Privacy Roundup #0200 • March 2023
March 2023 brought a wave of regulatory action on health data and spyware, record-breaking breaches in healthcare and finance, and a hardening political fight over TikTok, encryption and artificial intelligence.
1. FTC orders BetterHelp to refund customers for sharing therapy data
The Federal Trade Commission required online counselling service BetterHelp to return 7.8 million dollars to customers after it shared sensitive mental health information with Facebook, Snapchat and other advertisers. It was the first time the regulator forced a company to refund people whose health data was disclosed without consent.
2. White House publishes National Cybersecurity Strategy
The Biden administration released a strategy that proposed shifting liability onto software makers and backed federal limits on how companies collect and sell personal data. It marked a move away from voluntary information sharing towards firmer regulation of the technology industry.
3. Watchdog finds ICE and Secret Service ran illegal phone surveillance
A Homeland Security inspector general report concluded that ICE, Homeland Security Investigations and the Secret Service used cell-site simulators without the special court orders the law requires. The devices, known as Stingrays, trick nearby phones into revealing their location and identifying details.
4. DC Health Link breach exposes members of Congress
A misconfigured server at the District of Columbia health insurance marketplace exposed the personal data of 56,415 customers, including 17 sitting members of Congress and many staff. The leaked records held Social Security numbers, dates of birth and contact details, some of which surfaced for sale on the dark web.
5. FBI seizes NetWire spyware service and arrests suspected operator
The FBI took down the website selling NetWire, a remote access trojan used for more than a decade to spy on infected computers and steal passwords. Croatian police arrested the suspected administrator, whom investigators linked to the operation through years of careless registration records.
6. AT&T tells nine million customers their account data was exposed
AT&T notified roughly nine million wireless customers that their account information was accessed through a breach at a third-party marketing vendor. The exposed records included rate plans and the number of lines, although the carrier said no financial data or Social Security numbers were involved.
7. PharMerica discloses breach affecting 5.8 million people
Pharmacy services firm PharMerica and its parent BrightSpring said attackers reached their systems in mid-March and took the personal and medical data of 5,815,591 individuals. The Money Message ransomware gang claimed responsibility and published stolen records when its demands were not met.
8. Independent Living Systems warns 4.2 million patients of a breach
The Florida healthcare provider updated its disclosure to confirm that intruders may have taken the data of more than 4.2 million people during an intrusion the previous summer. The stolen records included Social Security numbers, driving licence details, financial account information and medical histories.
9. Latitude Financial breach grows to 14 million records
The Australian lender first reported a breach of about 328,000 customers, then revised the figure to roughly 14 million people across Australia and New Zealand. The haul included almost eight million driving licence numbers along with names, addresses and dates of birth.
10. Acer confirms breach after data appears for sale
Acer confirmed that an unauthorised party reached a server used by its repair technicians after a seller offered 160 gigabytes of company data on a hacking forum. The stolen files included technical manuals, BIOS images and product documentation, although the firm said it found no sign that consumer data was held there.
11. Clop ransomware gang begins extorting GoAnywhere victims
The Clop gang started naming victims of its mass attack on the GoAnywhere file transfer tool, claiming it had stolen data from more than 130 organisations through a zero-day flaw. The campaign turned a single software vulnerability into one of the largest data extortion sprees of the year.
12. Senators introduce the RESTRICT Act targeting foreign technology
A bipartisan group led by Mark Warner and John Thune unveiled the RESTRICT Act, which would give the Commerce Department power to ban technology tied to hostile states. Although aimed at TikTok, the bill would reach any product from a country deemed a national security concern.
13. TikTok chief faces a hostile congressional hearing
TikTok chief executive Shou Zi Chew testified for about five hours before the House Energy and Commerce Committee over data privacy, child safety and the app's ties to China. Members from both parties pressed him on whether ByteDance could be forced to hand user data to the Chinese government.
14. Utah enacts strict age-verification rules for social media
Governor Spencer Cox signed laws requiring social media services to verify users' ages and obtain parental consent for minors in Utah. Privacy advocates warned that mandatory age checks would push platforms to collect even more personal data and undermine private internet access.
15. Biden signs order limiting government use of commercial spyware
President Biden signed an executive order barring federal agencies from using commercial spyware that poses counter-intelligence or human rights risks. Officials said about 50 devices used by United States personnel across ten countries had been targeted or compromised by such tools.
16. Twitter source code leaks on GitHub
Twitter told a court that parts of its proprietary source code had been posted on GitHub by a user calling themselves FreeSpeechEnthusiast. The company sought a subpoena to unmask the leaker, while researchers warned the code could reveal flaws that expose private user information.
17. A bug lets ChatGPT users see other people's chat titles and billing data
OpenAI confirmed that a flaw in an open-source library briefly let some ChatGPT users view other people's conversation titles and, for a small share of paying subscribers, partial payment details. The exposed information included names, email addresses and the last four digits of credit cards.
18. Italy orders ChatGPT blocked over data protection concerns
The Italian data protection authority ordered OpenAI to stop processing the personal data of people in Italy, citing the lack of a legal basis for training the model and weak age checks. Italy became the first country to impose such a restriction on the service, giving OpenAI 20 days to respond.
19. Clearview AI reveals police ran nearly a million face searches
The facial recognition firm's chief executive said law enforcement had run close to a million searches against its database, which had grown to about 30 billion images scraped from social media. Civil liberties groups condemned the scale of the surveillance and the company's harvesting of photographs without consent.
20. Iowa becomes the sixth state with a consumer privacy law
Governor Kim Reynolds signed a comprehensive consumer privacy bill, making Iowa the sixth American state to enact one after California, Virginia, Colorado, Utah and Connecticut. The law grants residents rights over their data but does not take effect until the start of 2025.
→ iapp.org