Privacy Roundup #0148 • November 2018
November 2018 brought a wave of huge breaches, from Marriott to the postal service, alongside the first GDPR fines and a global reckoning with Facebook.
1. Marriott reveals data on 500 million Starwood guests was stolen
Marriott disclosed that intruders had sat inside the Starwood reservation network since 2014 and made off with records on as many as 500 million guests. The haul included names, addresses, passport numbers and, for some, encrypted payment card details.
2. USPS website flaw exposed account data on 60 million users
A weakness in the United States Postal Service Informed Visibility API let any logged-in user pull account details for roughly 60 million others. The postal service had been told about the flaw a year earlier and only fixed it after Krebs reported on it.
3. UK regulator fines Uber £385,000 over its 2016 breach
The Information Commissioner's Office fined Uber for failing to protect customer and driver data during the 2016 attack that exposed 57 million people. Regulators were especially scathing about the company hiding the breach and paying the attackers to stay quiet.
4. UK parliament seizes internal Facebook documents
The Digital, Culture, Media and Sport Committee used rare powers to compel the founder of app maker Six4Three to hand over sealed internal Facebook files during a visit to London. The cache was expected to shed light on the data and privacy decisions that led to the Cambridge Analytica scandal.
5. Amazon exposed customer names and emails then refused to explain
Amazon emailed customers to admit that a technical error had exposed their names and email addresses. The company would not say how many people were affected, when the error happened or whether anyone had accessed the data.
6. HealthCare.gov breach exposed sensitive data on tens of thousands
Federal officials disclosed that attackers abused an agent and broker portal on HealthCare.gov to harvest sensitive applicant records. The exposed data included partial Social Security numbers, immigration status, income and pregnancy details for tens of thousands of people.
7. Dell resets customer passwords after network intrusion
Dell revealed that it had detected and disrupted attackers trying to extract names, email addresses and hashed passwords from its network. The company forced a password reset but waited weeks to tell customers why it had done so.
8. VisionDirect loses payment card data to a Magecart attack
The UK optical retailer VisionDirect disclosed that attackers had planted skimming code disguised as Google Analytics on its site. The script captured full payment card details, names and passwords from customers over a five-day window in early November.
9. European consumer groups file GDPR complaints over Google tracking
Consumer groups in seven countries lodged complaints accusing Google of tricking users into enabling location tracking. They argued that hidden defaults, repeated nudging and misleading information meant consent was never freely given under the GDPR.
10. Atrium Health breach exposes 2.65 million patient records
Atrium Health told 2.65 million people that their data may have been accessed through an attack on its billing vendor AccuDoc. The exposed information included names, dates of birth, medical records and around 700,000 Social Security numbers.
11. Facebook appeals the ICO Cambridge Analytica fine
Facebook lodged an appeal against the £500,000 penalty the ICO had imposed over the Cambridge Analytica affair. The company alleged bias and procedural irregularity rather than accepting the regulator's findings.
12. DJI drone flaw could have handed over accounts and live feeds
Researchers at Check Point disclosed a flaw in DJI's account system that could let an attacker hijack a user's session through the company forum. A stolen token would have granted access to photos, flight logs, GPS data and live drone feeds.
13. Nordstrom blames contractor for employee data breach
Nordstrom told staff that a contractor had improperly handled sensitive employee records. The exposed data included names, Social Security numbers, dates of birth and bank account details.
14. Make-A-Wish website hijacked to mine cryptocurrency
Researchers found that the Make-A-Wish Foundation website had been compromised with a hidden Monero mining script. The cryptojacking code arrived through a known Drupal vulnerability and quietly used visitors' devices to generate coins.
15. Urban Massage leaves a customer database open to anyone
The London startup Urban Massage left an unsecured database online exposing more than 300,000 customer records. The files also held sensitive notes flagging clients accused of sexual misconduct or marked as dangerous.
16. Germany issues its first GDPR fine over plain text passwords
A German regulator handed the chat platform Knuddels a €20,000 penalty, the country's first fine under the GDPR. The company had stored user passwords in plain text, which were then leaked in a cyberattack affecting around 1.8 million records.
17. Google and Facebook drop forced arbitration after staff walkouts
Following worldwide employee walkouts, Google and Facebook ended mandatory arbitration for sexual harassment claims. Critics noted that the change covered only individual claims and stopped short of allowing collective action.
18. Lawmakers from nine countries grill Facebook in London
An unprecedented International Grand Committee gathered legislators from nine nations to question Facebook over data misuse and disinformation. Mark Zuckerberg declined to appear, leaving an empty chair beside policy executive Richard Allan.
19. Emails show Sandberg asked staff to research George Soros
Internal emails revealed that Sheryl Sandberg had directed Facebook staff to dig into the financier George Soros after he criticised the company. The disclosure contradicted earlier claims that she was unaware of the opposition research being carried out in her name.
20. Apple pulls Tumblr from the App Store over abuse imagery
Apple removed the Tumblr app after child sexual abuse material slipped past the platform's filters. Tumblr said a routine audit had surfaced content that was not yet recorded in the industry database it relied on.