Privacy Roundup #0147 • October 2018

October 2018 was dominated by the Facebook and Google+ disclosures, a string of airline, hotel and government breaches, and a louder push for tough privacy law.

1. Facebook discloses a breach affecting at least 50 million accounts

Facebook said attackers had abused a flaw in the "View As" feature to steal access tokens that act as digital keys to user accounts. The company reset tokens for around 90 million people as a precaution while it worked out the true scale.

www.welivesecurity.com

2. Bruce Schneier picks apart the Five Eyes statement on encryption

Schneier pointed readers to Susan Landau's analysis of the joint Five Eyes statement demanding lawful access to encrypted communications. He noted that the text read as a law enforcement document despite coming from an alliance of intelligence agencies.

www.schneier.com

3. Apollo sales platform exposes more than 200 million contact records

The sales intelligence firm Apollo confirmed that a database holding over 200 million contact records had been left exposed and copied. The information included names, email addresses, job titles and phone numbers, though no financial data or national insurance numbers.

securityaffairs.com

4. Bloomberg's "Big Hack" claims spark furious denials

Bloomberg Businessweek alleged that Chinese agents had planted tiny spy chips on Supermicro server boards used by Apple, Amazon and others. Apple, Amazon and Supermicro issued blanket denials and called for a retraction, and no hard evidence was ever produced.

www.theregister.com

5. Google shuts down Google+ after hiding a data exposure

Google admitted that a People API flaw had exposed profile data of up to 500,000 Google+ users and that it had chosen not to disclose the problem when it was found in March. The company announced it would wind down consumer Google+ rather than fix and defend it.

www.engadget.com

6. Project Strobe tightens third-party access to Gmail and Android data

Alongside the Google+ closure, Google set out Project Strobe, a review of how outside developers reach account data. It restricted consumer Gmail API access to a narrow set of approved app types and curbed Call Log and SMS permissions on Android.

www.blog.google

7. ICO fines Heathrow Airport over a lost USB stick

The Information Commissioner's Office fined Heathrow Airport Limited £120,000 after an unencrypted memory stick holding security and personal data was found on a London street. The regulator found that very few staff had received data protection training despite a policy banning removable media.

www.bankinfosecurity.com

8. Facebook says 14 million users had a broad array of data stolen

Facebook gave fuller figures for its breach, saying 30 million accounts had tokens taken and that 14 million of those had detailed personal data exposed. The stolen fields included contact details, gender, relationship status, recent searches and location check-ins.

www.npr.org

9. Anthem pays a record $16 million HIPAA settlement

The US Office for Civil Rights announced that Anthem would pay $16 million over the 2015 breach that exposed records of almost 79 million people. Regulators called it the largest health data breach in US history and the largest HIPAA settlement to that point.

www.hipaajournal.com

10. Pentagon breach exposes travel records for 30,000 personnel

The US Department of Defense said a commercial travel vendor had been breached, exposing personal and payment card data for up to 30,000 military and civilian staff. Officials did not name the vendor and said they would stop using its software.

www.bleepingcomputer.com

11. US voter records from 20 states offered for sale

Researchers at Anomali Labs and Intel 471 found voter registration data from 20 states advertised on a cybercrime forum. The seller offered roughly 35 million records and claimed to be able to supply weekly updates.

www.bankinfosecurity.com

12. Chrome 70 lets users switch off forced sign-in

Google released Chrome 70 with a setting that stops signing into a Google website from also signing the browser itself into that Google account. The change answered a backlash over the silent account linkage that Chrome 69 had introduced.

bgr.com

13. Twitter publishes a vast archive of state troll accounts

Twitter released more than 360 gigabytes of data covering thousands of accounts tied to Russia's Internet Research Agency and to operations in Iran. The trove held over 10 million tweets and was opened for researchers to study foreign influence campaigns.

techcrunch.com

14. Facebook admits Portal data could feed ad targeting

After launching its in-home Portal video device, Facebook corrected an earlier denial and said usage data could be used to target ads. The data about who users called and which apps they opened could inform adverts shown across other Facebook properties.

www.marketingdive.com

15. Tumblr patches a bug that exposed account details

Tumblr disclosed and fixed a flaw in its "Recommended Blogs" feature that could have leaked account information. Exposed fields included email addresses, hashed passwords, location and last login addresses, and the company said it found no sign of abuse.

www.securityweek.com

16. Hackers breach HealthCare.gov and take files on 75,000 people

The Centers for Medicare and Medicaid Services said attackers had broken into a HealthCare.gov system used by insurance agents and brokers. The breach exposed personal data for about 75,000 people enrolled through that channel.

techcrunch.com

17. Tim Cook calls for a comprehensive US privacy law

Speaking in Brussels, Apple's chief executive backed a federal privacy law built on rights to data minimisation, knowledge, access and security. He praised the GDPR and warned that personal data was being weaponised against people with military efficiency.

archive.epic.org

18. Cathay Pacific reveals a breach hitting 9.4 million passengers

The airline disclosed unauthorised access to systems holding data on up to 9.4 million passengers. Exposed information included names, passport and identity card numbers, dates of birth, contact details and some card numbers.

news.cathaypacific.com

19. Court of Appeal holds Morrisons liable for a rogue data leak

The Court of Appeal ruled that Morrisons was vicariously liable for an employee who posted payroll data of thousands of colleagues online. The judgment confirmed that an employer could be responsible even where the disclosure happened away from work.

ukhumanrightsblog.com

20. Radisson Rewards loyalty programme suffers a breach

Radisson told members that its rewards programme had been breached, exposing names, addresses, email addresses and membership numbers. The hotel group said fewer than ten per cent of members were affected and that no card data or passwords were taken.

www.bankinfosecurity.com

