Privacy Roundup #0195 • October 2022
October 2022 was dominated by sprawling data breaches, a wave of Australian hacks and regulators reaching for record fines against tracking, scraping and lax security.
1. Microsoft confirms a misconfigured server exposed customer data
Microsoft admitted that a misconfigured Azure endpoint had left business transaction records and personal details openly accessible on the internet. The firm disputed the researchers' claim that 65,000 companies were affected, but conceded that names, email addresses and signed documents had been exposed.
2. Toyota leaks customer data after an access key sat on GitHub for years
Toyota disclosed that part of the source code for its T-Connect app had been published on GitHub with an embedded server access key. The exposure put the email addresses and customer numbers of almost 300,000 people at risk over a period of nearly five years.
3. France hits Clearview AI with a maximum facial recognition fine
The French regulator CNIL fined Clearview AI 20 million euros for scraping facial images without a legal basis and ignoring an earlier order. Clearview had failed to respond to the formal notice or to delete the data of French residents as required.
4. FTC acts against Drizly and names its chief executive personally
The Federal Trade Commission moved against the alcohol marketplace Drizly over security failures that exposed the data of 2.5 million consumers. The order required data minimisation and, unusually, bound the company's chief executive to its terms even if he moved to another firm.
5. Hospital tracking pixels disclosed three million patients to advertisers
Advocate Aurora Health warned that Meta and Google tracking code on its patient portal may have leaked sensitive medical information to third parties. The exposed details included appointment types, providers and communications sent through the MyChart portal.
6. Medibank attackers strip the health records of millions of Australians
The Australian insurer Medibank revealed that intruders had stolen the personal and health data of its customers after using credentials taken from an infected contractor machine. The haul covered names, Medicare numbers and claims data for around 9.7 million people.
7. Australia moves to raise privacy penalties to fifty million dollars
After the Optus and Medibank breaches, the Australian government introduced a bill to lift maximum penalties for serious privacy failures. The new ceiling would be 50 million Australian dollars, three times the benefit gained, or 30 per cent of turnover.
8. Shein owner fined for hiding the scale of a breach from users
New York fined Zoetop, the owner of Shein and Romwe, 1.9 million dollars for mishandling a breach that compromised 39 million accounts. Investigators found that the firm had notified only a fraction of those affected and understated the number of victims.
9. Meta flags 400 apps built to steal Facebook logins
Meta warned that it had found more than 400 Android and iOS apps designed to harvest Facebook credentials from unsuspecting users. The apps posed as photo editors, games and utilities, and may have compromised the login details of up to a million people.
10. Ransomware gang dumps half a terabyte of Los Angeles schools data
The Vice Society gang published roughly 500 gigabytes of data stolen from the Los Angeles Unified School District after the district refused to pay. The leaked files included Social Security numbers and confidential psychological assessments of students.
11. CommonSpirit ransomware attack disrupts hospitals across the country
The major American health system CommonSpirit disclosed a ransomware attack that forced facilities to take systems offline and postpone patient care. The intrusion later proved to have exposed the records of hundreds of thousands of patients across many states.
12. Verizon prepaid accounts hijacked through SIM swapping
Verizon told prepaid customers that attackers had used the last four digits of their payment cards to break into accounts and swap SIM cards. Such swaps let criminals intercept text codes and seize control of victims' other online accounts.
13. Attacker drains more than a hundred million dollars from Mango Markets
A trader manipulated the price of the MNGO token to borrow and withdraw vast sums from the crypto platform Mango Markets. The exploit wiped out depositors and exposed how thin the protections were on the decentralised exchange.
14. Hive gang leaks data stolen from Indian power giant Tata Power
The Hive ransomware group began publishing data taken from Tata Power after extortion talks appeared to fail. The leak included engineering drawings, financial records and personal client information from one of India's largest energy companies.
15. Mormon church data stolen in suspected state-sponsored attack
The Church of Jesus Christ of Latter-day Saints disclosed that intruders had accessed member and employee data in an attack American investigators believe was state sponsored. The exposed details included names, birthdates, addresses and contact information.
16. UK regulator fines Interserve millions over a phishing breach
The Information Commissioner's Office fined the construction firm Interserve 4.4 million pounds after a phishing email led to the compromise of employee data. The breach exposed the bank details and special category data of up to 113,000 staff.
17. Woolworths subsidiary MyDeal exposes 2.2 million customers
The Australian marketplace MyDeal, owned by Woolworths, disclosed that stolen credentials had given an attacker access to its customer database. Names, addresses, phone numbers and some birthdates were taken and offered for sale online.
18. EFF warns of a national lab selling a digital police officer fantasy
The Electronic Frontier Foundation criticised a national laboratory for promoting a future of police and border agents augmented by artificial intelligence. The group argued that such visions would normalise mass surveillance and erode civil liberties.
19. Optus confirms two million identity numbers exposed in its breach
Optus confirmed that 2.1 million of its customers had government identity numbers compromised in the attack that shook Australia. All 9.8 million affected people also had email addresses, birthdates and phone numbers exposed.
20. NHS supplier Advanced confirms data was stolen but stays silent on scope
The NHS technology supplier Advanced confirmed that attackers had copied and removed data during an August ransomware attack that crippled the 111 helpline. The firm declined to say whether patient records were taken or how many people were affected.