Privacy Roundup #0157 • August 2019

August 2019 was dominated by the voice assistant listening scandal as Apple, Google, Amazon, Microsoft and Facebook were each caught letting humans review private recordings, while a run of careless breaches spilled biometric, payment and hotel data.

1. Apple suspends Siri response grading after privacy backlash

Apple halted its programme of having contractors listen to Siri recordings to grade accuracy, following a Guardian report that the snippets captured intimate moments and confidential information. The company said it would pause grading worldwide and later add a way for users to opt out.

techcrunch.com

2. Poshmark confirms a breach of user account data

The clothing resale marketplace Poshmark disclosed that an unauthorised third party had taken profile information including names, usernames, email addresses and bcrypt hashed passwords. The company said financial data and physical addresses were not affected and that it had engaged forensic investigators.

techcrunch.com

3. German regulator orders Google to stop human review of voice clips

Hamburg's data protection commissioner ordered Google to halt manual transcription of Google Assistant recordings across the European Union for three months while it investigated. The order followed a leak in which a contractor handed more than a thousand Dutch audio snippets to Belgian journalists.

www.theregister.com

4. Amazon adds a no human review option to Alexa settings

Amazon quietly added a setting that lets Alexa owners remove their voice recordings from the pool reviewed by employees and contractors. Unlike Apple and Google, Amazon chose to keep human review running and offer an opt out rather than suspend the practice.

techcrunch.com

5. Appeals court lets the Facebook face recognition lawsuit proceed

The Ninth Circuit ruled that Illinois users had standing to sue Facebook under the state biometric privacy law over its Tag Suggestions face recognition feature. The court held that building a face template without consent invades concrete privacy interests, allowing a class action that exposed Facebook to billions in potential damages to move forward.

eff.org

6. StockX comes clean about a breach hidden behind a password reset

The sneaker trading platform StockX admitted that a forced password reset blamed on system updates was actually a response to a breach affecting roughly 6.8 million accounts. Stolen records included names, email addresses, hashed passwords and shoe sizes, and were already being sold on the dark web.

techcrunch.com

7. CafePress breach exposed 23 million accounts months before disclosure

The custom merchandise retailer CafePress was found to have exposed around 23 million user records in a February intrusion that it never properly disclosed. Email addresses, names and physical addresses sat in plaintext while passwords were protected only by weak unsalted SHA-1 hashes.

www.bleepingcomputer.com

8. Microsoft contractors caught reviewing Skype and Cortana audio

Internal documents and recordings showed that Microsoft paid contractors to transcribe personal Skype Translator calls and Cortana voice commands, sometimes including intimate conversations. Microsoft's terms did not clearly state that humans would listen to the audio, and the revelation added Microsoft to the wider voice assistant scandal.

www.vice.com

9. Twitter admits bugs shared data with advertisers despite opt outs

Twitter disclosed two bugs that had let it pass data to advertising partners even when users had opted out of such sharing. The flaws meant the company may have shared engagement details and served ads based on tracking inferences since 2018, overriding the privacy choices that people had explicitly made.

techcrunch.com

10. Facebook paid contractors to transcribe Messenger voice chats

Facebook was reported to have hired hundreds of outside contractors to transcribe audio clips from Messenger, with the workers given little idea of where the recordings came from. The company said it had paused human review of audio more than a week earlier, mirroring the moves by Apple and Google.

www.macrumors.com

11. Biometric leak exposes fingerprints of more than a million people

Researchers found that the BioStar 2 platform operated by Suprema had left an unencrypted database exposing fingerprint and facial recognition records for over a million people. Because biometric identifiers cannot be reset like passwords, the affected individuals face a permanent loss of control over that data.

www.technologyreview.com

12. Choice Hotels leaks 700,000 customer records from an open database

The hotel chain Choice Hotels exposed around 700,000 customer records after a MongoDB database was left accessible without a password. The records held names, addresses, email addresses and phone numbers, and attackers had already left a ransom note demanding payment in Bitcoin.

www.securitymagazine.com

13. MoviePass leaves tens of thousands of card numbers exposed

A critical MoviePass server was found sitting online without a password, exposing a database with tens of thousands of customer card numbers and personal credit card details. The unencrypted records had been accessible for months and contained enough information to make fraudulent purchases.

techcrunch.com

14. Mastercard loyalty programme breach hits 90,000 members

Mastercard reported a breach of its German Priceless Specials loyalty scheme to the German and Belgian data protection authorities after the data appeared online. The leaked files held names, partial card numbers, email and home addresses, phone numbers and dates of birth for around 90,000 members.

www.bleepingcomputer.com

15. Web host Hostinger resets 14 million accounts after intrusion

Hostinger disclosed that an attacker used an access token to reach an internal database holding details on 14 million customers. Usernames, email addresses, first names and SHA-1 hashed passwords were exposed, prompting a forced reset of every client password.

techcrunch.com

16. Imperva discloses theft of cloud firewall customer data

The security firm Imperva revealed that a breach had exposed email addresses, hashed passwords, API keys and SSL certificates for some customers of its cloud web application firewall. Possession of those keys and certificates could let an attacker tamper with the very firewall meant to protect a customer's traffic.

krebsonsecurity.com

17. Federal grand jury indicts the alleged Capital One hacker

A federal grand jury indicted Paige Thompson on wire fraud and computer abuse charges over the Capital One intrusion and the theft of data from more than thirty other organisations. The indictment added an allegation that she used the hacked servers to mine cryptocurrency.

techcrunch.com

18. Ring's police partnerships reach more than 400 departments

Reporting revealed that Ring had quietly signed surveillance partnerships with more than 400 police departments across the United States. The deals gave officers a portal to request doorbell footage and extended a private camera network into a tool for law enforcement.

www.washingtonpost.com

19. Monzo asks customers to reset PINs after exposure to staff

The digital bank Monzo revealed that a bug had recorded around 480,000 customers' card PINs in internal log files that engineers could read. The bank deleted the data and pushed app updates within hours of finding the fault, then urged affected customers to change their PINs at a cash machine as a precaution.

bleepingcomputer.com

20. Telegram moves to cloak phone numbers for Hong Kong protesters

Telegram said it would add a setting to hide users' phone numbers after evidence that authorities had uploaded large batches of numbers to identify Hong Kong protesters in group chats. The change aimed to stop strangers from matching a number to a real identity and tracing activists.

www.engadget.com
