Privacy Roundup #0155 • June 2019
June 2019 was dominated by the cascading American Medical Collection Agency breach, a string of government and corporate data exposures, and a growing public reckoning over facial recognition and surveillance.
1. Customs and Border Protection says traveller photos stolen in cyber-attack
On 10 June, CBP disclosed that images of travellers and their vehicles had been copied from its network and then stolen in a breach of a subcontractor, later identified as Perceptics. The agency said fewer than 100,000 people were affected, though the data ended up on the dark web.
2. Quest Diagnostics says 11.9 million patients may have had data exposed
On 3 June, Quest Diagnostics revealed that a breach at billing vendor American Medical Collection Agency may have exposed financial, personal and medical information on almost twelve million patients. The intruder had access to the payment page for roughly eight months before discovery.
3. LabCorp says 7.7 million consumers hit by collections firm breach
A day after Quest came forward, LabCorp disclosed that the same American Medical Collection Agency intrusion exposed personal and financial data on some 7.7 million of its own customers. The figure pushed the total number of people affected by the single vendor breach well beyond twenty million.
4. Collections firm behind LabCorp and Quest breaches files for bankruptcy
American Medical Collection Agency filed for bankruptcy in June, citing the costs of notification, investigation and lost clients after the breach unravelled its business. Several of its largest customers, including Quest and LabCorp, had cut ties within days of the disclosures.
5. Breach at cloud solution provider PCM Inc
Brian Krebs reported on 27 June that hackers had broken into PCM Inc, a major cloud solution provider, and stolen administrative credentials used to manage client accounts in Microsoft Office 365. The intrusion gave attackers a path into the email and file sharing systems of some of the firm's customers.
6. Microsoft to require multi-factor authentication for cloud solution providers
Amid a rise in attacks on resellers, Microsoft said in June that it would require all cloud solution providers managing customer Azure and Office 365 accounts to use multi-factor authentication. The change aimed to close a route attackers had used to reach the systems of downstream business customers.
7. Desjardins says insider exposed data on 2.9 million members
On 20 June, the Canadian financial cooperative Desjardins said an employee had improperly shared the personal information of roughly 2.9 million members with people outside the organisation. The exposed data included names, addresses, dates of birth, social insurance numbers and transaction histories.
8. Hackers breach NASA lab using an unauthorised Raspberry Pi
In June, an inspector general report revealed that intruders had roamed NASA's Jet Propulsion Laboratory network for months after compromising an unauthorised Raspberry Pi attached to it. The attackers took around 500 megabytes of data related to Mars missions before being detected.
9. Dominion National discloses nine-year dental data breach
In late June, the dental and vision insurer Dominion National said an investigation had found that intruders may have had access to its servers since August 2010. The compromised records could have included names, social security numbers, taxpayer identification numbers and bank account details.
→ www.healthcareinfosecurity.com
10. Phishing attack exposes data of 645,000 Oregon welfare clients
The Oregon Department of Human Services began notifying around 645,000 clients in June that a phishing attack had exposed their personal information. Nine employees had fallen for a malicious email months earlier, giving the attacker access to their mailboxes.
11. Maine signs the nation's strictest ISP privacy law
On 6 June, Governor Janet Mills signed legislation barring broadband providers in Maine from using, selling or sharing customer data without explicit consent. The law was among the toughest internet service provider privacy measures in the United States.
12. EFF publishes its recommendations for consumer data privacy laws
On 17 June, the Electronic Frontier Foundation set out its priorities for federal consumer privacy legislation. The group urged lawmakers to avoid pre-empting stronger state laws, to give individuals a private right of action, and to ban pay-for-privacy schemes.
13. Bruce Schneier highlights Maciej Cegłowski on ambient privacy
On 19 June, Bruce Schneier drew attention to an essay by Maciej Cegłowski on the idea of ambient privacy. The piece argued that framing privacy as an individual right leaves society without any means of deciding whether to accept a surveillance economy.
14. Riviera Beach pays 600,000 dollars to ransomware attackers
On 20 June, the Florida city of Riviera Beach voted to pay attackers around 600,000 dollars in bitcoin to restore systems crippled by ransomware. The infection had begun weeks earlier when a city employee opened a malicious email attachment.
15. Lake City pays hackers as Florida ransom toll mounts
Days after Riviera Beach, the nearby city of Lake City agreed to pay attackers roughly 460,000 dollars in bitcoin to recover from a ransomware attack. The two payments meant Florida cities had handed over more than a million dollars to criminals in a single month.
16. Facebook unveils Libra and Calibra amid privacy questions
On 18 June, Facebook announced Libra, a planned cryptocurrency, alongside a digital wallet called Calibra built into its messaging apps. Privacy advocates and regulators immediately questioned how transaction data would be handled by a company already under scrutiny for its record.
17. Verizon route leak knocks large parts of the internet offline
On 24 June, a misconfigured network announcement that Verizon failed to filter cascaded into a major routing failure. The leak knocked services including Cloudflare, Amazon and others offline for nearly three hours.
18. Cloudflare details how a BGP optimiser amplified the outage
Cloudflare published a technical account of the 24 June incident, explaining how a small provider's BGP optimiser split routes into smaller prefixes that Verizon then propagated. The post laid out why a single misconfiguration could disrupt so much of the global network.
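To make the mechanism behind items 17 and 18 concrete, here is an added illustration (not from the roundup or from Cloudflare's post) of why deaggregated prefixes hijack traffic and how ROA-style origin validation at the transit provider would have dropped them. All prefixes and AS numbers are constructed from documentation address space and private AS ranges.

```python
import ipaddress

# Constructed example: documentation address space and private AS numbers,
# not any real operator's announcements.
# A route is (prefix, AS path); the last AS in the path is the origin.
LEGIT_ROUTES = [("203.0.113.0/24", (64510, 64500))]
# The customer network (AS 64496) runs a BGP optimiser that splits the /24
# into two /25s; its transit AS 64497 fails to filter them and passes them on.
LEAKED_ROUTES = [
    ("203.0.113.0/25", (64510, 64497, 64496)),
    ("203.0.113.128/25", (64510, 64497, 64496)),
]
# Constructed ROA-style table: prefix -> (authorised origin AS, max prefix length)
ROAS = {"203.0.113.0/24": (64500, 24)}


def best_route(rib, dst_ip):
    """Longest-prefix match: the most specific covering prefix wins,
    regardless of how trustworthy its path is."""
    addr = ipaddress.ip_address(dst_ip)
    covering = [(p, path) for p, path in rib
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def validate(prefix, origin_as, roas):
    """ROA-style origin validation: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, (auth_as, max_len) in roas.items():
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if origin_as == auth_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"


def filter_rib(rib, roas):
    """Drop routes that fail origin validation; keep valid and unknown ones."""
    return [(p, path) for p, path in rib
            if validate(p, path[-1], roas) != "invalid"]


if __name__ == "__main__":
    rib = LEGIT_ROUTES + LEAKED_ROUTES
    print("unfiltered:", best_route(rib, "203.0.113.77"))   # leaked /25 wins
    print("filtered:  ", best_route(filter_rib(rib, ROAS), "203.0.113.77"))
```

Without the filter, traffic for 203.0.113.77 follows the leaked /25 through AS 64497; with it, the legitimate /24 is the only covering route again.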
19. House Oversight Committee scrutinises facial recognition
On 4 June, the House Oversight and Reform Committee held a second hearing on government use of facial recognition, this time pressing the FBI and the TSA over privacy and accuracy. Lawmakers from both parties criticised the agencies for deploying the technology without adequate testing or transparency, with Chairman Elijah Cummings warning that it was evolving without any real guard rails.
20. Senators introduce the DASHBOARD Act on data value
On 24 June, Senators Mark Warner and Josh Hawley introduced the DASHBOARD Act, a bipartisan bill to make large platforms disclose what data they collect and what it is worth. The measure would require companies with more than 100 million monthly users to value the personal data they monetise.