Privacy Roundup #0165 • April 2020
April 2020 was dominated by Zoom's security reckoning and a global rush to build coronavirus contact tracing, as breaches and state surveillance tested privacy under lockdown.
1. Marriott discloses a second breach affecting 5.2 million guests
Marriott revealed that attackers had used the login credentials of two employees to access the personal data of about 5.2 million guests. The exposed records included names, addresses, email addresses, and loyalty account numbers.
2. Citizen Lab finds Zoom rolled its own weak encryption
Researchers at Citizen Lab found that Zoom secured meetings with a single shared AES-128 key in ECB mode rather than the end-to-end encryption it had advertised. They also found that some keys were distributed through servers in Beijing, even for calls between North American participants.
3. Zoom admits some calls were routed through China
Zoom acknowledged that some video calls and their encryption keys had been mistakenly routed through data centres in China. The company blamed a failure to apply its usual geofencing during a rapid expansion of server capacity.
4. Zoom removes a feature that leaked user data to LinkedIn
Zoom pulled a feature that quietly sent the names and email addresses of meeting participants to LinkedIn for profile matching, without consent. The chief executive announced a ninety-day freeze on new features to focus on security and privacy.
5. More than 500,000 Zoom accounts sold on hacker forums
Researchers found over 500,000 Zoom credentials offered for sale on hacker forums and the dark web, some for a fraction of a penny. The accounts were gathered through credential stuffing using passwords leaked in older breaches.
6. US Senate warns members against using Zoom
The Senate sergeant at arms advised senators to avoid Zoom for official work because of data privacy and security concerns. The warning followed reports of meeting hijacking, weak encryption, and calls routed through China.
7. Zoom 5.0 adds stronger encryption and security controls
Zoom released version 5.0 with AES-256 GCM encryption and a consolidated set of meeting security controls. The update made passwords and waiting rooms easier to enforce in an effort to curb intrusions.
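The contrast between items 2 and 7 above, as an added example that is not from this roundup or from Zoom: the same repeated 16-byte frame is encrypted with AES-128 in ECB mode (equal plaintext blocks give equal ciphertext blocks, the structure leak Citizen Lab described) and then with AES-256 GCM (blocks are unrelated, and a single flipped ciphertext byte is rejected). The keys, the sample frame and the fixed nonce are constructed for the demonstration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies the block cipher to each 16-byte block on its own, with
// no IV and no chaining. Go's standard library deliberately offers no ECB
// mode; this loop exists only to show why it is a poor choice.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// ecbLeaksPattern reports whether two identical plaintext blocks come out as
// two identical ciphertext blocks under AES-128 ECB (they always do).
func ecbLeaksPattern(key128 []byte) bool {
	block, _ := aes.NewCipher(key128)
	frame := bytes.Repeat([]byte("SAME 16B FRAME! "), 2) // constructed: two equal blocks
	ct := ecbEncrypt(block, frame)
	return bytes.Equal(ct[:16], ct[16:32])
}

// gcmHidesPattern encrypts the same frame with AES-256 GCM: the two ciphertext
// blocks differ, and tampering with one byte makes Open fail instead of
// silently returning corrupted data.
func gcmHidesPattern(key256 []byte) (patternHidden, tamperDetected bool) {
	block, _ := aes.NewCipher(key256)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize()) // constructed fixed nonce: never reuse one with a real key
	frame := bytes.Repeat([]byte("SAME 16B FRAME! "), 2)
	ct := gcm.Seal(nil, nonce, frame, nil)
	patternHidden = !bytes.Equal(ct[:16], ct[16:32])
	ct[0] ^= 0x01 // simulate one corrupted byte in transit
	_, err := gcm.Open(nil, nonce, ct, nil)
	tamperDetected = err != nil
	return patternHidden, tamperDetected
}

func main() {
	fmt.Println("ECB repeats blocks:", ecbLeaksPattern([]byte("0123456789abcdef")))
	fmt.Println(gcmHidesPattern([]byte("0123456789abcdef0123456789abcdef")))
}
```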
8. Apple and Google unveil a contact tracing framework
EFF published a detailed analysis of the Exposure Notification system that Apple and Google announced to support COVID-19 contact tracing. The framework used rotating Bluetooth identifiers and on-device storage, though EFF flagged risks of re-identification and function creep.
9. Apple responds to Senate concerns about its COVID-19 app
Apple replied to four senators who had questioned how its coronavirus screening tools handled health data. The company said it collected only non-identifying usage data, did not share it with third parties, and encrypted submissions in transit.
10. Senator says Apple and Google must prove tracing is private
Senator Richard Blumenthal said Apple and Google had a lot of work to do to convince a sceptical public that their contact tracing system was secure. His comments reflected wider unease about handing pandemic surveillance to two technology giants.
11. India's Aarogya Setu tracing app becomes effectively mandatory
India's contact tracing app was promoted as voluntary, yet employers, delivery platforms, and housing complexes began requiring it for daily life. Privacy advocates warned of broad data collection, no governing privacy law, and parallels with the Aadhaar identity scheme.
12. Israel's top court reins in Shin Bet virus surveillance
Israel's High Court ruled that the Shin Bet security agency could not keep tracking the phones of coronavirus patients unless the practice was written into law. The justices said the programme severely violated the constitutional right to privacy.
13. EDPB issues guidelines on location data and contact tracing
The European Data Protection Board adopted guidelines on using location data and contact tracing tools during the pandemic. The board stressed that such apps should be voluntary, rely on proximity rather than movement, and minimise the data they collect.
14. EFF sets out how to judge new surveillance powers
EFF published a framework for evaluating government demands for new surveillance powers during the crisis. It urged officials to prove efficacy and proportionality and to build in safeguards such as data minimisation and expiry dates.
15. Schneier surveys global surveillance in the wake of COVID-19
Bruce Schneier catalogued how around thirty countries had deployed digital surveillance to fight the pandemic. He warned that smartphone location tracking and similar tools, once introduced, tend to outlast the emergency that justified them.
16. Nintendo confirms 160,000 accounts were breached
Nintendo confirmed that attackers had abused a legacy login system to break into about 160,000 accounts since the start of the month. The intruders reached stored payment details and made fraudulent purchases before passwords were reset.
17. Webkinz children's game leaks 23 million credentials
A hacker exploited a SQL injection flaw in the Webkinz World children's game and leaked nearly 23 million usernames and passwords. The passwords were hashed, and no payment or contact information was included in the dump.
18. Italian provider Email.it breached, 600,000 users for sale
The Italian email provider Email.it disclosed a breach after a group put the data of about 600,000 users up for sale on the dark web. The exposed records reportedly included usernames, plain text passwords, security questions, and stored messages.
19. Cognizant confirms a Maze ransomware attack
The IT consulting giant Cognizant confirmed that a Maze ransomware attack had disrupted services for some of its clients. The operators behind Maze were known for stealing data before encryption, and Cognizant later warned that personal information may have been taken.
20. New IRS portal could let thieves intercept stimulus payments
Brian Krebs reported that the new IRS portal for non-filers asked only for data that is widely available on cybercrime markets. He warned that thieves could use stolen names, dates of birth, and Social Security numbers to redirect other people's stimulus payments.