Privacy Roundup #0139 • February 2018

February 2018 was dominated by leaky cloud buckets, hijacked websites mining cryptocurrency, and European courts and regulators putting Facebook and other trackers on notice.

1. The FTC settles with Venmo over a series of privacy and security violations

The Federal Trade Commission announced a settlement with PayPal over charges that its Venmo payment service had misled users about privacy controls and the security of their funds. Regulators said Venmo made transactions public by default and falsely claimed bank-grade security, and the company agreed to clearer disclosures and a decade of independent audits.

techcrunch.com

2. Equifax hackers may have stolen more data than originally revealed

Documents submitted to the Senate Banking Committee showed that the Equifax breach had exposed more information than the company first admitted. The newly acknowledged data included tax identification numbers, email addresses, phone numbers and additional driving licence and credit card details for affected consumers.

www.csoonline.com

3. Marketing firm Octoly exposed the personal data of 12,000 social media influencers

UpGuard revealed that the Paris marketing startup Octoly had left an Amazon S3 bucket open, exposing the real names, addresses, phone numbers and emails of more than 12,000 creators. The exposure undid the efforts these largely young and female influencers had made to keep their identities private.

www.upguard.com

4. Chinese police start wearing facial-recognition glasses

Officers at a Zhengzhou railway station began using smart glasses that match faces against a database of 10,000 suspects in about a tenth of a second. Rights groups warned that putting recognition technology on individual officers could make China's surveillance state far more pervasive.

www.technologyreview.com

5. Partners HealthCare notifies patients after a data breach

The Boston hospital network told roughly 2,600 patients that malware had exposed their information, including names, diagnoses, medications and, for some, Social Security and financial account data. The provider said it found no evidence that the records had been misused.

www.healthcaredive.com

6. Data of 800,000 Swisscom customers compromised in breach

Switzerland's largest telecoms company disclosed that an attacker had abused a sales partner's access to reach the records of about 800,000 customers, nearly a tenth of the country's population. The exposed details included names, home addresses, dates of birth and telephone numbers.

www.helpnetsecurity.com

7. Sacramento Bee leaks 19.5 million California voter records

A firewall that was not restored after maintenance exposed a database of 19.5 million California voter files, which attackers then deleted and held for ransom. The newspaper refused to pay and removed the databases, which had also contained details on tens of thousands of its own subscribers.

gizmodo.com

8. Cryptojacking attack hits about 4,000 sites, including the UK's data watchdog

A compromised version of the BrowseAloud accessibility script injected Coinhive mining code into thousands of websites, including the Information Commissioner's Office and US court pages. Visitors had their processors quietly used to mine cryptocurrency until the supplier took the script offline.

techcrunch.com

9. German court finds fault with Facebook's default privacy settings

A Berlin court ruled that several of Facebook's default settings and parts of its terms breached German data protection law. The judges found that the company hid privacy-unfriendly defaults and that its real-name requirement was unlawful.

techcrunch.com

10. Facebook's 'Protect' feature on iOS turns out to be data-harvesting software

Facebook began promoting a "Protect" option inside its iOS app that installed Onavo Protect, a VPN the company uses to watch what other apps people run. Reporters described it as spyware, noting the data collection was buried beneath a "read more" link rather than clearly disclosed.

9to5mac.com

11. EFF report says law enforcement face recognition threatens civil liberties

The EFF published a report arguing that police face recognition is being deployed with little oversight and disproportionately harms people of colour. It noted that around half of American adults already sit in law enforcement face recognition databases.

www.eff.org

12. Scanned IDs of 119,000 FedEx customers exposed online

Researchers found an unsecured Amazon bucket, inherited from the firm Bongo International, holding scans of passports, driving licences and other identity documents for about 119,000 people. The files had sat publicly accessible for years before FedEx secured them.

www.helpnetsecurity.com

13. Belgian court orders Facebook to stop tracking web users

A Brussels court ordered Facebook to stop following the browsing of people in Belgium, including non-members, through cookies and social plug-ins. The company faced penalties of 250,000 euros a day, up to 100 million euros, and was told to destroy data it had gathered unlawfully.

phys.org

14. Hackers hijack Tesla's Amazon cloud account to mine cryptocurrency

Researchers discovered that intruders had broken into a Tesla AWS account through an unsecured administration console and used it to mine cryptocurrency. The same environment held sensitive telemetry data, raising concerns about what else the attackers could have reached.

fortune.com

15. LA Times homicide site hijacked to mine cryptocurrency

An open Amazon S3 bucket let attackers slip Coinhive mining code into the Los Angeles Times interactive homicide map. Visitors had their processors used to mine Monero for weeks before a security researcher spotted the hidden script.

www.theregister.com

16. Mandatory data breach notification begins in Australia

From 22 February 2018 Australian organisations had to report eligible data breaches likely to cause serious harm to both the privacy commissioner and affected individuals. The scheme set a thirty-day assessment window and fines for hiding or failing to report a qualifying breach.

www.dataprotectionreport.com

17. San Francisco weighs community broadband to protect privacy and net neutrality

A municipal fibre panel recommended that San Francisco build community broadband with strong privacy rules baked in. The plan would require any provider to obtain opt-in consent before selling or sharing a customer's personal information.

www.eff.org

18. Supreme Court hears the Microsoft Ireland cross-border data case

The US Supreme Court heard argument on whether a warrant could force Microsoft to hand over emails stored on servers in Dublin. The case put the privacy of cross-border data, and the reach of decades-old surveillance law, before the justices.

www.lawfaremedia.org

19. Can India's Aadhaar biometric identity programme be fixed?

The EFF examined India's Aadhaar system and argued that its weak oversight, repeated data exposures and authentication failures could not be patched away. The piece warned that other governments were watching Aadhaar as a model for their own biometric databases.

www.eff.org

20. Apple moves Chinese iCloud data and keys to a state-linked company

Apple transferred operation of Chinese users' iCloud accounts, and the encryption keys, to a firm tied to the provincial government in Guizhou. Rights groups warned this made it far easier for Chinese authorities to demand access to people's stored data.

www.macrumors.com
