Privacy Roundup #0185 • December 2021
December 2021 closed the year with a landmark stalkerware ban, fresh Pegasus victims among American diplomats and a wave of spyware exposures that reshaped the surveillance debate.
1. FTC finalises order banning SpyFone and its CEO from the surveillance business
The Federal Trade Commission finalised an order barring the stalkerware maker Support King, trading as SpyFone, and its chief executive Scott Zuckerman from offering any monitoring app or service. The order also required the company to delete the data it had secretly harvested and to tell device owners that their phones may have been watched.
2. Pegasus spyware found on the iPhones of US State Department staff
Reuters reported that at least nine American diplomats working on Uganda had their iPhones compromised with NSO Group's Pegasus spyware. The hacks were the widest known intrusions against US officials using the Israeli firm's technology.
3. Leaked FBI document reveals what data police can pull from encrypted apps
A training document obtained through a freedom of information request showed how much US law enforcement can extract from services such as iMessage, WhatsApp, Signal and Telegram. It confirmed that iMessage and WhatsApp metadata is far more exposed than messages on Signal.
4. Norway fines Grindr 7 million dollars over advertising consent
The Norwegian regulator confirmed a penalty against Grindr for sharing user data, including the fact that someone uses the app, with advertising partners without valid consent. Regulators treated that data as revealing sexual orientation and therefore deserving special protection.
5. Meta bans seven surveillance-for-hire firms and warns 50,000 targets
Facebook's parent removed roughly 1,500 accounts tied to spyware vendors based in China, India, Israel and North Macedonia. The company alerted around 50,000 people in more than a hundred countries that they may have been targeted.
6. Citizen Lab exposes Cytrox and its Predator spyware
Researchers at Citizen Lab detailed how the North Macedonian firm Cytrox sold a spyware tool called Predator that was used against Egyptian exiles. The findings underpinned Meta's decision to ban the company the same week.
7. Log4Shell flaw triggers an internet-wide security scramble
A critical vulnerability in the widely used Log4j logging library was disclosed on 10 December and given the maximum severity rating. Attackers began exploiting it within hours, putting at risk the personal data held by countless services that depend on the library.
8. Apple quietly removes its child-safety photo scanning plans from its site
Apple deleted the explanatory pages describing its planned system to scan iCloud photos against a database of known abuse imagery. The move followed sustained criticism that client-side scanning would create a surveillance backdoor.
9. Apple releases an Android app to detect AirTag stalking
Following reports of AirTags being used to track people without their knowledge, Apple released a Tracker Detect app on the Google Play store. The tool lets Android users scan for unknown trackers, although it cannot run continuously in the background.
10. Hackers wipe Brazil's COVID vaccination database
A group calling itself Lapsus$ took down the Brazilian health ministry website on 10 December and claimed to have deleted 50 terabytes of data. The attack disrupted the ConecteSUS app that millions of Brazilians use for vaccination certificates.
11. Capital One agrees to pay 190 million dollars over its 2019 breach
Capital One settled a class action covering roughly 98 million customers whose personal information was exposed in a cloud intrusion. The settlement fund was set up to reimburse out-of-pocket losses tied to the breach.
12. Reports detail AirTags turning up in stalking and car-theft cases
Police forces across several US states described AirTags being slipped into bags and cars to track victims or steal vehicles. The accounts intensified pressure on Apple over the limits of its tracker's anti-stalking protections.
13. Citizen Lab finds spyware flaws in the Beijing Olympics app
On 3 December Citizen Lab privately disclosed serious encryption weaknesses in MY2022, the app that all Winter Olympics attendees were required to install. The app also carried a censorship keyword list and collected sensitive health and travel data.
14. UK parliamentary committee warns the Online Safety Bill threatens encryption
A joint committee published its report on the draft Online Safety Bill on 14 December, recommending sweeping new duties for platforms. Campaigners warned that the proposals risked undermining end-to-end encryption for private messaging.
15. Booking service FlexBooker exposes 3.7 million accounts
Attackers compromised FlexBooker's cloud servers on 23 December and made off with names, email addresses, phone numbers and hashed passwords. The stolen records, covering more than 3.7 million users, were soon advertised on hacking forums.
16. France orders Clearview AI to stop scraping photos of its residents
The CNIL gave the facial recognition firm formal notice to halt the collection and use of data on people in France and to honour erasure requests. Clearview was given two months to comply or face financial penalties for building its database without a legal basis.
17. US senators press the government to sanction NSO Group
After the State Department hacks emerged, a group of US senators wrote to the Secretary of State and the Treasury urging Magnitsky Act sanctions against NSO Group. The letter reflected growing political anger at the unchecked spread of commercial spyware.
18. Ransomware attack on Kronos knocks payroll systems offline
A weekend ransomware attack on the Kronos Private Cloud disrupted payroll and timekeeping for major employers, with recovery expected to take weeks. The operator UKG warned that attackers may have accessed personal data belonging to affected staff.
19. Planned Parenthood Los Angeles breach exposes 400,000 patients
Planned Parenthood Los Angeles began notifying around 400,000 patients that hackers had stolen their personal and clinical records in an October ransomware attack. The exposed files included names, dates of birth, insurance details and sensitive information such as diagnoses, procedures and prescriptions.
20. Volvo Cars confirms theft of research and development data
Volvo disclosed that intruders had stolen a limited amount of its research and development files during a security breach. A ransomware group later published some of the stolen material on a leak site.