Privacy Roundup #0197 • December 2022
December 2022 closed the year with record fines against Meta and Epic Games, fresh breaches at LastPass and TikTok, and a landmark shift towards encryption as Apple finally embraced end-to-end encryption for iCloud and abandoned its plan to scan photos.
1. LastPass confirms hackers stole customer password vaults
The password manager admitted that attackers had copied a backup containing encrypted customer vaults along with unencrypted data such as website addresses and billing details. The theft used cloud storage keys lifted from a LastPass employee during an earlier intrusion.
2. Apple launches end-to-end encryption for iCloud backups
Apple introduced Advanced Data Protection, an opt-in setting that extends end-to-end encryption to iCloud backups, photos, notes and more. With it enabled, Apple itself cannot read the protected data and cannot hand it to law enforcement.
3. Apple abandons its plan to scan iCloud photos for abuse imagery
After more than a year of criticism from security researchers and rights groups, Apple confirmed it had dropped its proposed tool to scan iCloud photos for child sexual abuse material. Critics had warned the scanning system could be repurposed for broader surveillance.
4. Epic Games to pay $520 million over Fortnite privacy and billing
The FTC secured agreements requiring the Fortnite maker to pay $520 million to settle claims it broke children's privacy law and used dark patterns to trick players into unwanted purchases. The deal included the largest penalty ever obtained for breaking an FTC rule.
5. Meta agrees to $725 million Cambridge Analytica settlement
Meta agreed to pay $725 million to settle a long-running class action over allowing Cambridge Analytica and other third parties to harvest Facebook user data. Lawyers described it as the largest recovery ever achieved in a data privacy class action.
6. TikTok admits ByteDance staff accessed journalists' data
TikTok confirmed that ByteDance employees had improperly accessed the data of journalists at the Financial Times and BuzzFeed while hunting for the source of internal leaks. The staff tracked the reporters' IP addresses to check whether they had been near certain employees, and four people were dismissed.
7. FBI's vetted InfraGard network breached
A hacker using the handle USDoD gained access to InfraGard, the FBI's information-sharing network, by applying with a fake account in the name of a vetted company chief executive. Contact details for more than 80,000 members were then scraped through an exposed API and offered for sale.
8. France fines Microsoft 60 million euros over Bing cookies
The French regulator CNIL fined Microsoft 60 million euros after finding that Bing dropped advertising cookies without consent and made refusing them harder than accepting them. Users needed two clicks to reject cookies but only one to accept.
9. European board rules Meta cannot force behavioural advertising
The European Data Protection Board adopted binding decisions finding that Meta could not rely on its terms of service to justify processing personal data for behavioural advertising. The ruling directed the Irish regulator to order Meta to bring Facebook and Instagram into compliance.
10. European Commission opens path to new EU to US data deal
The European Commission published a draft adequacy decision for the EU to US Data Privacy Framework, the proposed successor to the invalidated Privacy Shield. The draft followed a Biden executive order limiting how US intelligence agencies may access European data.
11. Massive Twitter dataset spurs Irish privacy inquiry
A hacker posted a dataset said to contain the email addresses and phone numbers of hundreds of millions of Twitter users, scraped through a since-patched flaw. Ireland's Data Protection Commission opened an inquiry into the linked breach affecting roughly 5.4 million accounts.
12. Uber data leaked after attack on a third-party vendor
A threat actor calling itself UberLeaks posted source code, asset records and the details of around 77,000 Uber employees on a hacking forum. Uber traced the leak to a breach at Teqtivity, an outside vendor that handles its asset management.
13. Rackspace ransomware attack knocks out hosted email
A ransomware attack on Rackspace's Hosted Exchange service cut off email for thousands of small and medium businesses early in the month. The Play group was blamed, and Rackspace later retired the product and moved affected customers to Microsoft 365.
14. San Francisco reverses course on police killer robots
After a public backlash and a letter from dozens of community groups, the San Francisco Board of Supervisors voted to bar police from using remote-controlled robots to deliver deadly force. The decision overturned an authorisation the board had granted just a week earlier.
15. Apple sued over AirTag stalking
Two women filed a class action accusing Apple of failing to stop its AirTag trackers from being used to stalk and harass people. One plaintiff said a former partner had hidden an AirTag in the wheel well of her car to follow her movements.
16. Slack discloses theft of private code repositories
Slack revealed that attackers had used stolen employee tokens to download some of its private GitHub repositories. The company said its main codebase was untouched and that no customer data or environments were affected.
17. Credential stuffing exposes thousands of PayPal accounts
PayPal began notifying about 35,000 customers that attackers had accessed their accounts in a credential stuffing campaign over a few days in early December. Exposed data could include names, addresses, tax identifiers, birth dates and Social Security numbers.
18. Gemini crypto users hit by data leak and phishing wave
Cryptocurrency exchange Gemini said personal details of millions of customers had surfaced on hacking forums after a breach at a third-party vendor. Affected users reported a surge of targeted phishing attempts in the days that followed.
19. Play ransomware paralyses the city of Antwerp
The Play ransomware group claimed responsibility for an attack that took down IT, email and phone services across the Belgian city of Antwerp. The gang said it had stolen hundreds of gigabytes of data, including passports, identity documents and financial records.
20. Five Guys breach exposes job applicants' details
The burger chain Five Guys began notifying people that a breach of its systems had exposed information submitted during the hiring process. The names, Social Security numbers and driving licence numbers of more than 37,000 applicants were affected.