Privacy Roundup #0178 • May 2021

May 2021 was dominated by ransomware, with the Colonial Pipeline and Irish health service attacks driving new policy, alongside fresh fights over messaging data, mass surveillance and facial recognition.

1. Colonial Pipeline ransomware attack shuts a major US fuel line

A ransomware attack by the DarkSide group forced Colonial Pipeline to halt operations on 7 May, disrupting fuel supplies across the south-eastern United States. The company paid a ransom of roughly 4.4 million dollars in bitcoin, and the incident pushed cybercrime to the top of the national agenda.

krebsonsecurity.com

2. Scripps Health ransomware attack disrupts patient care

The San Diego healthcare provider Scripps Health was hit by a ransomware attack on 1 May that knocked out patient portals and forced staff back onto paper records for weeks. Ambulances were diverted from several hospitals, and the breach later proved to have exposed the data of more than 147,000 patients.

www.bleepingcomputer.com

3. Conti ransomware cripples Ireland's national health service

On 14 May the Health Service Executive of Ireland shut down all of its national IT systems after a Conti ransomware attack, the largest known attack on a health service computer system. Outpatient clinics were cancelled across the country, and the attackers later published confidential medical records of patients online.

www.bleepingcomputer.com

4. Biden signs an executive order to overhaul federal cybersecurity

President Biden signed Executive Order 14028 on 12 May, ordering federal agencies to move to zero-trust architecture and deploy multifactor authentication and encryption, and directing new software supply-chain standards, including software bills of materials for software sold to the government. The order had been drafted in the wake of the SolarWinds compromise and was signed days after the Colonial Pipeline attack.

www.cisa.gov

5. Germany orders Facebook to stop processing WhatsApp data

On 11 May the Hamburg data protection authority issued a three-month emergency order barring Facebook from processing German WhatsApp users' data under the new terms. The regulator said the change lacked a valid legal basis and pressed the European Data Protection Board to issue a binding ruling for the whole bloc.

techcrunch.com

6. WhatsApp's privacy policy deadline arrives amid Indian pushback

WhatsApp's controversial new privacy terms took effect on 15 May, although the company backed away from threats to delete the accounts of users who declined to accept them. India's Competition Commission warned the changes could lead to excessive data collection, and the government demanded a full rollback.

www.thequint.com

7. Europe's top human rights court rules UK mass surveillance unlawful

On 25 May the Grand Chamber of the European Court of Human Rights found that the United Kingdom's bulk interception regime violated the rights to privacy and free expression. The judgment in Big Brother Watch and Others v. the United Kingdom held that the GCHQ system lacked adequate end-to-end safeguards against abuse.

privacyinternational.org

8. Privacy campaigners file complaints across Europe against Clearview AI

On 27 May Privacy International and allied groups lodged legal complaints against Clearview AI with regulators in the United Kingdom, France, Italy, Greece and Austria. The complaints argued that the firm's scraping of billions of facial images to build its database had no lawful basis under European data protection law.

fortune.com

9. Report details Apple's data and censorship concessions in China

A New York Times investigation published on 17 May described how Apple stored Chinese iCloud data on state-linked servers and moved encryption keys into the country. Critics warned the arrangement made it far harder for Apple to keep the Chinese government from accessing residents' photos, emails and locations.

thehackernews.com

10. Air India says SITA breach hit 4.5 million passengers

On 23 May Air India confirmed that a breach at its technology supplier SITA had exposed the data of about 4.5 million passengers over a decade. The stolen records included names, dates of birth, passport details, contact information and credit card numbers, although card verification codes were not held.

techcrunch.com

11. DarkSide ransomware also strikes Toshiba's French unit

Toshiba Tec France Imaging Systems disclosed a ransomware attack carried out on the night of 4 May by the same DarkSide group that hit Colonial Pipeline. The attackers claimed to have stolen more than 740 gigabytes of business and personal data, although Toshiba said it had not paid any ransom.

www.cnbc.com

12. Peloton's leaky API exposed private rider account data

On 5 May TechCrunch reported that a flaw in Peloton's API let anyone query users' private account details from the company's servers without authentication, even for profiles set to private. The exposed fields included age, gender, location, weight and workout statistics, and Peloton had ignored the researcher's warning for months.

techcrunch.com

13. Rapid7 discloses exposure in the Codecov supply chain attack

On 18 May the security firm Rapid7 revealed that the Codecov supply chain compromise had let attackers access a subset of its source code repositories for internal tooling, which held some internal credentials and alert data for a subset of its managed detection customers. The disclosure followed similar admissions from other Codecov customers and underlined the wide blast radius of the tampered uploader script, which had been modified to exfiltrate CI environment variables.

www.securitymagazine.com

14. Facebook's Oversight Board upholds the suspension of Donald Trump

On 5 May the Facebook Oversight Board upheld the platform's suspension of Donald Trump's accounts following the Capitol riot, but criticised the open-ended penalty. The board sent the final decision back to Facebook and gave the company six months to set out clear rules governing such sanctions.

www.washingtonpost.com

15. Krebs warns that recycling a phone number can hand over your accounts

On 19 May Brian Krebs explained how recycled mobile numbers let strangers reset passwords and seize online accounts through SMS-based authentication. Researchers found that many numbers on offer from carriers were still tied to previous owners' banking, email and social media logins, posing an account-takeover as well as a privacy risk.

krebsonsecurity.com

16. Verizon sells Yahoo and AOL to private equity firm Apollo

On 3 May Verizon agreed to sell its media division, including Yahoo and AOL, to Apollo Global Management for about 5 billion dollars. The deal handed control of long-running web brands and the personal data of their many users to a private equity owner.

www.cnbc.com

17. DarkSide ransomware gang goes dark after its servers are seized

On 14 May Krebs reported that the DarkSide group claimed to be shutting down after losing access to its servers and a bitcoin wallet. The retreat followed intense law enforcement attention after the Colonial Pipeline attack, although researchers cautioned that such gangs often rebrand and return.

krebsonsecurity.com

18. Echelon's leaky API exposed exercise bike riders' account data

On 14 May TechCrunch reported that the Peloton rival Echelon had its own leaky API that exposed riders' account information. The flaw let outsiders pull users' names, locations and workout details, mirroring the Peloton bug disclosed days earlier and highlighting weak protections across connected fitness gear.

techcrunch.com
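
Both fitness-app stories (items 12 and 18) come down to the same bug class: an endpoint that looks a record up by id and returns it without asking who is calling or whether the profile is private. The following is an added example, not code from Peloton, Echelon or TechCrunch, showing that leaky pattern beside a hardened lookup; the user records, ids, the private flag and the follower list are all constructed for the demo.

```python
"""Added example (not Peloton's or Echelon's code): broken object-level
authorization beside a hardened profile lookup. All data is constructed."""
from typing import Optional

# Constructed sample profiles keyed by sequential numeric id.
USERS = {
    101: {"username": "alice", "age": 34, "gender": "f", "location": "Austin",
          "weight_kg": 62, "workouts": 87, "private": True},
    102: {"username": "bob", "age": 41, "gender": "m", "location": "Denver",
          "weight_kg": 80, "workouts": 12, "private": False},
    103: {"username": "carol", "age": 29, "gender": "f", "location": "Boston",
          "weight_kg": 58, "workouts": 240, "private": True},
}
FOLLOWERS = {101: {102}}                                  # alice approved bob
PUBLIC_FIELDS = {"username", "workouts"}                  # shown on a public profile
OWNER_ONLY = {"age", "gender", "location", "weight_kg"}   # never shared with others


def profile_vulnerable(user_id: int, requester: Optional[int] = None) -> dict:
    """The leaky pattern: look the record up by id and return every column.
    ``requester`` is accepted but never used, and the stored ``private``
    flag is never consulted, so an anonymous caller sees what the owner sees."""
    return dict(USERS[user_id])


def profile_hardened(user_id: int, requester: Optional[int]) -> Optional[dict]:
    """Object-level authorization: authenticate first, then decide per record
    what this caller may see. A forbidden id and a nonexistent id both map to
    None (an HTTP 404), so the endpoint cannot be used to enumerate ids."""
    if requester is None:
        raise PermissionError("authentication required")
    user = USERS.get(user_id)
    if user is None:
        return None
    if requester == user_id:
        return dict(user)                                 # owner sees everything
    if user["private"] and requester not in FOLLOWERS.get(user_id, set()):
        return None                                       # private: strangers see nothing
    # Public profile, or an approved follower: public columns only.
    return {k: v for k, v in user.items() if k in PUBLIC_FIELDS}


def harvest(fetch, ids, requester: Optional[int] = None) -> dict:
    """What a scraper does against sequential ids: call ``fetch`` for each id
    and keep any owner-only field that came back about someone else.
    Against the vulnerable handler every profile leaks; against the hardened
    one nothing does, whether the scraper is anonymous or logged in."""
    leaked = {}
    for uid in ids:
        if uid == requester:
            continue                                      # own profile is not a leak
        try:
            rec = fetch(uid, requester)
        except (KeyError, PermissionError):
            continue
        if rec:
            sensitive = {k: v for k, v in rec.items() if k in OWNER_ONLY}
            if sensitive:
                leaked[uid] = sensitive
    return leaked


if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable, anonymous:", harvest(profile_vulnerable, ids))
    print("hardened, anonymous:  ", harvest(profile_hardened, ids))
    print("hardened, as bob:     ", harvest(profile_hardened, ids, requester=102))
```

The check a reviewer wants on any "get object by id" endpoint is the second function's shape: authentication is required, the decision is made per record against the caller's identity, sensitive columns are never returned to anyone but the owner, and denied and missing ids are indistinguishable to the caller. Making the endpoint require a login without the per-record check, as Peloton first did, only changes who can run the harvest loop.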

19. Massachusetts sets statewide rules for police facial recognition

On 7 May NPR reported on Massachusetts' statewide rules, the first of their kind, that require police to obtain a court order before running a facial recognition search. The measure sought to curb unchecked use of the technology while stopping short of an outright ban.

www.npr.org

20. Klarna app bug logs users into strangers' accounts

On 27 May a faulty configuration change in the Klarna app briefly logged customers into other people's accounts, exposing names, addresses and stored payment details. The buy-now-pay-later firm pulled its app offline within half an hour and said the random mix-up had affected a fraction of its users.

www.bleepingcomputer.com

