Privacy Roundup #0176 • March 2021

March 2021 was dominated by the Microsoft Exchange mass hacking, a wave of ransomware breaches, and fresh fights over facial recognition, location brokers and browser tracking.

1. At least 30,000 US organisations hacked through Microsoft Exchange flaws

A Chinese state-backed group named Hafnium used four zero-day flaws in Microsoft Exchange to break into tens of thousands of email servers. The attackers planted web shells that gave them lasting administrative control over victim networks.

krebsonsecurity.com

2. Hackers expose live feeds from 150,000 Verkada surveillance cameras

A hacking collective broke into the cloud platform of camera maker Verkada and reached live feeds inside hospitals, schools, prisons and a Tesla factory. The intruders used an administrator password that had been left exposed online, and they argued the breach showed how pervasive and fragile video surveillance had become.

www.bloomberg.com

3. MobiKwik investigating data breach after 100M user records found online

A dark web seller claimed to hold roughly 8.2 terabytes of data on nearly 100 million users of the Indian payments app MobiKwik, including phone numbers, email addresses, encrypted passwords and partial card details. The company denied that its systems had been breached and questioned the authenticity of the data, even though the exposure also appeared to include know-your-customer (KYC) documents on millions of people.

techcrunch.com

4. EFF warns that Google's FLoC is a terrible idea

Google began testing FLoC, a system meant to sort browsers into behavioural groups so advertisers could target people without third-party cookies. The Electronic Frontier Foundation argued the scheme would enable fingerprinting and expose sensitive traits rather than protect privacy.

www.eff.org

5. Google says it will not build new trackers to follow individuals

Google announced that once it phased out third-party cookies in Chrome it would not create alternative identifiers to track people across the web. Privacy advocates noted that the pledge applied only to cross-site tracking and did not cover the vast data Google already gathers inside its own products.

www.cnbc.com

6. Apple and Google eject location data broker X-Mode from their app stores

Both companies banned the X-Mode software kit after reporting linked the broker to United States defence contractors. The EFF welcomed the move but argued the stores should expel every location broker rather than only the ones that attract bad press.

www.eff.org

7. Virginia signs the Consumer Data Protection Act into law

Governor Ralph Northam signed Virginia's Consumer Data Protection Act, making the state the second after California to pass a broad privacy statute. The law gives residents rights to access, correct and delete their data, but it lacks a private right of action and leaves enforcement to the attorney general.

iapp.org

8. Minneapolis bans government use of facial recognition

The Minneapolis City Council unanimously voted to bar city agencies, including the police, from acquiring or using facial recognition technology. The ordinance also stopped the city from buying access to such systems through third parties.

blog.tenthamendmentcenter.com

9. Immigrant rights groups sue Clearview AI in California

Mijente, NorCal Resist and four activists sued Clearview AI, arguing that its database of billions of scraped images violated Californians' privacy. The complaint said the surveillance tool fell hardest on immigrants and communities of colour.

edition.cnn.com

10. France's privacy watchdog opens an investigation into Clubhouse

The CNIL launched a probe into the audio app Clubhouse after a complaint and a petition that drew thousands of signatures. Regulators focused on how the app harvested users' phone contacts and handled recorded conversations.

techcrunch.com

11. REvil gang demands a record $50 million ransom from Acer

The computer maker Acer was hit by REvil ransomware, with the attackers demanding fifty million dollars in what was then the largest known ransom. Leaked screenshots showed financial spreadsheets and bank documents the gang claimed to have stolen.

www.bleepingcomputer.com

12. Sierra Wireless halts production after ransomware attack

The internet-of-things hardware maker Sierra Wireless disclosed a ransomware attack that forced it to stop production at its manufacturing sites. The company said the damage was confined to its internal systems and did not reach customer-facing products.

www.businesswire.com

13. Cyberattack shuts down Molson Coors brewing operations

The brewer Molson Coors disclosed a cybersecurity incident that disrupted production and shipments across its breweries. Industry sources told reporters the outage stemmed from a ransomware attack, though the company did not name the gang involved.

www.bleepingcomputer.com

14. Qualys caught up in the Accellion file transfer breach

The security firm Qualys confirmed that attackers had stolen data through vulnerable Accellion file transfer servers, joining a roster of victims that included law firms, universities and government bodies. The Clop extortion gang exploited the legacy appliance and posted stolen files to pressure victims.

www.schneier.com

15. Researchers expose tracking weaknesses in Apple's Find My network

A security analysis of Apple's Find My protocol revealed flaws in the crowdsourced system used to locate lost devices. The findings showed how the design could be abused to track people rather than simply recover hardware.

www.schneier.com

16. SMS hijacking lets attackers seize accounts for a few dollars

Reporting showed how cheap message-forwarding services could silently redirect a target's text messages to an attacker. The technique let attackers intercept one-time codes and take over online accounts that relied on SMS for security.

www.schneier.com

17. Security agency PDFs found leaking sensitive metadata

A study found that documents published by security and intelligence agencies still carried hidden metadata revealing software, usernames and internal details. The leftover data offered attackers and researchers clues that the agencies had not meant to publish.

www.schneier.com

18. CNA Financial hit by Phoenix CryptoLocker ransomware

The insurance giant CNA Financial suffered a ransomware attack that knocked systems offline and encrypted thousands of devices. The intruders entered through a fake browser update and later stole data on tens of thousands of people before deploying the ransomware.

www.bleepingcomputer.com

19. Fake "System Update" app hides powerful Android spyware

Researchers uncovered Android malware that masqueraded as a system update while secretly stealing messages, tracking location and recording audio. The spyware ran quietly in the background and exfiltrated data whenever the victim's phone connected to the internet.

www.schneier.com

20. Scholars Under Surveillance: How Campus Police Use High Tech to Spy on Students

The Electronic Frontier Foundation published an investigation documenting more than 250 surveillance technology purchases by over 200 universities across 37 states. The report showed campus police adopting body cameras, drones, facial recognition and gunshot detection in ways that threaten student privacy and academic freedom.

www.eff.org
