Privacy Roundup #0204 • July 2023
July 2023 paired a fresh transatlantic data deal with a wave of MOVEit breach disclosures, surveillance revelations and Big Tech privacy fights.
1. European Commission adopts the EU-US Data Privacy Framework
The Commission adopted its adequacy decision on 10 July, declaring that the United States offers protection essentially equivalent to the European Union for transferred personal data. The framework replaced the invalidated Privacy Shield and rested on new limits to American intelligence access and a redress court.
2. Federal judge bars officials from pressing platforms over content
A Louisiana district court issued a sweeping preliminary injunction on 4 July that restricted several federal agencies from contacting social media companies about removing posts. The ruling in Missouri v. Biden recast routine government communication as unlawful coercion.
3. Meta Threads will not launch in the EU at release
Meta released Threads on 5 July with an App Store data label spanning twenty-five categories, including health, finances and precise location. The breadth of collection, all linked to a permanent Instagram identity, alarmed privacy researchers from the first day.
4. Critical Citrix NetScaler flaw exploited as a zero-day
Citrix warned on 18 July that attackers were already exploiting a critical unauthenticated flaw, tracked as CVE-2023-3519, in its NetScaler ADC and Gateway appliances. The company rushed out patches the same day and urged customers to upgrade immediately, as the bug allowed remote code execution without any login.
5. Chinese hackers raided US government email through a Microsoft flaw
Microsoft disclosed on 12 July that a group it tracks as Storm-0558 forged authentication tokens to read the email of roughly twenty-five organisations. The victims included United States government agencies, and the intruders had used a stolen consumer signing key.
6. FTC opens an investigation into OpenAI over consumer harms
The agency sent OpenAI a twenty-page demand on 13 July, probing whether ChatGPT had endangered personal reputations and data. Regulators asked about a March bug that exposed chat histories and payment details, and about the accuracy of generated claims.
7. HCA Healthcare reports a breach affecting eleven million patients
HCA Healthcare confirmed on 11 July that data on as many as eleven million patients had appeared for sale on a hacking forum. The exposed records held names, addresses, email addresses, phone numbers, dates of birth and appointment details.
8. Maximus says MOVEit hackers accessed data on millions
Government contractor Maximus disclosed on 26 July that the MOVEit attacks had exposed the personal data of between eight and eleven million people. The compromised files held Social Security numbers and protected health information tied to federal programmes.
9. Sam Altman's Worldcoin launches global iris scanning
Worldcoin began wider deployment of its orb-shaped iris scanners on 24 July, offering free tokens to people who let the device read their eyes. The project pitched biometric proof of personhood while raising sharp questions about consent and oversight from a Cayman Islands foundation.
10. North Korea-backed hackers breached JumpCloud to target crypto clients
JumpCloud disclosed on 12 July that a sophisticated state actor had compromised its systems, and researchers later attributed the intrusion to North Korea. The attackers used the identity provider as a stepping stone to reach a handful of cryptocurrency customers.
11. Norway bans Meta's behavioural advertising
The Norwegian regulator imposed a temporary ban on 17 July against advertising built on the surveillance and profiling of Norwegian users. Meta faced a coercive fine of up to one million kroner a day if it did not move to a lawful basis.
12. Google rolls out its Privacy Sandbox tracking system in Chrome
With Chrome 115 on 18 July, Google began enabling the Topics interest-tracking and ad-measurement tools for everyday users. The change moved cross-site profiling into the browser itself, a design that privacy advocates argued still surveilled people.
13. SEC adopts mandatory cybersecurity incident disclosure rules
The Securities and Exchange Commission voted on 26 July to require public companies to report material cyber incidents within four business days. The rules also compelled annual disclosures on how firms manage and govern security risk.
14. Tampa General Hospital breach impacts 1.2 million patients
Tampa General Hospital revealed on 19 July that intruders had accessed files on 1.2 million patients over an eighteen-day window. The stolen data included Social Security numbers, health insurance details and treatment information.
15. EFF urges clear limits on government talks with platforms
The Electronic Frontier Foundation filed an appellate brief on 28 July arguing that officials must keep talking to platforms but within firm constitutional boundaries. The group warned that the Missouri v. Biden injunction swept too broadly while genuine pressure deserved scrutiny.
16. Apple warns it would pull iMessage and FaceTime from the UK
Apple told the British government in late July that proposed amendments to the Investigatory Powers Act threatened data security worldwide. The company said it would rather withdraw services such as iMessage and FaceTime than weaken their encryption.
17. Genworth says MOVEit breach exposed 2.7 million people
Genworth Financial disclosed that a MOVEit flaw at its vendor Pension Benefit Information had exposed data on as many as 2.7 million policyholders and agents. Notices sent on 21 July warned that Social Security numbers and dates of birth were among the stolen records.
18. Declassified opinion shows fresh FBI abuse of Section 702
A newly released court opinion confirmed that the FBI had again searched warrantless surveillance data for a senator, a state senator and a judge. The Electronic Frontier Foundation argued on 27 July that the bureau could not be trusted with the power as reauthorisation loomed.
19. Senator Wyden calls for a federal probe of Microsoft's security
Senator Ron Wyden wrote on 27 July to the Justice Department, the FTC and CISA, blaming Microsoft for the Chinese intrusion into government email. He argued that the company's negligence with a signing key warranted formal investigation rather than quiet remediation.
20. Signal rejects the UK's plan to weaken encrypted messaging
Signal president Meredith Whittaker said on 13 July that the Online Safety Bill demanded a backdoor that was mathematically impossible to build safely. She vowed that Signal would leave the United Kingdom rather than undermine the security of its users.