Privacy Roundup #0175 • February 2021
February 2021 was dominated by the spreading Accellion file transfer breach, fresh rulings against facial recognition, and a wave of disclosures that showed how supply chain weaknesses keep leaking ordinary people's data.
1. Canadian privacy regulators rule Clearview AI's scraping illegal
Canada's federal and provincial privacy commissioners concluded that Clearview AI's harvesting of billions of facial images amounted to mass surveillance and broke Canadian law. They found the company had gathered sensitive biometric data without consent and demanded that it stop and delete the images of Canadians.
2. Washington State Auditor breach exposes 1.6 million unemployment claimants
The Office of the Washington State Auditor disclosed that hackers had stolen the personal data of about 1.6 million people through the Accellion file transfer appliance it used. The exposed records included names, Social Security numbers, and banking details belonging to unemployment benefit claimants.
3. Intruder tampers with chemical levels at a Florida water plant
An attacker gained remote access to the water treatment plant in Oldsmar, Florida, and briefly raised the dosing setting for sodium hydroxide to a dangerous concentration. A plant operator spotted the change as it happened and reversed it before the water supply was affected, but the incident showed how exposed industrial control systems remain.
4. SitePoint discloses breach traced to a compromised GitHub tool
The web development learning platform SitePoint admitted that attackers had stolen a database of more than one million members through a third party tool used to monitor its GitHub account. The stolen records held names, email addresses, dates of birth, IP addresses, and hashed passwords.
5. T-Mobile warns customers of SIM swap attacks on accounts
T-Mobile sent notices revealing that an attacker had used an internal application to target customer accounts in a series of SIM swap attacks. The intrusion exposed account information and PINs and let the attacker port numbers away from victims without their consent.
6. Singtel confirms 129,000 customers caught in Accellion breach
The Singapore telecoms group Singtel told customers that data had been exfiltrated from its Accellion file transfer system. The stolen information covered about 129,000 customers and included names, dates of birth, mobile numbers, and addresses, along with bank details of some former staff.
→ www.infosecurity-magazine.com
7. Stanford researchers find Clubhouse sending raw audio toward China
The Stanford Internet Observatory reported that the Clubhouse app relied on the Shanghai firm Agora and transmitted user identifiers in plaintext. Researchers warned that raw audio and room metadata could be exposed to a partner subject to Chinese government access.
8. Documents show LAPD asked for Ring footage of protests
The Electronic Frontier Foundation obtained emails revealing that the Los Angeles Police Department requested Amazon Ring camera video tied to the 2020 protests against police violence. The department declined to say what crime it was investigating, raising fears that home surveillance was being used to monitor protected speech.
9. Berlin court overturns a 14.5 million euro fine against Deutsche Wohnen
A Berlin court struck down the data protection fine imposed on the property company Deutsche Wohnen for retaining tenant data without a legal basis. The judges held that the penalty was invalid because the regulator had not named an individual employee responsible for the breach.
10. NurseryCam shuts down after a breach exposes parents' logins
The childcare camera service NurseryCam told parents it had suffered a breach and pulled its service offline. A researcher obtained the names, usernames, email addresses, and passwords of roughly 12,000 accounts, and the supposedly hashed passwords turned out to have been stored in plaintext.
11. Kroger reports Accellion breach hitting pharmacy and HR records
The grocery chain Kroger told customers and staff that the Accellion compromise had exposed pharmacy records and employee human resources data. The affected information included names, addresses, dates of birth, Social Security numbers, prescriptions, and medical history for hundreds of thousands of people.
12. Bombardier joins the list of Accellion breach victims
The Canadian aircraft maker Bombardier disclosed that it too had been caught in the Accellion file transfer breach. Attackers accessed a limited number of files and the stolen data was published on a leak site run by the criminals behind the campaign.
13. Myanmar coup brings internet shutdowns and expanded surveillance
After the military seized power on 1 February, the junta ordered internet blackouts and moved to control telecommunications across Myanmar. Within two weeks it amended the Electronic Transactions Law to create vague speech crimes and to widen state access to personal data.
14. Krebs reports the takedown of the ValidCC stolen card bazaar
Brian Krebs reported that ValidCC, a long running marketplace for payment card data stolen from hacked online stores, had abruptly shut down. For years the site had profited from selling card details skimmed from shoppers on compromised shops before its operators closed it.
15. Microsoft admits some Azure, Exchange, Intune source code snaffled in SolarWinds schemozzle
Microsoft disclosed that the SolarWinds intruders had reached its corporate network and viewed and downloaded a small subset of source code for Azure, Exchange, and Intune components. The company said no single product had all of its repositories accessed and that it found no evidence the attackers used its systems to strike others.
16. Australia passes its News Media Bargaining Code after Facebook's blackout
Australia passed the News Media Bargaining Code that forces large platforms to negotiate payments with news publishers. The law arrived after Facebook briefly blocked Australian news and provoked a wider debate about the power that platforms hold over information and user data.
17. Medical data of 500,000 French residents leaked online
The records of 491,840 patients drawn from around 30 medical laboratories in France appeared on a hacking forum after a dispute among the criminals trying to sell them. The exposed files held names, addresses, social security numbers, and sensitive details such as blood types, HIV status, and pregnancy results.
→ www.infosecurity-magazine.com
18. United States indicts North Korean hackers over 200 million dollar theft
The Department of Justice unsealed charges against three North Korean military hackers accused of stealing and extorting more than 200 million dollars. The campaign spanned bank heists, cryptocurrency thefts, and intrusions that compromised the data of victims worldwide.
19. Minneapolis bans its police department from using facial recognition software
The Minneapolis city council voted unanimously to forbid its police force from buying or using facial recognition technology, including the Clearview AI tool the department had relied upon. The ban arrived in the city that became a centre of racial justice protests after the killing of George Floyd.
20. CD PROJEKT RED gaming studio hit by ransomware attack
The Polish studio behind Cyberpunk 2077 and The Witcher confirmed that the HelloKitty ransomware group had breached its network, encrypted servers, and stolen source code and internal documents. The company refused to pay or negotiate and said the compromised systems did not contain personal data of its players.