Privacy Roundup #0164 • March 2020

The coronavirus turned March 2020 into a month of state phone tracking and rushed video apps, even as old-fashioned breaches kept exposing millions of records.

1. Princess Cruises confirms a breach of employee email accounts

Princess Cruises disclosed that attackers had read employee inboxes containing passenger and staff names, passport numbers, financial details and health data. The cruise line said it found no evidence of misuse but offered affected people identity protection.

www.darkreading.com

2. Let's Encrypt prepares to revoke three million certificates

A bug in the Boulder software meant Let's Encrypt rechecked one domain repeatedly instead of every domain on a certificate, so it announced the revocation of roughly three million certificates. The certificate authority later held back the mass revocation to avoid breaking large numbers of websites.

www.bleepingcomputer.com
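The re-check flaw described above, as an added illustration (not Boulder's code; the CAA table and domain names are constructed): re-checking the first name repeatedly lets a name whose CAA record forbids the issuer slip through, while a per-domain check catches it.

```python
# Added illustration of the CAA re-check bug described above.
# Not Boulder's code: the CAA lookup is a constructed in-memory table.
from typing import Dict, List

# Constructed CAA policy: domain -> issuers its CAA record permits
# (an empty list stands for "no CAA record, any CA may issue").
CAA_TABLE: Dict[str, List[str]] = {
    "example.org": [],
    "www.example.org": ["letsencrypt.org"],
    "mail.example.org": ["other-ca.example"],  # does not permit Let's Encrypt
}


def caa_allows(domain: str, issuer: str) -> bool:
    """Return True if the constructed CAA policy lets `issuer` issue for `domain`."""
    allowed = CAA_TABLE.get(domain, [])
    return not allowed or issuer in allowed


def recheck_caa_buggy(domains: List[str], issuer: str) -> bool:
    """Flawed re-check: the loop variable is ignored, so the first domain
    is checked len(domains) times and every other name is never consulted."""
    first = domains[0]
    for _ in domains:
        if not caa_allows(first, issuer):
            return False
    return True


def recheck_caa_fixed(domains: List[str], issuer: str) -> bool:
    """Correct re-check: every name on the certificate is consulted."""
    return all(caa_allows(d, issuer) for d in domains)


# Constructed certificate: three names, one of which forbids the issuer.
SAN_LIST = ["example.org", "www.example.org", "mail.example.org"]
ISSUER = "letsencrypt.org"

if __name__ == "__main__":
    print("buggy:", recheck_caa_buggy(SAN_LIST, ISSUER))  # True: mail.example.org never checked
    print("fixed:", recheck_caa_fixed(SAN_LIST, ISSUER))  # False: mail.example.org forbids issuance
```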

3. T-Mobile says an email vendor hack exposed customer data

T-Mobile disclosed that a sophisticated attack on its email provider gave intruders access to employee inboxes holding customer information. The exposed records included names, addresses and, for some accounts, Social Security numbers, financial details and government identification numbers.

www.bleepingcomputer.com

4. Virgin Media leaves 900,000 customer records open for months

Virgin Media admitted that a marketing database holding the details of about 900,000 customers sat unsecured on the open web for ten months. The records included names, addresses, phone numbers and dates of birth, and at least one unauthorised party had accessed them.

www.bleepingcomputer.com

5. Whisper exposes years of intimate confessions online

The secret sharing app Whisper left nearly 900 million records on an unprotected database that anyone could query. The exposed data tied confessions to age, ethnicity, hometown and precise location, putting children and service members at particular risk.

www.engadget.com

6. EFF warns the EARN IT Bill is a plan to scan every message

The EARN IT Bill would let officials draft best practices that providers must follow or lose their legal protections. The EFF argued that this design would pressure companies to abandon strong encryption and scan private messages on behalf of the government.

www.eff.org

7. Open Exchange Rates discloses a breach affecting well known clients

The currency data provider Open Exchange Rates told customers that an intruder had used a compromised access key to reach its systems for weeks. The exposed data included names, email addresses, hashed passwords, IP addresses and account API keys belonging to users at major firms.

www.bleepingcomputer.com

8. Fake coronavirus tracker app locks Android phones for ransom

Researchers found a malicious Android app called CovidLock that posed as a virus tracking tool and then locked the screen until victims paid a Bitcoin ransom. The campaign showed how quickly criminals were exploiting pandemic fear to push mobile malware.

www.helpnetsecurity.com

9. EFF warns that smart city scooter rules become surveillance

The EFF argued that cities forcing scooter and bike operators to share granular trip data through the Mobility Data Specification were building real time tracking of residents. The group warned that authorities could not show a single use case that justified collecting such sensitive individual location data.

www.eff.org

10. Israel approves Shin Bet phone tracking to fight the virus

Israel authorised its Shin Bet security agency to use cellphone location data to retrace the movements of people infected with the coronavirus. Rights groups challenged the measure because it placed ordinary citizens under the watch of a secretive intelligence service.

www.timesofisrael.com

11. Data on 538 million Weibo users goes up for sale

A hacker advertised the personal details of more than 538 million Weibo users on the dark web for about 250 dollars. The records included real names, usernames, gender, location and, for 172 million accounts, phone numbers.

www.darkreading.com

12. UK mobile operators discuss sharing movement data with government

British mobile networks confirmed talks with the government about handing over aggregated location data to model how people moved during the lockdown. The plan raised concern about how broad crowd tracking could be repurposed once the emergency passed.

www.computerweekly.com

13. EFF says location surveillance is not shown to contain COVID-19

The EFF argued that governments demanding sweeping location surveillance powers had not shown those powers would meaningfully slow the virus. It called on officials to prove effectiveness before imposing intrusions that fall hardest on vulnerable groups.

www.eff.org

14. General Electric discloses a breach through a service provider

General Electric told current and former employees that an intruder had reached an email account at its provider Canon Business Process Services. The exposed documents included names, addresses, Social Security numbers, passport numbers, bank account details and dates of birth.

www.bleepingcomputer.com

15. Tupperware website hit by a live credit card skimmer

Researchers found that the Tupperware site had been compromised with a hidden payment form that harvested card numbers during checkout. The skimmer loaded dynamically and showed a fake error so that victims would never notice their details had been stolen.

www.bleepingcomputer.com

16. Zoom sends iPhone data to Facebook without disclosure

An investigation found that the Zoom iOS app shared device details with Facebook even for users who had no Facebook account. The data included the device model, time zone, city and a unique advertising identifier, none of which the privacy policy mentioned.

www.vice.com

17. NHS hands Palantir and Google data for its virus response

NHS England engaged Palantir, Microsoft, Google and Faculty to build a data platform drawing on sources such as 111 calls and test results. Civil liberties groups questioned why a firm with a history of work for law enforcement should hold patient data.

www.computerweekly.com

18. FBI warns of teleconference and classroom hijacking

The FBI warned that uninvited intruders were breaking into video meetings and online classes to display abuse and threats, a practice that became known as Zoombombing. It urged users to make meetings private, require passwords and limit who could share their screen.

www.fbi.gov

19. Marriott discloses a second breach hitting 5.2 million guests

Marriott said attackers had used the login credentials of two franchise employees to reach an internal system holding guest data. The exposed records covered names, contact details and loyalty account information for about 5.2 million people.

www.securityweek.com

20. Houseparty offers a million dollars over hacking rumours

Viral claims that the Houseparty app had compromised users' other accounts spread across social media as lockdown drove downloads. Epic Games denied any breach and offered a one million dollar reward for proof that the rumours were a paid smear campaign.

grahamcluley.com
