Privacy Roundup #0173 • December 2020

December 2020 closed the year with the SolarWinds espionage disclosure, record European cookie fines, and fresh scrutiny of how Big Tech and governments hoard personal data.

1. FireEye discloses theft of its red team hacking tools

The security firm FireEye announced on 8 December that a state-backed attacker had broken into its network and stolen the offensive tools it uses to test client defences. The disclosure was the first public thread of what would soon unravel into a sprawling supply chain compromise.

techcrunch.com

2. SolarWinds Orion supply chain backdoor revealed

On 13 December FireEye and the United States government confirmed that attackers had laced SolarWinds Orion software updates with the SUNBURST backdoor, reaching roughly 18,000 customers. Multiple federal agencies, including the Treasury and Commerce departments, were found to have been breached for months.

krebsonsecurity.com

3. CISA orders agencies to disconnect SolarWinds Orion

The Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01 on 13 December, ordering federal bodies to power down affected Orion products at once. The directive underscored that the intrusion threatened the integrity of government networks across the country.

www.cisa.gov

4. France fines Google and Amazon over tracking cookies

The French regulator CNIL imposed a 100 million euro penalty on Google and a 35 million euro penalty on Amazon for placing advertising cookies without consent. The regulator found that both sites dropped trackers automatically and failed to explain how users could refuse them.

techcrunch.com

5. FTC orders nine platforms to detail their data practices

The Federal Trade Commission issued 6(b) orders to ByteDance, Facebook, Amazon, Snap, Twitter and others, demanding answers on how they gather and use personal information. The study placed particular weight on advertising, engagement and the treatment of children and teenagers.

techcrunch.com

6. FTC and states sue Facebook for illegal monopoly

The FTC and 48 attorneys general sued Facebook on 9 December, alleging it crushed rivals through its purchases of Instagram and WhatsApp. The complaint asked a court to consider forcing the company to divest both apps.

www.ftc.gov

7. European Commission proposes the Digital Services and Markets Acts

On 15 December the Commission published its draft Digital Services Act and Digital Markets Act, a sweeping rewrite of the rules for online platforms. The package aimed to curb the power of the largest gatekeepers and to set new transparency duties for content moderation.

www.eff.org

8. Apple rolls out privacy nutrition labels on the App Store

From 8 December Apple required every app listing to display a label summarising what data it collects and whether that data is used to track users. The labels exposed striking differences between rival messaging apps and advertising-heavy services.

www.axios.com

9. WhatsApp attacks Apple over the new privacy labels

WhatsApp publicly criticised Apple's label requirement on 9 December, calling it anti-competitive because Apple's own iMessage ships preinstalled and avoids the App Store process. The complaint highlighted how much more data Facebook-owned apps gathered than smaller rivals.

www.axios.com

10. Hacker dumps physical addresses of 270,000 Ledger owners

On 21 December a threat actor posted the full database from Ledger's earlier breach, exposing the names, postal addresses and phone numbers of more than 270,000 cryptocurrency wallet buyers. The leak fuelled a long wave of phishing and extortion against named holders.

www.bleepingcomputer.com

11. Apple and Google ban the X-Mode location data broker

Both firms told developers in early December to strip the X-Mode tracking kit from their apps or face removal from the stores. The move followed reporting that X-Mode sold granular location data to military and intelligence contractors.

www.engadget.com

12. ACLU sues DHS over secret purchases of location data

On 2 December the ACLU filed a Freedom of Information Act lawsuit demanding records on how Homeland Security agencies buy cellphone location data from brokers. The suit argued that the agencies were sidestepping the warrant requirement by purchasing what they could not lawfully seize.

www.aclu.org

13. Google forces out AI ethics researcher Timnit Gebru

Timnit Gebru, co-lead of Google's ethical AI team, said on 2 December that the company had pushed her out over a paper warning about the risks of large language models. The departure prompted thousands of staff and researchers to protest the firm's treatment of internal critics.

www.technologyreview.com

14. Citizen Lab finds dozens of journalists hit by NSO spyware

On 20 December Citizen Lab reported that at least 36 Al Jazeera staff had their iPhones infected by NSO Group's Pegasus through a zero-click iMessage exploit. The attacks, attributed to operators linked to Saudi Arabia and the United Arab Emirates, needed no action from the victims.

techcrunch.com

15. United States charges Zoom executive over China censorship

Federal prosecutors charged a China-based Zoom employee on 18 December with disrupting commemorations of the Tiananmen Square massacre at Beijing's request. The complaint said he handed Chinese authorities the names, emails and other details of users, including people outside China.

www.washingtonpost.com

16. Report says Huawei tested software to flag Uighur faces

The Washington Post reported on 8 December that Huawei had trialled facial recognition that could send an automated alarm to police when it identified a member of the Uighur minority. The finding drew on internal documents describing an ethnicity detection feature built into the camera systems.

www.washingtonpost.com

17. T-Mobile breach exposes phone numbers and call records

T-Mobile disclosed on 30 December that intruders had reached customer proprietary network information for around 200,000 subscribers. The exposed data included phone numbers and call records, the sort of metadata that maps who a person speaks to and when.

www.bleepingcomputer.com

18. EU Council adopts resolution pushing for lawful access to encryption

On 14 December the Council of the European Union adopted a resolution calling for state authorities to access encrypted content while claiming to oppose backdoors. Privacy advocates warned that the contradictory text laid the groundwork for future measures to weaken end-to-end encryption.

techcrunch.com

19. GoDaddy dangles a fake holiday bonus in a phishing test

GoDaddy emailed staff in mid-December promising a 650-dollar holiday bonus, then told the roughly 500 who responded that they had failed a phishing test. The stunt drew heavy criticism for harvesting hopes of a payout from employees during the pandemic.

www.engadget.com

20. Broker sells 368 million stolen records from 26 firms

On 31 December a data breach broker began selling roughly 368 million stolen user records drawn from 26 companies on a hacker forum. Eight of the listed firms had not previously disclosed any breach, leaving their customers unaware that their details were on sale.

www.bleepingcomputer.com
