Privacy Roundup #0171 • October 2020
October 2020 brought record regulatory fines, the brutal extortion of therapy patients, election-eve botnet takedowns, and a steady run of breaches that exposed how fragile personal data remained.
1. UK's ICO reduces British Airways data breach fine to £20M, after originally setting it at £184M
On 16 October the UK Information Commissioner's Office issued a £20m penalty over a 2018 cyberattack that exposed the data of more than 400,000 British Airways customers. The fine was a fraction of the £184m the regulator had first proposed, reduced for mitigation and the economic effect of the pandemic.
2. Marriott fined £18.4m over the Starwood megabreach
On 30 October the ICO penalised Marriott for a breach that compromised 339 million guest records worldwide. The regulator cut the fine from a proposed £99m, citing the hotel chain's cooperation and the economic effect of Covid-19.
3. Finnish therapy patients extorted after Vastaamo breach
Hackers stole the session notes of tens of thousands of psychotherapy patients from the Finnish clinic Vastaamo, a theft that surfaced publicly in late October. The attackers then emailed individual patients, demanding bitcoin payments to stop their private records being published.
4. Justice Department sues Google over search monopoly
On 20 October the US Department of Justice and eleven states filed a landmark antitrust lawsuit against Google. The complaint argued that the company spent billions to lock in default search deals, entrenching its grip over the data of millions of users.
5. Zoom launches end-to-end encryption for free meetings, with a catch
On 27 October Zoom began rolling out end-to-end encryption as a technical preview, extending the protection to free accounts as well as paid ones. The feature disabled several conveniences and required free users to verify a phone number, a trade-off the company defended as abuse prevention.
6. H&M fined €35m for spying on warehouse staff
On 1 October the Hamburg data protection authority penalised the retailer H&M for keeping extensive records of employees' private lives. Managers had logged details of holidays, illnesses, and family troubles, building profiles used in employment decisions.
7. Payment cards stolen from Dickey's Barbecue restaurants
On 15 October Krebs on Security reported that more than three million stolen payment cards traced to the Dickey's Barbecue chain had surfaced on a carding marketplace. The theft spanned roughly 156 locations and persisted for over a year because many sites still relied on magnetic stripe readers.
8. Barnes & Noble hit by cyberattack that exposed customer data
The bookseller told customers in mid-October that an intrusion on 10 October had exposed email addresses, billing and shipping details, and purchase histories. The breach bore the hallmarks of a ransomware attack, striking over a weekend and forcing the restoration of servers from backup.
9. Broadvoice leak exposes 350 million records and voicemail transcripts
A researcher found an unsecured Broadvoice database cluster, reported on 15 October, holding the records of more than 350 million customers. One collection contained transcribed voicemails revealing medical prescriptions and financial details.
10. US Cyber Command behind the Trickbot disruption
On 10 October Krebs on Security reported that the US military was behind an operation to cripple Trickbot, a malware network used to spread ransomware. The effort sought to protect the coming presidential election, though the criminals kept much of their stolen data and resumed work.
11. Microsoft wins court order to take down the Trickbot botnet
On 12 October Microsoft announced a court-ordered operation, run with industry partners, to dismantle the Trickbot infrastructure that had infected more than a million machines. The company framed the action as protecting the integrity of the upcoming US elections against ransomware.
12. NSA names 25 vulnerabilities actively abused by Chinese hackers
On 20 October the National Security Agency published an advisory listing 25 software flaws that Chinese state actors were actively exploiting. The agency warned that the bugs gave attackers footholds for stealing intellectual property and government data.
13. Software AG hit with a $23 million ransom by Clop ransomware
The German software giant disclosed in early October that the Clop gang had breached its internal network on 3 October and demanded around $23m. The attackers stole roughly a terabyte of data; the company refused to pay, and files were later leaked.
14. London Borough of Hackney suffers a serious cyberattack
On 13 October the council disclosed a serious cyberattack that disrupted many of its services and IT systems. The Pysa gang later published residents' sensitive records, including health, ethnicity, and criminal data, on the dark web.
15. Massive Nitro data breach impacts Microsoft, Google, Apple and more
On 26 October researchers reported that a threat actor was selling a database stolen from the document firm Nitro Software, containing some 70 million user records. The trove also held a terabyte of documents whose titles exposed financial reports, mergers, and non-disclosure agreements belonging to major corporations.
16. Robinhood hack infiltrates almost 2,000 accounts
On 15 October Bloomberg reported that hackers had broken into nearly 2,000 Robinhood accounts and drained funds from some of them. Many victims could not reach the firm because it offered no customer support phone line, leaving them watching their money disappear.
17. Chowbus delivery service breached and hacker emails data to users
On 6 October BleepingComputer reported that an intruder had compromised the food delivery app Chowbus and emailed the stolen data directly to its customers. The leaked databases held the names, addresses, and phone numbers of more than 800,000 users.
18. Amazon fires an employee for leaking customer emails
In late October Amazon told customers that it had dismissed a worker who disclosed their email addresses to an outside party. The company referred the employee to law enforcement but declined to say how many people had been affected.
19. FBI details Iran's fake Proud Boys voter intimidation emails
On 30 October the FBI shared technical findings on a campaign in which Iranian actors posed as the Proud Boys and sent threatening emails to voters. Officials confirmed the attackers had obtained voter registration data and used it to target Democrats in several states.
20. TikTok stars got a judge to block Trump's TikTok ban
On 30 October a federal judge in Pennsylvania granted a preliminary injunction against the order that would have removed TikTok from US app stores. The case was brought by creators who argued that the ban would cut them off from millions of followers and their livelihoods.