Privacy Roundup #0208 • November 2023
November 2023 brought a wave of mass breach disclosures, fresh regulatory action on surveillance and tracking, and renewed fights over encryption and government data buying.
1. Okta says October breach affected all customer support users
Okta revised its earlier assessment and admitted that attackers had taken the names and email addresses of nearly all of its customer support users, not the small fraction first reported. The wider exposure stemmed from an unfiltered report that the intruder downloaded from the support system.
2. Maine government says MOVEit breach affects 1.3 million people
The State of Maine disclosed that the Clop ransomware gang had stolen the personal data of roughly 1.3 million residents through the MOVEit file transfer flaw. Exposed records included names, Social Security numbers, dates of birth and driving licence details across numerous state agencies.
3. Medical transcription firm hack exposes data of nine million patients
Perry Johnson and Associates, a medical transcription provider, disclosed that hackers had stolen the records of nearly nine million patients across several US hospital systems. The compromised data included names, Social Security numbers, dates of birth and clinical details.
4. Hackers access sensitive health data of 8.5 million Welltok patients
Welltok, a healthcare engagement platform, confirmed that attackers exploiting the MOVEit flaw had reached the data of more than eight million people. The stolen records included names, Social Security numbers, health information and insurance identifiers.
5. Samsung admits hackers accessed UK customer data during year-long breach
Samsung told UK online store customers that an intruder had exploited a third-party application to reach personal data over a period spanning July 2019 to June 2020. Exposed information included names, phone numbers, postal addresses and email addresses, though the company said no financial details were taken.
6. Medusa ransomware gang claims hack of Toyota Financial Services
The Medusa ransomware group claimed responsibility for breaching Toyota Financial Services and threatened to publish stolen files unless the company paid an eight million dollar ransom. Toyota confirmed unauthorised activity on systems in Europe and Africa, with leaked samples pointing to German operations.
7. LockBit leaks data allegedly stolen from Boeing
After Boeing declined to pay, the LockBit ransomware gang published more than forty gigabytes of files it claimed to have taken from the aerospace giant. The leaked material reportedly included supplier lists, backups and internal documents, with researchers linking the intrusion to the Citrix Bleed flaw.
8. DP World confirms data stolen in cyberattack on Australian ports
Logistics giant DP World confirmed that attackers had exfiltrated data during an intrusion that disrupted operations at several Australian ports. The company said no ransomware was used, but some personal information of current and former employees was taken.
9. Mr. Cooper says customer data exposed during cyberattack
The mortgage and loan giant Mr. Cooper confirmed that personal data had been exposed after a cyberattack forced it to lock down systems and left customers unable to make payments. The firm later determined the breach reached substantially all of its current and former customers.
10. American Airlines pilot union hit by ransomware attack
The Allied Pilots Association, which represents fifteen thousand American Airlines pilots, disclosed a ransomware attack that encrypted systems and took down its website. The union said it was restoring services from backups and investigating whether sensitive member data had been stolen.
11. Meta's EU ad-free subscription faces early privacy complaint
The privacy group noyb filed a complaint with the Austrian regulator arguing that Meta's pay-or-consent model fails the test of freely given consent under EU law. The challenge contends that charging users a monthly fee to avoid tracking turns a fundamental right into a paid privilege.
12. FCC adopts new rules to combat SIM swapping and port-out fraud
The Federal Communications Commission adopted rules requiring carriers to authenticate customers securely before transferring a number and to alert subscribers when changes occur. The measures aim to curb account takeovers that let criminals hijack phone numbers and the accounts tied to them.
13. FTC launches challenge to prevent harms of AI voice cloning
The Federal Trade Commission announced an exploratory challenge seeking ideas to protect consumers from AI-enabled voice cloning. The agency warned that cheap and convincing synthetic voices raise serious risks of fraud, impersonation and other harms.
14. EFF warns against tying Section 702 renewal to government funding
The Electronic Frontier Foundation cautioned against a rushed effort to attach renewal of the Section 702 mass surveillance authority to must-pass government funding legislation. The group argued that the controversial power demands genuine reform rather than a procedural shortcut around debate.
15. EFF argues online harms should be tackled with privacy first
The Electronic Frontier Foundation published a report proposing strong data privacy legislation as the foundation for addressing a range of online harms. The framework would restrict behavioural advertising, minimise data collection and bar pay-for-privacy schemes rather than relying on scattered measures.
16. EFF tells Ninth Circuit that activists' data collected by DHS must be expunged
The Electronic Frontier Foundation filed an amicus brief arguing that personal information the Department of Homeland Security collected on activists was gathered unconstitutionally and should be deleted. The case has implications for the First Amendment rights of journalists and advocates at the border.
17. Leaked documents show global reach of India's alleged death squads
The Intercept reported on secret intelligence documents indicating that an Indian agency had planned assassinations of activists living abroad. The reporting drew on leaked Pakistani intelligence assessments and raised fresh concerns about transnational surveillance and targeting of dissidents.
18. NSO Group lobbies US State Department amid Gaza war
The Intercept revealed that the Israeli spyware firm NSO Group had sent an urgent request for a meeting with Secretary of State Antony Blinken as part of a lobbying push. The maker of Pegasus remained on a US trade blacklist over the abuse of its surveillance tools against journalists and activists.
19. Sumo Logic discloses potential breach via compromised AWS credential
The analytics company Sumo Logic disclosed that an attacker had used a stolen credential to reach one of its Amazon Web Services accounts. The firm urged customers to rotate access keys as a precaution while it investigated the extent of any exposure.
20. General Electric investigates claims of cyberattack and data theft
General Electric said it was investigating claims by a threat actor who advertised access to the company's development pipelines and allegedly stolen files on a hacking forum. The listing referenced military research material, raising concerns about the sensitivity of any data taken.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: