Privacy Roundup #0189 • April 2022
Mercenary spyware against Catalans, a wave of token and source code thefts, and fresh privacy laws in Connecticut, India and the EU defined the month.
1. Block confirms Cash App breach after former employee took customer data
Block disclosed in a filing that a former employee had downloaded reports on millions of Cash App Investing users months after leaving the firm. The exposed data included names, brokerage account numbers and portfolio values for roughly eight million people.
2. Mailchimp breach used to phish cryptocurrency holders
Mailchimp confirmed that attackers had used social engineering to reach an internal support tool and view the accounts of about three hundred customers. The intruders exported data from finance and crypto firms, then sent phishing emails to Trezor wallet owners.
3. CatalanGate spyware operation targeted dozens of Catalans
The Citizen Lab reported that at least sixty-five Catalan politicians, lawyers and activists had been targeted with NSO Group and Candiru spyware. Many infections used a zero-click iMessage exploit, and the targets included serving members of the European Parliament.
4. European Parliament opened its inquiry into Pegasus spyware abuse
A new committee of inquiry held its first meeting to examine breaches of European Union law tied to Pegasus and similar tools. The move followed mounting evidence that member states had deployed mercenary spyware against journalists and politicians.
5. EU negotiators agreed the Digital Services Act
Parliament and Council reached a provisional deal on the Digital Services Act, a sweeping set of rules for online platforms. The agreement banned targeted advertising aimed at children and curbed adverts that rely on sensitive data such as race or religion.
6. Connecticut passed the fifth state consumer privacy law
The Connecticut legislature approved the Connecticut Data Privacy Act, giving residents rights to access, correct and delete their data. The bill also required businesses to honour opt-out signals for targeted advertising and the sale of personal information.
7. India ordered VPN providers to log and keep user data
India's computer emergency response team issued directions requiring VPN, cloud and data centre firms to retain subscriber names, addresses and assigned IP addresses for five years. The rules also forced firms to report security incidents within six hours, threatening the no-log promises that many services rely on.
8. Hackers used fake emergency requests, prompting a defence
Krebs on Security reported on Kodex, a startup trying to blunt fraudulent emergency data requests by giving police agencies trust ratings. Criminals had been hijacking police email accounts to file warrantless requests with technology firms and harvest personal data.
9. Stolen OAuth tokens let attackers raid private GitHub repositories
GitHub warned that an attacker had abused OAuth tokens issued to Heroku and Travis CI to download private code from dozens of organisations. The firm said the intruders appeared to be mining the stolen repositories for secrets that could open further systems.
10. Leaked chats showed Lapsus$ stole T-Mobile source code
Brian Krebs published internal Lapsus$ chats revealing that the group had repeatedly breached T-Mobile and downloaded tens of thousands of source code repositories. The hackers reached an internal account tool called Atlas using credentials bought from criminal markets.
11. Globant confirmed a breach after Lapsus$ leaked stolen data
The software firm Globant admitted that part of its code repository had been accessed after Lapsus$ leaked seventy gigabytes of data on Telegram. The dump included customer credentials and source code, exposing the firm's wider client base to risk.
12. Coca-Cola investigated a data theft claim by Stormous
The pro-Kremlin group Stormous claimed to have stolen one hundred and sixty-one gigabytes of files from Coca-Cola and put them up for sale. The company said it had opened an urgent investigation and contacted law enforcement over the claim.
13. Funky Pigeon paused orders after a security incident
The British greetings card retailer Funky Pigeon halted all orders and took systems offline after detecting a cyber attack. The firm warned that customer names, addresses and email addresses may have been accessed, though payment data was held by third parties.
14. Beanstalk lost a hundred and eighty-two million dollars in a governance attack
Attackers used flash loans to seize a controlling share of voting power in the Beanstalk stablecoin protocol, then passed a proposal draining its funds. The exploit netted the thief about eighty million dollars and showed how on-chain governance can be gamed in a single transaction.
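The Beanstalk item turns on one design detail: if vote weight is read from live balances and a proposal can be executed in the same block it was created, tokens borrowed for a single transaction count as voting power. The Python model below is an added illustration, not Beanstalk's code or anyone's audit of it. It contrasts a constructed live-weight governance contract with a constructed hardened variant that reads weight from the block before the proposal and enforces an execution delay, the same two controls that production governor contracts use. All account names, balances and the 501-token threshold are made up for the simulation.

```python
"""Toy model of on-chain governance: live vote weight versus snapshot plus delay.

Added example, not any protocol's real contract. The chain, accounts and
threshold below are constructed for the simulation.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Chain:
    """Minimal ledger: current balances plus per-block snapshots once mined."""
    block: int = 1
    balances: Dict[str, int] = field(default_factory=dict)
    history: Dict[int, Dict[str, int]] = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def mine(self) -> None:
        """Freeze the current balances as this block's record and advance."""
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def balance_at(self, account: str, block: int) -> int:
        """Balance as recorded in an already-mined block (0 if unknown)."""
        return self.history.get(block, {}).get(account, 0)


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0
    executed: bool = False


class LiveWeightGovernance:
    """Vulnerable model: weight is the voter's balance at the moment of the
    vote, and a proposal may be executed in the block it was created."""

    def __init__(self, chain: Chain, threshold: int) -> None:
        self.chain = chain
        self.threshold = threshold
        self.proposals: List[Proposal] = []

    def propose(self) -> int:
        self.proposals.append(Proposal(created_block=self.chain.block))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str) -> None:
        self.proposals[pid].votes_for += self.chain.balances.get(voter, 0)

    def execute(self, pid: int) -> bool:
        proposal = self.proposals[pid]
        if proposal.votes_for >= self.threshold:
            proposal.executed = True
        return proposal.executed


class SnapshotGovernance(LiveWeightGovernance):
    """Hardened model: weight comes from the block before the proposal, so
    tokens acquired in the proposal block do not count, and execution must
    wait `delay` blocks, which a single-transaction flash loan cannot span."""

    def __init__(self, chain: Chain, threshold: int, delay: int) -> None:
        super().__init__(chain, threshold)
        self.delay = delay

    def vote(self, pid: int, voter: str) -> None:
        proposal = self.proposals[pid]
        proposal.votes_for += self.chain.balance_at(voter, proposal.created_block - 1)

    def execute(self, pid: int) -> bool:
        proposal = self.proposals[pid]
        if self.chain.block < proposal.created_block + self.delay:
            return False  # still inside the timelock window
        return super().execute(pid)


def flash_loan_attack(gov: LiveWeightGovernance, chain: Chain,
                      attacker: str, lender: str, loan: int) -> bool:
    """Borrow, propose, vote, attempt execution and repay, all in one block.
    Returns whether the proposal executed before the loan was repaid."""
    chain.transfer(lender, attacker, loan)
    pid = gov.propose()
    gov.vote(pid, attacker)
    executed = gov.execute(pid)
    chain.transfer(attacker, lender, loan)
    return executed


def build_chain() -> Chain:
    # Constructed supply of 1000 tokens; block 1 is mined so snapshots exist.
    chain = Chain(balances={"lender": 900, "attacker": 10, "honest": 90})
    chain.mine()
    return chain


def run_scenario(hardened: bool) -> bool:
    """Simulate the flash-loan attack against either governance model."""
    chain = build_chain()
    threshold = 501  # constructed simple majority of the 1000-token supply
    gov = (SnapshotGovernance(chain, threshold, delay=2) if hardened
           else LiveWeightGovernance(chain, threshold))
    return flash_loan_attack(gov, chain, "attacker", "lender", loan=900)


def legitimate_proposal() -> bool:
    """A genuine majority holder still passes a proposal under the hardened model."""
    chain = build_chain()
    gov = SnapshotGovernance(chain, 501, delay=2)
    pid = gov.propose()          # created in block 2, weight read from block 1
    gov.vote(pid, "lender")      # 900 tokens held across blocks
    chain.mine()
    chain.mine()                 # block 4 >= created_block + delay
    return gov.execute(pid)


if __name__ == "__main__":
    print("live-weight governance drained by flash loan:", run_scenario(False))
    print("snapshot + delay governance drained:", run_scenario(True))
    print("hardened model still passes honest proposal:", legitimate_proposal())
```

The two controls work together: the snapshot removes borrowed tokens from the count, and the delay means that even a real purchase would have to be held across blocks, which turns a free flash loan into capital at risk.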
15. Court let a biometric privacy case against Onfido proceed
A federal judge in Illinois ruled that faceprints created by Onfido's identity software could count as biometric identifiers under the state's privacy law. The decision allowed a class action over scans of uploaded photographs to move ahead.
16. EFF urged Californians to back biometric and student privacy bills
The Electronic Frontier Foundation called on Californians to support two bills, one requiring consent before collecting biometric data and another limiting what remote proctoring firms gather. The group noted a five hundred per cent rise in proctoring tools during the pandemic.
17. Report exposed how data brokers help ICE skirt sanctuary laws
A report from Mijente and allied groups detailed how Immigration and Customs Enforcement reaches deportation targets through data sharing platforms run by LexisNexis. The work showed how commercial brokers provide back doors around local protections for immigrants.
18. John Oliver turned a spotlight on the data broker industry
Bruce Schneier highlighted a Last Week Tonight segment dissecting how data brokers collect and trade personal information for profit. The piece included a stunt that compiled data on members of Congress to press the case for regulation.
19. Black Basta ransomware gang emerged and hit a dozen firms
A new ransomware operation calling itself Black Basta surfaced and breached at least twelve companies within weeks of appearing. The speed of its early extortion suggested experienced operators rather than newcomers to the trade.
20. Maryland required police to be trained to recognise stalkerware
Maryland's legislature unanimously passed a bill requiring law enforcement training on the tactics of electronic surveillance and the laws around it. The measure, backed by EFF, aimed to help officers spot stalkerware used to monitor partners in abuse cases.