Privacy Roundup #0180 • July 2021
July 2021 was dominated by the Pegasus Project, which exposed how government clients of NSO Group spyware targeted journalists, activists and world leaders, while record fines, supply-chain ransomware and a wave of breaches underlined how exposed ordinary people remain.
1. Leak uncovers global abuse of NSO Group's Pegasus spyware
A consortium of seventeen news organisations revealed that a leaked list of fifty thousand phone numbers pointed to widespread targeting of journalists, activists and politicians with NSO Group's Pegasus spyware. The reporting, coordinated by Forbidden Stories and Amnesty International, marked one of the largest surveillance exposés of the decade.
2. Pegasus found on the phones of Jamal Khashoggi's wife and fiancée
Forensic analysis showed that Pegasus had been placed on devices belonging to the wife and the fiancée of murdered journalist Jamal Khashoggi. The fiancée's iPhone was infected just four days after his killing, contradicting NSO Group's denials of any link to the case.
3. Rahul Gandhi among Indian opposition figures on the Pegasus list
The Wire reported that phone numbers used by opposition leader Rahul Gandhi, along with friends and aides, appeared on the leaked database of potential Pegasus targets. The selections clustered around the run-up to the 2019 general election, raising questions about surveillance of political rivals.
4. Hungarian journalists confirmed as Pegasus targets
Direkt36 reported that the phones of investigative journalists and critics of Viktor Orban's government had been infected with Pegasus. The findings made Hungary the first European Union member state shown to have deployed the spyware against the press.
5. Amazon Web Services cut off NSO Group's infrastructure
After the Pegasus revelations, Amazon Web Services said it had shut down infrastructure and accounts linked to NSO Group. The move denied the spyware vendor part of the cloud capacity it had used to support its operations.
6. Israeli authorities open an inquiry into NSO Group
Israel's Ministry of Defence said government representatives had visited NSO Group to examine the allegations of spyware abuse. The visit signalled that the Pegasus scandal had begun to draw scrutiny from the company's home government.
7. Kaseya supply-chain attack spreads REvil ransomware to thousands
The REvil gang exploited a flaw in Kaseya's VSA management software to push ransomware to managed service providers and their customers worldwide. Between eight hundred and fifteen hundred downstream businesses were affected, and the attackers demanded seventy million dollars.
8. Luxembourg hits Amazon with a record 746 million euro GDPR fine
Luxembourg's data protection authority imposed a fine of 746 million euros on Amazon over how it processed personal data for advertising. It was the largest penalty issued under the General Data Protection Regulation at the time, and Amazon said it would appeal.
9. United States and allies blame China for the Microsoft Exchange hack
The White House, joined by the European Union, NATO and other partners, formally attributed the mass exploitation of Microsoft Exchange servers to hackers tied to China's Ministry of State Security. Officials said the contractors involved had also engaged in ransomware and extortion for personal gain.
10. Saudi Aramco faces a 50 million dollar extortion over leaked data
Saudi Aramco confirmed that company data held by third-party contractors had been released, after an extortionist demanded fifty million dollars to delete a hoard of around one terabyte. The stolen files reportedly included employee records, passport scans and customer invoices.
11. Catholic official resigns after Grindr location data is used to track him
A senior official of the United States Conference of Catholic Bishops resigned after a newsletter said it had obtained commercially available app data linking his phone to Grindr and to gay bars. The case showed how readily so-called anonymous location data can be traced back to a single person.
12. EFF argues that data brokers are the problem
The Electronic Frontier Foundation argued that the priest tracking case exposed the broader danger of an unregulated data broker industry. It warned that claims of anonymised data are misleading and called for comprehensive privacy legislation in the United States.
13. Biden executive order links data collection to competition harms
President Biden signed a sweeping executive order on competition that singled out unfair data collection and surveillance by dominant platforms. It encouraged the Federal Trade Commission to begin rulemaking on privacy and to scrutinise the accumulation of data in mergers.
→ iapp.org
14. UC San Diego Health discloses a four-month phishing breach
UC San Diego Health said attackers had accessed employee email accounts through a phishing campaign, exposing data on patients, staff and students. The breach affected close to half a million people and included medical records, Social Security numbers and financial details.
15. Morgan Stanley reports a breach traced to the Accellion vendor hack
Morgan Stanley disclosed that customer data had been exposed after attackers compromised a third-party vendor through the ageing Accellion file transfer appliance. The leaked information included names, addresses, dates of birth and Social Security numbers.
16. Guntrader breach spills the details of 111,000 UK firearms buyers
A database from the UK firearms marketplace Guntrader was stolen and posted online, exposing the records of around 111,000 users. The leak included names, addresses and precise geographic coordinates, raising fears that criminals could target gun owners at home.
17. Facebook disrupts an Iranian group targeting military personnel
Facebook removed roughly two hundred accounts run by an Iranian espionage group known as Tortoiseshell that had posed as recruiters to target defence and aerospace staff. The operators built elaborate fake personas to trick victims into installing malware and surrendering their credentials.
18. Zoom agrees an 85 million dollar privacy settlement
Zoom agreed to pay eighty-five million dollars to settle a class action accusing it of sharing user data with Facebook, Google and LinkedIn and of failing to stop meeting intrusions. The deal also required the company to strengthen its security and privacy practices.
19. China pulls Didi from app stores over data practices
Days after Didi's New York listing, China's cyberspace regulator ordered the ride-hailing app removed from domestic stores, citing serious violations in how it collected personal information. The company was also barred from registering new users during the security review.
20. Amnesty releases a toolkit to detect Pegasus infections
Alongside the Pegasus Project, Amnesty International published the Mobile Verification Toolkit so people could check their phones for signs of NSO Group's spyware. The free command-line tool scanned device backups for the indicators of compromise that researchers had documented.
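To illustrate the kind of indicator matching such a backup scan performs, here is an added example in Python. It is not the Mobile Verification Toolkit's code and ships no real indicators: the `IndicatorSet`, the domain, process name and hash in `SAMPLE_IOCS`, and the `SAMPLE_BACKUP_RECORDS` are all constructed placeholders, and the record layout (url/process/file entries with a timestamp) is an assumption made for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class IndicatorSet:
    """Indicators a scanner would load from a published IoC file (constructed here)."""
    domains: set[str] = field(default_factory=set)
    process_names: set[str] = field(default_factory=set)
    file_sha256: set[str] = field(default_factory=set)


@dataclass
class Match:
    record_type: str   # "url", "process" or "file"
    value: str         # the value found in the backup
    indicator: str     # the indicator it matched
    timestamp: str     # when the backup recorded it


def domain_matches(hostname: str, indicator: str) -> bool:
    """Exact or subdomain match: 'cdn.bad.test' hits 'bad.test', 'notbad.test' does not."""
    h = hostname.lower().rstrip(".")
    i = indicator.lower().rstrip(".")
    return h == i or h.endswith("." + i)


def hostname_of(url: str) -> str:
    """Extract the host part of a URL so query strings and paths cannot hide a match."""
    return (urlsplit(url).hostname or "").lower()


def scan_records(records: list[dict], iocs: IndicatorSet) -> list[Match]:
    """Compare each backup record with the indicator set and return the hits
    in chronological order, since a timeline is what an analyst reads."""
    hits: list[Match] = []
    for rec in records:
        kind, value, ts = rec["type"], rec["value"], rec.get("timestamp", "")
        if kind == "url":
            host = hostname_of(value)
            for d in iocs.domains:
                if domain_matches(host, d):
                    hits.append(Match(kind, value, d, ts))
                    break
        elif kind == "process":
            if value in iocs.process_names:
                hits.append(Match(kind, value, value, ts))
        elif kind == "file":
            digest = rec.get("sha256", "").lower()
            if digest in iocs.file_sha256:
                hits.append(Match(kind, value, digest, ts))
    return sorted(hits, key=lambda m: m.timestamp)


# Constructed placeholder indicators; none of these is a real IoC.
SAMPLE_IOCS = IndicatorSet(
    domains={"example-ioc.test"},
    process_names={"suspicious-helper"},
    file_sha256={"0" * 64},
)

# Constructed backup records: one benign and one suspicious entry per type,
# plus a look-alike domain that must NOT match.
SAMPLE_BACKUP_RECORDS = [
    {"type": "url", "value": "https://www.wikipedia.org/", "timestamp": "2021-07-18T09:00:00Z"},
    {"type": "url", "value": "https://cdn.example-ioc.test/p?x=1", "timestamp": "2021-07-18T09:05:00Z"},
    {"type": "url", "value": "https://notexample-ioc.test/", "timestamp": "2021-07-18T09:06:00Z"},
    {"type": "process", "value": "SpringBoard", "timestamp": "2021-07-18T09:09:00Z"},
    {"type": "process", "value": "suspicious-helper", "timestamp": "2021-07-18T09:10:00Z"},
    {"type": "file", "value": "/var/tmp/a.bin", "sha256": "0" * 64, "timestamp": "2021-07-18T09:12:00Z"},
    {"type": "file", "value": "/var/tmp/b.bin", "sha256": "f" * 64, "timestamp": "2021-07-18T09:13:00Z"},
]


if __name__ == "__main__":
    for m in scan_records(SAMPLE_BACKUP_RECORDS, SAMPLE_IOCS):
        print(f"{m.timestamp}  {m.record_type:<8} {m.value}  <-  {m.indicator}")
```

The subdomain check in `domain_matches` is the detail that matters in practice: matching on substrings would both miss hosts under an indicator domain and flag unrelated look-alike names, so the comparison is anchored on a label boundary.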