Privacy Roundup #0169 • August 2020
August 2020 was dominated by ransomware crews leaking stolen corporate files, regulators and courts pushing back on facial recognition and cloud security, and governments turning surveillance and app bans on their own citizens.
1. Garmin reportedly paid a multi-million dollar ransom to Evil Corp
Reports confirmed that Garmin paid attackers behind the WastedLocker ransomware to recover from an attack that knocked out its fitness, aviation and support services. The strain is tied to Evil Corp, a sanctioned Russian group, raising questions about the legality of the payment.
2. Twitter warned of a possible FTC fine over misused security data
Twitter disclosed that the FTC had sent a draft complaint alleging it broke a 2011 consent order. Regulators said the company took phone numbers and email addresses given for account security and used them to target advertising between 2013 and 2019.
3. Canon confirmed a ransomware attack in an internal memo
Canon told staff that a wide outage across email, Teams and other systems had been caused by ransomware. The Maze gang claimed it had stolen roughly ten terabytes of data before encrypting the company's network.
4. Capital One was fined 80 million dollars over its 2019 breach
The Office of the Comptroller of the Currency assessed an 80 million dollar penalty against Capital One for the breach that exposed the data of more than 100 million people. Regulators found the bank failed to manage the security risks of moving its systems to the public cloud.
5. Trump signed an executive order targeting TikTok over data fears
President Trump signed an order that would effectively ban TikTok in the United States unless it was sold by its Chinese owner ByteDance. The order claimed the app's data collection could give the Chinese government access to Americans' personal information.
6. A US contractor was found embedding tracking software in hundreds of apps
The Wall Street Journal reported that Anomaly Six, a firm with defence and intelligence ties, drew location data from more than 500 mobile apps. Its software development kit let it track hundreds of millions of phones around the world without users' knowledge.
7. Belarus shut down the internet during disputed election protests
Following the contested presidential election, Belarusian authorities throttled and blocked mobile internet for days as protests spread. The government blamed foreign attacks, but independent monitors attributed the disruptions to deliberate state interference and online censorship.
8. A UK court ruled South Wales Police facial recognition was unlawful
The Court of Appeal found that South Wales Police's use of automated facial recognition breached privacy rights, data protection law and equality duties. The judges said officers had too much discretion over watchlists and camera locations, with no clear legal framework.
9. A class action accused Instagram of harvesting biometric data
An Illinois user sued Facebook and Instagram, alleging the app collected and shared facial recognition data without consent under the state's biometric privacy law. The complaint sought statutory damages that, across the potential class, could in theory reach hundreds of billions of dollars.
10. England scrapped an exam algorithm that downgraded poorer pupils
After A-level results were issued, an Ofqual algorithm downgraded nearly two in five grades below teacher predictions, hitting students at less advantaged schools hardest. Following protests over the automated profiling, the regulator abandoned the model and reverted to teacher assessments.
11. Carnival disclosed a ransomware attack on its systems
The cruise giant Carnival reported in a regulatory filing that ransomware had accessed and encrypted part of one brand's technology systems. The company said the attackers also downloaded files, putting guest and employee personal data at risk.
12. Experian exposed the data of 24 million South Africans
The credit bureau handed over personal records on around 24 million people and nearly 800,000 businesses to a fraudster posing as a client. Experian admitted it had verified the supposed customer only through a basic online check before releasing the data.
→ www.infosecurity-magazine.com
13. The University of Utah paid 457,000 dollars to ransomware attackers
The university paid attackers to stop them publishing data stolen from its College of Social and Behavioral Science. Although it had backups, it chose to pay because the stolen files contained sensitive student and employee information.
14. TikTok sued the US government over the Trump ban
TikTok filed suit against the Trump administration, arguing the executive order was unconstitutional and ignored its efforts to protect user data. The company said the order denied it due process and rested on unsupported national security claims.
15. A former Cisco engineer admitted deleting 16,000 WebEx accounts
A former Cisco engineer pleaded guilty to accessing the company's cloud systems months after resigning and wiping thousands of WebEx Teams accounts. The intrusion also destroyed hundreds of virtual machines and disrupted the conferencing service for many users.
16. Freepik disclosed a breach of 8.3 million user records
The image site Freepik said an SQL injection attack against its Flaticon service exposed the email addresses of 8.3 million users. Millions of those accounts also had hashed passwords stolen, with some protected only by the weak MD5 algorithm.
17. Maze published stolen data from LG and Xerox
The Maze ransomware gang leaked large troves of internal files from LG and Xerox after the firms refused to pay. The dump included product source code from LG and customer support and employee data from Xerox.
18. EFF warned that proctoring apps subject students to needless surveillance
The Electronic Frontier Foundation said the surge in remote exam proctoring software was forcing students to accept invasive monitoring. The tools collect biometric data and watch faces and movements for supposed signs of cheating, often with little transparency.
19. Bruce Schneier flagged an insecure smart lock that leaked access keys
Schneier highlighted a flaw in the UltraLoq smart lock that let an attacker recover the access key. By sniffing the device's Bluetooth address, a nearby intruder could obtain the credential needed to open the door.
20. Oracle and Salesforce were hit with GDPR class actions over cookie tracking
A privacy group filed mass claims in the Netherlands and the United Kingdom accusing Oracle and Salesforce of breaching GDPR through their BlueKai and Krux tracking cookies. The litigants argued that real-time advertising auctions cannot be reconciled with European consent rules and sought damages that could exceed ten billion euros.