Privacy Roundup #0196 • November 2022

November 2022 brought record regulator action against Big Tech, a run of mass scraping and ransomware breaches, and fresh fights over surveillance and encryption.

1. Irish regulator fines Meta 265 million euros over Facebook data scraping

The Irish Data Protection Commission concluded its inquiry into the 2019 leak of personal data belonging to hundreds of millions of Facebook users. It found that Meta had failed to build privacy into its contact import tools by design and default, and imposed a penalty of 265 million euros.

www.dataprotection.ie

2. WhatsApp scraping claims draw regulators' attention

A seller on a hacking forum advertised a database of phone numbers said to belong to more than 487 million WhatsApp users across eighty-four countries. Meta denied any breach of its systems and attributed the haul to scraping, while data protection authorities in Ireland and Hong Kong opened inquiries.

therecord.media

3. Stolen data on 5.4 million Twitter users leaked online

Records on 5.4 million Twitter accounts, harvested through an API flaw the company patched in January, were dumped for free on a hacking forum. The data combined public profile details with private phone numbers and email addresses, and a far larger set was reported to be circulating in private.

www.bleepingcomputer.com

4. LastPass discloses a second breach affecting customer data

The password manager admitted that an intruder had used information taken in an earlier August incident to reach a cloud storage service it shared with its parent company GoTo. This time the company conceded that customer information had been accessed, reversing its earlier reassurance.

techcrunch.com

5. Medibank attackers begin dumping Australian health records

After the insurer Medibank refused to pay a ransom, the criminals behind the breach started publishing stolen files on the dark web. The leaked records exposed sensitive claims data, including details of customers treated for mental health, addiction and pregnancy terminations.

techcrunch.com

6. Dropbox loses 130 code repositories to a phishing attack

Dropbox disclosed that an attacker had stolen 130 of its GitHub code repositories after staff were lured to a fake CircleCI login page. The breach also exposed some API keys and a few thousand names and email addresses of employees, customers and vendors.

www.bleepingcomputer.com

7. Pediatric software vendor breach hits 2.2 million patients

Connexin Software, which supplies record-keeping tools to children's medical practices, notified parents that an intruder had reached an offline set of patient data. The exposed information included names, dates of birth, Social Security numbers and medical details for around 2.2 million people.

databreaches.net

8. AirAsia ransomware attack exposes five million records

The Daixin Team ransomware group claimed an attack on AirAsia and released sample files containing passenger and employee data. The leaked records held names, dates of birth, locations and, for staff, security questions and answers covering roughly five million people.

databreaches.net

9. EU's top court strikes down public company ownership registers

The Court of Justice of the European Union ruled that giving the general public open access to beneficial ownership data was a serious interference with the rights to private life and data protection. The judgment invalidated the relevant provision of the anti-money laundering directive and forced several member states to close their registers.

www.access-info.org

10. Australia passes much larger penalties for privacy breaches

Parliament approved a bill lifting the maximum fine for serious or repeated privacy breaches to the greater of fifty million dollars, three times the benefit gained, or thirty per cent of domestic turnover. The reform followed the Optus and Medibank breaches and granted the privacy commissioner stronger enforcement powers.

ia.acs.org.au

11. Leaked documents reveal Iran's phone control system

Internal documents from an Iranian carrier exposed SIAM, a system that lets operators track users, throttle connections and weaken the encryption of calls. The tools appeared designed to help the state monitor and disrupt the phones of protesters.

www.schneier.com

12. FBI documents show plans to deploy Pegasus spyware

Records released through a freedom of information lawsuit showed that the FBI had gone beyond mere testing of NSO Group's Pegasus spyware. The files described an effort to deploy the zero-click tool in criminal investigations before the bureau ultimately held back.

www.jurist.org

13. EFF urges the FTC to rein in commercial surveillance

The Electronic Frontier Foundation filed comments backing the trade regulator's plan to write new rules on commercial surveillance and lax data security. It pressed the agency to address worker and student monitoring, stalkerware and location data brokers, arguing that current law leaves Americans poorly protected.

www.eff.org

14. Legal opinion warns Online Safety Bill threatens end-to-end encryption

An independent legal analysis of Britain's Online Safety Bill concluded that its scanning powers posed a serious risk to end-to-end encryption. The barrister behind the opinion described the proposed powers as among the broadest mass surveillance measures ever put forward in a Western democracy.

techcrunch.com

15. FTC voices deep concern as Twitter's privacy chiefs quit

The chief privacy officer, chief information security officer and chief compliance officer all resigned within days of Elon Musk's takeover of Twitter. The trade regulator said it was watching the company with deep concern given its standing privacy consent order.

www.cnbc.com

16. Hospitals face lawsuits over Meta's tracking pixel

UPMC, Advocate Aurora and Duke Health were among the systems sued over use of Meta's tracking pixel on their websites. The suits alleged that the code sent patients' health-related information to Meta without consent, in breach of medical privacy laws.

www.statnews.com

17. India publishes a fresh draft of its data protection law

The Indian government released a fourth attempt at a privacy law, renamed the Digital Personal Data Protection Bill. The draft set out consent requirements, rights to correction and erasure, and penalties of up to fifty million rupees for non-compliance.

www.hunton.com

18. DuckDuckGo opens app tracking protection to all Android users

DuckDuckGo moved its App Tracking Protection feature into open beta for every Android user. The tool blocks third-party trackers running inside other apps using a local connection, without routing app data through DuckDuckGo's own servers.

www.bleepingcomputer.com

19. Google to pay 391.5 million dollars over location tracking

Forty state attorneys general settled with Google over claims that it had misled users about how it tracked their movements. Investigators found that switching off Location History did not stop the company collecting location data through other settings, and Google agreed to pay 391.5 million dollars.

techcrunch.com

20. Schrems signals a fresh challenge to EU-US data transfers

At the IAPP Europe congress, Max Schrems warned that he would take a new case to the Court of Justice if the proposed EU-US Data Privacy Framework went ahead. He said an injunction could quickly freeze the European Commission's adequacy decision, raising the prospect of a third transfers ruling.

iapp.org
