Privacy Roundup #0191 • June 2022

The fall of Roe drove the month's privacy news, as researchers, lawmakers and companies scrambled over location data, health tracking and surveillance spyware.

1. Facebook received sensitive medical data from hospital websites

The Markup found a Meta tracking pixel on a third of the top American hospitals, quietly sending Facebook details about appointments and conditions. The data flowed even from inside password-protected patient portals, raising clear questions about health privacy law.

themarkup.org

2. Microsoft retired its emotion-reading facial recognition tools

Microsoft said it would stop selling tools that claim to read emotion, gender and age from faces, citing the lack of scientific basis and the privacy harms. New customers lost access at once, and existing ones were given a year to move off the service.

www.theregister.com

3. Google warned Android users targeted by Hermit government spyware

Google's Threat Analysis Group exposed Hermit, spyware built by the Italian firm RCS Lab and deployed against people in Italy and Kazakhstan. Attackers sometimes worked with internet providers to cut a target's data, then sent a malicious link posing as a carrier fix.

techcrunch.com

4. Flagstar Bank breach exposed 1.5 million Social Security numbers

Flagstar told 1.5 million customers that hackers had taken their names and Social Security numbers in an intrusion the bank traced to December 2021. The disclosure came months after the event and gave no clear reason for the long delay.

techcrunch.com

5. OpenSea reported a major email data breach

The NFT marketplace OpenSea said an employee of its email vendor Customer.io had downloaded and shared millions of user email addresses with an outside party. The company told anyone who had ever given OpenSea an email address to assume they were affected and to watch for phishing.

techcrunch.com

6. Italy's regulator ruled Google Analytics unlawful

Italy's data protection authority found that a website using Google Analytics broke the GDPR by sending personal data to the United States without adequate safeguards. The Garante joined the French and Austrian regulators in declaring the popular tool incompatible with European law.

techcrunch.com

7. Amazon demonstrated Alexa mimicking the voice of a dead relative

At its re:MARS conference, Amazon showed Alexa reading a story in the cloned voice of a child's late grandmother, built from under a minute of audio. The demonstration drew quick alarm over deception and consent, days after Microsoft restricted similar voice-cloning tools.

www.cnbc.com

8. EFF published security tips for people seeking an abortion

With abortion law shifting, EFF set out practical steps for protecting digital privacy, from locking down location history to choosing private messaging. The guidance warned that search records, app data and phone movements could all become evidence.

www.eff.org

9. EFF responded to the Supreme Court's Dobbs ruling

After the court overturned Roe, EFF warned that the vast data trails people leave behind could be turned against those seeking or helping with abortions. The group urged companies to collect less, hold less and resist overbroad demands from law enforcement.

www.eff.org

10. Senator Markey pressed Amazon over Ring police cooperation

Senator Ed Markey renewed his investigation into Ring, asking Amazon how far its doorbells record audio and whether it would stop courting police partnerships. He pushed the company to make its surveillance network less friendly to law enforcement by default.

theintercept.com

11. Lawmakers unveiled the American Data Privacy and Protection Act

House and Senate leaders released a bipartisan discussion draft of a national privacy bill, the first such effort to win cross-party and cross-chamber backing in years. The draft promised rights to access, delete and correct data, though disputes over enforcement loomed.

www.commerce.senate.gov

12. California exposed the personal data of concealed-carry permit holders

A new California firearms dashboard briefly published the names, addresses and birthdates of roughly 192,000 permit applicants. The records sat open for less than a day, but the leak included the home addresses of judges and officers alongside those of ordinary citizens.

thereload.com

13. FTC finalised its action against CafePress over a hidden breach

The Federal Trade Commission finalised an order against CafePress for poor security and for covering up a 2019 breach that exposed Social Security numbers and weakly protected passwords. The order required stronger safeguards and a payment to compensate affected small businesses.

www.ftc.gov

14. Meta was sued over patient data collected by its Pixel

A patient of MedStar Health sued Meta in federal court, alleging its Pixel tool harvested medical information from hospital sites without consent. The complaint claimed the technology sat on at least 600 hospital systems, feeding patient activity back to Facebook.

www.theregister.com

15. EFF backed the My Body, My Data Act

EFF urged Congress to pass the My Body, My Data Act, which would limit how firms collect and keep reproductive and sexual health information. The group framed the bill as a way to shrink the data that could be used against people after Dobbs.

www.eff.org

16. Hacked emails led to a Kaiser Permanente health-data breach

A compromised employee email account exposed the protected health information of about 69,000 Kaiser Permanente patients in Washington. The exposed records held names, medical record numbers and lab results, though no Social Security or payment details.

techcrunch.com

17. Carnival agreed to pay millions over repeated cyberattacks

Carnival settled with dozens of state attorneys general for 1.25 million dollars over a 2019 breach, while New York's financial regulator imposed a separate 5 million dollar penalty. Investigators found the cruise giant had suffered several incidents while leaving customer data poorly protected.

www.theregister.com

18. TikTok moved US traffic to Oracle amid China-access claims

TikTok said it had routed all American user traffic through Oracle's cloud, just as a report claimed staff in China had repeatedly accessed that data. The timing did little to settle worries about who could reach the records of US users.

techcrunch.com

19. Canadian regulators found the Tim Hortons app tracked users unlawfully

A joint investigation concluded the Tim Hortons app collected vast amounts of location data, logging where users lived, worked and travelled even when the app was closed. Regulators found the tracking continued for a year after the company had dropped its advertising plans for it.

www.theregister.com

20. Stealthy Symbiote Linux malware harvested credentials

Researchers disclosed Symbiote, Linux malware that injects itself into every running process and is very hard to spot. It steals login credentials and smuggles them out through disguised DNS requests, while hiding its files, processes and network traffic from view.

www.theregister.com

