Privacy Roundup #0205 • August 2023
August 2023 was defined by long-delayed breach disclosures, a wave of insider and supply-chain failures, and fresh fights over surveillance, encryption and the legal basis for tracking.
1. Electoral Commission hack exposed data of 40 million UK voters
The UK Electoral Commission revealed that attackers had sat inside its systems for more than a year, with access to registers covering as many as 40 million voters. The body did not detect the intrusion until October 2022 and waited ten further months before telling the public.
2. Northern Ireland police accidentally publish data on all 10,000 staff
The Police Service of Northern Ireland mistakenly embedded the surname, rank, location and department of nearly 10,000 serving officers and staff in a spreadsheet released under freedom of information rules. The file was online for around two hours, and dissident republicans were later confirmed to have accessed it.
3. Tesla says breach affecting 75,000 employees was an insider job
Tesla disclosed that the personal data of more than 75,000 current and former staff had leaked, and blamed two former employees who passed files to a German newspaper. The exposed records included names, addresses, Social Security numbers and employment details.
4. Tornado Cash founders charged with money laundering and sanctions violations
US prosecutors charged Roman Storm and Roman Semenov over the cryptocurrency mixer Tornado Cash, alleging it laundered more than a billion dollars. The case sharpened the long-running dispute over whether writing privacy-preserving code can amount to running a money-transmitting business.
5. India enacts the Digital Personal Data Protection Act, 2023
India's president gave assent to the Digital Personal Data Protection Act, the country's first comprehensive privacy law. The statute sets out duties for data fiduciaries and rights for individuals, but critics warned of broad exemptions for the state.
6. Zoom reverses terms that let it train AI on customer data
After a public outcry, Zoom walked back service terms that appeared to grant it sweeping rights to use audio, video and chat content to train artificial intelligence models. The company called the wording a process failure and promised not to use such content without consent.
7. Meta says it will offer Europeans a free choice to deny tracking
Meta announced it would move to a consent-based legal basis for targeted advertising across the European Union. The shift followed regulatory rulings that the company could no longer claim contractual necessity or legitimate interest to justify behavioural ads.
8. Twitter says it may harvest biometric, employment data from its addicts
X, formerly Twitter, updated its privacy policy to allow the collection of biometric information along with education and job history. The company framed the change around safety and identification, but the move alarmed privacy advocates given the platform's troubled record.
9. Kroll employee SIM swapped for crypto investor data
A SIM-swapping attack on an employee at the advisory firm Kroll exposed personal data of bankruptcy claimants tied to FTX, BlockFi and Genesis. The stolen names, addresses and account balances quickly fed a fresh wave of phishing aimed at affected investors.
10. Forever 21 data breach affects half a million people
The fashion retailer Forever 21 began notifying more than 539,000 people that intruders had accessed their data during a three-month intrusion earlier in the year. The exposed records included names, dates of birth, bank account numbers, Social Security numbers and health plan details.
11. Mom's Meals says data breach affects 1.2 million customers
PurFoods, the parent of the meal delivery service Mom's Meals, disclosed a breach affecting roughly 1.2 million people seven months after the intrusion. The stolen information included names, Social Security numbers and financial account details.
12. Clorox says cyberattack caused widespread disruption
The cleaning products maker Clorox told regulators it had identified unauthorised activity on some of its information technology systems and had taken certain systems offline in response. The disclosure marked the start of an incident that dented production and left shelves short of its goods for months.
13. Discord.io confirms theft of 760,000 members' data
The third-party service Discord.io shut down after a hacker stole a database holding the details of more than 760,000 members. The exposed records included usernames, Discord IDs, email addresses and, for some users, billing addresses and hashed passwords.
14. US and Norway say hackers exploited Ivanti zero-day since April
US and Norwegian authorities warned that attackers had been abusing a zero-day flaw in Ivanti mobile management software since April, having earlier used it to breach a dozen Norwegian government ministries. The bug let anyone on the internet read personal data and alter affected servers without credentials.
15. US hacks QakBot, quietly removes botnet infections
Law enforcement seized control of the QakBot botnet and pushed a removal tool to infected machines without their owners' knowledge. The operation dismantled one of the most prolific malware networks used to deploy ransomware against businesses.
16. ICO and CMA warn against harmful website design that erodes choice
The Information Commissioner's Office and the Competition and Markets Authority published a joint paper attacking online choice architecture that nudges people into surrendering data. They singled out harmful nudges, confirmshaming and default settings that make rejecting tracking harder than accepting it.
17. The impending privacy threat of self-driving cars
The Electronic Frontier Foundation warned that autonomous vehicles amount to roving sensor platforms that constantly record the streets and people around them. It argued that the resulting footage and location data create a powerful surveillance archive ripe for police and corporate use.
18. Karma catches up to global phishing service 16Shop
International investigators dismantled 16Shop, a phishing-as-a-service operation that supplied ready-made kits used to steal credentials worldwide. The takedown disrupted a market that had let low-skilled criminals mount convincing attacks on banking and retail customers.
19. Meet the brains behind the malware-friendly AI chat service WormGPT
Reporting traced the people behind WormGPT, a chatbot marketed to criminals for writing convincing phishing emails and malware. The investigation showed how generative tools are lowering the barrier to large-scale fraud and data theft.
20. How malicious Android apps slip into disguise
Researchers detailed a technique that let malicious Android apps evade scrutiny by abusing how the operating system handles compressed package files. The trick allowed harmful apps to masquerade as legitimate software and reach users undetected.