Privacy Roundup #0201 • April 2023
April 2023 paired heavy regulatory pressure on Big Tech and AI with a steady run of breach disclosures and fresh proof of commercial spyware and corporate surveillance.
1. UK regulator fines TikTok 12.7 million pounds over children's data
The Information Commissioner's Office fined TikTok 12.7 million pounds for processing the data of about 1.4 million children under thirteen without parental consent. The watchdog found the platform had failed to give users proper information about how their data was collected and used.
2. ChatGPT returns to Italy after the Garante lifts its ban
OpenAI restored ChatGPT in Italy on 28 April after the data protection authority suspended the service over its handling of personal data. The company added a privacy disclosure page, an age check and an option to refuse the use of conversations for training.
3. Western Digital says hackers stole data in network breach
Western Digital disclosed on 3 April that an unauthorised party had accessed several internal systems and taken data. The intrusion knocked out the My Cloud storage service and the attackers later claimed to hold ten terabytes of company information.
4. 3CX breach traced to a double supply chain compromise
Investigators found that the attack on telephony vendor 3CX began with a separate tampered installer for trading software called X_TRADER. The case marked the first documented instance of one software supply chain attack leading directly into another.
5. Capita confirms attackers stole data in March ransomware breach
The outsourcing giant Capita admitted on 20 April that criminals had exfiltrated data after breaking into its systems in late March. The firm runs pension administration for hundreds of UK schemes, raising fears about the exposure of millions of records.
6. EFF warns the proposed UN cybercrime treaty could expand surveillance
The Electronic Frontier Foundation and allied groups cautioned that the draft UN cybercrime treaty could legitimise intrusive surveillance and weaken global privacy standards. They urged negotiators in Vienna to add firm human rights safeguards before the text advanced.
7. Washington passes the My Health My Data Act
Washington state lawmakers passed the My Health My Data Act, the first US law to protect consumer health data that falls outside the scope of HIPAA. The measure restricts the collection and sale of such data without consent and grants residents a private right of action.
8. The EARN IT Act returns, threatening encrypted messaging
Senators reintroduced the EARN IT Act, which the EFF warns could push platforms toward scanning every message, photo and file users send. Critics argue the bill undermines end-to-end encryption while doing little to protect children.
9. NCR ransomware attack knocks out Aloha restaurant systems
NCR disclosed a ransomware attack that took down a data centre running its widely used Aloha point-of-sale platform. Restaurants lost access to online ordering, payroll and back-office tools while the company worked to restore service.
10. Uber driver data stolen through a breached law firm
Uber drivers' names and Social Security numbers were exposed after attackers breached the systems of the law firm Genova Burns. The incident underlined how sensitive data leaks through third parties that handle it on a company's behalf.
11. Kodi confirms forum breach exposing user data
The media centre project Kodi confirmed that attackers had used a trusted administrator account to dump its user forum database. The stolen data included usernames, email addresses, private messages and encrypted passwords.
12. French court suspends invasive exam proctoring software
A court in Montreuil suspended a university's use of the TestWe e-proctoring tool, ruling that its facial recognition, eye tracking and audio monitoring went too far. The judges found that permanent surveillance of bodies and sounds was excessive for preventing cheating.
13. Yum Brands says staff data was stolen in ransomware attack
The owner of KFC, Pizza Hut and Taco Bell disclosed that personal data was taken during a January ransomware attack, reversing its earlier position. Notification letters sent in April showed employee names and identification numbers had been exposed.
14. Shields Health Care breach hits more than two million patients
The Massachusetts medical provider Shields Health Care Group disclosed a breach affecting over 2.3 million people. Attackers had moved through its network and accessed sensitive patient information.
15. Tesla workers shared intimate footage from customer cars
A Reuters investigation found that Tesla employees had privately circulated invasive videos and images captured by customers' car cameras between 2019 and 2022. Some clips showed people inside private garages, and the tooling could reveal where recordings were made.
16. Citizen Lab exposes QuaDream spyware targeting iPhones
Researchers at Citizen Lab and Microsoft uncovered QuaDream, a little-known Israeli vendor whose spyware infected iPhones through malicious calendar invites. Victims included journalists, opposition figures and a non-governmental organisation worker across several regions.
17. Citizen Lab finds new Pegasus zero-click attacks
Citizen Lab reported that NSO Group customers had deployed at least three new iOS zero-click exploit chains against civil society in 2022. One chain, called PWNYOURHOME, abused the iPhone's HomeKit feature to reach targets without any interaction.
18. American Bar Association breach exposes 1.4 million members
The American Bar Association told members that attackers had accessed legacy login credentials for about 1.4 million accounts. The exposed data consisted of usernames and hashed and salted passwords from an older membership system.
19. Hyundai discloses breach of customer data in France and Italy
Hyundai notified car owners and test-drive bookers in France and Italy that attackers had accessed their personal details. The exposed information included email addresses, home addresses, telephone numbers and vehicle chassis numbers.
20. FBI seizes Genesis Market in Operation Cookie Monster
Law enforcement across seventeen countries seized Genesis Market, a marketplace that sold stolen logins and the browser fingerprints needed to use them. The site held data from about 1.5 million infected computers, and the operation led to roughly 120 arrests.