Privacy Roundup #0186 • January 2022
January 2022 opened the year with record European cookie fines, a wave of breach disclosures, and fresh fights over facial recognition and spyware.
1. France fines Google and Facebook over cookie consent
The French regulator CNIL fined Google 150 million euros and Facebook 60 million euros for making it harder to refuse tracking cookies than to accept them: accepting took a single click, while refusing required several. The watchdog gave both firms three months to fix the dark patterns or face penalties of 100,000 euros per day.
2. FlexBooker breach exposes 3.7 million accounts
The appointment scheduling service FlexBooker disclosed that attackers had stolen data on more than 3.7 million customers after compromising its Amazon Web Services hosting. The exposed records included names, email addresses, phone numbers and password hashes.
3. Bernalillo County hit by ransomware
Bernalillo County in New Mexico became the first United States local government to disclose a ransomware attack in 2022, knocking out county websites and internal systems. Staff at the county jail could not use automated doors or surveillance cameras, confining inmates to their cells for days.
4. EU Parliament broke data protection rules on cookies
The European Data Protection Supervisor found the European Parliament had broken EU rules on tracking cookies and data transfers through a COVID testing website. The site set Google Analytics and Stripe cookies and sent personal data to the United States without adequate safeguards.
5. Broward Health breach affects 1.3 million people
The Florida hospital system Broward Health began notifying more than 1.3 million patients and staff that intruders had stolen their data in an October 2021 intrusion. The compromised records included names, dates of birth, Social Security numbers and medical information.
6. IRS plans to require selfies through ID.me
The Internal Revenue Service confirmed that from summer 2022 it would require people to verify their identity with the facial recognition firm ID.me to access online tax tools. The plan drew immediate criticism from privacy advocates and lawmakers worried about coercing citizens into face scans.
7. Red Cross cyberattack exposes data on half a million people
The International Committee of the Red Cross revealed that hackers had compromised servers holding records on more than 515,000 highly vulnerable people. The victims included separated families, missing persons and detainees served by the organisation's family reunification work.
8. Crypto.com confirms 483 accounts hacked
The cryptocurrency exchange Crypto.com confirmed that attackers had drained roughly 34 million dollars in Bitcoin and Ether from 483 user accounts. The thieves bypassed two-factor authentication to approve withdrawals without the codes that should have stopped them, and the exchange revoked all existing 2FA tokens and forced users to re-enrol.
9. Google replaces FLoC with the Topics API
Google scrapped its controversial FLoC tracking proposal and announced a replacement called the Topics API for its Privacy Sandbox. Critics including DuckDuckGo and Brave had warned that FLoC could become a powerful fingerprinting identifier.
10. DeadBolt ransomware encrypts QNAP storage devices
A new ransomware strain called DeadBolt began encrypting internet-exposed QNAP network storage devices and demanding 0.03 Bitcoin from each victim. The gang also asked QNAP itself for 50 Bitcoin in exchange for a master decryption key.
11. FBI tested NSO Group's Pegasus spyware
A New York Times investigation revealed that the FBI had secretly bought and tested NSO Group's Pegasus spyware between 2019 and 2021. The agency also saw a demonstration of Phantom, a version built to hack any phone number inside the United States.
12. Morgan Stanley settles data breach suit for 60 million dollars
Morgan Stanley agreed to pay 60 million dollars to settle claims that it exposed the data of nearly 15 million customers. The bank had failed to wipe decommissioned servers and storage devices before disposing of them.
13. FluBot and TeaBot campaigns target Android worldwide
Researchers tracked widespread campaigns spreading the FluBot and TeaBot banking trojans through fake delivery and app messages. FluBot steals banking and card details and uses infected phones to send further malicious text messages.
14. European Parliament backs limits on tracking ads
Members of the European Parliament voted to restrict surveillance advertising in the Digital Services Act, banning the targeting of minors and the use of sensitive data for behavioural profiling. The vote also backed a requirement that refusing tracking be as easy as accepting it.
15. Clearview AI wins United States facial recognition patent
The face surveillance firm Clearview AI was awarded a United States patent for matching photos scraped from the open internet to identify people. The grant drew alarm because the company's database already held more than ten billion images taken without consent.
16. Maryland weighs limits on police facial recognition
Maryland lawmakers heard a bill that would sharply restrict how police use facial recognition technology in the state. The measure would limit its use to violent crimes, human trafficking and serious threats to public safety.
17. QNAP urges users to secure exposed storage devices
Earlier in the month QNAP warned customers to take network storage devices off the open internet as ransomware crews scanned for targets. The company pointed to rising Qlocker and eCh0raix campaigns hitting exposed NAS boxes.
18. OpenSubtitles admits paying ransom over breach
The subtitle site OpenSubtitles disclosed that a hacker had stolen data on about seven million users in August 2021 and that it had paid a ransom to keep the theft quiet. The stolen records surfaced anyway and were added to the Have I Been Pwned breach database.
19. Goodwill ecommerce platform breached
The nonprofit Goodwill warned that intruders had hacked its ShopGoodwill ecommerce platform and accessed customer account details. The exposed information included names, email addresses, phone numbers and mailing addresses, though not payment cards.
20. Austrian regulator rules Google Analytics use breaches GDPR
The Austrian Data Protection Authority found that a health website's use of Google Analytics broke EU rules by sending visitor data to the United States. The watchdog held that IP addresses and cookie identifiers were personal data and that Google's safeguards could not shield them from US intelligence access.
Enjoyed this post?
Well, you could share the post with others, follow me via the RSS feed and/or send me a comment by email.