Privacy Roundup #0194 • September 2022

September 2022 paired a wave of high-profile breaches with landmark regulation, as Optus, Uber and Rockstar were ransacked while Instagram drew a record fine and California moved to shield children online.

1. Uber confirms hacker breached its internal network

A hacker linked to the Lapsus$ group breached Uber after socially engineering a contractor into approving a multi-factor login prompt. The intruder reached Slack, cloud services and internal dashboards, prompting Uber to take systems offline while it investigated.

techcrunch.com

2. Optus breach exposes data on millions of customers

Australian telecommunications firm Optus disclosed that an attacker reached personal data through an unauthenticated, publicly exposed API. Names, dates of birth, phone numbers, addresses and passport, licence and Medicare identifiers were taken, affecting up to eleven million people.

www.bleepingcomputer.com
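The Optus item turns on a customer-data endpoint that answered without any credentials. The following added example (not code from the roundup or from Optus) shows the defensive pattern a reviewer would look for: authentication is the default for every route, the few unauthenticated routes are an explicit allowlist, tokens are compared in constant time, and responses return only the fields a client needs rather than the full record. The token, client name, customer records and paths are all constructed for the example.

```python
import hmac

# Constructed example token; a real service would issue per-client credentials
# from an identity provider rather than hard-code them.
VALID_API_TOKENS = {"tok_example_3f9a": "billing-portal"}

# Constructed customer records, with the kind of fields exposed in the Optus incident.
CUSTOMERS = {
    "1001": {"name": "Example Customer", "dob": "1990-01-01", "passport": "N1234567"},
}

# Deny by default: only paths listed here may be served without a token.
PUBLIC_ROUTES = {"/healthz"}


def _authenticate(headers):
    """Return the client name for a valid bearer token, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].strip().encode()
    for token, client in VALID_API_TOKENS.items():
        # Constant-time comparison so token checking does not leak timing information.
        if hmac.compare_digest(presented, token.encode()):
            return client
    return None


def handle_request(path, headers):
    """Dispatch one request and return (status, body).

    Every route requires a valid token unless it is explicitly public,
    so a newly added customer endpoint can never be exposed by omission.
    """
    if path in PUBLIC_ROUTES:
        return 200, {"status": "ok"}
    client = _authenticate(headers)
    if client is None:
        return 401, {"error": "authentication required"}
    if path.startswith("/api/customers/"):
        customer_id = path.rsplit("/", 1)[-1]
        record = CUSTOMERS.get(customer_id)
        if record is None:
            return 404, {"error": "not found"}
        # Data minimisation: the identity documents stay server-side.
        return 200, {"id": customer_id, "name": record["name"], "served_to": client}
    return 404, {"error": "not found"}


if __name__ == "__main__":
    print(handle_request("/api/customers/1001", {}))
    print(handle_request("/api/customers/1001",
                         {"Authorization": "Bearer tok_example_3f9a"}))
```

The point of the allowlist is that the safe failure mode is "401 for a route nobody registered as public", which is the opposite of what an internet-facing API with no authentication layer gives you.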

3. Instagram fined 405 million euros over children's data

Ireland's Data Protection Commission concluded its inquiry into how Instagram handled the data of child users. The regulator imposed a record 405 million euro penalty over public-by-default settings and the exposure of email addresses and phone numbers through business accounts.

www.dataprotection.ie

4. GTA 6 footage and source code leaked after Rockstar hack

A threat actor breached Rockstar Games and posted around ninety clips of early Grand Theft Auto 6 development footage. The same hacker, tied to the Uber intrusion, claimed to have taken source code for both Grand Theft Auto 5 and 6.

www.bleepingcomputer.com

5. Morgan Stanley to pay 35 million dollars over discarded drives

The SEC fined Morgan Stanley after the bank hired a moving firm with no data destruction experience to decommission thousands of hard drives. Devices holding unencrypted data on roughly fifteen million customers were resold and auctioned online, and most were never recovered.

techcrunch.com

6. American Airlines notifies customers after phishing compromises employee mailboxes

American Airlines began notifying people after a phishing campaign compromised the mailboxes of several employees. Exposed information may have included names, dates of birth, addresses, driving licence and passport numbers and certain medical details.

www.bleepingcomputer.com

7. California enacts first-in-the-nation children's design code

Governor Gavin Newsom signed the California Age Appropriate Design Code Act, modelled on the United Kingdom code. The law requires businesses to assess risks to children, default to high privacy settings and avoid collecting precise geolocation without a compelling reason.

www.gov.ca.gov

8. Irish regulator advances draft decision on TikTok and children

The Data Protection Commission submitted a draft decision on its inquiry into TikTok's handling of children's data to other European authorities. The inquiry examined public-by-default settings for under-eighteens and age verification for users under thirteen.

www.dataprotection.ie

9. FTC sues data broker Kochava over location tracking

The Federal Trade Commission pressed its case against Kochava for selling precise location data drawn from hundreds of millions of devices. The EFF welcomed the action, noting the data could reveal visits to reproductive health clinics, places of worship and shelters.

www.eff.org

10. Revolut breach exposes details of tens of thousands of users

The digital bank Revolut confirmed that a social engineering attack let an unauthorised party reach the records of around fifty thousand customers. Names, addresses, email addresses, phone numbers and partial payment data were exposed, fuelling a wave of phishing texts.

techcrunch.com

11. Hacked 2K help desk used to push malware to players

2K Games warned customers after attackers used stolen vendor credentials to access its support desk. The intruders sent emails containing a malicious link that delivered RedLine information-stealing malware, and the firm urged players not to open support messages.

www.bleepingcomputer.com

12. Chrome and Edge spellcheckers found to leak passwords

Researchers showed that the enhanced spellcheck features in Chrome and Edge can transmit form data, including passwords, to Google and Microsoft. The behaviour, dubbed spell-jacking, affected widely used services such as Amazon Web Services, LastPass and Office 365.

www.darkreading.com
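The spell-jacking item is a page-side problem as much as a browser one: a site can opt its sensitive fields out of spellcheck with the `spellcheck="false"` attribute. The following added example (not from the roundup or the researchers) is a small audit a web team could run over its own templates. It parses HTML with Python's standard `html.parser` and flags password inputs, and text fields whose `autocomplete` token marks them as carrying secrets, that lack `spellcheck="false"`. The sample form is constructed for the example.

```python
from html.parser import HTMLParser

# Standard autocomplete tokens that mark a plain text field as carrying secrets
# (for example one-time codes, or card data that is typed into type="text" inputs).
SENSITIVE_AUTOCOMPLETE = {
    "current-password", "new-password", "one-time-code",
    "cc-number", "cc-csc", "cc-exp",
}


class SpellcheckAudit(HTMLParser):
    """Collect form fields whose contents a browser's enhanced spellcheck could
    send off-site because the page never set spellcheck="false" on them."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        # html.parser lowercases attribute names; a bare attribute has value None.
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or "<unnamed>"
        if a.get("spellcheck", "").strip().lower() == "false":
            return  # field is opted out of spellcheck
        field_type = a.get("type", "text").lower() if tag == "input" else "textarea"
        autocomplete = a.get("autocomplete", "").strip().lower()
        if field_type == "password":
            self.findings.append((name, 'password field without spellcheck="false"'))
        elif autocomplete in SENSITIVE_AUTOCOMPLETE:
            self.findings.append((name, f'{autocomplete} field without spellcheck="false"'))


def audit_spellcheck(html):
    """Return the list of (field name, reason) findings for one HTML document."""
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed login form: two fields should be flagged, two should pass.
SAMPLE_LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="password" name="pin" spellcheck="false">
  <input type="text" name="otp" autocomplete="one-time-code">
  <textarea name="comment"></textarea>
</form>
"""

if __name__ == "__main__":
    for field, reason in audit_spellcheck(SAMPLE_LOGIN_PAGE):
        print(f"{field}: {reason}")
```

Running this over a template tree is cheap enough to put in CI; the fix for each finding is a single attribute on the field, and the `username` and `comment` fields are left alone because spellcheck on them is harmless.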

13. FTC holds public forum on commercial surveillance rules

The Federal Trade Commission held a public forum as part of its rulemaking on commercial surveillance and data security. Privacy advocates including EPIC urged the agency to use its authority to curb large scale tracking and profiling of consumers.

epic.org

14. Iran throttles the internet amid protests over Mahsa Amini

Following the death in custody of Mahsa Amini, Iranian authorities restricted Instagram and WhatsApp and imposed mobile network blackouts. The shutdowns aimed to suppress protests and cut citizens off from outside information and one another.

netblocks.org

15. App permissions found to vary by country of download

Bruce Schneier highlighted research showing that Android apps can request different permissions and trackers depending on where they are downloaded. Some apps sought extra dangerous permissions in certain countries, and a few enabled clear-text communication that exposed user data.

www.schneier.com

16. UN warns that spyware and surveillance threaten human rights

The United Nations human rights office published a report warning that intrusive spyware and the constant monitoring of public spaces erode privacy and chill free expression. It urged states to halt the sale and use of tools such as Pegasus until proper safeguards are in place.

www.ohchr.org

17. United States sanctions Iranian officials over internet shutdown

The US Treasury sanctioned Iranian leaders held responsible for the internet shutdown and the violent crackdown on protesters. The action targeted the morality police and security officials in response to the surveillance and repression that followed Mahsa Amini's death.

home.treasury.gov

18. Senators push to rein in police use of Fog Reveal

Following reporting on the Fog Reveal tool, lawmakers pressed for limits on police buying cellphone location data. Senator Ron Wyden's bill sought to regulate how agencies obtain data from brokers, often used to trace people without a warrant.

www.inquirer.com

19. Samsung notifies US customers of summer data breach

Samsung began telling US customers that an unauthorised party had reached some of its systems and exposed personal data. The affected information included names, contact details, dates of birth and product registration data, though no payment card or social security numbers.

thehackernews.com

20. India's data logging rules push VPN providers to leave

India's CERT-In directive requiring VPN firms to store user identities and activity logs for five years took effect, and providers including ExpressVPN, NordVPN and Surfshark pulled their servers out of the country. Digital rights groups warned that the rules expose ordinary users to broad government surveillance.

cdt.org
