Privacy Roundup #0203 • June 2023
June 2023 was dominated by the MOVEit mass hack, alongside regulators in the United States and Europe handing down fines over children's data and adtech tracking, and a declassified court opinion exposing warrantless surveillance.
1. Clop gang claims the MOVEit file transfer mass hack
On 6 June the Clop ransomware crew claimed responsibility for stealing data from MOVEit Transfer servers worldwide using a zero-day flaw. The gang told victims to contact it or see their files published on its leak site.
2. CISA and the FBI warn federal agencies hit by the MOVEit flaw
On 7 June CISA and the FBI published a joint advisory on the Clop exploitation of CVE-2023-34362, and CISA confirmed that several federal bodies had been breached. The United States Energy Department was named among the affected departments.
3. Oregon and Louisiana driver records stolen in the MOVEit breach
On 12 and 15 June the Oregon and Louisiana motor vehicle agencies disclosed that millions of driving licence holders had their records taken through the MOVEit flaw. The stolen files included names, addresses, Social Security numbers and licence numbers.
4. Genworth and CalPERS confirm MOVEit data theft
On 16 June the insurer Genworth Financial said attackers had taken records on roughly 2.5 million customers through its vendor PBI Research Services. The same supplier breach also struck the California pension fund CalPERS, exposing data on hundreds of thousands of retirees.
5. American and Southwest pilot applicants exposed
In June American Airlines and Southwest Airlines disclosed that a breach at the recruitment vendor Pilot Credentials had exposed thousands of pilots and applicants. The leaked files held names, Social Security numbers, passport numbers and airman certificate numbers.
6. University of Manchester confirms a separate cyberattack
On 9 June the University of Manchester warned staff and students that attackers had broken into its systems and stolen data. The university stressed that the intrusion was not part of the wider MOVEit campaign.
7. Microsoft to pay $20 million over Xbox children's data
On 5 June the FTC announced that Microsoft would pay $20 million for collecting personal data from children who signed up to Xbox without parental consent. The company had also retained the data of children who never finished creating an account.
8. France fines adtech firm Criteo €40 million
On 22 June the French regulator CNIL fined the behavioural advertising company Criteo €40 million for tracking users without valid consent. Regulators found that Criteo had never checked whether its partners had actually obtained consent before its trackers fired.
9. FTC bolsters its case against data broker Kochava
In June the FTC unsealed an amended complaint against the data broker Kochava, adding detail on how its location data can identify and track people. Regulators said the firm sold precise location feeds that could expose visits to abortion clinics and other sensitive places.
10. Declassified court order reveals 278,000 improper FBI searches
A declassified opinion from the surveillance court showed that the FBI had run more than 278,000 Section 702 queries that broke its own rules. The improper searches swept in Black Lives Matter protesters, January 6 suspects, journalists and campaign donors.
11. Civil liberties groups demand a halt to licence plate data sharing
On 15 June the EFF and two ACLU affiliates set a deadline for 71 California police agencies to stop sharing licence plate reader data with out-of-state forces. The groups warned that the feeds could be used to track people travelling to states with abortion restrictions.
12. Stalkerware app LetMeSpy breached and dumped online
On 21 June the phone monitoring app LetMeSpy admitted that a hacker had stolen its database and posted victim data online. The leaked records held the messages, call logs and locations harvested from thousands of monitored devices.
13. European Parliament adopts its Pegasus spyware findings
On 15 June the European Parliament adopted the final recommendation of its inquiry into Pegasus and similar mercenary spyware. Members called for tighter rules after finding that several governments had abused the surveillance tools against journalists and opponents.
14. The United Kingdom and United States agree a data bridge in principle
On 8 June the two governments announced a commitment in principle to a UK extension of the EU-US Data Privacy Framework. Critics warned that the deal left unresolved the same surveillance concerns that had sunk earlier transatlantic data pacts.
15. Suncor hack leaves Petro-Canada drivers unable to pay at the pump
On 24 June the Canadian energy firm Suncor disclosed a cyberattack that knocked out card readers across Petro-Canada filling stations. The outage left motorists unable to use loyalty apps or pay electronically for days.
16. EU ministers push a CSAM scanning law that worries privacy groups
On 8 and 9 June EU justice ministers discussed a draft position on the proposed child sexual abuse material regulation. Privacy campaigners warned that the so-called chat control plan would force the mass scanning of private and encrypted messages.
→ edri.org
17. Honda e-commerce flaws exposed customer and dealer data
In June a researcher disclosed flaws in a Honda e-commerce platform that had allowed access to thousands of customer orders and dealer accounts. A simple password reset weakness exposed customer emails, dealer panels and internal documents before Honda fixed it.
18. Reddit communities go dark over data access charges
On 12 June thousands of Reddit communities went private in protest at new charges for access to the site's data interface. The fees forced several third-party tools to close and raised concerns that moderation and accessibility software would lose access.
19. Schneider Electric and Siemens Energy named among MOVEit victims
In late June Schneider Electric and Siemens Energy confirmed they were investigating data theft after the Clop gang listed them as MOVEit victims. The disclosures showed how a single file transfer flaw had reached deep into industrial and energy supply chains.
20. Nova Scotia warns 100,000 staff hit by the MOVEit breach
In June the government of Nova Scotia said the MOVEit flaw had exposed data on as many as 100,000 current and former public employees. Officials warned that Social Security numbers and banking details were among the records taken.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.