Privacy Roundup #0156 • July 2019
July 2019 was defined by record regulatory penalties, a wave of cloud misconfigurations and breaches, and fresh proof that voice assistants and police camera networks were quietly turning people into data.
1. FTC imposes a record 5 billion dollar penalty on Facebook
The Federal Trade Commission fined Facebook 5 billion dollars and imposed new privacy restrictions to settle charges that the company deceived users about control over their personal information. The penalty was the largest the agency had ever levied for a privacy violation.
2. Facebook agrees to a separate 100 million dollar SEC settlement
On the same day as the FTC announcement, the Securities and Exchange Commission charged Facebook with making misleading disclosures about the risk of misuse of user data. Facebook agreed to pay 100 million dollars to settle the claims tied to the Cambridge Analytica scandal.
3. EFF says the FTC settlement does too little for privacy
The Electronic Frontier Foundation argued that the 5 billion dollar fine was an inadequate deterrent for a company of Facebook's size. The group warned that the deal did not limit how Facebook collects, uses and shares personal information.
4. Equifax agrees to pay up to 700 million dollars over its breach
Equifax reached a settlement with the FTC, the CFPB and dozens of states over the 2017 breach that exposed the data of roughly 147 million people. The agreement included a consumer fund and credit monitoring, with the total reaching as much as 700 million dollars.
5. Capital One breach exposes data on more than 100 million people
A former Amazon Web Services engineer, Paige Thompson, was arrested for stealing personal data from over 100 million Capital One customers and applicants. The intrusion exploited a misconfigured web application firewall and exposed Social Security numbers and bank account details.
6. ICO signals a record 183 million pound fine for British Airways
The UK Information Commissioner's Office announced its intention to fine British Airways 183 million pounds over a 2018 breach that compromised data on roughly 500,000 customers. It would have been the regulator's first major penalty under the GDPR.
7. ICO plans a 99 million pound GDPR fine for Marriott
A day after the airline notice, the ICO said it intended to fine Marriott more than 99 million pounds over a breach affecting around 339 million guest records. Regulators faulted the company for inadequate due diligence when it acquired the compromised Starwood systems.
8. FaceApp goes viral and raises photo privacy fears
The Russian-made ageing filter app FaceApp swept social media, then drew alarm when researchers showed it uploaded photos to the cloud for processing. Its broad terms of service and Russian ties prompted calls for investigations in the United States.
9. Orvibo smart home database leaks billions of records
Researchers at vpnMentor found an unsecured database belonging to Chinese smart home maker Orvibo that exposed more than two billion logs. The records included email addresses, passwords, precise locations and account reset codes.
10. Zoom flaw lets websites hijack Mac webcams
Researcher Jonathan Leitschuh disclosed a vulnerability in the Zoom client that allowed any website to start a video call and switch on a Mac user's camera. The flaw stemmed from a hidden local web server that survived uninstallation.
11. Google contractors caught listening to Assistant recordings
A leak to Belgian broadcaster VRT revealed that Google contractors transcribe audio captured by Google Assistant, including conversations recorded without the wake word. Google confirmed the practice and called the disclosure a breach of its data policies.
12. Apple contractors hear confidential Siri recordings
A Guardian report revealed that Apple contractors regularly heard sensitive content while grading Siri audio, including medical details and intimate moments. Apple said only a small fraction of requests were reviewed and were not tied to user identities.
13. Bulgaria's tax agency hack hits millions of citizens
A hacker stole gigabytes of data from Bulgaria's National Revenue Agency, exposing the records of an estimated five million people. The haul included national identity numbers, income figures, and health and pension information.
14. Sprint accounts breached through Samsung's website
Sprint disclosed that hackers accessed customer accounts through the "add a line" page on Samsung's website using stolen credentials. The exposed data included names, phone numbers, billing addresses and account details.
15. ICE mined state driver's licence photos with facial recognition
Researchers at Georgetown revealed that Immigration and Customs Enforcement ran facial recognition searches against state driver's licence databases without consent. The searches in several states swept up photos of residents, including undocumented immigrants who had obtained licences legally.
16. Slack resets passwords four years after its 2015 breach
Slack reset the passwords of roughly one percent of its users after learning that credentials from its 2015 breach were circulating. The original incident had let attackers scrape plaintext passwords as users typed them.
17. Amazon Ring partnered with 200 police departments
Documents obtained by Motherboard showed that Amazon's Ring had partnered with at least 200 law enforcement agencies to request doorbell camera footage. The disclosures fuelled concern about a private surveillance network coordinated by Amazon.
18. Evite breach exposes around 100 million accounts
Party planning service Evite confirmed that attackers had accessed an inactive data store, with a dump of roughly 100 million accounts surfacing online. The exposed records included names, email addresses, hashed passwords and, for some, dates of birth and phone numbers.
19. Honda leaves 134 million records open on the internet
A researcher found an unsecured Honda database that exposed roughly 134 million documents covering about 300,000 employees worldwide. The records detailed machine names, security status and patch levels, including data on the chief executive's own device.
20. La Porte County pays 130,000 dollars to ransomware attackers
La Porte County in Indiana paid about 130,000 dollars in bitcoin after Ryuk ransomware crippled its computer systems. Officials paid the ransom despite federal advice against doing so, because a decryption key supplied by the FBI proved ineffective.