announced plans to force technology firms to give law enforcement access to encrypted communications. Pressed on the maths, he declared that the laws of Australia prevail over the laws of mathematics, a claim cryptographers ridiculed.
12. Swedish Transport Agency leak hands sensitive citizen data to foreign contractors
An outsourcing deal with IBM gave staff in eastern Europe access to a register holding personal details on millions of Swedes, including police and military records, without proper security clearances. The scandal triggered a political crisis and the conviction of the agency's former head.
13. Dow Jones exposes customer data through a misconfigured Amazon S3 bucket
Researchers found a Dow Jones Amazon S3 bucket whose access control list granted read access to the "Authenticated Users" group, which in S3 means anyone signed in to any AWS account, not the company's own users, so any holder of a free Amazon account could download it. The exposed data included names, addresses, email addresses and partial card numbers for millions of subscribers (Dow Jones said 2.2 million; the researchers estimated closer to four million).
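Items 4, 7 and 13 share one root cause: an S3 bucket ACL that grants a global group rights the owner never intended. The following is an added example, not code from the roundup or from any of the companies named; it flags such grants in an ACL of the same shape that boto3's s3.get_bucket_acl(Bucket=...) returns. The sample ACL is constructed for the demonstration and includes the "Authenticated Users" grant that exposed the Dow Jones data.

```python
"""Flag S3 bucket ACL grants that hand rights to every AWS user.

Added example. The ACL dict mirrors the response shape of boto3's
s3.get_bucket_acl(Bucket=...); no network access is needed here because
the sample below is constructed inline.
"""

# Well-known S3 group URIs. Both are effectively "the public":
# AuthenticatedUsers is anyone with *any* AWS account, free tier included.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # not public

PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}

# What each permission lets the grantee do on a *bucket* ACL.
PERMISSION_MEANING = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (full takeover)",
    "FULL_CONTROL": "all of the above",
}

# Constructed sample ACL: owner has full control, the LogDelivery group may
# write access logs, and a stray READ grant to AuthenticatedUsers exposes it.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def public_grants(acl):
    """Return (who, permission) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail are specific principals
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who is not None:
            findings.append((who, grant["Permission"]))
    return findings


def is_world_readable(acl):
    """True if anyone (or any AWS account) can list the bucket."""
    return any(p in ("READ", "FULL_CONTROL") for _, p in public_grants(acl))


def is_world_writable(acl):
    """True if anyone can write objects or rewrite the ACL itself."""
    return any(p in ("WRITE", "WRITE_ACP", "FULL_CONTROL")
               for _, p in public_grants(acl))


def describe(acl):
    """Human-readable findings, one line per public grant."""
    return [f"{who}: {perm} -> {PERMISSION_MEANING.get(perm, perm)}"
            for who, perm in public_grants(acl)]


if __name__ == "__main__":
    # Against a live account you would pass in
    # boto3.client("s3").get_bucket_acl(Bucket=name) instead of SAMPLE_ACL.
    for line in describe(SAMPLE_ACL):
        print(line)
    print("world-readable:", is_world_readable(SAMPLE_ACL))
    print("world-writable:", is_world_writable(SAMPLE_ACL))
```

A bucket READ grant only lets the grantee list keys; downloading each object depends on that object's own ACL, so the same check should be run over get_object_acl results (or over a sample of them) as well. Bucket policies are a second, independent path to public exposure and are not covered by ACL inspection; S3 Block Public Access, which can override both, was not introduced until late 2018, well after the incidents above.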
14. Police shut down AlphaBay and Hansa in coordinated dark web takedown
Law enforcement agencies across several countries dismantled the AlphaBay and Hansa marketplaces in one of the largest dark web operations to date. Dutch police secretly ran Hansa for weeks, harvesting buyers' and vendors' identifying details.
15. iRobot's chief defends Roomba home mapping after data-selling concerns
After a Reuters interview suggested iRobot might sell maps of customers' homes to Amazon, Apple or Google, the company faced a privacy backlash. Chief executive Colin Angle insisted any sharing would require customer consent and that no plans had been finalised.
16. EFF backs Senate bill requiring warrants for email and location data
The EFF welcomed the ECPA Modernization Act, which would require police to obtain a probable cause warrant before accessing private content and geolocation data held by service providers. The bill aimed to update a privacy law first written in 1986.
17. Apple removes VPN apps from its China App Store
Following government orders, Apple pulled major VPN apps, including ExpressVPN, from its Chinese store for containing content deemed illegal. The move cut off a key tool that people in China use to bypass state censorship.
18. Anthem suffers a second breach after a contractor's insider theft
Health insurer Anthem said a contractor, LaunchPoint Ventures, had an employee who misused data belonging to around 18,000 Medicare members. The exposed records included Medicare ID numbers, Social Security numbers and enrolment dates.
19. Sabre breach hits Four Seasons, Trump Hotels and other chains
A breach of Sabre's SynXis reservation system exposed guest payment card data across many hotel brands, and affected properties began notifying customers in July. The compromised details included cardholder names, card numbers, expiry dates and, in some cases, security codes.
20. EPIC asks the FTC to halt Google's tracking of in-store credit card purchases
Privacy group EPIC filed a complaint urging the FTC to investigate a Google programme that links online advertising to offline purchases. EPIC said Google used a secret algorithm to match billions of credit and debit card transactions to ad views, without meaningful transparency or opt-out.