Privacy Roundup #0142 • May 2018
GDPR arrived as the defining event of the month, while leaked phone location data, broken email encryption and fresh chip flaws kept the pressure on everyone else.
1. The General Data Protection Regulation took effect across the EU
The European Union's sweeping data protection law became enforceable on 25 May, giving residents stronger rights over their personal data. Penalties of up to twenty million euros or four per cent of global turnover gave the rules real teeth.
2. Max Schrems filed first GDPR complaints over forced consent
On the very first day of GDPR, the NOYB group lodged complaints against Google, Facebook, Instagram and WhatsApp. The complaints argued that bundling consent with access to a service did not amount to the free choice the law requires.
3. Twitter told all users to change passwords after a logging bug
Twitter disclosed on 3 May that a bug had written user passwords in plain text to an internal log before they were hashed. The company said it had fixed the flaw and found no sign of misuse, but urged all 336 million users to change their passwords anyway.
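As an added illustration (not code from Twitter or from this newsletter), the constructed Python below shows the class of defect described above: one login handler logs the raw request before the password is hashed, the other redacts sensitive fields at the boundary and logs only the salted hash. Field names, the PBKDF2 parameters and the log format are assumptions.

```python
"""Logging-before-hashing defect, modelled on Twitter's disclosure, beside a
fixed handler. Constructed example: field names and log format are assumptions."""
from __future__ import annotations
import hashlib
import logging
import os
from io import StringIO

SENSITIVE_FIELDS = {"password", "new_password", "passwd", "token"}

def _buffer_logger(name: str) -> tuple[logging.Logger, StringIO]:
    """Logger that writes to memory so the output can be inspected."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf

def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-SHA256: the only form in which a password should persist."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def handle_login_buggy(form: dict) -> str:
    """Defect: the whole request is logged before the password is hashed."""
    logger, buf = _buffer_logger("login.buggy")
    logger.debug("login request: %s", form)      # plaintext password hits the log
    hash_password(form["password"])
    return buf.getvalue()

def redact(form: dict) -> dict:
    """Mask sensitive fields by key name before anything reaches a logger."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v
            for k, v in form.items()}

def handle_login_fixed(form: dict) -> str:
    """Fix: redact at the boundary; log only the salted hash, never the input."""
    logger, buf = _buffer_logger("login.fixed")
    logger.debug("login request: %s", redact(form))
    stored = hash_password(form["password"])
    logger.debug("credential stored: %s", stored)  # hash output is safe to log
    return buf.getvalue()

def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Detection check: search captured logs for a known test password."""
    return secret in log_text

if __name__ == "__main__":
    form = {"username": "alice", "password": "correct horse battery"}
    print("buggy leaks:", log_leaks_secret(handle_login_buggy(form), form["password"]))
    print("fixed leaks:", log_leaks_secret(handle_login_fixed(form), form["password"]))
```

Running the same check against real application logs with a canary password set on a test account is a cheap way to catch this defect class before it reaches production.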
4. EFAIL flaws exposed plaintext from encrypted email
Researchers disclosed the EFAIL attacks in mid May, showing how flaws in OpenPGP and S/MIME could reveal the plaintext of encrypted messages. The attack abused active content in HTML email to exfiltrate decrypted text to a remote server.
5. LocationSmart leaked real-time phone location data
Brian Krebs reported on 17 May that the data aggregator LocationSmart had exposed the live location of customers of every major US carrier. A flawed demo on its website let anyone query a phone's whereabouts without any authentication or consent.
6. US prison telco accused of selling your phone's location to the cops
Senator Ron Wyden revealed in early May that prison phone firm Securus could pinpoint the live location of almost any US handset through the major carriers. He pressed the FCC and the networks to explain how the broker had obtained the data without proper consent or oversight.
7. Cambridge Analytica shut down and filed for bankruptcy
The data firm at the centre of the Facebook scandal announced on 2 May that it was ceasing operations. It blamed a siege of media coverage that had driven away its clients, then filed for bankruptcy in the United States days later.
8. FBI urged everyone to reboot routers over VPNFilter malware
On 25 May the FBI warned that foreign actors had infected hundreds of thousands of home and office routers with malware known as VPNFilter. The bureau told users to reboot at-risk devices to disrupt the malware, which researchers tied to a Russian state group.
9. Researchers disclosed Spectre Variant 4 chip flaw
Microsoft and Google revealed a fourth speculative execution flaw on 21 May, dubbed Speculative Store Bypass. The bug affected processors from Intel, AMD, Arm and IBM, and mitigations carried a further performance cost.
10. ACLU revealed Amazon was selling face recognition to police
The ACLU disclosed on 22 May that Amazon was marketing its Rekognition tool to law enforcement as a surveillance system. More than forty civil liberties groups signed a letter demanding Amazon stop selling the technology to governments.
11. Vermont enacted the first US data broker law
On 22 May Vermont passed the nation's first law regulating data brokers. It required brokers to register with the state, pay an annual fee and maintain minimum data security standards.
12. Teen monitoring app TeenSafe exposed thousands of accounts
TechCrunch reported on 21 May that the parental monitoring app TeenSafe had left servers open without a password. The exposed records included parents' email addresses along with children's Apple ID credentials stored in plain text.
13. Z-Shave downgrade attack threatened millions of smart home devices
Pen Test Partners detailed an attack on the Z-Wave protocol that could force devices to use the weak older S0 security standard. With its key widely known, an attacker could decrypt traffic and even take control of a smart door lock.
14. Chili's disclosed a payment card breach
The restaurant chain Chili's announced on 11 May that malware had harvested customers' payment card data. The company said the compromise appeared limited to March and April but did not yet know how many people were affected.
15. Comcast website bug leaked customers' router passwords and addresses
TechCrunch reported on 21 May that a flaw in Comcast's Xfinity activation site exposed home addresses along with the names and passwords of customers' wireless routers. An attacker needed only an account number and a house number to pull the credentials back in plain text.
16. Facebook suspended 200 apps in its data misuse audit
Facebook said on 14 May that it had suspended around 200 apps as part of an audit prompted by the Cambridge Analytica scandal. The review targeted apps that had access to large amounts of user data before earlier policy changes.
17. Rail Europe disclosed a three-month payment card breach
Rail Europe North America notified customers in May that attackers had accessed its website for almost three months. The intrusion exposed names, addresses and full payment card details, including security codes.
18. US news sites blocked European readers on the GDPR deadline
As GDPR took effect on 25 May, several US publishers cut off access for European visitors rather than risk non-compliance. Sites owned by Tronc and Lee Enterprises, including the Los Angeles Times, went dark across the EU.
19. California Senate passed the SB 822 net neutrality bill
On 30 May the California Senate voted to pass SB 822, described as the strongest state net neutrality law in the country. The bill barred internet providers from blocking or throttling traffic and from offering paid prioritisation.
20. Zuckerberg faced the European Parliament over data privacy
Mark Zuckerberg appeared before EU lawmakers on 22 May to answer for the Cambridge Analytica scandal. The short format let him dodge many pointed questions just days before GDPR took effect.