Privacy Roundup #0168 • July 2020
July 2020 saw Europe's top court tear down the EU and US data deal while a string of breaches, ransomware raids and surveillance fights laid bare how exposed personal data had become.
1. EU court strikes down the Privacy Shield over US surveillance
On 16 July the Court of Justice of the European Union invalidated the EU and US Privacy Shield, ruling that American mass surveillance left transatlantic transfers without adequate protection. The Schrems II judgment forced thousands of companies to rethink how they move European personal data across the Atlantic.
2. Hackers seize 130 Twitter accounts in an audacious phishing raid
On 15 July attackers used phone spear phishing against Twitter staff to hijack 130 accounts, including those of Barack Obama, Joe Biden and Elon Musk, to push a Bitcoin scam. The intruders also reached the direct messages of several victims, exposing how fragile the platform's internal controls were.
3. Police crack EncroChat and arrest hundreds across Europe
French investigators penetrated the EncroChat encrypted phone network and read more than a hundred million messages, leading to over 800 arrests across Europe in early July. The operation reignited debate over the legality of mass interception and the use of such evidence in court.
4. United Kingdom bans Huawei from its 5G network
On 14 July the British government reversed course and barred telecoms operators from buying Huawei 5G equipment, ordering its removal by 2027. Ministers cited national security and the effect of US sanctions on the company's supply chain.
5. Garmin knocked offline by WastedLocker ransomware
A ransomware attack on 23 July took down Garmin Connect, the company's website, call centres and email for days. The WastedLocker strain, linked to the Russian group Evil Corp, reportedly carried a ten million dollar ransom demand.
6. Hacker dumps 386 million records from eighteen companies
From 21 July the threat actor ShinyHunters began posting databases containing more than 386 million user records on a hacker forum for free. The haul drew together credentials and personal details stolen from a wide spread of online services.
7. Wattpad breach exposes 270 million user records
A database holding more than 270 million Wattpad records surfaced for sale in mid July before being offered for free. The trove included usernames, email addresses, hashed passwords, dates of birth and geographic location.
8. LiveAuctioneers confirms breach of 3.4 million accounts
The online auction marketplace disclosed a breach on 11 July after a broker put 3.4 million user records up for sale. The stolen data covered email addresses, names, phone numbers, addresses and cracked passwords.
9. EARN IT Act advances and still threatens encryption
On 2 July the Senate Judiciary Committee sent an amended EARN IT Act to the Senate floor. The Electronic Frontier Foundation warned that the bill still pressured services to weaken end-to-end encryption under the banner of fighting child abuse.
10. GEDmatch breach exposes a million DNA profiles to police
On 19 and 20 July a security breach at the genealogy site GEDmatch reset user permissions, briefly making more than a million DNA profiles searchable by law enforcement. Users who had opted out of police matching found their data suddenly available, raising sharp questions about genetic privacy.
11. BlueLeaks exposes the personal data of 700,000 police officers
A hack of 251 law enforcement websites spilled names, ranks, home addresses and password hashes for roughly 700,000 officers. The 269 gigabyte cache, published by Distributed Denial of Secrets, was drawn from fusion centres across the United States.
12. Details of 142 million MGM hotel guests offered for sale
On 15 July researchers found a dark web listing offering records on 142 million former MGM Resorts guests for about 2,900 dollars. The leak, far larger than the breach first disclosed in February, included contact details for celebrities and government officials.
13. United Kingdom admits NHS Test and Trace broke data protection law
The Department of Health and Social Care conceded that it had launched NHS Test and Trace without completing a legally required data protection impact assessment. The admission, reported on 20 July, followed pressure from the Open Rights Group over the scheme's handling of personal data.
14. EFF launches the Atlas of Surveillance
On 13 July the Electronic Frontier Foundation released a searchable database mapping the surveillance technology used by thousands of police agencies. The Atlas of Surveillance let people check whether their local force used facial recognition, drones, licence plate readers and similar tools.
15. Clearview AI pulls out of Canada amid privacy investigation
On 6 July Canada's privacy authorities announced that Clearview AI would stop offering its facial recognition service in the country. The company suspended its last Canadian contract, with the Royal Canadian Mounted Police, while regulators continued their joint inquiry.
16. Blackbaud discloses a ransomware breach affecting universities and charities
On 16 July the fundraising software firm Blackbaud began telling customers that attackers had stolen a copy of donor and constituent data in a May ransomware attack. The company admitted it had paid the ransom in exchange for assurances that the stolen files were destroyed, leaving universities and charities across Britain, the United States and Canada to warn affected supporters.
17. Regulators warn Google could abuse Fitbit data
As the Google and Fitbit deal came under European scrutiny in July, regulators pressed the company over whether merging health data with its advertising empire would harm competition and privacy. Privacy International and a coalition of advocacy groups urged officials to block or constrain the takeover.
18. Promo.com discloses breach of 22 million records
The marketing video platform Promo.com confirmed on 27 July that 22 million user records had leaked online. The exposed data included names, email addresses, gender, location and a batch of hashed passwords, many of which had already been cracked.
19. Fintech app Dave breached through a third party
The personal finance app Dave disclosed that a breach at a former service provider exposed 7.5 million user records, which were dumped on a hacker forum on 24 July. The stolen data covered names, email addresses, birth dates, addresses and hashed passwords.
20. Alcohol delivery service Drizly confirms a breach of 2.5 million accounts
The startup Drizly confirmed on 28 July that hackers had taken data on about 2.5 million customers, which surfaced for free on a hacker forum. The stolen records held email addresses, dates of birth, delivery addresses and hashed passwords.