Privacy Roundup #0198 • January 2023
January 2023 opened the year with record European fines against Meta, a run of credential and API breaches, and ransomware crews crippling postal and gaming firms.
1. Irish regulator fines Meta €390m over the legal basis for personalised ads
The Data Protection Commission ruled that Meta could not rely on the contract legal basis to justify behavioural advertising on Facebook and Instagram. The decision fined the company €390 million and gave it three months to bring its data processing into compliance.
→ iapp.org
2. Email addresses of 200 million Twitter users leaked online
A threat actor posted a dataset of roughly 200 million Twitter profiles on a hacker forum for about two dollars. The data, scraped through a since-fixed API flaw, linked email addresses to names, handles and account details, raising deanonymisation risks for users.
3. France fines Apple €8m over App Store ad targeting
The French data protection authority CNIL penalised Apple for placing advertising identifiers on iPhones without obtaining users' prior consent. The regulator found the App Store consent mechanism in iOS 14.6 fell short of ePrivacy requirements.
4. Chick-fil-A investigates a wave of hijacked customer accounts
The fast food chain confirmed it was examining suspicious activity after reports that customer loyalty accounts were being taken over. The takeovers stemmed from credential stuffing, with stolen accounts and their rewards balances sold online for as little as two dollars.
5. Seattle Public Schools sues TikTok, Meta and other platforms
The district filed a complaint accusing TikTok, Instagram, Facebook, Snapchat and YouTube of designing addictive products that harmed students' mental health. It is believed to be the first US school district to bring such a suit against the platforms.
6. Royal Mail's overseas post halted by a LockBit ransomware attack
The chief executive confirmed to a parliamentary committee that a cyberattack had crippled Royal Mail's international export systems. The incident, attributed to the LockBit ransomware gang, stopped the company from sending parcels and letters abroad for weeks.
7. Norton LifeLock warns 925,000 accounts hit by credential stuffing
Gen Digital, the parent of Norton LifeLock, locked down hundreds of thousands of accounts after attackers used stolen username and password pairs to log in. The attackers successfully reached thousands of those accounts, exposing customer names, phone numbers and mailing addresses.
8. Mailchimp says it was hacked again through social engineering
The email marketing firm disclosed that an intruder had used social engineering against staff to reach an internal support tool. The attacker accessed data across 133 customer accounts, the second such breach against the company in six months.
9. Irish DPC fines WhatsApp €5.5m over transparency failures
The Data Protection Commission concluded that WhatsApp had not clearly explained the legal basis for processing user data when it updated its terms of service. The regulator fined the company €5.5 million and ordered it to bring its operations into compliance.
10. T-Mobile says a hacker accessed data on 37 million customers
The carrier disclosed that an attacker had abused an API to steal personal information from 37 million prepaid and postpaid accounts. The exposed data included names, billing addresses, emails, phone numbers and dates of birth, in T-Mobile's eighth breach since 2018.
11. PayPal warns 35,000 customers after credential stuffing attack
PayPal notified nearly 35,000 customers that attackers had logged into their accounts using credentials stolen elsewhere. The exposed data included names, addresses, social security numbers, tax identification numbers and dates of birth.
12. Ransomware closes around 300 Yum Brands restaurants in Britain
A ransomware attack forced the owner of KFC, Pizza Hut and Taco Bell to take systems offline and shut roughly 300 UK outlets for a day. Yum Brands said data had been taken from its network, though it found no evidence customer databases were stolen.
13. Apple rolls out Advanced Data Protection for iCloud worldwide
With iOS 16.3, Apple extended end-to-end encryption for many iCloud categories beyond the United States to users globally. The optional feature covers device backups, photos, notes and message backups, keeping the keys on a user's own devices rather than on Apple's servers.
14. Hack at ODIN Intelligence exposes a trove of police raid files
Attackers breached the police technology firm ODIN Intelligence and exfiltrated gigabytes of sensitive law enforcement material. The stolen files included tactical plans for imminent raids, suspect records, mugshots and biometric data, much of it unencrypted.
15. LastPass owner GoTo confirms customer backups were stolen
GoTo, the parent of LastPass, told customers that hackers had taken encrypted backups for several of its remote access products along with an encryption key. The exposed material could include usernames, hashed passwords and some multi-factor authentication settings.
16. Riot Games refuses a ten million dollar ransom after source code theft
The games studio confirmed that attackers had stolen source code for League of Legends and other titles after socially engineering an employee. Riot Games received a ten million dollar ransom demand and publicly declined to pay, saying no player data was compromised.
17. FBI and Justice Department dismantle the Hive ransomware operation
Officials announced that investigators had quietly infiltrated Hive's infrastructure for months, seizing decryption keys and passing them to victims. The operation spared more than 1,300 victims an estimated 130 million dollars in ransom payments before the servers were seized.
18. JD Sports says hackers stole data on 10 million customers
The UK retailer warned that an attacker had accessed a server holding online order information for about 10 million customers. The exposed data included names, addresses, email addresses, phone numbers and the last four digits of payment cards.
19. EFF files briefs arguing geofence warrants are unconstitutional
The Electronic Frontier Foundation filed amicus briefs in two appellate cases challenging police use of geofence warrants. The group argued these warrants are unconstitutional general searches that sweep up the location data of innocent bystanders.
20. California and Virginia consumer privacy laws take effect
The first day of January brought the California Privacy Rights Act and the Virginia Consumer Data Protection Act into force. The new laws gave residents fresh rights to correct their data and to limit the use of sensitive personal information.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.