Privacy Roundup #0159 • October 2019
October 2019 saw European courts redraw the limits of consent and content removal while a steady run of exposed databases, smart-speaker tricks and surveillance fights showed how much personal data still leaks by default.
1. Europe's top court rules pre-ticked cookie boxes are not valid consent
The Court of Justice of the European Union held in the Planet49 case that a pre-checked box does not amount to the active, informed consent that the law requires. The judges also said the rule applies whether or not the cookies hold personal data, and that users must be told how long cookies last and who else can read them.
2. EU court says national courts can order Facebook to remove content worldwide
The Court of Justice ruled that a member state court may order Facebook to take down posts judged illegal, along with identical or equivalent ones, and may extend that order across the whole world. Critics warned that the decision hands censorship-prone governments a tool to push their own speech rules onto the global internet.
3. Zynga hack exposes data on 218 million Words with Friends players
A hacker breached the mobile game maker Zynga and took account details for more than 218 million players of Words with Friends and Draw Something. The stolen records included names, email addresses, login identifiers, hashed passwords and, for some people, phone numbers and Facebook identifiers.
4. Apple pulls Hong Kong protest map after pressure from China
Apple removed HKmap.live, an app that let Hong Kong residents share the locations of police and protests, after Chinese state media accused the company of helping rioters. The developers said there was no evidence the map endangered anyone and called the removal a political move to suppress freedom in Hong Kong.
5. Twitter admits it used security phone numbers for ad targeting
Twitter disclosed that phone numbers and email addresses people had given for two-factor authentication were matched against advertisers' marketing lists to serve targeted ads. The company called it an error, apologised, and said it could not say how many users were affected.
6. California bans face recognition on police body cameras
Governor Gavin Newsom signed Assembly Bill 1215, placing a three-year moratorium on the use of face recognition and other biometric surveillance with police body-worn cameras. The Electronic Frontier Foundation, which backed the bill, called it a win that builds on earlier bans in San Francisco and Oakland.
7. Magecart skimmer hits thousands of stores on the Volusion platform
Attackers injected card-skimming JavaScript into the shared infrastructure of Volusion, an e-commerce host used by roughly 6,500 online shops. The code quietly copied shoppers' names, addresses and full payment card details, with the Sesame Street Live store among the confirmed victims.
8. California signs CCPA amendments and a data broker registry into law
Governor Newsom signed a package of bills refining the California Consumer Privacy Act and creating a public registry that requires data brokers to register with the state. A companion measure widened the breach notification law to cover biometric data and additional government identifiers.
9. Safari quietly sends some browsing data to Tencent
Users found that the Safari fraud-warning feature on iOS could send data to Tencent as well as to Google, raising worries given Tencent's ties to the Chinese government. Apple said the actual web addresses are not shared and that Tencent only receives data from users whose region is set to mainland China, but the feature was on by default.
10. Pixel 4 face unlock works even with the owner's eyes closed
Google confirmed that the Pixel 4's face unlock would open the phone even when the registered owner had their eyes shut. Security researchers warned that someone could unlock a sleeping person's phone, unlike Apple's Face ID, which requires attention by default.
11. Researchers turn Alexa and Google Home into eavesdroppers
Germany's Security Research Labs built voice apps that passed Amazon and Google review yet could keep listening after appearing to stop, or phish for passwords by faking a system update. Both companies pulled the apps and said they would tighten their approval processes after the Smart Spies research.
12. NordVPN confirms a server in Finland was breached
NordVPN acknowledged that an attacker had reached one of its rented servers in Finland through an insecure remote management tool that the data centre had added without telling the company. The provider said that no user activity logs, credentials or identities were exposed, and that the only thing the attacker obtained was an expired encryption key.
13. Avast repels a fresh attempt to poison CCleaner
The security firm Avast disclosed that intruders used stolen credentials and a VPN profile without two-factor protection to reach its internal network and try to tamper with CCleaner again. Avast, which named the incident Abiss, said it caught the intrusion, paused releases and re-signed clean software before the attackers could plant anything.
14. Exposed Autoclerk database leaks US military travel records
Researchers found an unsecured database belonging to the hotel booking firm Autoclerk that held 179 gigabytes of reservation data. The trove exposed travel plans and personal details for ordinary guests and for US government and military personnel, including logs of generals visiting Moscow and Tel Aviv.
15. Phishing breach at Kalispell Regional exposes 140,000 patients
The Montana health system Kalispell Regional Healthcare told around 140,000 patients that a sophisticated phishing scam had handed attackers access to staff email accounts. Those accounts held names, treatment details, insurance information and, for a small number of people, Social Security numbers.
16. Unsecured database exposes 7.5 million Adobe Creative Cloud accounts
An open Elasticsearch database left Adobe Creative Cloud account information readable to anyone with a web browser and no password. The exposed records included email addresses, account creation dates, products used and subscription status, though not passwords or payment data.
17. Card-stealing malware found on the American Cancer Society store
A researcher discovered Magecart skimming code hidden in the American Cancer Society's online shop, disguised to look like ordinary analytics. The script scraped shoppers' payment card details and was traced to infrastructure linked to the Magecart groups before the charity removed it.
18. WhatsApp sues NSO Group over Pegasus spyware attacks
WhatsApp filed suit in a US court accusing the Israeli firm NSO Group of exploiting a calling flaw to plant Pegasus spyware on roughly 1,400 phones. The targets included more than 100 journalists, human rights defenders and other members of civil society, and NSO said it would fight the claims.
19. Berlin issues Germany's largest GDPR fine over a data cemetery
The Berlin data protection authority fined the property company Deutsche Wohnen 14.5 million euros for keeping tenants' personal records long after they were needed. Inspectors found an archive system that could not delete obsolete data and held years-old private details with no check on whether the storage was lawful.
20. Facebook agrees to pay the UK's Cambridge Analytica fine
Facebook settled with the UK Information Commissioner's Office and agreed to pay the 500,000 pound penalty issued over the Cambridge Analytica affair. Both sides dropped their appeals, and Facebook paid the maximum allowed under the older law while making no admission of liability.