Privacy Roundup #0141 • April 2018
April 2018 was dominated by the widening Cambridge Analytica fallout, a run of large retail and app breaches, and a scramble to comply with the looming GDPR deadline.
1. Panerabread.com leaked millions of customer records for eight months
Brian Krebs reported that Panera Bread left customer names, email and physical addresses, birthdays and partial card numbers exposed in plain text on its website. A researcher had warned the company in August 2017, yet the data stayed open until the site was pulled offline in April.
2. Saks and Lord & Taylor suffered a payment card breach affecting five million cards
Hudson's Bay disclosed that point-of-sale systems at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor had been compromised since May 2017. The JokerStash syndicate put around five million stolen cards up for sale on the dark web.
3. Grindr came under fire for sharing users' HIV status with third parties
Researchers found that Grindr passed users' HIV status and last tested date, alongside GPS coordinates and device identifiers, to analytics firms Apptimize and Localytics. After a public backlash the company said it would stop sharing the sensitive health data.
→ www.infosecurity-magazine.com
4. Facebook said up to 87 million people were caught in the Cambridge Analytica scandal
Facebook revised its estimate of affected users sharply upward, from about 50 million to as many as 87 million. The figure was disclosed by chief technology officer Mike Schroepfer in a blog post near the foot of a long list of changes.
5. Facebook disabled search by phone number and email after mass scraping
Facebook switched off the feature that let anyone look up a profile using a phone number or email address. The company admitted that malicious actors had abused it and that most users could have had their public profiles scraped this way.
6. Sears and Delta customer data was exposed through the [24]7.ai breach
Sears and Delta Air Lines disclosed that a breach at chat software supplier [24]7.ai had exposed payment card details from an incident in late 2017. Fewer than 100,000 Sears customers and a number of Delta customers had names, addresses and card data accessed.
7. Facebook quietly retracted Zuckerberg's old messages from people's inboxes
Recipients found that messages Mark Zuckerberg had sent them years earlier had vanished from their Facebook inboxes, while their own replies remained. Facebook said it had removed the executive's messages for security reasons after the 2014 Sony Pictures hack.
8. Mozilla extended its Facebook Container to Instagram and Messenger
Mozilla updated its Firefox Facebook Container extension to isolate Instagram and Facebook Messenger as well as the main site. The tool keeps a user's Facebook identity in a separate container so the company cannot track browsing on other sites through third-party cookies.
9. Best Buy confirmed it was caught in the same [24]7.ai breach
Best Buy said a portion of its online customers may have had payment details exposed through the chat supplier [24]7.ai. The retailer became the third major brand, after Sears and Delta, to report being affected by the same 2017 compromise.
10. Facebook suspended the myPersonality quiz app over data sharing
Facebook suspended the academic myPersonality app, which had collected detailed quiz results from more than three million users. The data had been left loosely protected for years and was accessible to hundreds of people who registered as project collaborators.
11. Facebook suspended CubeYou and AggregateIQ as the scandal widened
Facebook suspended the analytics firm CubeYou after a CNBC investigation found it ran personality quizzes marketed as academic research while selling the results to marketers. It also suspended the Canadian firm AggregateIQ over its reported links to Cambridge Analytica.
12. The EFF warned the CLOUD Act started a privacy race to the bottom
The Electronic Frontier Foundation argued that the newly passed US CLOUD Act and parallel EU proposals were together weakening cross-border privacy protections. Both schemes let police seize data held abroad without following the privacy rules of the country where it is stored.
13. Zuckerberg was pressed on Facebook's shadow profiles in Congress
During his House testimony, Mark Zuckerberg was asked about the data Facebook holds on people who never signed up for the service. He said he was not familiar with the term shadow profiles and acknowledged that non-users must create an account to find out what is held on them.
14. Facebook rolled out new privacy controls ahead of GDPR
Facebook announced new consent screens and data tools, asking everyone to review how their information is used regardless of where they live. The changes covered partner advertising, profile data and face recognition, and were timed for the GDPR deadline of 25 May.
15. Data scraping firm LocalBlox exposed 48 million personal profiles
Researchers at UpGuard found a publicly accessible Amazon storage bucket holding around 48 million records assembled by the data broker LocalBlox. The profiles stitched together names, addresses, dates of birth and information scraped from Facebook, LinkedIn, Twitter and Zillow.
16. TaskRabbit went offline after a security breach
The Ikea-owned gig work platform TaskRabbit took its app and website down after discovering that an unauthorised party had accessed its systems. The company warned users that personal information may have been compromised and urged them to change reused passwords.
17. A former SunTrust employee stole data on 1.5 million clients
SunTrust said a former employee had tried to download details on around 1.5 million customers and hand them to a criminal third party. The exposed records included names, addresses, phone numbers and account balances, although the bank said the most sensitive identifiers were not involved.
18. Ride-hailing app Careem disclosed a breach affecting 14 million people
The Dubai-based ride-hailing firm Careem revealed that attackers had stolen the names, email addresses, phone numbers and trip data of about 14 million riders and drivers. The company had detected the incident in January but waited until April to tell its customers.
19. The SEC fined Yahoo 35 million dollars for hiding a data breach
The Securities and Exchange Commission penalised the company now called Altaba 35 million dollars for failing to tell investors about the 2014 theft of data from 500 million Yahoo accounts. It was the first time the regulator had punished a public company for a cybersecurity disclosure failure.
20. WhatsApp raised its minimum age to 16 in Europe ahead of GDPR
WhatsApp lifted the minimum age for its service from 13 to 16 across the European region to align with the new data protection rules. New users were asked to confirm they were at least 16 as they accepted updated terms from a new WhatsApp Ireland entity.