Privacy Roundup #0207 • October 2023

October 2023 was dominated by the 23andMe genetic data theft and the Okta support breach, alongside landmark moves on data brokers, encryption and Big Tech accountability.

1. Genetics firm 23andMe says user data stolen in credential stuffing attack

On 6 October 23andMe confirmed that attackers had raided customer profiles after reusing passwords leaked in earlier breaches. The intruders reached only a small number of accounts directly, yet the DNA Relatives feature let them harvest data on millions of relatives.

www.bleepingcomputer.com

2. Hacker leaks millions of new 23andMe genetic data profiles

Later in the month the same attacker posted a further 4.1 million profiles for people in Britain and Germany on a hacking forum. The leak followed an earlier file that singled out users with Ashkenazi Jewish ancestry, raising fears of targeted abuse.

www.bleepingcomputer.com

3. Okta breach affected all customer support users

KrebsOnSecurity revealed on 20 October that intruders had spent weeks inside Okta's customer support case system. They stole session tokens from uploaded files and obtained the names and email addresses of every user of the support portal.
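The files in question were browser captures that still carried live session cookies and headers. A sanitiser that strips that material before a capture is uploaded to any support desk is shown below as an added example; it is not Okta's tooling, and the HAR content is constructed.

```python
"""Redact session material from a HAR capture before sharing it (added example)."""
import json

# Header names whose values carry credentials or session tokens
SENSITIVE_HEADERS = {"cookie", "authorization", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"

# Constructed HAR: one request/response pair with a session cookie on both sides
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.invalid/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=constructed-session-token"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-token"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=renewed-token; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "renewed-token"}]}}]}})


def _scrub(items, predicate):
    """Overwrite the value of every item matching predicate; return the count."""
    n = 0
    for item in items:
        if predicate(item) and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def sanitize_har(har_text):
    """Return (sanitized HAR JSON text, number of values redacted).

    Headers and cookie arrays are scrubbed on both request and response.
    Request/response bodies are left untouched; scrub them separately if
    the application echoes tokens in JSON payloads.
    """
    har = json.loads(har_text)
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            n += _scrub(part.get("headers", []),
                        lambda h: h.get("name", "").lower() in SENSITIVE_HEADERS)
            n += _scrub(part.get("cookies", []), lambda c: True)
    return json.dumps(har, indent=1), n
```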

krebsonsecurity.com

4. Okta support breach reaches Cloudflare and 1Password

The fallout from the Okta intrusion forced several of its own customers to disclose related incidents. Cloudflare, 1Password and BeyondTrust all reported attacker activity on their Okta tenants, though each said no customer data was lost.

www.cybersecuritydive.com

5. California governor signs Delete Act into law

On 10 October Governor Gavin Newsom signed Senate Bill 362, the first law in the United States to give people a single button to wipe their records held by data brokers. The act forces brokers to register with the state and honour deletion requests through a free central tool.

iapp.org

6. UK Online Safety Act gains royal assent as encryption fears persist

The Online Safety Act became law on 26 October, handing Ofcom powers that could compel firms to scan private messages. Providers of end-to-end encryption, including Signal and WhatsApp, warned that the measures threaten the security their users depend on.

www.computerweekly.com

7. Meta plans paid subscription in the EU to bypass targeted ads

On 30 October Meta announced an ad-free subscription for Facebook and Instagram across the European Union, charging users who do not want their data fed to advertisers. Privacy campaigners argued the pay-or-consent model does not amount to the free and genuine choice that European law requires.

www.cnn.com

8. Why 42 states came together to sue Meta over kids' mental health

A bipartisan coalition of attorneys general filed suit on 24 October, accusing Meta of designing addictive features that harm young users. The complaint alleges that the company collected data from children under thirteen without parental consent, in breach of federal privacy law.

techcrunch.com

9. Adtech surveillance and government surveillance are often the same surveillance

The EFF warned on 18 October that the line between corporate and state spying has all but vanished. Agencies routinely buy location data from brokers who sourced it from the advertising industry, sidestepping the warrants the law would otherwise demand.

www.eff.org

10. EFF unveils the Red Flag Machine exposing flaws in student surveillance software

On 31 October the EFF published an investigation into GoGuardian, a tool used to monitor around 27 million pupils. Its interactive Red Flag Machine showed how the software floods schools with absurd alerts while quietly invading children's privacy.

www.eff.org

11. California declares out-of-state sharing of licence plate data unlawful

The California Department of Justice issued guidance confirming that police may not pass automated licence plate reader data to out-of-state or federal agencies. The EFF welcomed the ruling as a shield for immigrants, abortion seekers and protesters whose movements such cameras expose.

www.eff.org

12. Sony confirms data breach impacting thousands in the U.S.

On 4 October Sony told nearly 6,800 current and former staff that their personal data had been stolen. The theft stemmed from the wider MOVEit campaign that exploited a flaw in the popular file transfer software.

www.bleepingcomputer.com

13. Casio discloses data breach impacting customers in 149 countries

Casio revealed on 19 October that its ClassPad education platform had been breached after security settings were left disabled. The exposed records covered customers across 149 countries, including thousands of pupils and educational institutions.

www.bleepingcomputer.com

14. Air Europa warns customers to cancel credit cards after breach

The Spanish airline told affected travellers on 10 October to cancel their payment cards after attackers reached full card details. The exposed data included card numbers, expiry dates and the security codes printed on the back.

www.bleepingcomputer.com

15. ID theft service resold access to USinfoSearch data

KrebsOnSecurity reported that a Telegram bot had been quietly selling lookups against records held by the consumer data broker USinfoSearch. For a small fee, anyone could pull the social security number or background report of almost any American.

krebsonsecurity.com

16. UK regulator fines Equifax over 11 million pounds for 2017 breach failings

On 13 October the Financial Conduct Authority fined Equifax Limited more than eleven million pounds for poor oversight of UK data sent to its American parent. That data was caught up in the 2017 hack that exposed the records of millions of British consumers.

www.stephensonharwood.com

17. Flagstar Bank breach hits more than 800,000 customers through MOVEit

Flagstar Bank notified over 837,000 customers that their data had been stolen via a vendor caught in the MOVEit campaign. The exposed information included names and social security numbers gathered before the underlying flaw was made public.

www.infosecurity-magazine.com

18. 23andMe data sold in targeted attack prompts lawsuits

Reporting on the leak that singled out users of Ashkenazi Jewish descent showed the records being offered for sale on a dark web forum. The disclosure triggered a wave of class action suits accusing 23andMe of failing to protect sensitive genetic data.

www.jta.org

19. Senator presses 23andMe over genetic data leak

On 20 October Senator Bill Cassidy wrote to chief executive Anne Wojcicki demanding answers about the breach and the company's safeguards. The letter sought detail on how so much sensitive genetic information had been exposed and what the firm would do for those affected.

www.help.senate.gov

20. Seiko says ransomware attack exposed sensitive customer data

On 25 October the Japanese watchmaker confirmed that a ransomware attack had compromised around 60,000 items of personal data. The stolen records covered customers, job applicants and business partners, with the BlackCat gang claiming responsibility.

www.bleepingcomputer.com

