Privacy Roundup #0212 • March 2024

March 2024 brought big breaches at AT&T and Fujitsu, fresh sanctions against spyware makers, and courts and lawmakers pushing back on surveillance and Big Tech.

1. AT&T confirms breach affecting 73 million current and former customers

On 30 March AT&T said a data set posted on the dark web held records on about 73 million people. The leaked fields included names, addresses, Social Security numbers and account passcodes dating from 2019 or earlier.

www.classaction.org

2. United States sanctions the maker of Predator spyware

On 5 March the Treasury sanctioned the Intellexa group and two executives behind the Predator spyware. It was the first time the United States had used sanctions against a commercial spyware firm whose tools were turned on officials and journalists.

www.axios.com

3. House passes bill that could force a TikTok sale or ban

On 13 March the House of Representatives voted 352 to 65 to pass the Protecting Americans from Foreign Adversary Controlled Applications Act. The bill would force ByteDance to sell TikTok or face removal from app stores, with backers citing the handling of Americans' data.

www.cnbc.com

4. Mozilla drops Onerep after its chief admits to running people-search sites

A KrebsOnSecurity report on 14 March showed that the founder of Onerep, a removal service bundled into Firefox, had launched dozens of people-search networks. Mozilla said it would wind down the partnership after the conflict came to light.

krebsonsecurity.com

5. Fujitsu finds malware on its systems and warns of stolen data

On 15 March Fujitsu said it had found malware on company computers and that files with personal and customer information may have been taken. The malware was not ransomware; it spread to dozens of machines and used methods built to evade detection.

techcrunch.com

6. European Parliament adopts the AI Act with limits on biometric surveillance

On 13 March members of the European Parliament approved the AI Act by a wide margin. The law bans untargeted scraping of facial images and limits live facial recognition in public spaces, though it carves out exceptions for the police.

www.europarl.europa.eu

7. Justice Department sues Apple and questions its privacy defence

On 21 March the Justice Department and sixteen states sued Apple over its grip on the smartphone market. The complaint argues that some features Apple blocks, such as encrypted messaging to Android phones, would have improved user privacy.

www.justice.gov

8. Glassdoor attaches real names to anonymous accounts

In March users reported that Glassdoor had attached their real names to accounts they had kept anonymous for years. The change followed the firm's purchase of Fishbowl and raised fears that candid reviews could be traced back to workers.

techcrunch.com

9. American Express warns customers of a third-party breach

On 4 March American Express told customers that account numbers, names and card expiry dates had been exposed through a third-party merchant processor. The company said its own systems were not breached but did not name the processor or the number of people affected.

www.malwarebytes.com

10. Roku discloses a breach hitting more than 15,000 accounts

In March Roku said attackers had broken into over 15,000 accounts using passwords leaked from other services. The intruders changed account details and, in some cases, used stored card data to make purchases.

variety.com

11. Incognito dark web market extorts its own buyers and sellers

The Incognito drug market shut down in March after an apparent exit scam, then began extorting its users. Operators threatened to publish hundreds of thousands of orders and transaction records unless people paid fees of up to 20,000 dollars.

krebsonsecurity.com

12. FCC data breach reporting rules take effect for phone carriers

On 13 March the Federal Communications Commission's updated breach rules came into force. They widen the rules to cover ordinary personal data, not just network records, and require carriers to notify the FCC, the FBI and the Secret Service of breaches.

www.hunton.com

13. Watchdog finds federal agencies used facial recognition without training

A Government Accountability Office report in March found seven federal agencies ran about 60,000 facial recognition searches before setting any training rules. Most still lacked policies to guard civil rights and civil liberties.

www.gao.gov

14. Krebs uncovers a US-focused people-search network run from China

On 20 March KrebsOnSecurity exposed a web of people-search sites aimed at Americans but run from China. The owners listed on the sites all appeared to be invented, using stock photos and fake biographies.

krebsonsecurity.com

15. EFF urges a New York court to protect anonymous speakers

On 12 March the Electronic Frontier Foundation filed a brief asking a New York court to keep anonymous online critics from being unmasked too easily. It argued that courts should weigh a person's right to speak before handing over their identity.

www.eff.org

16. San Francisco votes on a measure to expand police surveillance

On 5 March San Francisco voters decided Proposition E, which loosens limits on the police trying new surveillance tools. The EFF and other groups warned it would let officers trial untested technology on the public with little oversight.

www.eff.org

17. Apple and Microsoft patch dozens of flaws in March

On 12 March both Apple and Microsoft shipped fixes for scores of security holes. Apple's macOS update alone closed about 68 weaknesses and patched two flaws already used against iPhones.

krebsonsecurity.com

18. FTC explains its crackdown on mass data collectors

In a March post the Federal Trade Commission set out the thinking behind its recent cases against Avast, X-Mode and InMarket. The agency said selling sensitive location and browsing data without real consent is unfair to consumers.

www.ftc.gov

19. EFF makes the case for fixing privacy law first

On 6 March the EFF argued that many of today's technology fights, from children's safety to deepfakes, are really privacy problems. It called for a strong baseline privacy law as the place to start.

www.eff.org

20. France Travail breach exposes data on up to 43 million people

On 13 March France Travail, the French unemployment agency, said attackers had accessed personal records covering as many as 43 million current and former job seekers. The exposed fields included names, dates of birth, social security numbers, postal addresses, email addresses and phone numbers stretching back two decades.

www.theregister.com

