Privacy Roundup #0184 • November 2021
November 2021 was defined by a reckoning over commercial spyware and facial recognition, set against a run of damaging corporate breaches.
1. Meta shuts down Facebook facial recognition and deletes a billion faceprints
Meta announced on 2 November that it would close Facebook's Face Recognition system and delete the individual templates of more than a billion people. The company cited regulatory uncertainty and mounting privacy concerns over the technology.
2. United States blacklists NSO Group over Pegasus spyware abuses
On 4 November the Commerce Department added NSO Group to its Entity List, barring American firms from supplying it with hardware or software. Officials said the spyware maker had acted contrary to the foreign policy and national security interests of the United States.
3. France orders Clearview AI to delete its citizens' data
On 26 November the CNIL issued a formal notice ordering Clearview AI to stop collecting and using the data of people in France and to delete what it already held. The regulator found no lawful basis for the firm's scraping of biometric data and faulted its handling of access and erasure requests.
4. Robinhood discloses breach affecting seven million customers
Robinhood revealed on 8 November that an attacker had socially engineered a support employee to reach internal systems. Email addresses for roughly five million people and full names for about two million more were exposed, with a smaller group losing further details.
5. Hoax email blast abuses weak coding in an FBI portal
On 13 November an attacker exploited insecure code in an FBI law enforcement portal to send fake cyberattack warnings from a genuine bureau address. The messages reached at least 100,000 recipients before the agency disabled the affected system.
6. GoDaddy breach exposes more than a million WordPress accounts
GoDaddy disclosed on 22 November that an intruder had used a compromised password to reach its Managed WordPress environment since September. Up to 1.2 million customers had email addresses and provisioning passwords exposed, with some losing SSL private keys.
7. Apple sues NSO Group over Pegasus attacks on its users
On 23 November Apple filed suit against NSO Group, accusing it of creating fake Apple accounts to deliver the FORCEDENTRY exploit and Pegasus spyware. The company sought to hold the vendor accountable for surveillance of its customers across borders.
8. Panasonic confirms a months-long intrusion into its network
Panasonic disclosed on 26 November that an attacker had accessed a file server in Japan, with the intrusion detected on 11 November. The firm later confirmed that data on job applicants and interns had been exposed during the breach.
9. Twitter bans sharing private images without consent
Twitter expanded its private information policy on 30 November to prohibit posting images or videos of private individuals without their permission. The company said it would remove media when notified by the person depicted, with exceptions for public figures and newsworthy content.
10. UK regulator signals a seventeen million pound fine for Clearview AI
On 29 November the Information Commissioner's Office announced its provisional intent to fine Clearview AI just over seventeen million pounds and to order it to stop processing UK data. The watchdog's preliminary view was that the firm had no lawful basis for scraping people's images.
11. Ninth Circuit rules NSO Group is not immune from suit
On 10 November the Ninth Circuit held that NSO Group, as a private company, could not claim sovereign immunity simply because it served foreign government clients. The decision cleared the way for WhatsApp's lawsuit over the targeting of users to proceed.
12. Planned Parenthood Los Angeles confirms patient data stolen in ransomware attack
On 4 November Planned Parenthood Los Angeles confirmed that files taken during an October ransomware attack contained patient information. Around 400,000 people had details exposed, including diagnoses, procedures and insurance information.
13. Australian regulator finds Clearview AI broke privacy law
On 3 November the Office of the Australian Information Commissioner found that Clearview AI had breached the country's privacy law by scraping biometric data. The watchdog ordered the firm to stop collecting images of people in Australia and to delete those already held.
14. Trojan Source attack hides malicious code from human reviewers
On 1 November researchers at Cambridge disclosed Trojan Source, a technique that uses invisible Unicode characters to make source code behave differently from how it appears. The flaw affects most modern languages and undermines the assumption that code review can catch tampering.
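The practical defence against Trojan Source is mechanical: refuse or flag any source file that contains Unicode bidirectional control characters, since those are the invisible characters the technique relies on and they have no legitimate place in code. The scanner below is an added example for this roundup, not code from the Cambridge researchers; it checks a string for the Bidi_Control code points, reports where they sit, and produces an escaped rendering so a reviewer can see what the compiler sees. The tainted sample is constructed for the demonstration.

```python
import unicodedata

# Unicode characters with the Bidi_Control property. Trojan Source hides
# its changes with these, so any occurrence in source is worth flagging.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM", "\u061C": "ALM",
}


def find_bidi_controls(source: str) -> list[dict]:
    """Return one finding per bidi control character, with 1-based line/column."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "abbrev": BIDI_CONTROLS[ch],
                    "name": unicodedata.name(ch, "UNKNOWN"),
                })
    return findings


def is_clean(source: str) -> bool:
    """True when the source contains no bidi control characters."""
    return not find_bidi_controls(source)


def escape_bidi(source: str) -> str:
    """Replace each bidi control with a visible \\uXXXX escape for review output."""
    return "".join(
        f"\\u{ord(ch):04X}" if ch in BIDI_CONTROLS else ch for ch in source
    )


# Constructed sample: a comment that carries a right-to-left override and
# the matching pop, so its rendered form differs from its code points.
SAMPLE_TAINTED = (
    "total = 0\n"
    "# Trojan-source style comment: \u202e reversed \u202c\n"
    "print(total)\n"
)


if __name__ == "__main__":
    for finding in find_bidi_controls(SAMPLE_TAINTED):
        print(f"line {finding['line']} col {finding['col']}: "
              f"{finding['codepoint']} {finding['name']}")
    print(escape_bidi(SAMPLE_TAINTED))
```

Wired into a pre-commit hook or CI step, the same check turns the review-time assumption the article describes into an enforced gate: a file with any finding is rejected before a human looks at it.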
15. Emotet returns to the threat landscape after a takedown
Researchers observed Emotet rebuilding its botnet from 14 November, almost a year after law enforcement disrupted it. The downloader was seen spreading through the TrickBot network, reviving a major vector for credential theft and data exfiltration.
16. Apple's complaint reveals NSO created scores of fake accounts
Apple's filing detailed how NSO Group registered more than a hundred fake Apple credentials to push malicious messages to targets. The document offered rare technical insight into how state-grade spyware reached victims without any interaction.
17. Squid Game branded apps spread Joker malware on Android
Security researchers warned that apps trading on the popularity of Squid Game were carrying the Joker trojan. The malware signed victims up to unwanted paid subscriptions and committed advertising fraud while harvesting device information.
18. Robinhood account flaw abused to send phishing emails
Beyond the headline breach, a separate flaw in Robinhood's account creation flow was abused to send phishing messages that appeared to come from the company. The issue showed how a weakness in onboarding could be turned into a credible lure against customers.
19. Stolen Robinhood records put up for sale on a hacking forum
Within days of the disclosure, data on roughly seven million Robinhood customers appeared for sale on a criminal marketplace. The seller had also tried to extort the company, underlining how breach data fuels further harm once it leaks.
20. Pegasus complaint highlights zero-click reach of commercial spyware
The detail emerging from Apple's case underscored that FORCEDENTRY required no action from the victim to install Pegasus. It hardened the argument from privacy advocates that the commercial spyware trade poses a structural threat to device security.