Privacy Roundup #0213 • April 2024
April 2024 brought record health breaches, a nearly 200 million dollar fine for selling location data, a fresh two year expansion of mass surveillance and a wave of new American privacy statutes.
1. National Public Data hoard of 2.9 billion records put up for sale
A criminal using the name USDoD listed four terabytes of records, some 2.9 billion rows, that he claimed were lifted from nationalpublicdata.com. The teaser samples held names, addresses, telephone numbers and Social Security numbers.
2. FCC fines the big four carriers nearly 200 million dollars for selling location data
The Federal Communications Commission levied close to 200 million dollars against AT&T, Sprint, T-Mobile and Verizon for selling access to customers' location data without valid consent. Each carrier had pushed the duty to gather consent onto downstream buyers, so in many cases no consent was ever obtained.
3. Congress renews and expands FISA Section 702 for two more years
The Senate passed the Reforming Intelligence and Securing America Act and President Biden signed it, extending Section 702 surveillance powers until April 2026. The law widens the range of firms that can be compelled to assist the NSA and FBI, which Senator Ron Wyden called a terrifying expansion of government surveillance authority.
4. CISA orders federal agencies to act after Russia steals Microsoft emails
CISA issued Emergency Directive 24-02 after the Russian group Midnight Blizzard exfiltrated correspondence between federal agencies and Microsoft through compromised corporate email accounts. Agencies were told to reset stolen credentials and analyse the contents of the exposed emails by the end of April.
5. Kaiser Permanente discloses tracker breach affecting 13.4 million people
The healthcare giant told regulators that tracking code embedded in its websites and apps had quietly passed member data to Google, Microsoft and X. The exposed details included names, IP addresses and search terms typed into Kaiser's health encyclopaedia.
6. EU regulators reject Meta's pay or consent advertising model
The European Data Protection Board adopted Opinion 08/2024, finding that large platforms cannot rely on valid consent when they offer users only a binary choice between behavioural advertising and a fee. The board said users must be given a genuine choice that includes a free option without invasive tracking.
7. Apple relabels its threat alerts to name mercenary spyware
Apple sent threat notifications to iPhone users in 92 countries and rewrote its advisory to speak of mercenary spyware rather than state-sponsored attacks. The revised wording explicitly named NSO Group and its Pegasus product as the kind of tool used in these attacks.
8. CISA warns customers after a breach at analytics firm Sisense
CISA said it was investigating a compromise at business intelligence company Sisense and urged every customer to rotate any shared credentials and secrets. Attackers reached a GitLab repository, used a token found there to read Amazon S3 buckets and copied several terabytes of customer data, access tokens and certificates.
9. Roku reports 576,000 accounts hit by credential stuffing
Roku disclosed that around 576,000 accounts were accessed in credential stuffing attacks that reused passwords stolen elsewhere. In fewer than 400 cases the intruders made purchases with stored payment methods, although full card numbers were not exposed.
10. UnitedHealth chief grilled in Congress over Change Healthcare attack
Lawmakers questioned UnitedHealth chief executive Andrew Witty at two hearings about the ransomware attack on its Change Healthcare unit. Witty conceded that the breached portal lacked multi-factor authentication and estimated that data belonging to a third of Americans may have been taken.
11. Cisco Duo warns a supplier breach exposed MFA message logs
Cisco Duo told customers that a telephony provider handling its SMS and VoIP authentication messages was compromised on 1 April through phished employee credentials. The stolen logs held no message content but did contain phone numbers, carriers and location metadata for messages sent during March.
12. Home Depot confirms a third-party leak of employee data
Home Depot confirmed that a software vendor had inadvertently exposed records for around 10,000 of its workers after the data appeared on a hacking forum. The leaked fields covered names, work email addresses and user identifiers, which could fuel targeted phishing.
13. President signs law restricting data broker sales to foreign adversaries
President Biden signed the Protecting Americans' Data from Foreign Adversaries Act, which bars data brokers from selling sensitive personal data to entities controlled by countries such as China, Russia, Iran and North Korea. The Federal Trade Commission will enforce the ban, which took effect in June.
14. FTC bans telehealth firm Cerebral from using health data for ads
Under a proposed order, mental health platform Cerebral agreed to pay more than 7 million dollars and stop using sensitive health data for most advertising. The complaint said the firm had handed information on nearly 3.2 million people to companies including LinkedIn, Snapchat and TikTok through tracking tools.
15. Maryland passes a strict new consumer data privacy law
Maryland's legislature passed the Maryland Online Data Privacy Act, sending one of the country's tougher consumer privacy bills to the governor. The measure limits the collection of personal data to what is reasonably necessary and sets firmer rules for sensitive information.
16. Nebraska enacts a comprehensive data privacy statute
Nebraska's governor signed the Nebraska Data Privacy Act, modelled on the Texas law, giving residents rights over their personal data. The act takes effect on 1 January 2025 and applies to a broad range of businesses operating in the state.
17. EFF warns the draft American Privacy Rights Act falls short
EFF criticised the newly published American Privacy Rights Act for threatening to freeze consumer protections in place by pre-empting stronger state laws. The group urged the drafters to make it far easier for people to sue companies that violate their privacy rights.
18. Hacker who extorted Finnish therapy patients sentenced to six years
A Finnish court sentenced Julius Kivimaki to six years and three months for breaching the Vastaamo psychotherapy clinic and extorting its patients. After the clinic refused to pay, he had emailed roughly 22,000 patients threatening to publish their therapy notes unless they each paid a ransom.
19. FTC finalises a ban on data broker X-Mode selling sensitive locations
The Federal Trade Commission finalised its order against data broker X-Mode and its successor Outlogic, barring them from sharing or selling sensitive location data. Regulators said the firm had sold precise location data that could reveal visits to medical clinics and places of worship without adequate safeguards.
20. CMA reviews progress on Google's Privacy Sandbox cookie plans
The UK competition regulator published its latest report on Google's Privacy Sandbox, the project meant to replace third-party tracking cookies in Chrome. The update assessed whether the changes would protect privacy without entrenching Google's advantage in advertising.