Privacy Roundup #0211 • February 2024
February 2024 was dominated by the Change Healthcare ransomware attack, a wave of breach disclosures, fresh fines for data brokers and antivirus firms, and landmark wins for encryption and location privacy.
1. UnitedHealth subsidiary Change Healthcare hit by ransomware attack
On 21 February UnitedHealth Group disclosed that a suspected nation-state actor had breached its Change Healthcare unit and isolated the affected systems. The intrusion, later attributed to the ALPHV/BlackCat gang, became the largest known breach of American medical data.
2. Pharmacies across the United States struggle to fill prescriptions
The Change Healthcare outage stopped many pharmacies from processing insurance claims, leaving patients unable to collect medicines for days. More than nine in ten pharmacies set up manual workarounds while the network stayed offline.
3. FTC fines Avast 16.5 million dollars for selling browsing data
On 22 February the Federal Trade Commission ordered the antivirus maker Avast to pay 16.5 million dollars after it sold users' web browsing histories through its Jumpshot subsidiary. The firm had marketed its products as tools that would block online tracking.
4. European Court of Human Rights rules against encryption backdoors
In the case of Podchasov v Russia, decided on 13 February, the Strasbourg court held that weakening end-to-end encryption violates the right to private life under the European Convention. The judgment was hailed as a blow to mandatory client-side scanning proposals.
5. Apple brings post-quantum encryption to iMessage
On 21 February Apple announced PQ3, a new cryptographic protocol designed to protect iMessage against future quantum computers. The company described it as the first messaging protocol to reach what it called Level 3 security.
6. Signal launches usernames to hide phone numbers
On 20 February Signal began rolling out usernames so that people no longer have to share a phone number to start a conversation. A new setting also lets users stop others from finding them by searching for their number.
7. International operation seizes LockBit ransomware infrastructure
On 20 February the National Crime Agency, the FBI and partners announced Operation Cronos, which seized the LockBit gang's servers and leak site. Police took control of 34 servers, froze 200 cryptocurrency accounts and released decryption tools to victims.
8. Wyze glitch shows thousands of customers other people's cameras
On 16 February a Wyze outage let about 13,000 users see thumbnail images from cameras that were not their own. Roughly 1,500 of them clicked through and in some cases viewed live footage from strangers' homes.
9. Bank of America warns customers after Infosys vendor hack
On 6 February Bank of America began notifying customers that their data had been exposed through a ransomware attack on its service provider Infosys McCamish Systems. The breach affected about 57,000 people and exposed names, addresses and Social Security numbers.
10. FCC declares AI-generated voices in robocalls illegal
On 8 February the Federal Communications Commission ruled that calls using artificial voices are covered by the Telephone Consumer Protection Act. The decision made voice cloning scams illegal and gave state attorneys general new powers to pursue offenders.
11. Senator Wyden says broker sold Planned Parenthood visit data
On 13 February Senator Ron Wyden wrote to the FTC and SEC about Near Intelligence, which he said sold the location data of people who visited 600 Planned Parenthood clinics. An anti-abortion group used the data to target advertisements at clinic visitors.
12. Prudential Financial discloses ransomware breach
Prudential Financial reported that an intruder accessed its systems on 4 February, and the ALPHV/BlackCat gang claimed the attack on 13 February. The breach was later found to have exposed the personal data of more than 2.5 million people.
13. Canada announces plan to ban the Flipper Zero
On 8 February the Canadian government said it would prohibit the sale and import of the Flipper Zero and similar devices, blaming them for a surge in car thefts. Security researchers and the device's makers argued the gadget cannot steal modern vehicles.
14. Italian regulator hits Enel Energia with record fine
On 8 February Italy's data protection authority fined the utility Enel Energia 79.1 million euros over unlawful telemarketing. Investigators found that firms used forged forms and illicitly bought phone directories to promote energy contracts.
15. Clearview AI keeps harvesting Australians' faces
In early February it emerged that Clearview AI had continued to scrape images of Australians for its facial recognition database despite an order to stop. The privacy regulator had told the company in 2021 to delete the photographs it held.
16. Pharma giant Cencora discloses theft of patient health data
On 21 February Cencora learned that attackers had stolen data from its systems, and it disclosed the incident to regulators days later. The breach exposed the names, addresses and medical details of more than a million people enrolled in drug maker support programmes.
17. Biden signs order curbing bulk data sales to hostile states
On 28 February President Biden issued an executive order directing the Justice Department to stop data brokers selling sensitive personal information to countries of concern. The order covers genomic, biometric, health, geolocation and financial data.
18. U-Haul notifies 67,000 customers of a data breach
On 22 February U-Haul began telling about 67,000 customers across the United States and Canada that their records had been accessed using stolen login credentials. The exposed data included names, dates of birth and driver's licence numbers.
19. Integris Health confirms breach as hackers email patients directly
Integris Health notified federal regulators in February that a breach had exposed the data of nearly 2.4 million patients, including 255,000 children. The attackers emailed individual patients demanding payment to delete or withhold their stolen records.
20. Verizon discloses insider breach affecting 63,000 staff
In early February Verizon told regulators that an employee had improperly accessed a file holding the personal data of 63,206 workers. The exposed records included names, addresses, Social Security numbers and compensation details.