Privacy Roundup #0146 • September 2018
September 2018 brought a run of mass data breaches, fresh surveillance rulings and a wave of new privacy laws on both sides of the Atlantic.
1. Facebook security breach exposed almost 50 million accounts
Facebook disclosed that attackers had exploited a flaw in its "View As" feature to steal access tokens for nearly 50 million accounts. The company reset tokens for around 90 million users, forcing them to log back in while it investigated.
2. British Airways lost payment card data for 380,000 customers
British Airways revealed that a web-skimming attack had siphoned names, addresses and full payment card details, including CVVs, from roughly 380,000 bookings. The malicious code ran on its site and app for around two weeks before a third party flagged it.
3. European court ruled UK mass surveillance breached human rights
The European Court of Human Rights held that GCHQ's bulk interception regime violated the rights to privacy and free expression. The judgment, in a case brought after the Snowden disclosures, found the safeguards around mass surveillance were inadequate.
4. Uber paid a record $148 million over its concealed breach
All fifty states and the District of Columbia announced a $148 million settlement with Uber over its handling of a 2016 breach. Uber had paid hackers to delete stolen data and hidden the incident for a year rather than notifying the public.
5. California signed the strongest state net neutrality law
Governor Jerry Brown signed SB 822, which restored the open internet protections of the 2015 federal order at the state level. Within hours the Department of Justice sued California, claiming states had no jurisdiction over the internet.
6. California passed the first state law on connected device security
Governor Brown also signed SB 327, the first state law requiring "reasonable" security features in internet-connected devices. The law bans shared default passwords and forces manufacturers to demand a new credential before first use.
7. Newegg payment pages skimmed for more than a month
The retailer Newegg was hit by the Magecart group, which inserted fifteen lines of card-skimming script into its checkout. The code quietly funnelled customer card details to a lookalike domain between mid-August and 18 September.
8. Security experts said Chrome 69's forced login violated privacy
Chrome 69 began signing users into the browser automatically whenever they logged into any Google service. Cryptographer Matthew Green and others argued the change quietly folded browsing identity into a Google account without clear consent.
9. Five Eyes governments demanded encryption backdoors
The intelligence allies of the United States, United Kingdom, Canada, Australia and New Zealand issued a memo declaring that "privacy is not absolute". They threatened legislative or other measures unless technology firms built lawful access into encrypted products.
10. Equifax fined £500,000 over its 2017 mega-breach
The UK Information Commissioner's Office handed Equifax the maximum penalty available under the old Data Protection Act. Investigators found the firm had failed to protect the personal data of up to 15 million British people.
11. Court dismissed the first constitutional challenge to FOSTA
A federal court threw out the lawsuit brought by EFF and partners against the sex-trafficking law FOSTA. The judge ruled the plaintiffs lacked standing and declined to reach the free speech questions the groups had raised.
→ eff.org
12. Mirai botnet authors avoided jail after helping the FBI
The three young men behind the Mirai IoT botnet were sentenced to probation rather than prison. Their cooperation with the FBI on other cybercrime cases earned a lenient outcome, alongside restitution and community service.
13. MEGA's Chrome extension was hijacked to steal credentials
Attackers uploaded a trojaned build of the MEGA file-storage extension to the Chrome Web Store. The malicious version harvested logins for Amazon, Microsoft, GitHub and Google, along with cryptocurrency keys, and sent them to a server in Ukraine.
14. State Department email breach exposed staff data
The US State Department confirmed that intruders had breached its unclassified email system. The personal data of a few hundred employees was exposed, and those affected were offered credit and identity monitoring.
15. GovPayNow leaked 14 million payment receipts
Krebs on Security found that GovPayNow, which processes fines and fees for thousands of government agencies, exposed millions of receipts simply by changing digits in a web address. The leaked records spanned six years and included names, addresses and partial card numbers.
16. Google admitted third-party apps could read and share Gmail
After questions from lawmakers, Google confirmed that outside developers could read users' Gmail and pass what they found to further third parties. Critics said no ordinary user could reasonably expect their messages to travel that far.
17. Tech giants told the Senate to keep privacy rules light
Executives from Amazon, Apple, AT&T, Google, Twitter and Charter testified at a Senate hearing on consumer privacy. They backed a federal privacy law in principle while warning lawmakers not to copy the stricter rules of California or Europe.
18. Veeam left 445 million records open on the internet
A researcher discovered an unsecured Veeam marketing database exposing more than 445 million records. The trove held names, email addresses and other marketing data and sat open on Amazon infrastructure for several days.
19. IBM built skin-tone search using secret NYPD footage
An investigation revealed that IBM had used New York police camera footage to develop surveillance software that could search video by skin tone and other traits. The work happened without public knowledge and raised fears of automated racial profiling.
20. Apple released Safari 12 with stronger tracking prevention
Apple shipped Safari 12, which stopped embedded content and social media buttons from following users across the web without permission. The browser also suppressed ad retargeting by limiting how uniquely advertisers could identify a Mac.