Privacy Roundup #0170 • September 2020

September 2020 brought courtroom defeats for mass surveillance and the Trump app bans, a wave of insider and misconfiguration breaches, and the first death linked to a hospital ransomware attack.

1. NSA bulk phone records collection ruled illegal by appeals court

The Ninth Circuit Court of Appeals held that the National Security Agency's mass collection of telephone metadata violated the Foreign Intelligence Surveillance Act and was possibly unconstitutional. The ruling vindicated the surveillance exposed by Edward Snowden in 2013, although the judges still upheld the convictions of the four men who had challenged the programme.

techcrunch.com

2. Apple delays its iOS 14 anti-tracking opt-in until early 2021

Apple postponed the App Tracking Transparency requirement that would have forced every app to ask permission before tracking users through the advertising identifier. The reprieve handed Facebook, Snapchat and the wider advertising industry several more months to adjust their data collection practices.

variety.com

3. Warner Music discloses a months-long card-skimming attack on its stores

The record label conglomerate told customers that hackers had planted skimming code on its US e-commerce sites and harvested payment details between late April and early August. Names, card numbers, expiry dates and security codes were among the data exposed before the company spotted the intrusion.

www.securityweek.com

4. Portland passes the strictest facial recognition ban in the country

Portland's city council voted unanimously to bar both municipal bureaus and, from January 2021, private businesses from using facial recognition in public spaces. The measure made Portland the first jurisdiction in the United States to forbid commercial use of the technology in stores, restaurants and hotels.

techcrunch.com

5. Ireland's regulator moves to halt Facebook's EU to US data transfers

The Irish Data Protection Commission issued a preliminary order telling Facebook to suspend transfers of European user data to the United States in the wake of the Schrems II judgment. Facebook responded by launching a High Court challenge, and the dispute threatened a fine of up to four per cent of global turnover.

www.cnbc.com

6. Razer leak exposes the personal data of around 100,000 customers

A misconfigured Elasticsearch server left names, email addresses, phone numbers and shipping details from the gaming hardware company's online store openly accessible. The researcher who found the database said it took Razer more than three weeks to secure it after he reported the exposure.

www.bleepingcomputer.com

7. Leaked Zhenhua database details 2.4 million influential people worldwide

A cache from the Chinese firm Shenzhen Zhenhua revealed an "Overseas Key Information Database" profiling politicians, officials and their families across many countries. While much of the material was scraped from public sources, researchers estimated that ten to twenty per cent came from places that were not publicly available.

www.theregister.com

8. Facebook sued over claims Instagram spies through phone cameras

An Instagram user filed suit in San Francisco alleging that the app accessed iPhone cameras even when they were not in use, in order to harvest valuable data. Facebook denied the accusation and blamed a bug for the camera notifications that had triggered the complaint.

www.bloomberg.com

9. Federal judge blocks the Trump administration's WeChat ban

A magistrate judge in California halted the order that would have removed WeChat from app stores, citing serious First Amendment questions raised by the app's users. The decision came just before the ban was due to take effect and dealt an early blow to the government's campaign against Chinese apps.

www.npr.org

10. Patient dies after ransomware cripples a German hospital

A ransomware attack disabled systems at Düsseldorf University Hospital, forcing a critically ill woman to be diverted to a more distant facility where she later died. Prosecutors opened a negligent homicide inquiry in what was reported as the first death directly linked to a cyberattack.

www.technologyreview.com

11. Shopify discloses an insider breach affecting around 200 merchants

The e-commerce platform said two members of its support team had improperly accessed and stolen customer records, including names, email addresses and order details. Shopify cut off the employees' access and referred the matter to the FBI for a criminal investigation.

www.cybersecuritydive.com

12. Federal judge blocks the TikTok app store ban hours before it took effect

A judge in Washington granted a preliminary injunction halting the order that would have pulled TikTok from American app stores at midnight. The court found the company likely to succeed on the merits, marking the second judicial setback for the administration's app crackdown that month.

www.npr.org

13. Google removes seventeen apps carrying the Joker billing fraud malware

Researchers found a fresh wave of Joker-infected apps on the Play Store that signed victims up to premium services and harvested text messages and contacts. Google pulled the offending utilities, scanners and messaging tools, which had together been downloaded around 120,000 times.

www.itpro.com

14. Ryuk ransomware knocks out Universal Health Services hospitals nationwide

One of the largest hospital operators in the United States was hit by a countrywide ransomware attack that forced staff back to pen and paper across hundreds of facilities. Some hospitals diverted ambulances and relocated patients awaiting surgery while systems were offline.

www.bleepingcomputer.com

15. Activision faces claims that half a million Call of Duty accounts were hacked

Reports circulated that more than 500,000 player accounts had been compromised through reused passwords, with attackers locking owners out by changing email addresses. Activision disputed the claims of a breach, but the episode underlined how the platform lacked easy two-factor protection for its accounts.

www.dexerto.com

16. CISA orders federal agencies to patch the Zerologon flaw within days

The Cybersecurity and Infrastructure Security Agency issued a rare emergency directive demanding that agencies fix the critical Netlogon vulnerability by midnight on 21 September. The flaw carried the maximum severity score because it let an attacker on a network seize complete control of a Windows domain in seconds.

www.theregister.com

17. Encrypted email provider Tutanota weathers a run of DDoS attacks

The privacy-focused German email service was knocked offline repeatedly through September as attackers flooded its website and later its DNS providers. The company declined to hand its encryption keys to commercial mitigation firms, and an aggressive block of malicious traffic briefly shut out legitimate users as well.

www.theregister.com

18. Homeland Security stops compiling intelligence reports on journalists

The acting secretary of Homeland Security ordered the department's intelligence office to halt collection on members of the press after it had circulated dossiers summarising reporters' tweets. The reversal followed disclosures that analysts had profiled two journalists who published leaked documents about the agency's operations in Portland.

thehill.com

19. EFF warns that COVID-era workplace monitoring threatens worker privacy

The Electronic Frontier Foundation documented how employers were buying repurposed surveillance tools, from camera-based distancing software to occupancy sensors, in the name of pandemic safety. The group cautioned that much of this equipment tracks staff without consent and risks outlasting the health emergency that justified it.

www.eff.org

20. EFF shows how private donors quietly fund police surveillance technology

The Electronic Frontier Foundation traced how grants from businesses and federal programmes let police acquire cameras and tracking gear without public debate or council approval. The group argued that this funding model sidesteps the oversight that communities would otherwise demand before such tools were deployed.

www.eff.org
