Privacy Roundup #0209 • December 2023
December 2023 closed the year with mass breaches, landmark surveillance disclosures and a wave of regulators and courts finally squeezing Big Tech.
1. 23andMe confirms genetic data of 6.9 million users was exposed
23andMe told regulators that attackers using recycled passwords broke into around 14,000 accounts and then harvested profile data on roughly 6.9 million people through its DNA Relatives feature. The stolen records included ancestry estimates, family surnames and, for some users, health-related information drawn from their genetic profiles.
2. EU lawmakers strike a deal on the AI Act and biometric surveillance
Negotiators for the European Parliament and the Council agreed the outstanding points of the Artificial Intelligence Act in the early hours of 9 December. The deal bans untargeted scraping of facial images and emotion recognition at work, yet privacy groups condemned the carve-outs that permit live facial recognition by police in public spaces.
3. HTC Global Services confirms cyberattack as stolen data leaks
The IT services firm HTC Global confirmed a cybersecurity incident after the ALPHV ransomware gang began posting screenshots of stolen passports, emails and confidential documents. Researchers linked the intrusion to the CitrixBleed flaw that drove a wave of attacks across the closing months of 2023.
4. Senator Wyden reveals governments spy through push notifications
Senator Ron Wyden disclosed that foreign and domestic government agencies had quietly compelled Apple and Google to hand over data tied to smartphone push notifications. Because those alerts pass through central Apple and Google servers, the records can reveal which apps a person uses and sometimes the contents of messages.
5. Meta turns on end-to-end encryption by default in Messenger
Meta began rolling out default end-to-end encryption for one-to-one chats and calls on Messenger and Facebook, built on the Signal protocol and its own Labyrinth backup scheme. The change means Meta can no longer read the contents of these conversations, a long-awaited win for everyday users.
6. Apple blocks Beeper Mini from bringing iMessage to Android
Apple cut off Beeper Mini just days after the app launched, citing the security risks of techniques that rely on fake credentials to reach iMessage. Beeper argued that its messages were genuinely encrypted, framing the clash as a fight over interoperability rather than user safety.
7. Comcast says CitrixBleed breach exposed 35.8 million Xfinity customers
Comcast disclosed that attackers exploited the CitrixBleed vulnerability in October to reach the data of about 35.8 million Xfinity customers, although the notice did not arrive until December. The stolen records included usernames, hashed passwords and, for some people, the last four digits of Social Security numbers and security answers.
8. House holds rival votes on reauthorising Section 702 surveillance
The House weighed two sharply opposed bills to renew Section 702 of the Foreign Intelligence Surveillance Act before its expiry. One measure from the Judiciary Committee sought to require warrants for searches of Americans, while the Intelligence Committee version would have extended the programme with far weaker limits.
9. Insomniac Games hit by ransomware that exposed staff records
The Rhysida ransomware gang stole about 1.67 terabytes of data from the Sony-owned studio Insomniac Games and began leaking it after a ransom went unpaid. The dump exposed plans for unreleased titles alongside personal information belonging to employees and former staff.
10. Google moves Maps Location History on to users' own devices
Google announced that Maps Timeline data would be stored on a person's device rather than in the cloud, with encrypted backups for those who want them. The shift gives users more control and has the side effect of making it far harder for police to obtain location histories through geofence warrants.
11. Apple will require a warrant before handing over push notification data
Following the Wyden disclosure, Apple updated its legal guidelines so that law enforcement must obtain a judge-approved court order or search warrant to access push notification records. Previously the company released such data on the strength of a subpoena issued without judicial oversight.
12. MOVEit flaw exposes records of nearly 7 million Delta Dental patients
Delta Dental of California began notifying almost 7 million people that their data had been taken through the MOVEit file transfer vulnerability. The exposed information included names, financial account numbers and, in some cases, Social Security numbers and health details.
→ www.infosecurity-magazine.com
13. Mr. Cooper breach hits personal data of more than 14 million people
The mortgage servicer Mr. Cooper disclosed that an October intrusion exposed the data of over 14.6 million current and former customers. The stolen records included names, addresses, dates of birth, bank account numbers and Social Security numbers.
14. VF Corporation ransomware attack exposes 35 million shoppers
VF Corporation, the owner of Vans, The North Face and Supreme, said a ransomware attack had compromised the personal data of about 35.5 million consumers. The stolen information covered names, email addresses, postal addresses and order histories, and the breach disrupted fulfilment during the holiday season.
15. FTC bans Rite Aid from facial recognition over reckless use
The Federal Trade Commission barred Rite Aid from using facial recognition for five years after finding it had deployed the technology without reasonable safeguards. The system generated thousands of false matches and was more likely to misidentify people in predominantly Black and Asian communities.
16. MongoDB discloses breach exposing customer account data
The database company MongoDB confirmed that intruders had accessed corporate systems and customer account metadata, including contact details and phone numbers. The firm urged customers to enable multi-factor authentication and watch for phishing attempts that might exploit the stolen information.
17. First American takes systems offline after cyberattack
The title insurance giant First American isolated parts of its network from the internet on 20 December after detecting unauthorised activity. The incident knocked its main website and several subsidiary sites offline and delayed property transactions into the new year.
18. Integris Health patients receive direct extortion emails
Patients of the Oklahoma network Integris Health began receiving emails from attackers who claimed to have stolen their personal data and demanded payment to keep it private. Victims were directed to a dark web site where they could pay a few dollars to view records or more to have their own deleted.
19. Toyota Financial Services warns customers of a data breach
Toyota Financial Services told customers that attackers had reached systems in Europe and Africa and exposed names, addresses and bank account numbers. The Medusa ransomware gang claimed the attack and demanded an eight million dollar ransom before leaking the stolen files.
20. Google settles lawsuit over tracking in Chrome's incognito mode
Google agreed to settle a class action that accused it of tracking users who believed incognito mode kept their browsing private. The company committed to delete billions of records and to let incognito users block third-party cookies, though the deal included no direct payout to users.