Privacy Roundup #0206 • September 2023

September 2023 paired Europe's largest children's data fine with Britain's encryption-busting Online Safety Act, while social-engineering crews ransacked casinos and spyware chased an Egyptian opposition candidate.

1. Ireland's regulator fines TikTok 345 million euros over children's accounts

Ireland's Data Protection Commission fined TikTok 345 million euros for setting child users' profiles to public by default and for a family pairing feature that let unverified adults link to children's accounts. The decision covered settings in place during the second half of 2020 and gave the platform three months to comply.

iapp.org

2. UK Online Safety Bill passes with its encryption-busting clause intact

Parliament passed the Online Safety Bill on 19 September, keeping Clause 122, which lets Ofcom order platforms to scan the contents of encrypted messages for illegal material. The government conceded that such scanning is not currently feasible but refused to promise that it would never invoke the power.

www.theregister.com

3. Ministers signal a retreat on scanning encrypted messages

Days before the vote, a ministerial statement said Ofcom would not order scanning of encrypted services until a technology existed that could do so without breaking privacy. Signal and WhatsApp, which had threatened to leave the country, treated the wording as a meaningful climbdown.

techcrunch.com

4. MGM Resorts shuts down systems after a social-engineering breach

MGM Resorts took large parts of its network offline on 11 September after the Scattered Spider crew talked its way past a help desk and deployed BlackCat ransomware. Slot machines, room keys, booking systems and ATMs failed across its properties for roughly ten days.

www.bleepingcomputer.com

5. Caesars confirms a ransomware hack and a stolen loyalty database

Caesars Entertainment told the SEC that attackers stole its loyalty programme database, including driver's licence and Social Security numbers for many members. Reports said the company paid roughly half of a 30 million dollar ransom demand to limit the fallout.

www.securityweek.com

6. Microsoft AI researchers accidentally expose 38 terabytes of data

Researchers at Wiz found that a Microsoft AI team had published a GitHub link backed by a misconfigured Azure access token that exposed 38 terabytes of private data. The trove included disk backups, passwords, private keys and more than thirty thousand internal Teams messages.

www.wiz.io

7. Judge blocks California's Age-Appropriate Design Code Act

A federal judge in California granted NetChoice a preliminary injunction on 18 September against the state's Age-Appropriate Design Code Act. The court held that requiring websites to estimate users' ages and restrict content likely violated the First Amendment.

epic.org

8. Google turns on its Privacy Sandbox tracking APIs for most users

Google announced general availability of its Privacy Sandbox advertising APIs, including Topics and Protected Audience, enabling them for more than half of Chrome users. Critics argued the system replaced third-party cookies with a different form of in-browser tracking rather than ending it.

www.techspot.com

9. Chrome adds real-time Safe Browsing checks for all standard users

Google began rolling out real-time phishing and malware checks to Chrome's standard Safe Browsing, replacing a local list that refreshed too slowly to catch short-lived sites. The company said partially hashed URLs travel through a privacy relay so that no single party sees both the address and the user's identity.

www.bleepingcomputer.com
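To make the privacy property of that design concrete, here is an added model (not Chrome's or Google's code) of a hash-prefix lookup: the client hashes the URL, sends only a short prefix through a relay that strips its identity, the server returns every listed full hash sharing that prefix, and the match is decided client-side. The blocklist, URLs, 4-byte prefix length and simplified canonicalisation are constructed assumptions; Safe Browsing's real prefix sizes and canonicalisation rules are more involved.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest sent upstream (assumed value)


def canonical_expr(url: str) -> str:
    """Reduce a URL to a lowercase host/path expression before hashing (simplified)."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower().rstrip(".")
    return f"{host}{parts.path or '/'}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical_expr(url).encode()).digest()


def hash_prefix(url: str) -> bytes:
    return full_hash(url)[:PREFIX_LEN]


# Constructed blocklist of full hashes held on the server side.
BLOCKLIST = {full_hash(u) for u in ("https://bad.example/login", "https://worse.example/")}


class Server:
    """Holds the full-hash list; learns only prefixes, never client identity."""
    def __init__(self, blocklist: set):
        self.blocklist = blocklist
        self.seen = []  # every value this party learns per request

    def lookup(self, pfx: bytes) -> set:
        self.seen.append(pfx)
        return {h for h in self.blocklist if h.startswith(pfx)}


class Relay:
    """Privacy relay: knows who is asking, forwards the prefix, never sees the URL."""
    def __init__(self, server: Server):
        self.server = server
        self.seen = []  # client identities only

    def forward(self, client_id: str, pfx: bytes) -> set:
        self.seen.append(client_id)
        return self.server.lookup(pfx)


def is_unsafe(relay: Relay, client_id: str, url: str) -> bool:
    """Client side: the full hash is compared locally against the candidates returned."""
    candidates = relay.forward(client_id, hash_prefix(url))
    return full_hash(url) in candidates
```

The server's `seen` list ends up holding only 4-byte prefixes while the relay's holds only client ids, which is the "no single party sees both" split the item describes.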

10. Sony investigates after a group claims it breached all of its systems

Sony said it was investigating after the RansomedVC group claimed to have compromised all of the company's systems and offered to sell roughly 260 gigabytes of data. The claim quickly drew doubt as a second actor disputed it and released a sample for free, leaving the true scope unclear.

www.bleepingcomputer.com

11. Citizen Lab catches Predator spyware aimed at an Egyptian candidate

Citizen Lab and Google reported that former MP Ahmed Eltantawy was targeted with Cytrox's Predator spyware after he announced a presidential run in Egypt. Network injection on his Vodafone Egypt connection redirected him to an exploit chain, which the researchers attributed to the Egyptian government.

citizenlab.ca

12. Apple patches iPhone zero-days abused to plant spyware

Apple shipped emergency updates for three flaws that the Predator exploit chain used to take over fully patched iPhones running iOS versions up to 16.6.1. The fixes followed an earlier September patch for the zero-click BLASTPASS chain that delivered NSO Group's Pegasus.

www.bleepingcomputer.com

13. Court lets a State Department social-media disclosure rule stand

A federal judge dismissed a challenge to the State Department rule that requires visa applicants to register their social-media handles. EFF warned that forcing travellers to hand over their accounts chills expression and exposes them to surveillance long after entry.

www.eff.org

14. Hacker dumps stolen Airbus employee data on the anniversary of 9/11

A figure known as USDoD leaked sensitive employee records taken from Airbus and threatened to do the same to large US defence contractors. Researchers traced the access to credentials stolen through a malware-infected computer at a third-party vendor.

krebsonsecurity.com

15. Experts warn crooks are cracking vaults stolen in the LastPass breach

Security researchers reported a run of six-figure cryptocurrency thefts that appeared to trace back to master passwords cracked from the 2022 LastPass vault theft. The pattern suggested that the stolen vaults, long dismissed as well protected, were now being opened.

krebsonsecurity.com

16. EFF urges an appeals court to revisit the gag on X over Trump's account

EFF filed a brief asking the full DC Circuit to rehear a case in which X was barred from telling anyone about a search warrant for the former president's account. The group argued that the secrecy order amounted to an unconstitutional prior restraint on speech.

www.eff.org

17. Snatch ransomware site leaks the IP addresses of its own visitors

KrebsOnSecurity found that the dark-web site run by the Snatch ransom group was inadvertently exposing the IP addresses of everyone who browsed it. The slip offered a rare window into the victims, partners and curious onlookers passing through the extortion operation.

krebsonsecurity.com

18. Schneier flags the quiet spread of automatic facial recognition at work

Bruce Schneier highlighted a wall-mounted tablet that automatically identifies employees as they approach to clock in and out. He warned that such systems normalise constant face capture and rarely make clear how much footage they keep or who can see it.

www.schneier.com

19. LastPass lengthens master passwords to limited applause

LastPass began requiring longer master passwords months after attackers made off with customer vaults in the 2022 breach. Critics called the change a belated gesture that did little for the users whose encrypted data was already in criminal hands.

krebsonsecurity.com

20. EFF takes its surveillance work to Africa's internet freedom forum

EFF joined the Forum on Internet Freedom in Africa in Dar es Salaam, where activists pressed back against expanding state monitoring across the continent. The group used the gathering to share its Atlas of Surveillance methods and to support local efforts to document police technology.

www.eff.org
