Privacy Roundup #0143 • June 2018

June 2018 paired a landmark Supreme Court win for location privacy and California's sweeping new consumer law with a relentless run of breaches and fresh fights over surveillance and corporate data sharing.

1. Supreme Court rules police need a warrant for cell phone location data

In Carpenter v. United States the court held that gathering historical cell site location records counts as a search under the Fourth Amendment. The 5 to 4 ruling rejected the third party doctrine for sustained location tracking and marked a major shift in digital privacy law.

www.eff.org

2. California passes a sweeping new consumer privacy law

Governor Jerry Brown signed the California Consumer Privacy Act on 28 June, granting residents rights to know, delete and opt out of the sale of their data. Lawmakers rushed the bill through to head off a tougher ballot initiative, setting a 2020 effective date.

iapp.org

3. Facebook shared user data with dozens of device makers

Reporting revealed Facebook had given at least sixty device manufacturers, including Apple, Samsung, BlackBerry and Amazon, deep access to user and friend data. Critics said the arrangements may have breached a 2011 settlement with the Federal Trade Commission.

fortune.com

4. A Facebook bug made up to 14 million users' posts public

Facebook disclosed that a software fault had switched the audience for new posts to public for around fourteen million people. The bug ran from 18 to 27 May before the company caught it and reverted the affected posts.

slate.com

5. MyHeritage breach exposes 92 million accounts

The genealogy service confirmed that a researcher had found a file on an outside server holding the email addresses and hashed passwords of more than ninety-two million users. DNA results and family trees were stored separately and were not part of the exposed archive.

www.bleepingcomputer.com

6. NSA deletes hundreds of millions of call records

The agency announced it was purging call detail records gathered since 2015 after finding technical irregularities in data supplied by telephone companies. It said it could not separate records it was entitled to keep from those it had no authority to receive.

www.cnbc.com

7. Exactis leak exposes data on nearly every American

A researcher found that the Florida marketing firm Exactis had left around 340 million records on a publicly reachable server. The trove held phone numbers, home addresses and hundreds of personal attributes covering most US adults and businesses.

gizmodo.com

8. Carriers pledge to stop selling location data to aggregators

After scandals at Securus and LocationSmart, Verizon said it would end its deals with location aggregators, and AT&T, Sprint and T-Mobile quickly followed. The pledges came after data brokers were caught exposing real-time customer location to outsiders.

krebsonsecurity.com

9. VPNFilter malware infects half a million routers

Researchers detailed VPNFilter, a botnet linked to Russian state actors that had compromised around five hundred thousand routers and network storage devices worldwide. The malware could log credentials, survive reboots and even brick infected hardware on command.

www.schneier.com

10. Apple builds a USB lockout to thwart phone cracking tools

Apple confirmed a new USB Restricted Mode that blocks data transfer over the port an hour after a device was last unlocked. The feature aimed to frustrate forensic tools such as GrayKey, and police weighed warrantless unlocks to beat it.

www.vice.com

11. Google says it will not renew its Project Maven contract

Following protests and resignations by staff, Google told employees it would not extend its Pentagon contract to analyse drone surveillance footage with artificial intelligence. More than four thousand workers had signed a petition demanding the company drop the work.

theintercept.com

12. Amazon workers urge Bezos to stop selling face recognition to police

In a letter to chief executive Jeff Bezos, Amazon employees demanded the company stop selling its Rekognition system to law enforcement. They wrote that they refused to build tools for surveillance of marginalised communities, echoing earlier objections from civil rights groups.

fortune.com

13. EU committee advances copyright filtering and link licensing rules

The European Parliament's legal affairs committee voted to advance the copyright directive's Article 13 filtering rules and Article 11 link licensing requirement. Campaigners warned the measures would force costly content scanning and a charge for linking to news.

www.eff.org

14. Ticketmaster breach traced to a hijacked chat widget

Ticketmaster told customers that malicious code planted in a third party chat tool from Inbenta had skimmed names, addresses, payment details and login data. The theft was later tied to a much wider Magecart card skimming campaign across many sites.

www.bleepingcomputer.com

15. Adidas warns millions of US shoppers of a breach

The sportswear firm said an unauthorised party had claimed to have obtained data belonging to customers who shopped on its US website. The exposed information included contact details, usernames and encrypted passwords, though Adidas said no payment or fitness data was taken.

www.theregister.com

16. Dixons Carphone discloses a large card and data breach

The retailer revealed that intruders had targeted 5.9 million payment cards and accessed 1.2 million records holding names, addresses and email addresses. Most cards carried chip and PIN protection, but around 105,000 non-European cards were left exposed.

techcrunch.com

17. PageUp breach hits major employers across Australia

The recruitment software provider PageUp confirmed that, on the balance of probabilities, personal data had been accessed during a malware infection of its systems. Clients including Coles, Telstra, Australia Post and NAB suspended their hiring portals while the firm investigated.

www.itnews.com.au

18. FastBooking breach exposes guest data at hundreds of hotels

Attackers used a web vulnerability to plant malware on servers run by the hotel booking firm FastBooking, stealing guest names, addresses and payment card details. The intrusion affected hundreds of hotels worldwide, with at least 380 properties named in Japan alone.

www.bleepingcomputer.com

19. DHS reveals signs of Stingray surveillance near the White House

In a letter to Senator Ron Wyden, the Department of Homeland Security disclosed that a pilot project had detected anomalous activity consistent with IMSI catcher technology around sensitive Washington sites including the White House. The agency said it had not attributed the rogue cell site simulators to any specific operator, fuelling fears that foreign spies were intercepting officials' phones.

www.infosecurity-magazine.com

20. ICO fines Yahoo over its 2014 mega breach

Britain's Information Commissioner's Office fined Yahoo UK Services £250,000 for systemic security failures behind the 2014 attack that hit hundreds of thousands of British accounts. Regulators said the company had failed to monitor for credential theft or large data transfers.

www.theregister.com
