Privacy Roundup #0182 • September 2021
September 2021 paired spyware revelations and Apple's retreat on phone scanning with record European fines and a long run of breach disclosures.
1. Federal Trade Commission bans SpyFone and its chief from the surveillance business
The FTC barred the maker of the SpyFone stalkerware app and its chief executive from selling any monitoring tool and ordered the firm to delete the data it had secretly gathered. It was the first time the regulator had imposed an outright ban on a surveillance company rather than a narrower penalty.
2. China's Data Security Law takes effect
China's Data Security Law came into force on 1 September, creating a national regime that classifies data by sensitivity and tightens state control over how companies handle it. The law also bars firms from giving data held in China to foreign courts or enforcement bodies without official approval.
3. Ireland fines WhatsApp €225 million for transparency failures
Ireland's Data Protection Commission announced a €225 million penalty against WhatsApp for failing to tell users and non-users clearly how it processed their data. The figure rose sharply after other European regulators objected that an earlier draft sanction was too lenient.
4. Apple delays its plan to scan iPhones for child abuse imagery
Apple said it would pause its plan to scan photos on devices for known child abuse material after a backlash from researchers and rights groups. Critics had warned that the on-device scanning could be repurposed by governments to detect other kinds of content.
5. ProtonMail logs a French activist's address under Swiss order
ProtonMail confirmed it had logged the IP address of a French climate activist after a legally binding order from Swiss authorities, and the data helped lead to an arrest. The case forced the company to drop its claim that it did not record IP addresses.
6. ProPublica reveals how WhatsApp moderators read reported messages
A ProPublica investigation showed that WhatsApp employs more than a thousand contractors who review messages users flag as abusive, undercutting the sense that all content stays private. The reviewers see only forwarded reports, but the system still hands plain text to outside staff.
7. EFF tells a court that FOIA can free ICE deportation records safely
The Electronic Frontier Foundation argued in a federal brief that freedom of information law requires ICE to release deidentified arrest and deportation data while still protecting individuals. The aim was to allow public oversight of the agency without exposing the people in its records.
8. United Nations confirms its computer networks were breached
The United Nations acknowledged that hackers had broken into its systems earlier in the year using a staff member's stolen login bought on a dark web market. Researchers said the intruders kept access for months and gathered data that could be used to target the organisation's agencies.
9. Customer care giant TTEC hit by Ragnar Locker ransomware
The outsourcing firm TTEC, which runs customer support for major banks and carriers, suffered a ransomware attack that began on 12 September and crippled remote access for thousands of staff. Evidence pointed to the Ragnar Locker group, and the company later confirmed that some data had been encrypted across several of its facilities.
10. BlackMatter ransomware hits medical technology firm Olympus
Olympus said it was investigating a cyber incident affecting its European systems after a ransomware attack on 8 September, with a note pointing to the BlackMatter group. The company shut down parts of its network while it assessed the damage.
11. Apple patches a zero-click NSO exploit on every device
Apple issued an emergency update after Citizen Lab found a zero-click iMessage exploit, named FORCEDENTRY, used to plant NSO Group's Pegasus spyware on a Saudi activist's phone. The flaw affected iPhones, iPads, Macs and Watches and needed no action from the victim.
12. EFF warns of the federal government's growing appetite for facial recognition
The EFF highlighted a watchdog finding that federal agencies operated more facial recognition systems than there were agencies using them. It urged support for a bill that would halt government use of face surveillance and related biometric tools.
13. FTC warns health apps they must report breaches
The Federal Trade Commission issued a policy statement confirming that health apps and connected devices must tell users when their data is exposed under the Health Breach Notification Rule. The move widened the rule to cover fitness trackers and similar tools that gather sensitive personal data.
14. WhatsApp adds an option for end-to-end encrypted backups
The EFF examined WhatsApp's rollout of encrypted message backups, a feature that keeps copies out of reach of Apple and Google. It noted the change stood in contrast to Apple's plan to scan photos on devices.
15. Alaska says a nation-state attack exposed health records of all residents
Alaska's Department of Health and Social Services disclosed that a sophisticated attack first detected in May may have exposed personal and medical data on any resident. Officials linked the intrusion to a nation-state group but declined to name the country.
16. Apple and Google pull Navalny's voting app in Russia
Apple and Google removed jailed opposition leader Alexei Navalny's tactical voting app from their Russian stores after threats from the state, on the eve of parliamentary elections. Navalny's allies called the removal an act of political censorship.
17. Domain registrar Epik is breached and its data dumped online
Hackers aligned with Anonymous published roughly 180 gigabytes of data taken from the registrar Epik, including customer details and records meant to be shielded by its privacy service. Reporting showed the firm had been warned of a critical flaw weeks before the breach.
18. Apple ships iOS 15 with Private Relay and Mail Privacy Protection
Apple released iOS 15 with new privacy tools, including iCloud Private Relay, which routes Safari traffic through two relays to hide a user's address, and Mail Privacy Protection, which blocks tracking pixels. The features marked a fresh push by Apple to limit how third parties track people.
19. Regulators question Facebook's Ray-Ban smart glasses
European data protection authorities flagged concerns about Facebook's new Ray-Ban Stories glasses, asking the company to show that a small LED was enough to warn bystanders they were being recorded. The glasses can capture photos and video with little outward sign.
20. Neiman Marcus tells 4.6 million customers their data was stolen
The luxury retailer Neiman Marcus said it had notified about 4.6 million customers that their personal and payment details were taken in a breach dating back to May 2020. The exposed data included names, contact details, card numbers and account credentials.
→ whbl.com