Privacy Roundup #0188 • March 2022

March 2022 was dominated by the Lapsus$ extortion spree against Big Tech, a wave of regulatory action across the Atlantic, and fresh evidence that data brokers and police impersonation are quietly hollowing out everyone's privacy.

1. EU and US agree in principle on a new Trans-Atlantic Data Privacy Framework

The European Commission and the White House announced a political deal to replace the struck-down Privacy Shield and keep personal data flowing across the Atlantic. The agreement promised new limits on US intelligence access and a redress court, but campaigners warned it remained a vague promise rather than binding law.

bidenwhitehouse.archives.gov

2. Ireland fines Meta 17 million euros over a series of 2018 Facebook breaches

The Irish Data Protection Commission imposed a 17 million euro penalty on Meta after a self-started inquiry into twelve breach notifications from 2018. Regulators found the company had failed to put in place measures it could demonstrate were protecting the data of European users.

www.dataprotection.ie

3. Samsung confirms hackers stole Galaxy device source code

Samsung acknowledged that intruders had taken internal source code relating to the operation of its Galaxy phones, including parts of its security framework. The company insisted no customer or employee personal data was caught up in the leak, which the Lapsus$ group had dumped publicly as a torrent.

techcrunch.com

4. Microsoft confirms Lapsus$ stole source code for Bing and Cortana

Microsoft confirmed that a single compromised account gave the Lapsus$ group limited access to its systems and let them take source code for Bing, Bing Maps and Cortana. The attackers leaked 37 gigabytes of code, though Microsoft said no customer data was exposed.

techcrunch.com

5. Okta admits hundreds of customers were exposed in a January breach

Authentication giant Okta confirmed that a January intrusion at a third-party support contractor had potentially affected around 366 corporate customers. The firm later conceded it had mishandled the disclosure and left clients in the dark for months.

techcrunch.com

6. Nvidia breach exposes credentials of more than 71,000 employees

Nvidia confirmed that an intrusion claimed by Lapsus$ had exposed email addresses and password hashes for over 71,000 staff. Many of those hashes were quickly cracked and circulated, and the attackers also leaked code-signing certificates that could be abused to sign malware.

www.bleepingcomputer.com

7. London police arrest seven over the Lapsus$ hacking spree

City of London Police arrested seven people aged 16 to 21 in connection with the Lapsus$ group behind the run of corporate breaches. Researchers traced the operation to a teenager living with his mother near Oxford.

www.bleepingcomputer.com

8. Criminals gain the power of subpoena through fake emergency data requests

Brian Krebs revealed how hackers compromise police email accounts to send forged emergency data requests, tricking platforms into handing over names, addresses and phone numbers without any warrant. Apple, Discord, Snapchat and Google were among the firms duped into disclosing subscriber details.

krebsonsecurity.com

9. Ubisoft resets staff passwords after a cyber incident

The games publisher confirmed a security incident that briefly disrupted some games and services and forced a company-wide password reset. Ubisoft declined to explain the cause, though the Lapsus$ group hinted online that it was responsible.

techcrunch.com

10. Anonymous leaks hundreds of thousands of files from Russia's censorship agency

Hacktivists linked to Anonymous claimed to have taken roughly 360,000 files from Roskomnadzor, the body that polices Russian media and online speech. The documents, published by DDoSecrets, exposed orders forbidding outlets from calling the invasion of Ukraine an invasion.

fortune.com

11. Ukraine begins using Clearview AI facial recognition during the war

Ukraine's defence ministry started using Clearview AI to identify dead Russian soldiers and trace their social media accounts. The firm offered its tool free of charge, drawing warnings from civil liberties groups about misidentification and the normalisation of battlefield face surveillance.

www.cnbc.com

12. Utah becomes the fourth US state with a comprehensive privacy law

Governor Spencer Cox signed the Utah Consumer Privacy Act, giving residents rights to access, delete and opt out of the sale of their data. Analysts noted the law took a lighter, more business-friendly approach than its counterparts in California, Virginia and Colorado.

iapp.org

13. noyb sends 270 draft complaints over deceptive cookie banners

Privacy group noyb sent 270 draft complaints to website operators whose consent pop-ups used dark patterns to push people into accepting tracking. Operators that did not redesign their banners within the grace period faced formal complaints to data protection authorities.

noyb.eu

14. Biden signs the Cyber Incident Reporting for Critical Infrastructure Act

The new law requires operators of critical infrastructure to report serious cyber incidents to CISA within 72 hours and ransom payments within 24 hours. It marked one of the most significant federal moves yet to compel disclosure of breaches that often stay hidden.

www.cisa.gov

15. FTC orders Weight Watchers to delete children's data and destroy its algorithms

The Federal Trade Commission took action against WW International, formerly Weight Watchers, and its Kurbo subsidiary for collecting health data from children as young as eight without parental consent. The order required the firm to delete the unlawfully gathered information, destroy any algorithms derived from it, and pay a 1.5 million dollar penalty.

www.ftc.gov

16. FTC acts against CafePress over a covered-up breach

The Federal Trade Commission moved against the merchandise platform CafePress for weak security and for hiding a 2019 breach that exposed Social Security numbers and unencrypted data. The order required stronger safeguards, data minimisation and redress for affected customers.

www.ftc.gov

17. Clearview AI launches version 2.0 and courts law enforcement

Clearview AI unveiled a new release of its platform built on a database it said held more than 20 billion scraped facial images. The expansion underlined how rapidly the firm was growing its reach across thousands of US police agencies despite mounting legal challenges.

www.clearview.ai

18. Anonymous claims a Nestle data dump that the company calls a self-inflicted leak

Hacktivists claimed to have stolen gigabytes of Nestle records as part of a campaign pressuring firms to quit Russia, including emails, passwords and customer details. Nestle countered that the information was mostly public test data it had briefly exposed by accident, underlining how messy attribution can be in wartime hacktivism.

www.theregister.com

19. Google revives its Privacy Sandbox with new ad-targeting APIs

Google announced origin trials for its Topics and FLEDGE interfaces, the proposed replacements for third-party cookies that move some tracking into the browser. Rivals such as Brave warned the design would let Google decide what counts as sensitive data and entrench its grip on the advertising market.

www.theregister.com

20. Privacy-focused search engine pledges to demote Russian disinformation

The privacy-focused search engine said it would demote results from sites spreading Russian disinformation after the invasion of Ukraine. The move drew an immediate backlash from users who argued that a tool sold on neutrality and privacy should not be quietly editorialising what people are allowed to find.

www.bleepingcomputer.com
