Privacy Roundup #0172 • November 2020

November 2020 paired a wave of breach disclosures and ransomware with landmark votes and regulatory action on consumer privacy, location data and encryption.

1. Maze ransomware gang announces it is shutting down

The operators behind Maze, the crew that pioneered the double extortion tactic of stealing data before encrypting it, posted a message on 2 November declaring an end to their operation. Maze had spent the year publishing victims' files when ransoms went unpaid, and its closure marked the retirement of one of the most damaging extortion brands of the era.

techcrunch.com

2. California voters approve Proposition 24 and the Privacy Rights Act

On 3 November Californians passed Proposition 24, enacting the California Privacy Rights Act and expanding the consumer protections of the earlier CCPA. The measure created a dedicated California Privacy Protection Agency and gave residents new rights over sensitive personal information such as precise location, race and health data.

fpf.org

3. Jackson police pilot a programme to live-stream Amazon Ring cameras

The Electronic Frontier Foundation revealed that police in Jackson, Mississippi planned a 45 day pilot to pipe residents' Ring doorbell feeds directly into a real time crime centre. Critics warned that the scheme would create a round the clock surveillance network without warrants or community oversight, even capturing people who had not opted in.

www.eff.org

4. Folksam leaks the data of one million Swedes to Big Tech

Sweden's largest insurer, Folksam, disclosed on 4 November that an internal audit had found it was sharing the personal data of around one million customers with Facebook, Google, Microsoft and LinkedIn. The leaked details included social security numbers and the fact that some customers had bought pregnancy insurance, and the company asked the recipients to delete the data.

www.bleepingcomputer.com

5. Portland, Maine votes to strengthen its facial recognition ban

Voters in Portland, Maine approved a referendum that barred the city and its officials from using or authorising facial surveillance software on members of the public. The measure went further than most municipal bans by giving residents the right to sue and to claim damages when facial recognition data was gathered or used unlawfully.

techcrunch.com

6. FTC settles with Zoom over deceptive encryption claims

On 9 November the Federal Trade Commission announced a settlement resolving allegations that Zoom had misled users by advertising end to end, 256 bit encryption it did not actually provide. The order required Zoom to build a comprehensive security programme and submit to independent audits every two years for the next two decades, though it carried no monetary penalty.

www.ftc.gov

7. Leaked EU Council draft seeks lawful access to encrypted messages

A draft Council of the European Union resolution titled "Security through encryption and security despite encryption" leaked in early November, reigniting fears of mandated backdoors. The text called for a "balance" between strong encryption and lawful access for authorities, which digital rights groups read as a threat to the end to end encryption used by Signal and WhatsApp.

techcrunch.com

8. German court slashes a 1&1 GDPR fine by ninety per cent

On 11 November the Regional Court of Bonn cut a 9.55 million euro fine against telecoms firm 1&1 to just 900,000 euros. The court accepted that the company had breached Article 32 but rejected the regulator's turnover based calculation model as disproportionate, in the first German ruling on how GDPR fines should be sized.

www.dataprotectionreport.com

9. Vertafore exposes the records of 27.7 million Texas drivers

Insurance software firm Vertafore disclosed that three data files holding information on 27.7 million Texas drivers had been left on an unsecured external storage service. The exposed records included driver licence numbers, names, dates of birth and addresses, and the company blamed human error for storing the files insecurely.

www.bankinfosecurity.com

10. Capcom confirms gamers' data stolen in Ragnar Locker attack

Games publisher Capcom confirmed on 16 November that a Ragnar Locker ransomware attack had compromised personal data, contradicting its earlier claim that no customer information was affected. The attackers said they had stolen a terabyte of files, and Capcom later assessed that names, addresses, phone numbers and email addresses for thousands of people had been exposed.

www.bleepingcomputer.com

11. Animal Jam children's game breach exposes 46 million accounts

WildWorks, the studio behind children's virtual world Animal Jam, learned on 11 November that some 46 million account records had been posted on a hacker forum. The stolen data included around seven million parent email addresses, player usernames, encrypted passwords and birth years entered by young children at sign up.

techcrunch.com

12. Muslim Pro cuts ties with data broker selling location to the military

A Motherboard investigation published on 17 November found that the prayer app Muslim Pro had been feeding granular location data to broker X-Mode, which in turn sold it to United States military contractors. Following the report the app announced it was immediately terminating its relationships with X-Mode and other data partners.

www.vice.com

13. Cit0day collection of 23,000 breached sites dumped online

In mid-November a vast collection known as Cit0day, assembled from more than 23,000 hacked websites, was made available for free download on hacking forums. Security researcher Troy Hunt verified that the trove held roughly 226 million unique email and password pairs, many from previously undisclosed breaches.

www.troyhunt.com

14. Manchester United hit by sophisticated cyberattack

On 20 November the football club Manchester United disclosed that sophisticated attackers had struck its internal network, forcing systems offline while the UK National Cyber Security Centre assisted. The club said it had no evidence that fan or customer personal data had been breached, but email and other services were disrupted for days.

www.darkreading.com

15. GoDaddy staff tricked into aiding attacks on cryptocurrency sites

Krebs on Security reported on 21 November that fraudsters had socially engineered GoDaddy employees into handing over control of domains belonging to cryptocurrency platforms including Liquid and NiceHash. The attackers redirected email and web traffic and then tried to reset passwords on third party services such as Slack and GitHub.

krebsonsecurity.com

16. More than 300,000 Spotify accounts hijacked in credential stuffing

Researchers uncovered an exposed database of around 380 million login records being used to break into Spotify accounts through credential stuffing. The attack, reported on 24 November, is believed to have compromised between 300,000 and 350,000 accounts by reusing passwords leaked from other services.

www.bleepingcomputer.com

17. Event platform Peatix breached, 6.7 million users put up for sale

Event organising service Peatix disclosed a breach in which the records of up to 6.77 million users were offered for sale online. The stolen data included full names, usernames, email addresses and hashed passwords, and was advertised across Instagram stories, Telegram channels and hacking forums.

siliconangle.com

18. Home Depot agrees a 17.5 million dollar multistate breach settlement

On 24 November Home Depot agreed to pay 17.5 million dollars to settle a multistate investigation into its 2014 breach, which exposed the payment card data of 40 million customers. The retailer also committed to appointing a chief information security officer and to adopting encryption, multi-factor authentication and other safeguards.

www.cybersecuritydive.com

19. BigBasket confirms breach exposing 20 million customer records

Indian online grocer BigBasket confirmed in November that it had suffered a breach after the details of more than 20 million users surfaced for sale on a hacking forum. The exposed data included names, email addresses, hashed passwords, phone numbers, addresses, dates of birth and login IP addresses.

www.bleepingcomputer.com

20. Mashable breach surfaces with 1.4 million email addresses

A breach of the technology news site Mashable surfaced publicly in November, exposing about 1.4 million unique email addresses. The leaked data, tied to a social sign in feature, also included names, genders, expired authentication tokens, physical locations and partial dates of birth.

haveibeenpwned.com
