Privacy Roundup #0199 • February 2023
February 2023 paired aggressive enforcement, from the first FTC health breach penalty to a landmark Illinois biometrics ruling, with a steady drumbeat of breaches, ransomware and surveillance disputes.
1. FTC fines GoodRx for sharing health data with Facebook and Google
The Federal Trade Commission brought its first-ever action under the Health Breach Notification Rule, fining the prescription discount service 1.5 million dollars. Regulators said GoodRx had promised never to share personal health information yet handed users' medications and conditions to advertising platforms.
2. Italy orders the Replika AI companion to stop processing data
The Italian data protection authority issued an emergency order halting the chatbot maker Luka from processing the data of Italian users. The Garante cited an absent legal basis, risks to minors and the lack of any age verification on the service.
3. Background check firms confirm a breach hitting 20 million people
PeopleConnect, the owner of TruthFinder and Instant Checkmate, confirmed a breach after a 2019 backup database surfaced on a hacking forum. The leaked records held names, email addresses, phone numbers and encrypted passwords for more than 20 million accounts.
4. ESXiArgs ransomware sweeps thousands of VMware servers worldwide
An automated campaign encrypted more than 3,000 internet-exposed VMware ESXi servers using a new strain dubbed ESXiArgs. The attackers exploited a two-year-old OpenSLP flaw, with France, the United States and Germany among the worst hit.
5. United States and United Kingdom sanction seven Trickbot members
Authorities in both countries imposed financial sanctions on seven men accused of running the Russia-based Trickbot cybercrime platform. The action marked the first such ransomware sanctions for the United Kingdom and tied Trickbot to the Conti and Ryuk operations.
6. Reddit breached after an employee phishing attack
Reddit disclosed that a targeted phishing attack on 5 February tricked an employee into surrendering credentials and a two-factor token. Intruders reached internal documents, source code and dashboards, though the company said production systems and user passwords were untouched.
7. Pepsi bottler discloses malware breach exposing sensitive records
Pepsi Bottling Ventures notified individuals that an intruder had installed information-stealing malware on its systems in late December. The stolen data included names, addresses, driving licence numbers, Social Security numbers and passport information for more than 28,000 people.
8. Microsoft patches three exploited zero-day flaws
Microsoft's February Patch Tuesday fixed dozens of holes, including three zero-day vulnerabilities already under active attack. The flaws spanned the Windows logging driver, an Office security bypass and a Windows graphics component weakness.
9. Illinois Supreme Court rules each biometric scan is a separate violation
In Cothron v. White Castle the Illinois Supreme Court held that a claim under the state biometric privacy law accrues with every scan or transmission. The 4 to 3 decision exposed companies to potentially vast damages for repeated fingerprint collection.
→ epic.org
10. Twitter moves SMS two-factor authentication behind a paywall
Twitter announced that only paying Twitter Blue subscribers would keep text-message-based two-factor authentication, with the feature removed from other accounts from 20 March. Critics warned the change pushed a basic security protection out of reach for many users.
11. GoDaddy reveals a multi-year breach of its hosting systems
GoDaddy disclosed in a securities filing that a sophisticated group had maintained access to its network for several years. The attackers stole source code and installed malware on cPanel servers, redirecting customer websites to malicious domains.
12. State attorneys general fine DNA Diagnostics Center over a breach
The attorneys general of Ohio and Pennsylvania reached a 400,000 dollar settlement with the testing laboratory over a 2021 breach affecting 2.1 million people. Investigators found the firm had misrepresented its security in its privacy policy and left legacy databases exposed.
13. Activision confirms an employee data breach kept quiet for months
Activision confirmed that hackers had phished a human resources employee in December, reaching internal employee and game data. The publisher had not told affected staff for months, and the leaked records held names, phone numbers, email addresses and office locations.
14. Coalition urges DHS to cancel the LexisNexis contract with ICE
EPIC and more than 80 civil rights and privacy groups called on the Department of Homeland Security to drop ICE's 22.1 million dollar data deal with LexisNexis. They argued the data broker let the agency conduct warrantless surveillance of immigrant and Black communities at vast scale.
→ epic.org
15. European Commission orders staff to remove TikTok from work devices
The European Commission directed its roughly 32,000 staff to delete TikTok from corporate devices and from personal phones enrolled in its mobile service. Officials cited cybersecurity threats and concerns over data collection by the app's Chinese owner.
16. Dish Network confirms ransomware behind a multi-day outage
Dish Network confirmed that a ransomware attack had caused a multi-day outage across its websites, apps and internal systems beginning on 23 February. The company later acknowledged that attackers had extracted data, which proved to include records on nearly 300,000 people.
17. California health network breach exposes 3.3 million patients
The Heritage Provider Network began notifying patients on 1 February that a December ransomware attack had exposed deeply sensitive records. For the 3.3 million affected people, the data put at risk included Social Security numbers, diagnoses, test results and prescription information.
18. Coinbase repels an 0ktapus-style phishing attack
Coinbase disclosed that attackers had used SMS phishing to lure an employee into entering credentials, though multi-factor authentication blocked deeper access. The exchange tied the attempt to the 0ktapus campaign that had already hit Twilio, Cloudflare and Signal, with limited employee directory data exposed.
19. Namecheap email system hijacked to send phishing
The registrar Namecheap confirmed that an unauthorised party had abused its email platform to send phishing messages to customers. The fraudulent emails impersonated DHL and the MetaMask crypto wallet in an effort to harvest credentials and personal details.
20. Atlassian data exposed through a third-party app breach
Atlassian confirmed that staff data had leaked after attackers compromised the workplace app Envoy using credentials an employee had posted publicly. The exposed records covered names, email addresses, departments and phone numbers for around 13,200 employees, along with office floor plans.