Privacy Roundup #0160 • November 2019
November 2019 showed how casually our most intimate records change hands, as health files, DNA profiles, browsing trails and home camera footage all slipped beyond the reach of the people they describe.
1. Privacy advocates sound the alarm over Google's Fitbit takeover
Google agreed to buy Fitbit for about 2.1 billion dollars, handing the advertising giant the heart rate, sleep and activity records of tens of millions of wearers. Campaigners and regulators warned that the deal was less a business purchase than a grab for sensitive health data.
2. Two former Twitter employees charged with spying for Saudi Arabia
United States prosecutors charged two former Twitter staff with using their access to dig out the private account details of thousands of Saudi government critics. One was accused of taking payments worth hundreds of thousands of dollars to identify dissidents for Riyadh.
3. Florida court lets police search GEDmatch's entire DNA database
A judge granted an Orlando detective a warrant to search the whole GEDmatch genealogy database, overriding the opt-in choices of more than a million users. Legal experts called it a precedent that could open far larger services such as Ancestry and 23andMe to similar demands.
4. Google confirms Project Nightingale access to Ascension patient records
A Wall Street Journal report revealed that Google had quietly gained access to the complete health records of tens of millions of Ascension patients across 21 states. Neither the doctors nor the patients had been told, and federal regulators opened an inquiry within days.
5. Facebook iOS app caught opening the camera in the background
Users found that the Facebook app for iPhone was quietly activating the camera while they scrolled through their feeds. Facebook blamed a bug introduced while fixing a layout fault and said it had found no evidence that images were uploaded.
6. ZoneAlarm forum breached through outdated vBulletin software
Hackers broke into the support forum of the ZoneAlarm firewall by exploiting a known flaw in unpatched vBulletin software. The intrusion exposed the names, email addresses, hashed passwords and dates of birth of around 4,500 members.
7. Magecart card skimmer hits Macy's checkout pages
Macy's disclosed that attackers had slipped a payment skimming script onto its checkout and wallet pages for roughly a week. The code harvested customer names, addresses and full card details from one of the busiest retail sites in the United States.
8. PayMyTab leaves restaurant diners' details on an open server
Researchers found that the mobile payments firm PayMyTab had left a cloud storage bucket open to anyone. The exposed records linked diners' names, email addresses, phone numbers and partial card numbers to the restaurants, times and meals they had ordered.
→ www.infosecurity-magazine.com
9. Senator Markey's probe finds Ring doorbells lack basic privacy safeguards
An investigation by Senator Edward Markey found that Amazon's Ring doorbells had almost no privacy rules or civil rights protections for the footage they captured. The findings raised fresh questions about Ring's growing partnerships with hundreds of police forces.
10. Senators press Amazon over Ring's lax security practices
Five Democratic senators wrote to Jeff Bezos demanding answers about how Ring stored and protected customer video. They pointed to reports that staff in Ukraine had been granted sweeping access to recordings from cameras around the world.
11. Thousands of Disney+ accounts hacked and sold for a few dollars
Within hours of the Disney+ launch, attackers seized user accounts, locked owners out and put the credentials up for sale for as little as three dollars. The takeovers relied on passwords reused from earlier breaches at other services.
12. T-Mobile breach exposes more than a million prepaid customers
T-Mobile said attackers had reached account information belonging to over a million of its prepaid customers. The exposed records included names, billing addresses, phone numbers and plan details, though the company said no passwords or financial data were taken.
13. OnePlus discloses theft of customer order information
The smartphone maker OnePlus told customers that an intruder had reached order records during a security review. The accessed data included names, phone numbers, email addresses and shipping addresses, and OnePlus warned buyers to watch for phishing messages.
14. Transport for London strips Uber of its operating licence
Transport for London refused to renew Uber's licence, ruling the firm "not fit and proper" after a pattern of safety failures. Regulators found that a flaw had let unauthorised drivers upload their photos to other drivers' accounts and carry passengers on thousands of uninsured trips.
15. Ransomware locks 110 nursing homes out of their patient records
A ransomware outbreak struck a Wisconsin firm that hosted data for more than 100 nursing homes across the country. The attack cut care staff off from medication schedules and other records, with the criminals demanding a multi-million-dollar ransom.
16. Ransomware cripples more than 400 veterinary hospitals
A ransomware infection hit National Veterinary Associates and knocked out systems at hundreds of animal hospitals it runs. Staff lost access to patient records, payment systems and appointment data for days while the company worked to recover.
17. Four million stolen cards traced to four restaurant chains
A leading underground card market began selling four million payment cards stolen from compromised point-of-sale systems at four restaurant chains. The breaches affected diners across the Midwest and eastern United States.
18. Investigation finds it is far too easy to register a .gov domain
A Krebs investigation showed that anyone could obtain a trusted United States government .gov domain with little more than a forged authorisation letter. The weak checks risked letting fraudsters cloak scams in the authority of an official government address.
19. Orvis leaks hundreds of internal passwords on Pastebin
The outdoor retailer Orvis accidentally posted hundreds of internal passwords for its firewalls, servers and security tools to the public paste site Pastebin. The exposed credentials could have handed attackers a map of the company's internal systems.
20. Trend Micro insider sold customer details to tech support scammers
Trend Micro revealed that a rogue employee had improperly accessed a customer support database and sold the records to scammers posing as the firm's own support staff. The stolen data included names, email addresses, support ticket numbers and, in some cases, telephone numbers of consumer subscribers.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.