Privacy Roundup #0149 • December 2018

December 2018 closed the year with a flood of breach disclosures, fresh Facebook data scandals and a sweeping new Australian law against encryption.

1. Chinese state hackers blamed for the Marriott Starwood breach

Investigators told reporters that the breach of Marriott's Starwood reservation system, which exposed up to 500 million guest records, was the work of hackers tied to China's Ministry of State Security. The attribution pointed to a wider data-mining effort aimed at identifying American intelligence officers.

www.cnn.com

2. Quora discloses breach affecting 100 million users

Quora announced that a malicious third party had gained unauthorised access to its systems, exposing data on around 100 million users. The stolen information included names, email addresses, encrypted passwords and content imported from linked accounts.

techcrunch.com

3. Google brings forward the Google+ shutdown after a second bug

Google revealed that a software fault had exposed the data of 52.5 million Google+ users to app developers, including information people had marked as private. The company moved its planned closure of the consumer network forward by four months in response.

www.npr.org

4. Australia passes its Assistance and Access Act

The Australian Parliament passed a law letting agencies compel technology firms to help access encrypted communications. Critics warned that the powers could force companies to build backdoors and undermine security for everyone.

www.loc.gov

5. National Republican Congressional Committee says it was hacked

The NRCC disclosed that an unknown intruder had read the email accounts of four senior aides for several months during the 2018 election cycle. The committee had quietly hired CrowdStrike to investigate and notified the FBI rather than going public at the time.

www.washingtonpost.com

6. Tumblr announces a blanket ban on adult content

Tumblr said it would permanently remove adult content from 17 December, weeks after Apple had pulled its app over child abuse imagery. The decision reshaped how the site was used and drove a sharp fall in its traffic.

techcrunch.com

7. Facebook gave partners deep access to user messages and data

The New York Times reported that Facebook had granted more than 150 companies, including Netflix, Spotify, Amazon and Microsoft, special access to user data. Some partners could read, write and delete private messages, going far beyond what people had been told.

www.cnbc.com

8. Washington DC sues Facebook over Cambridge Analytica

The District of Columbia Attorney General filed suit against Facebook for failing to protect residents' data and for misleading privacy settings that let an app harvest information without consent. It was the first regional legal action in the United States arising from the Cambridge Analytica scandal.

www.cnn.com

9. Amazon sends 1,700 Alexa recordings to the wrong person

A German Amazon user who exercised his GDPR right to a copy of his data received 1,700 voice recordings belonging to a complete stranger. The files revealed the victim's habits, home life and even moments recorded in the shower.

www.theregister.com

10. New York Times exposes the trade in precise location data

An investigation found that dozens of apps collect detailed location histories and sell them to companies that track hundreds of millions of devices. Reporters showed that supposedly anonymous data could be traced back to named individuals through their daily routines.

www.cnbc.com

11. House report calls the Equifax breach entirely preventable

A House Oversight Committee report concluded that the Equifax breach, which affected around 148 million people, could have been stopped with basic security measures. It singled out the firm's failure to patch a known Apache Struts flaw despite a public warning.

techcrunch.com

12. Twitter support form leaks phone number country codes

Twitter said a bug in one of its support forms could reveal the country code attached to an account and whether it had been locked. The company found suspicious activity from IP addresses in China and Saudi Arabia that may have ties to state actors.

techcrunch.com

13. EFF warns over the TSA airport surveillance roadmap

The TSA set out plans to expand biometric collection at airports, including face recognition for travellers flying domestically. EFF argued that the scheme threatened the right to privacy, the right to travel and the right to anonymous association.

www.eff.org

14. Italy fines Facebook 10 million euros over data practices

The Italian Competition Authority fined Facebook two sums of 5 million euros each for unfair commercial practices involving user data. Regulators said the company hid the fact that it collects and sells personal data while presenting the service as free.

en.agcm.it

15. Exposed Elasticsearch servers leak data on 82 million people

Researchers found unprotected Elasticsearch instances holding records on nearly 83 million people in the United States. The data included names, email addresses, home addresses, phone numbers and employer details left open to anyone.

www.securityweek.com

16. Senate reports detail Russian social media manipulation

Two reports released through the Senate Intelligence Committee laid out how Russia's Internet Research Agency targeted Americans across every major platform. The analysts highlighted heavy use of Instagram and a focused effort to suppress and divide voters.

www.npr.org

17. Facebook bug exposed private photos of 6.8 million users

Facebook disclosed that a flaw in its photo interface had given app developers access to images from up to 6.8 million users over twelve days. The fault even exposed pictures that people had uploaded but chosen never to post.

techcrunch.com

18. NASA tells staff their personal data may have been stolen

NASA sent an internal memo warning current and former employees that hackers may have stolen personal records, including Social Security numbers, from its servers. The agency had begun investigating the intrusion in late October but only notified affected staff in December.

www.welivesecurity.com

19. France fines Uber over its concealed 2016 breach

The French data protection regulator CNIL fined Uber 400,000 euros for security failings behind the 2016 breach that exposed millions of accounts. The penalty followed similar action by the British and Dutch regulators over the same hidden incident.

www.theregister.com

20. Huawei finance chief arrested in Canada at US request

Canadian authorities arrested Huawei chief financial officer Meng Wanzhou over alleged sanctions violations, amid Western unease about the firm's role in critical networks. The arrest deepened a wider standoff between governments and Huawei over surveillance and security risks.

www.cnn.com
