Privacy Roundup #0152 • March 2019
March 2019 saw Facebook's privacy failures pile up while ransomware, leaky databases and new surveillance fights reshaped the data protection landscape.
1. Facebook stored hundreds of millions of user passwords in plain text for years
Facebook admitted that between 200 million and 600 million account passwords had been written in plain text into internal logs, some of them dating back to 2012. More than 20,000 employees could search those logs, and the logging flaw had gone unnoticed for years.
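The failure above is the ordinary one: a request logger records parameters as they arrive, and the password field goes with them. The following is an added example, not code from the original post or from Facebook, showing the two controls that prevent it: a logging filter that redacts secret fields before any handler writes the record, and a password store that keeps only a salted PBKDF2 hash, so there is no plaintext to leak in the first place. The field names and the sample login line are constructed assumptions.

```python
# Added example, not code from the original post or from Facebook: the two
# controls that stop a credential ending up readable in internal logs. A
# logging filter redacts secret fields before any handler writes the record,
# and the password store keeps only a salted PBKDF2 hash. The field names and
# the sample login line are constructed assumptions.
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Parameter names whose values must never reach a log, whatever the message.
# Assumption: the application logs request parameters as key=value pairs.
SECRET_KEYS = ("password", "passwd", "pass", "token", "secret")
_SECRET_RE = re.compile(r"\b(%s)=([^&\s,;]+)" % "|".join(SECRET_KEYS), re.IGNORECASE)


def redact(text):
    """Replace the value of every secret field with a placeholder."""
    return _SECRET_RE.sub(r"\1=<redacted>", text)


class RedactSecrets(logging.Filter):
    """Attach to every handler: rewrite the record so no sink sees a secret."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # apply %-args first, then scrub
        record.args = ()                           # args are consumed; never reformat
        return True


def login_log_output(username, password):
    """Log a login attempt the way a careless request logger would, with the
    filter attached, and return what actually reached the in-memory log sink."""
    sink = StringIO()
    logger = logging.getLogger("demo.login")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    logger.info("POST /login user=%s password=%s", username, password)
    return sink.getvalue()


def hash_password(password, salt=None, iterations=600_000):
    """Return 'pbkdf2_sha256$iterations$salt$hash'; only this string is stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(login_log_output("alice", "hunter2"), end="")
    stored = hash_password("hunter2")
    print(stored, verify_password("hunter2", stored), verify_password("wrong", stored))
```

The filter sits on the handler rather than the logger so that it also catches records that propagate in from other loggers; redacting after `getMessage()` matters because the secret usually arrives as a format argument, not in the literal message. Hashing with a per-user salt means that even a full dump of the store is not a list of passwords, which is exactly the property the logs above lacked.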
2. Mark Zuckerberg set out a privacy-focused vision for social networking
Mark Zuckerberg published a long note promising to rebuild Facebook around private, encrypted messaging across Messenger, Instagram and WhatsApp. Critics noted that announcing a plan is far easier than delivering it after a year of scandals.
3. EFF said it would believe a privacy-focused Facebook when it saw it
The Electronic Frontier Foundation responded to Zuckerberg's manifesto with measured scepticism, welcoming end-to-end encryption while questioning the company's record. The group warned that competitive motives, not user protection, may have driven the pivot.
4. Facebook would not let users opt out of phone number look-up
Facebook confirmed that phone numbers handed over for two-factor authentication could also be used to find a user's profile, with no full opt-out. Former security chief Alex Stamos called the practice unconscionable and a betrayal of people seeking better security.
5. Iranian-linked hackers stole terabytes of data from Citrix
The FBI warned Citrix that intruders had broken into its internal network, and researchers tied the attack to an Iranian-linked group known as IRIDIUM. The attackers used password spraying to gain a foothold and made off with around six terabytes of sensitive files.
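Password spraying works precisely because per-account lockout rules never see it: each account gets one or two guesses, and the attacker moves on. Detection therefore has to pivot on the source rather than the account. The following is an added example, not code from the original post, Citrix or the FBI, that runs that logic over a constructed authentication log: it separates a spray (many accounts, few guesses each, from one source) from a conventional brute force (one account, many guesses) and then surfaces the event that actually matters, a successful login from a source that was spraying. The log format, the sample lines and the thresholds are assumptions for illustration.

```python
# Added example, not code from the original post, Citrix or the FBI: detecting a
# password-spraying pattern in an authentication log. The log lines, their
# 'timestamp user source result' format and the thresholds are constructed
# assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through many accounts with one guess
# each and finally lands a valid password; a second source hammers one account.
SAMPLE_LOG = """\
2019-03-06T02:00:01 alice 203.0.113.7 FAIL
2019-03-06T02:00:03 bob 203.0.113.7 FAIL
2019-03-06T02:00:05 carol 203.0.113.7 FAIL
2019-03-06T02:00:07 dave 203.0.113.7 FAIL
2019-03-06T02:00:09 erin 203.0.113.7 FAIL
2019-03-06T02:00:11 frank 203.0.113.7 OK
2019-03-06T02:01:00 alice 198.51.100.9 FAIL
2019-03-06T02:01:01 alice 198.51.100.9 FAIL
2019-03-06T02:01:02 alice 198.51.100.9 FAIL
2019-03-06T02:01:03 alice 198.51.100.9 FAIL
2019-03-06T02:01:04 alice 198.51.100.9 FAIL
2019-03-06T02:05:00 grace 192.0.2.20 OK
"""


def parse(log_text):
    """Yield (timestamp, user, source, result) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            yield datetime.fromisoformat(ts), user, src, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: sorted distinct users} for every source whose failures
    inside one `window` cover at least `min_users` accounts with no account
    tried more than `max_per_user` times. Many accounts, a guess or two each,
    is the shape that stays under per-account lockout thresholds."""
    fails_by_src = defaultdict(list)
    for ts, user, src, result in sorted(parse(log_text)):
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    hits = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:   # slide the window
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


def detect_bruteforce(log_text, min_attempts=5):
    """Classic single-account guessing: {source: {user: failures}} where one
    account from one source fails at least `min_attempts` times."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, user, src, result in parse(log_text):
        if result == "FAIL":
            counts[src][user] += 1
    return {src: {u: n for u, n in users.items() if n >= min_attempts}
            for src, users in counts.items()
            if any(n >= min_attempts for n in users.values())}


def spray_footholds(log_text, **thresholds):
    """The event worth paging on: accounts that logged in successfully from a
    source that was spraying. Returns {source: sorted users}."""
    spraying = detect_spray(log_text, **thresholds)
    footholds = defaultdict(set)
    for _, user, src, result in parse(log_text):
        if result == "OK" and src in spraying:
            footholds[src].add(user)
    return {src: sorted(users) for src, users in footholds.items()}


if __name__ == "__main__":
    print("spraying sources:", detect_spray(SAMPLE_LOG))
    print("brute force:", detect_bruteforce(SAMPLE_LOG))
    print("footholds:", spray_footholds(SAMPLE_LOG))
```

On the sample, the first source is flagged as spraying and `frank` is reported as its foothold, while the second source shows up only under the brute-force rule. In production the source key would usually be a tuple of IP and user agent, and the window and account counts tuned to the tenant's normal failure rate; the structure of the rule is what carries over.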
6. ASUS Live Update was hijacked to push a signed backdoor
Kaspersky disclosed Operation ShadowHammer, a supply chain attack in which a trojanised build of the ASUS Live Update utility was signed with legitimate ASUS certificates and delivered through the vendor's own update channel. More than a million users received the tampered software, although a hardcoded list of a few hundred target MAC addresses showed the attackers were hunting specific machines; on everyone else the backdoor stayed dormant.
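Because the implant gated itself on the victim's adapter address, the first question for anyone who installed the update was whether their own machine was on the list. The following is an added example, not code from the original post, Kaspersky or ASUS, of the check an incident responder would run: normalise a MAC address from whatever notation the inventory uses, compute the same fingerprint the target list is expressed in, and compare. The target list, the MD5-of-MAC fingerprint format and the comparison are constructed assumptions for illustration, not the campaign's own list or format.

```python
# Added example, not code from the original post, Kaspersky or ASUS: a check an
# incident responder can run to learn whether a host's network adapter is on an
# implant's hardcoded target list. The target list, the MD5-of-MAC fingerprint
# format and the comparison are constructed assumptions for illustration, not
# the campaign's own list or format.
import hashlib
import uuid


def normalise_mac(mac):
    """Canonical 'aa:bb:cc:dd:ee:ff' from colon, dash, dot or bare notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_fingerprint(mac):
    """Target lists are usually shipped as hashes so the list itself does not
    name the victims; compare in the same representation (assumed here: MD5
    over the canonical lower-case colon form)."""
    return hashlib.md5(normalise_mac(mac).encode()).hexdigest()


# Constructed target list for the example: two fingerprints, no real victims.
CONSTRUCTED_TARGETS = frozenset({
    mac_fingerprint("00:11:22:33:44:55"),
    mac_fingerprint("AA-BB-CC-DD-EE-01"),
})


def matching_targets(macs, targets=CONSTRUCTED_TARGETS):
    """Return the canonical MACs from `macs` whose fingerprint is on `targets`."""
    return sorted({normalise_mac(m) for m in macs if mac_fingerprint(m) in targets})


def local_macs():
    """Best effort with the standard library only: uuid.getnode() returns a
    hardware address when it can find one, otherwise a random 48-bit number
    with the multicast bit set, which is never a real adapter address."""
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return ["%012x" % node]


if __name__ == "__main__":
    hit = matching_targets(local_macs())
    print("on the target list:" if hit else "not on the target list", hit)
```

Two practical notes: `uuid.getnode()` reports only one adapter, so a fleet check should feed `matching_targets` the full adapter inventory rather than rely on `local_macs()`; and a negative result says only that this host was not a target, not that the tampered updater is absent, which is a separate question answered by hash and version checks against the vendor's clean build.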
7. LockerGoga ransomware forced Norsk Hydro into manual operations
Aluminium giant Norsk Hydro was hit by the LockerGoga ransomware, locking files across thousands of machines and forcing plants worldwide to switch to manual procedures. The company refused to pay and chose to rebuild from backups while keeping the public informed.
8. An email verification firm exposed more than 800 million records
A researcher found an unprotected MongoDB database belonging to Verifications.io holding over 808 million records, including emails, names, phone numbers and addresses in plain text. The company took its site and database offline the same day the exposure was reported.
9. Gearbest left millions of shoppers exposed on an open server
Researchers discovered that Chinese retailer Gearbest had left an unsecured Elasticsearch server accessible to anyone, exposing over 1.5 million customer records. The data included names, addresses, passport and national identity details, payment information and unencrypted passwords.
10. A family tracking app leaked real-time locations for weeks
A misconfigured database behind a Family Locator app exposed the real-time positions of around 238,000 people, accurate to within a few feet. The records also held names, email addresses and plain text passwords, along with labels for places such as home and school.
11. Toyota disclosed a breach affecting 3.1 million customers in Japan
Toyota said unauthorised access to sales subsidiaries in Japan may have exposed the personal details of up to 3.1 million customers. The compromised records held names, addresses, dates of birth and occupations, though no payment card data was involved.
12. Myspace lost twelve years of user music in a server migration
Myspace admitted that a botched server migration had wiped photos, videos and audio files uploaded before 2016, amounting to around 50 million songs. The loss touched the work of an estimated 14 million artists who had relied on the site during its peak.
13. European Parliament approved the Copyright Directive and Article 13
MEPs voted 348 to 274 to approve the Copyright Directive, including the contentious Article 13 that makes platforms liable for users' infringing uploads. Critics warned it would push sites towards automated upload filters and chill free expression online.
14. HUD charged Facebook with housing discrimination over ad targeting
The US Department of Housing and Urban Development charged Facebook with violating the Fair Housing Act by letting advertisers restrict who could see housing ads. Officials argued that the company's own delivery algorithms made the discrimination worse, regardless of advertiser intent.
15. FEMA overshared the sensitive data of 2.3 million disaster survivors
A government watchdog found that FEMA had handed a contractor far more personal data than needed about survivors of hurricanes and wildfires. The overshared records included home addresses and banking details for roughly 2.3 million people.
16. ICE was found tapping a nationwide licence plate surveillance network
The ACLU revealed that ICE was using a vast automated licence plate reader database run by Vigilant Solutions to track immigrants. Dozens of local police departments, including several in Illinois, were feeding location data into the system.
17. Spotify filed an antitrust complaint against Apple in Europe
Spotify lodged a formal complaint with the European Commission, accusing Apple of abusing control of the App Store to disadvantage rivals. It objected to Apple's 30 percent cut and the rules that stopped it pointing users to other ways to pay.
18. Bruce Schneier warned about the spread of workplace surveillance
Bruce Schneier highlighted research on the growing use of monitoring and prediction tools to watch employees. He cautioned that flagging systems sold as management aids can entrench bias and sort workers into opaque risk categories.
19. The Washington State Senate passed a GDPR-style privacy act
The Washington Senate approved the Washington Privacy Act by 46 votes to one, advancing a sweeping consumer data bill modelled on Europe's GDPR. It would have granted residents rights to access, correct and delete personal data held by companies.
20. Utah enacted a law requiring warrants for stored electronic data
Utah's governor signed HB 57, billed as the first US law requiring police to get a warrant before obtaining data people share with electronic service providers. The measure covers location information and other data held by remote computing and communications firms.