Privacy Roundup #0210 • January 2024

January 2024 opened the year with a wave of breaches, two landmark location data bans, and the first regulatory and surveillance fights over artificial intelligence.

1. 23andMe tells victims it is their fault that their data was breached

Facing dozens of lawsuits over the theft of 6.9 million users' genetic records, 23andMe told victims that they had recycled passwords and were therefore to blame. Lawyers for the affected customers called the argument shameless and said the company should have guarded against credential stuffing.

techcrunch.com

2. Health software firm HealthEC discloses breach affecting 4.5 million patients

Population health management company HealthEC revealed that attackers had copied files holding the records of around 4.5 million people. The stolen data included names, Social Security numbers, medical record numbers, and health insurance details.

siliconangle.com

3. FTC bans data broker X-Mode from selling phone location data

The Federal Trade Commission ordered X-Mode, now known as Outlogic, to stop selling sensitive location data and to delete what it had already gathered. The first-of-its-kind settlement targeted data that could reveal visits to clinics, places of worship, and other private locations.

techcrunch.com

4. China claims it cracked Apple AirDrop to identify senders

Beijing authorities publicised a technique that reverses the weak hashing AirDrop uses to obfuscate phone numbers and email addresses, letting police trace who shared files. Researchers had warned Apple about the flaw in 2019, yet it remained unfixed.

www.theregister.com

5. FTC bans data broker InMarket from selling precise location data

In its second such action of the month, the FTC prohibited InMarket Media from selling or licensing precise location data. The agency found the company had failed to tell users that location gathered through its shopping apps would be combined with other data for targeted advertising.

techcrunch.com

6. CISA issues emergency directive over exploited Ivanti VPN flaws

The Cybersecurity and Infrastructure Security Agency ordered federal agencies to mitigate two actively exploited zero-day flaws in Ivanti Connect Secure VPN appliances. Thousands of devices had already been compromised, including some backdoored by a suspected Chinese state group.

www.cisa.gov

7. SIM swap attack hijacks the SEC's X account before the Bitcoin ETF decision

A SIM swap attack let an intruder seize the Securities and Exchange Commission's account on X and post a false claim that spot Bitcoin exchange-traded funds had been approved. The agency had not enabled two-factor authentication, leaving the account exposed.

www.cnbc.com

8. LoanDepot ransomware attack exposes data of 16.6 million customers

Mortgage lender LoanDepot disclosed a ransomware attack that exposed the personal information of about 16.6 million customers. The stolen records included names, addresses, dates of birth, and Social Security numbers.

www.infosecurity-magazine.com

9. Researchers find 26 billion records in the "mother of all breaches"

Security researchers discovered an open database holding 26 billion leaked records gathered from thousands of earlier breaches. The compilation contained passwords, names, email addresses, and phone numbers drawn from platforms such as LinkedIn, Twitter, and Tencent.

www.malwarebytes.com

10. Data of 15 million Trello users scraped and offered for sale

A threat actor abused a public Trello interface to match a list of email addresses against profiles, then offered the resulting 15 million records for sale. Atlassian responded by changing the interface so that unauthenticated requests could no longer look up users by email.

www.helpnetsecurity.com

11. Ring announces it will no longer facilitate police requests for footage

Amazon's Ring said it would shut down the Request for Assistance tool that let police seek doorbell camera footage from users without a warrant. Privacy advocates who had campaigned against the feature for years welcomed the change.

www.eff.org

12. Russian hackers stole Microsoft corporate emails in a month-long breach

Microsoft disclosed that the Russian state group it tracks as Midnight Blizzard had used a password spray attack to read the email of senior leaders and security staff. The intruders had targeted accounts for information about what Microsoft knew of the group itself.

www.bleepingcomputer.com

13. 23andMe admits it did not detect cyberattacks for five months

A filing to California's attorney general revealed that 23andMe had failed to notice repeated attempts to brute-force its way into accounts between April and September 2023. The lapse let attackers reach roughly 14,000 accounts and pull data on 6.9 million people through a relatives feature.

techcrunch.com

14. Apple announces alternative app stores for the EU under the Digital Markets Act

Apple set out changes that will let developers distribute iPhone apps through alternative marketplaces and use other payment systems in the European Union. The move responded to the Digital Markets Act, though Apple paired it with new fees that drew criticism.

www.apple.com

15. EFF urges court to find keyword search warrant unconstitutional

The Electronic Frontier Foundation filed a brief asking the Pennsylvania Supreme Court to strike down a keyword search warrant that forced Google to search its entire store of user data. The group argued that such warrants are dragnets that lack particularity and chill free speech.

www.eff.org

16. Explicit AI deepfakes of Taylor Swift spread across X

Sexually explicit deepfake images of Taylor Swift flooded X, with one post seen tens of millions of times before removal. The episode drew the attention of the White House and Microsoft and renewed calls for laws against non-consensual synthetic imagery.

www.theregister.com

17. Italy tells OpenAI that ChatGPT violates Europe's privacy laws

Italy's data protection authority notified OpenAI that ChatGPT appeared to breach several provisions of the General Data Protection Regulation. The regulator questioned the legal basis for training the model on personal data and its tendency to produce inaccurate information about people.

techcrunch.com

18. US confirms takedown of China-run botnet built from home and office routers

The Justice Department said it had disrupted a botnet that the Chinese group Volt Typhoon had assembled from compromised home and office routers. Officials obtained a court order to delete the malware and cut the infected devices off from the network.

therecord.media

19. Bruce Schneier warns that artificial intelligence enables mass spying

In an interview, the security researcher Bruce Schneier argued that artificial intelligence will turn ordinary surveillance into mass spying. He explained that models can now draw conclusions from vast troves of data at a scale that human analysts could never match.

www.malwarebytes.com

20. EFF unveils a new Street Level Surveillance hub

The Electronic Frontier Foundation launched a standalone hub documenting the technologies that police use to track people. It gathers updated pages on licence plate readers, face recognition, cell site simulators, drones, and other tools of everyday surveillance.

www.eff.org
