Privacy Roundup #0202 • May 2023
May 2023 brought record European fines, a wave of mass breaches and fresh fights over surveillance, encryption and artificial intelligence.
1. Ireland fines Meta a record 1.2 billion euros for unlawful data transfers
The Irish Data Protection Commission concluded its inquiry on 22 May and ordered Meta to suspend transfers of European user data to the United States. The penalty surpassed the previous record held by Amazon and reflected the unresolved fallout from the Schrems II judgment.
2. Amazon agrees to pay more than 30 million dollars over Ring and Alexa privacy failures
On 31 May the Federal Trade Commission announced settlements alleging that Ring let staff watch customer videos and that Alexa kept children's recordings indefinitely. Amazon agreed to delete unlawfully retained data and to stop training its systems on it.
3. Montana becomes the first state to ban TikTok outright
Governor Greg Gianforte signed Senate Bill 419 on 17 May, making it unlawful for app stores to offer TikTok within the state. The governor framed the measure as a defence of residents' data against the Chinese government.
4. Toyota leaves the location data of millions of vehicles exposed for a decade
On 12 May Toyota disclosed that a cloud misconfiguration had left vehicle and location records of about 2.15 million Japanese customers publicly accessible since 2013. The exposed information included vehicle locations, timestamps and footage from drive recorders.
5. Apple and Google propose a standard to curb unwanted Bluetooth tracking
On 2 May the two companies submitted a joint draft specification to the Internet Engineering Task Force so trackers such as AirTags could alert people being followed. Samsung, Tile and others backed the proposal during the comment period.
6. Discord discloses a breach after a support agent is hacked
On 12 May Discord warned users that an attacker had compromised a third-party customer service account and accessed a support ticket queue. The exposed data included email addresses, support messages and any attachments people had sent.
7. Progress warns of a MOVEit zero-day that would fuel mass extortion
On 31 May Progress Software disclosed a critical flaw in MOVEit Transfer, tracked as CVE-2023-34362, that attackers had already begun exploiting. The Clop ransomware group used it to steal data from hundreds of organisations over the following weeks.
8. The EARN IT bill advances out of committee over privacy objections
On 4 May the Senate Judiciary Committee voted again to send the EARN IT Act to the full Senate. The Electronic Frontier Foundation warned the bill would pressure services to abandon end-to-end encryption, though several senators raised concerns during the markup.
9. The FTC moves to bar Meta from monetising children's data
On 3 May the Federal Trade Commission proposed a blanket prohibition preventing Facebook from profiting from any data collected on users under eighteen. The agency said Meta had repeatedly violated earlier privacy orders and a children's privacy law.
10. German newspaper reports a 100-gigabyte whistleblower leak at Tesla
On 25 May the newspaper Handelsblatt reported that former employees had handed it files exposing the personal data of more than 75,000 staff. The trove also held thousands of customer complaints about braking and acceleration faults, and German regulators opened an inquiry.
11. The Capita breach widens as customers learn their data was stolen
In mid-May the outsourcing giant Capita confirmed that attackers had exfiltrated data during a March intrusion, and organisations began notifying affected people. Personal records of millions, including pension scheme members, were caught up in the incident.
12. Luxottica confirms a 2021 breach exposing 70 million customers
On 20 May the eyewear group acknowledged that contact details for around 70 million customers had surfaced online after a third-party hack. The leaked data included names, addresses, telephone numbers, emails and dates of birth.
13. Twitter restricts content in Turkey before the presidential election
On 13 May, the eve of the vote, Twitter limited access to several accounts and hundreds of tweets after the Turkish government threatened to shut it down. Critics said Elon Musk had capitulated to censorship demands from an autocratic government.
14. A ransomware attack on MCNA exposes nearly nine million dental patients
On 26 May the dental insurer MCNA began notifying about 8.9 million people that the LockBit gang had stolen their personal and health information. The compromised records included names, Social Security numbers and insurance details.
15. Google lets users sign in with passkeys instead of passwords
On 3 May Google made passkeys available across personal accounts, replacing passwords with device-based authentication such as fingerprints or face scans. The company stressed that biometric data stays on the device and is never sent to its servers.
16. Samsung bans staff from using ChatGPT after a source code leak
On 2 May Samsung prohibited employees from using generative AI tools on company devices and networks following an internal data leak. The company feared that confidential information uploaded to such services could not be retrieved.
17. Dish Network notifies nearly 300,000 people after a ransomware attack
On 18 May the satellite broadcaster began sending breach letters tied to a February ransomware intrusion that exposed employee records. The stolen information included names and driver's licence numbers.
18. European lawmakers vote to ban live facial recognition under the AI Act
On 11 May two European Parliament committees approved a negotiating position that would outlaw real-time biometric identification in public spaces. The draft also barred predictive policing, emotion recognition and the scraping of faces from the internet.
19. A reporter finds Google logging her abortion clinic visit despite a promise to delete it
On 9 May The Washington Post reported that Google had retained location data from a clinic trip even though the company had pledged to remove such records. The finding undercut assurances offered after the overturning of Roe v Wade.
20. The Fortra GoAnywhere mass-hack is confirmed to have stolen millions of patients' records
On 4 May reporting confirmed that the Clop group's exploitation of Fortra's file transfer tool had compromised health data across scores of organisations. Brightline alone notified nearly a million people that their information had been taken.