Privacy Roundup #0162 • January 2020
January 2020 opened the decade with facial recognition and data brokers under the spotlight, as breach after breach showed how little control people held over their own records.
1. The secretive company that might end privacy as we know it
The New York Times revealed Clearview AI, a startup that had scraped more than three billion photos from social media to build a face search tool. More than six hundred police forces were already using it without public scrutiny.
2. Avast antivirus sold users' browsing histories through Jumpshot
A joint Motherboard and PCMag investigation found that Avast harvested the web activity of hundreds of millions of people and sold it through a subsidiary called Jumpshot. Clients included Google, Microsoft and Home Depot, and the data was detailed enough to risk re-identifying individuals.
3. Wawa breach card data went up for sale on the dark web
Card records stolen in the Wawa point-of-sale breach surfaced on the Joker's Stash marketplace under the listing BIGBADABOOM-III. Researchers estimated the haul at more than thirty million payment cards taken from stores across dozens of states.
4. Ring doorbell app packed with third-party trackers
The Electronic Frontier Foundation found that the Ring app for Android sent personal data to four marketing and analytics firms, including Facebook. Names, IP addresses and device sensor readings were shared without meaningful notice or consent.
5. Apple refused Barr's request to unlock the Pensacola shooter's iPhones
Attorney General William Barr publicly pressed Apple to help unlock two iPhones tied to the Pensacola naval base shooting. Apple declined to build a backdoor, warning that such a tool would weaken security for every user.
6. Microsoft exposed 250 million customer support records
A misconfigured database left fourteen years of Microsoft customer service logs accessible on the open internet. Researcher Bob Diachenko found the records, which included email addresses, IP addresses and case details, before they were secured.
7. Mitsubishi Electric disclosed a major data breach
Mitsubishi Electric admitted that attackers had stolen personal and corporate information after breaching its networks through an affiliate in China. The intrusion exposed details of thousands of employees and applicants and was blamed on a state-linked group.
8. P&N Bank disclosed a customer data breach in Western Australia
The community-owned P&N Bank told members that a hack during a server upgrade had exposed names, addresses, account numbers and balances. The bank waited about a month after the December intrusion before notifying affected customers.
9. Travelex websites stayed offline after a Sodinokibi ransomware attack
The currency exchange Travelex was hit by the Sodinokibi ransomware on New Year's Eve and forced to take its sites offline across dozens of countries. The attackers demanded six million dollars and claimed to have stolen five gigabytes of customer data.
10. UN experts urged an inquiry into the alleged hack of Jeff Bezos's phone
United Nations human rights experts called for an immediate investigation into claims that Saudi Crown Prince Mohammed bin Salman's WhatsApp account was used to compromise Jeff Bezos's phone. Forensic analysis pointed to a video message in 2018 that preceded a large exfiltration of data.
11. Attackers actively exploited the Citrix ADC and Gateway flaw
Working exploits for the Citrix directory traversal flaw known as CVE-2019-19781 appeared online, and unauthenticated remote code execution attacks spread quickly. Rapid7 reported honeypot hits as early as January and found tens of thousands of vulnerable appliances exposed.
12. The EU weighed a five-year ban on public facial recognition
A leaked European Commission draft showed officials considering a temporary moratorium on facial recognition in public spaces. The pause would give regulators time to study the technology's accuracy gaps and threats to privacy.
13. Hacker offered 49 million records from data broker LimeLeads
A threat actor put up forty-nine million business contact records taken from the US data broker LimeLeads. The information came from an exposed Elasticsearch server and included names, job titles, email addresses and employer details.
14. Google said it would phase out third-party cookies in Chrome
Google announced plans to remove support for third-party cookies in Chrome within two years. The move promised less cross-site tracking, though critics warned it would tighten Google's grip on the advertising market.
15. IAB UK responded to the ICO's real-time bidding concerns
The Interactive Advertising Bureau UK set out six actions meant to address the data protection failings the Information Commissioner's Office found in real-time bidding. The regulator had warned that sensitive data was being broadcast through advertising bid requests without proper consent.
16. Restaurant chain Landry's investigated point of sale malware
Landry's began notifying customers that card-stealing malware had been found on its payment systems across dozens of brands. End-to-end encryption limited the damage, though cards swiped on the wrong terminals were still exposed.
17. India's Supreme Court ruled on the Kashmir internet shutdown
The Supreme Court of India held that an indefinite suspension of internet access in Kashmir was unlawful and amounted to an abuse of power. The court ordered authorities to review every restriction within a week and to publish reviewable orders, although it stopped short of restoring service itself.
18. Twitter ordered Clearview AI to stop scraping its images
Twitter sent Clearview AI a cease-and-desist letter demanding that it stop collecting photos and delete any data already taken. The notice followed the revelation that the firm had scraped billions of images from social platforms for facial recognition.
19. Check Point disclosed multiple vulnerabilities in TikTok
Check Point researchers detailed flaws that could let attackers take over TikTok accounts through spoofed text messages and harvest personal data. The bugs allowed video tampering and exposure of email addresses and birthdates before they were patched.
20. Unsecured Estée Lauder database exposed 440 million records
Researcher Jeremiah Fowler found an unprotected Estée Lauder database holding more than four hundred million records open to anyone online. The trove included plaintext email addresses, internal reports and infrastructure details that could aid further attacks.