Privacy Roundup #0144 • July 2018
July 2018 brought a record antitrust fine, the first British penalty over Cambridge Analytica and a run of breaches and leaks that showed how loosely personal data was still being held.
1. UK regulator says it intends to fine Facebook £500,000 over Cambridge Analytica
The Information Commissioner's Office announced a notice of intent to fine Facebook £500,000, the maximum available under the Data Protection Act 1998 that governed the conduct in question, for letting app developers harvest user data without clear consent. The figure was tiny against Facebook's revenue, yet it marked the first formal British penalty arising from the Cambridge Analytica affair.
→ iapp.org
2. European Parliament rejects fast-track of the copyright directive
Members of the European Parliament voted 318 to 278 to reopen debate on the Copyright Directive rather than wave it through, halting the controversial upload filters (Article 13) and link tax (Article 11) for the time being. Digital rights groups had warned that the text would force platforms to scan and police everything users posted.
3. Timehop discloses July 4 breach affecting 21 million users
The nostalgia app Timehop revealed that an attacker had accessed its cloud environment and stolen names, email addresses and some phone numbers for its entire user base of 21 million. The intruder had used admin credentials that were not protected by two-factor authentication, which the company enabled only after the event.
4. LifeLock bug exposed millions of customer email addresses
A flaw in an unsubscribe page on the LifeLock website tied each subscriber to a sequential numeric key, so anyone could step through the numbers and pull down customer email addresses: a textbook insecure direct object reference, with no check that the requester had any right to the record. The irony was sharp, because LifeLock sells identity theft protection. Symantec, LifeLock's owner, took the page offline once it was alerted.
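As an added illustration (not LifeLock's code, whose internals the report did not publish), the pattern in Python: an unauthenticated lookup keyed on a sequential number, the loop an attacker runs to harvest it, and one standard remedy, an opaque token that binds the number to a server-side HMAC so that a guessed number returns nothing. The subscriber table, the secret and all function and parameter names here are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential subscriber ids -> e-mail addresses (fake, for the demo only).
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# --- Vulnerable design: the unsubscribe page keys directly on the sequential id ---

def unsubscribe_email_vulnerable(key):
    """Return the address tied to a numeric key. Nothing ties the request to someone
    entitled to see that record, so the whole key space can simply be walked."""
    return SUBSCRIBERS.get(key)

def enumerate_vulnerable(start, stop):
    """What the attacker does: iterate the key range and keep every address returned."""
    found = {}
    for key in range(start, stop):
        email = unsubscribe_email_vulnerable(key)
        if email is not None:
            found[key] = email
    return found

# --- Hardened design: the key is an unforgeable token = id + HMAC over the id ---

# Hypothetical server secret; in production this is a stored, rotated key, never derived from the id.
SERVER_SECRET = secrets.token_bytes(32)

def make_token(subscriber_id):
    """Mint "<id>.<hex tag>" with tag = HMAC-SHA256(secret, id). Only the server can produce
    a valid tag, so knowing or guessing an id is useless on its own."""
    sid_str = str(subscriber_id)
    tag = hmac.new(SERVER_SECRET, sid_str.encode(), hashlib.sha256).hexdigest()
    return f"{sid_str}.{tag}"

def unsubscribe_email_hardened(token):
    """Return the address only when the tag verifies (constant-time comparison)."""
    try:
        sid_str, tag = token.split(".", 1)
        sid = int(sid_str)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, sid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return SUBSCRIBERS.get(sid)

def enumerate_hardened(start, stop):
    """Same attack against the hardened endpoint: bare ids and forged tags both yield nothing."""
    found = {}
    for key in range(start, stop):
        for guess in (str(key), f"{key}.{'0' * 64}"):
            email = unsubscribe_email_hardened(guess)
            if email is not None:
                found[key] = email
    return found

if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_vulnerable(1000, 1010))
    print("hardened endpoint leaks:  ", enumerate_hardened(1000, 1010))
    print("legitimate token works:   ", unsubscribe_email_hardened(make_token(1002)))
```

Binding the identifier to a secret stops enumeration, but it is only part of the fix: an unsubscribe page has no reason to echo the address back at all, and unauthenticated lookups should be rate-limited and logged so a sweep of the key space is noticed.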
5. Macy's and Bloomingdale's report breach of online shoppers
Macy's confirmed that attackers had viewed the personal and payment card details of customers who shopped at macys.com or bloomingdales.com between late April and mid June. The retailer said a relatively small number of accounts were affected, but the stolen fields were enough to enable fraud.
→ 6abc.com
6. LabCorp takes systems offline after network intrusion
The medical testing giant LabCorp detected suspicious activity over a weekend and pulled systems offline to contain it, raising fears for the records of millions of patients. The incident was later tied to a ransomware attack that had spread across thousands of company workstations.
7. Google hit with record €4.34 billion EU fine over Android
European antitrust regulators fined Google a record €4.34 billion for using Android to entrench its search engine, including by requiring handset makers to pre-install Search and Chrome. The case turned on how control of a dominant operating system shaped the flow of user data and competition.
8. Polar Flow fitness app exposed the homes of soldiers and spies
Researchers showed that the Polar Flow app's Explore feature leaked profile and location data for thousands of users, including military personnel and intelligence officers across dozens of countries. The findings let reporters trace named individuals back to secret bases and private addresses, and Polar suspended the feature.
9. Researcher mines 200 million public Venmo transactions
A privacy researcher used Venmo's public API to download more than 200 million transactions that users had left public by default, then traced people's drug purchases, relationships and daily routines from the memo lines, timestamps and counterparties. The study showed how a payment app's social design quietly turned private spending into a public feed.
10. California shopping centres feed licence plate data to an ICE contractor
The Electronic Frontier Foundation reported that the Irvine Company was running automated licence plate readers at its malls and sharing the data with Vigilant Solutions, a vendor that sells access to its plate database to Immigration and Customs Enforcement (ICE). Shoppers had no way of knowing their movements were being logged and fed into a database used to track people.
11. Mueller indicts twelve Russian intelligence officers over election hacking
The special counsel charged twelve GRU officers with hacking the Democratic National Committee, the Democratic Congressional Campaign Committee and Hillary Clinton's campaign, stealing emails and, through a separate intrusion into a state election board's website, data on roughly 500,000 voters. The indictment laid out in detail how state agents had spearphished targets and exfiltrated personal information during the 2016 campaign.
12. Bluetooth flaw lets attackers snoop on paired devices
Researchers at the Technion disclosed CVE-2018-5383, a weakness in the Bluetooth pairing process (both BR/EDR Secure Simple Pairing and LE Secure Connections) that let an attacker within radio range during pairing take a man in the middle position and decrypt or inject traffic between the two devices. The flaw stemmed from the specification recommending, but not requiring, that a device validate the elliptic-curve public key it receives from its peer, so an invalid point could be substituted into the Diffie-Hellman exchange and the resulting link key weakened. The Bluetooth SIG changed the specification to require the check, and affected chip makers and operating system vendors shipped patches.
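To make the missing check concrete, here is an added illustration (not code from the page, from the researchers, or from any Bluetooth stack): a minimal P-256 ECDH in pure Python with the public-key validation the specification now requires, and the simplest forged point that slips through when validation is skipped. The forged point behaves as a point of order two only because the unchecked affine formulas accept it; the published attack against real stacks is more involved, so treat this as a model of the bug class rather than a reproduction of the exploit. The private scalars and the forged point are constructed for the demo.

```python
# P-256 (secp256r1) domain parameters from FIPS 186-4; this is the curve Bluetooth's
# Secure Simple Pairing and LE Secure Connections use for their ECDH exchange.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Points are (x, y) tuples; None is the point at infinity.

def _inv(v):
    return pow(v, P - 2, P)

def point_add(p1, p2):
    """Affine group law. It does NOT check that its inputs lie on the curve,
    which is exactly what lets a forged point be pushed through it."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2; also doubling any point with y == 0
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(k, point):
    """Plain double-and-add (not constant-time; fine for a demonstration)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def validate_public_key(point):
    """Full public-key validation in the NIST SP 800-56A style: not infinity, coordinates
    in range, on the curve, and in the prime-order group. The on-curve test is the one the
    pre-2018 Bluetooth specification merely recommended."""
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False
    # Redundant for P-256 (cofactor 1), kept so the routine is complete for other curves.
    return scalar_mult(N, point) is None

def ecdh_shared_x(private_scalar, peer_point, validate=True):
    """Victim's side of ECDH: the shared secret is the x-coordinate of d*Q.
    With validate=True a bad peer key is rejected before any arithmetic happens."""
    if validate and not validate_public_key(peer_point):
        raise ValueError("peer public key failed validation")
    r = scalar_mult(private_scalar, peer_point)
    return None if r is None else r[0]

def victim_accepts(peer_point):
    """True if the validating pairing path would proceed with this peer key."""
    try:
        ecdh_shared_x(1, peer_point)
        return True
    except ValueError:
        return False

# Constructed forged peer key: keep G's x-coordinate but set y = 0. It is not on the curve,
# yet the unchecked formulas treat it as a point of order 2, so d*Q is Q for odd d and
# infinity for even d. The "shared secret" therefore takes one of only two values.
FORGED_PEER_KEY = (G[0], 0)

def attack_outcomes(private_scalars):
    """Distinct shared secrets an unvalidating victim derives from the forged key over the
    given private scalars: at most two, so an attacker guesses the key with probability 1/2."""
    return {ecdh_shared_x(d, FORGED_PEER_KEY, validate=False) for d in private_scalars}

if __name__ == "__main__":
    print("G valid:", validate_public_key(G))
    print("forged key valid:", validate_public_key(FORGED_PEER_KEY))
    print("outcomes without validation:", len(attack_outcomes(range(1, 41))))
    print("validating victim accepts forged key:", victim_accepts(FORGED_PEER_KEY))
```

The ordering matters: the on-curve test must run before any multiplication with the received point, because the leak happens inside the arithmetic. Real stacks also work in projective coordinates and may only transmit the x-coordinate, which is why the published attack differs in detail; the remedy is the same in every case.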
13. HR firm ComplyRight breach exposed tax form data on 662,000 people
The cloud human resources company ComplyRight disclosed that intruders had accessed names, addresses, email addresses and Social Security numbers drawn from tax forms processed on its platform. The exposed records belonged to roughly 662,000 people whose employers had used the service.
14. Amazon face recognition falsely matched 28 members of Congress
The American Civil Liberties Union ran Amazon's Rekognition against public arrest photos and found it wrongly matched twenty-eight members of Congress, with people of colour over-represented among the errors. The cheap test sharpened calls for limits on police use of unreliable face recognition.
15. Google says physical security keys ended employee phishing
Google reported that none of its eighty-five thousand staff had been successfully phished since early 2017, when it began requiring physical security keys to log in, a striking endorsement of hardware tokens over one-time codes sent by SMS or generated by an app. The disclosure showed how a phishing-resistant second factor shuts down the credential theft that drives many breaches.
16. Gentoo Linux GitHub account hijacked with a guessed password
Attackers seized control of the Gentoo Linux organisation on GitHub on 28 June after guessing an administrator password that was not protected by two-factor authentication; Gentoo published its incident report in early July. They replaced the mirrored ebuild repositories with copies containing malicious code, including commands to delete user files, though Gentoo's own infrastructure and the mirrors users normally sync from were not touched. The incident underlined how weak account hygiene can poison software supply chains.
17. Singapore reveals SingHealth breach affecting 1.5 million patients
Singapore disclosed a state-linked attack on the SingHealth network that copied the personal particulars of 1.5 million patients and the outpatient prescription records of about 160,000 of them. The attackers specifically and repeatedly targeted the records of Prime Minister Lee Hsien Loong, and it was the country's largest known data breach at the time.
18. India's TRAI chairman dares hackers and sees his data exposed
The head of India's telecom regulator posted his Aadhaar number on Twitter and challenged people to prove it could harm him, only for researchers to surface his address, date of birth and bank details. The episode fed the wider argument that a single national identifier creates serious privacy risks.
19. EFF sets out what good privacy rules should and should not do
After the Cambridge Analytica scandal, the Electronic Frontier Foundation published recommendations for new privacy laws built around informed consent, a right to know what data is held and ways to hold companies to account. It also warned lawmakers against measures that would entrench incumbents or chill speech.
20. Author of the LuminosityLink spying tool pleads guilty
A Kentucky man pleaded guilty to writing and selling LuminosityLink, a cheap remote access tool that let thousands of buyers secretly watch and control victims' computers across dozens of countries. The case showed how an off the shelf surveillance product could put ordinary people under covert monitoring.