Privacy Roundup #0153 • April 2019
April 2019 stacked breaches, fresh content laws and facial recognition fights as Facebook, Microsoft and Toyota all lost grip on user data.
1. Researchers found 540 million Facebook records on exposed servers
UpGuard found that the Mexican firm Cultura Colectiva had left more than 540 million Facebook records, including comments, likes and account names, on an unprotected Amazon S3 bucket. A second app, At The Pool, exposed plaintext passwords for 22,000 users.
2. Georgia Tech breach exposed data on 1.3 million people
Georgia Tech disclosed that an intruder had reached a web application database holding names, addresses, dates of birth and Social Security numbers for up to 1.3 million current and former students, staff and applicants. The access began in December 2018 through a vulnerable custom form and was traced after a performance drop in March.
3. Toyota disclosed a breach affecting up to 3.1 million customers
Toyota said hackers had reached servers at several of its Tokyo sales subsidiaries, exposing data on as many as 3.1 million customers. The records included names, dates of birth and employment information, though the company said no payment card data was involved.
4. Australia passed a law on abhorrent violent material
Weeks after the Christchurch attack, Australia's parliament rushed through a law making it a crime for platforms to fail to remove "abhorrent violent material" quickly. Executives could face prison and companies fines of up to 10 per cent of annual profit, with no time allowed for consultation.
5. SEC cleared Amazon shareholders to vote on Rekognition
The Securities and Exchange Commission rejected Amazon's attempt to block shareholder proposals on its Rekognition facial recognition service. One resolution sought to halt government sales until rights risks were assessed, and another asked for an independent study of the technology.
6. Amazon workers were found listening to Alexa recordings
A Bloomberg report revealed that thousands of Amazon staff and contractors review voice recordings captured by Echo devices to improve Alexa. Reviewers sometimes heard private moments, and Amazon did not clearly tell customers that humans might listen.
7. New York Times exposed Google's Sensorvault location dragnet
Reporting revealed that police use geofence warrants to mine Google's Sensorvault, a database of location data from hundreds of millions of devices. The technique works backwards from a place and time, sweeping in innocent bystanders as suspects.
8. Microsoft confirmed an Outlook and Hotmail account breach
Microsoft admitted that attackers had stolen a support agent's credentials and used them to read email metadata for affected Outlook, Hotmail and MSN accounts. The company later conceded that around 6 per cent of victims also had message content exposed.
9. Krebs reported a multi-month breach at Wipro
Brian Krebs revealed that systems at the IT outsourcing giant Wipro had been compromised and used to launch phishing attacks against the company's own customers. The intrusion, suspected to be state sponsored, relied on common remote access and red team tools.
10. The European Parliament backed one-hour removal of terrorist content
Parliament adopted a position requiring hosting firms to remove flagged terrorist content within one hour of a national authority's order. Persistent failures could draw fines of up to 4 per cent of global turnover, though mandatory upload filtering was rejected.
11. The EU Council adopted the controversial copyright directive
Member states gave final approval to the Copyright in the Digital Single Market directive, with six countries voting against. Critics warned that the rules pushed platforms towards upload filters that could erode user privacy and free expression.
12. Britain set a July start date for porn age verification
The government confirmed that, from 15 July 2019, commercial pornography sites would have to verify visitors' ages or face sanctions. Privacy campaigners warned that the scheme could create sensitive databases linking people to the content they viewed.
13. Facebook admitted storing millions of Instagram passwords in plain text
Facebook quietly updated an earlier disclosure to say that millions of Instagram passwords, not tens of thousands, had been stored in readable form. Staff could in principle have accessed them, though the company said it found no evidence of abuse.
14. Bodybuilding.com disclosed a phishing-driven breach
The retailer revealed that a phishing email opened in July 2018 had given attackers access to systems holding customer information. The company could not rule out that names, addresses and other personal data had been reached.
15. Sri Lanka blocked social media after the Easter bombings
Following the 21 April attacks that killed more than 250 people, the government cut access to Facebook, WhatsApp, Instagram and YouTube to curb misinformation. The blackout lasted around nine days and was lifted on 30 April.
16. Facebook reserved 3 billion dollars for an expected FTC fine
In its first quarter results, Facebook disclosed a 3 billion dollar charge against a looming Federal Trade Commission privacy penalty. The company said the eventual settlement could reach 5 billion dollars over its handling of user data.
17. Microsoft dropped password expiration from its security baseline
Microsoft removed periodic password expiry from its Windows security baseline, calling it an obsolete measure of very low value. The firm argued that forced resets push people towards weak, predictable changes and pointed instead to multi-factor authentication.
18. Docker Hub breach exposed data on 190,000 accounts
Docker disclosed that an intruder had reached a database holding usernames, password hashes and repository tokens for roughly 190,000 accounts. The exposed GitHub and Bitbucket tokens raised the risk of tampering with code and automated image builds.
19. EFF urged reversal of a ruling that threatened CalECPA
EFF and the ACLU of Northern California asked a California appeals court to overturn a Monterey County decision that refused to suppress evidence gathered under an over-broad warrant. They warned that letting the ruling stand would gut the state's electronic communications privacy law.
20. Ireland opened an inquiry into Facebook's plaintext passwords
The Irish Data Protection Commission launched a statutory inquiry into Facebook after the firm admitted storing hundreds of millions of passwords in readable form. As Facebook's lead EU regulator, the DPC could pursue fines of up to 4 per cent of global turnover under GDPR.