Privacy Roundup #0190 • May 2022
May 2022 brought heavy regulatory weight, with a record Twitter fine, a Clearview facial recognition penalty and a new state privacy law, alongside spyware fallout, abortion clinic tracking and a wave of breaches.
1. Twitter to pay $150 million penalty for misusing security data in advertising
The Federal Trade Commission and the Department of Justice announced that Twitter would pay $150 million for using phone numbers and email addresses, collected for account security, to target advertisements. More than 140 million people had handed over that data believing it would only protect their accounts.
2. UK fines Clearview AI over unlawful facial recognition scraping
The Information Commissioner's Office fined Clearview AI just under £7.5 million for scraping images of British residents from the web to build its facial recognition database. The regulator also ordered the company to stop collecting British data and to delete what it already held.
3. Surveillance transparency report shows the FBI querying millions of Americans
The Electronic Frontier Foundation reviewed a new intelligence community report revealing that the FBI ran queries potentially involving more than three million Americans using Section 702 data. The group argued the figures showed an urgent need to close the backdoor that lets agencies search this material without a warrant.
4. SafeGraph stops selling location data on visits to abortion clinics
The data broker SafeGraph said it would stop selling location information about visits to family planning clinics after a report showed the data could be bought for around $160. The reversal raised wider questions about how easily anyone could track people seeking reproductive healthcare.
5. SafeGraph's claims mask a dangerous location data industry
The Electronic Frontier Foundation argued that SafeGraph's defence of its abortion clinic data sales obscured the harm of the wider location data trade. The piece set out how aggregated movement data can still expose individuals and put vulnerable people at risk.
6. DHS pauses its Disinformation Governance Board after backlash
The Department of Homeland Security paused its newly created Disinformation Governance Board following criticism over its remit and its implications for free expression and privacy. The board's executive director resigned, and the project was sent for review before its eventual closure.
7. Connecticut becomes the fifth state with a comprehensive privacy law
Governor Ned Lamont signed Senate Bill 6, making Connecticut the fifth American state to enact a broad consumer data privacy law. The statute granted residents rights to access, correct and delete their personal data and to opt out of targeted advertising.
→ iapp.org
8. European Commission proposes mandatory scanning of private messages
The European Commission unveiled its child sexual abuse regulation, known to critics as Chat Control, which could require services to scan private messages even where they are end-to-end encrypted. Digital rights group EDRi warned that the proposal put the integrity of secure communications at risk.
→ edri.org
9. Costa Rica declares a state of emergency after Conti ransomware attack
Costa Rica's new president declared a national state of emergency after the Conti gang crippled government systems and demanded a ransom. The attack hit the finance ministry and other agencies, and the gang published a large volume of stolen government data when the ransom was refused.
10. Conti ransomware gang shuts down its public infrastructure
Researchers reported that the notorious Conti gang had taken down its leak site, negotiation tools and other infrastructure as it appeared to wind operations down. Analysts cautioned that the group's people and methods were likely to resurface under new branding.
11. Supreme Court blocks Texas social media law from taking effect
The Supreme Court blocked a Texas law that would have restricted how large platforms moderate and curate content while it was challenged in the lower courts. The decision left the constitutional questions over platform speech and user data unresolved.
12. Shields Health Care Group reports breach affecting two million patients
The Massachusetts imaging provider Shields Health Care Group reported a breach that exposed the personal and medical information of around two million patients across more than fifty facilities. The compromised data included names, Social Security numbers, dates of birth and treatment details.
13. General Motors discloses credential stuffing attack on owner accounts
General Motors disclosed that attackers used credentials stolen elsewhere to break into customer accounts and access personal information. The intruders also redeemed owners' reward points for gift cards before the activity was detected.
14. Ransomware grounds flights at Indian airline SpiceJet
A ransomware attack disrupted the Indian budget airline SpiceJet, slowing morning departures and stranding passengers at several hubs. The carrier said its teams contained the incident, although the disruption underlined how operational data and systems can be held hostage.
15. California Age-Appropriate Design Code passes the state Assembly
California's Assembly unanimously passed the Age-Appropriate Design Code Act, modelled on Britain's children's code, sending it to the state Senate. The bill would extend heightened data protections to people under eighteen and cover services likely to be used by minors.
16. DuckDuckGo defends allowing Microsoft trackers in its browser
DuckDuckGo confirmed that its privacy browser allowed some Microsoft tracking scripts to run because of a search syndication agreement, even as it blocked trackers from Google and Facebook. The disclosure drew sharp criticism and forced the company to defend its tracker-blocking claims.
17. Hacker steals a database of Verizon employee records
A hacker claimed to have obtained an internal database of Verizon employee contact details after tricking a worker into granting remote access. The attacker sought a payment to keep the data private, while Verizon said the information was not sensitive.
18. Spain sacks its spy chief over the Pegasus spyware scandal
Spain dismissed the director of its national intelligence agency after revelations that Pegasus spyware had been used against Catalan separatist figures and against senior ministers. The case became a centrepiece of European concern over the abuse of commercial surveillance tools.
19. Verizon report finds a sharp rise in ransomware breaches
Verizon published its annual Data Breach Investigations Report, recording a thirteen per cent rise in ransomware breaches, a jump larger than the previous five years combined. The report found that stolen credentials, phishing and external attackers drove the majority of incidents.
20. Texas insurance agency exposed data on 1.8 million injured workers
A state audit found that the Texas Department of Insurance had left the personal data of around 1.8 million workers' compensation claimants accessible online for nearly three years. The exposed records included Social Security numbers, addresses, birthdates and injury details.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.