Privacy Roundup #0215 • June 2024

June 2024 was dominated by the sprawling Snowflake credential thefts, fresh curbs on Big Tech artificial intelligence and surveillance, and a run of regulators, courts and breach disclosures reshaping data protection.

1. Snowflake breach exposes 165 customer organisations

Mandiant and Snowflake disclosed in June that a financially motivated group, which Mandiant tracks as UNC5537, had used stolen passwords to raid roughly 165 customer accounts. None of the affected tenants had enforced multi-factor authentication, and many of the credentials had not been changed for years.

thehackernews.com

2. Hacker accesses internal Tile tool that hands location data to police

On 12 June a hacker reached an internal tool at the location tracker maker Tile that processes data requests from law enforcement, using the credentials of a former employee. The intruder scraped customer names, physical addresses, email addresses and phone numbers, then attempted to extort the company.

www.404media.co

3. Microsoft reverses course and makes Windows Recall opt-in

After security researchers showed that the Recall feature stored unencrypted screenshots of everything a user did, Microsoft announced in June that it would be turned off by default. The company also required Windows Hello and encryption before the tool could be switched on.

therecord.media

4. Apple unveils Private Cloud Compute for on-device and cloud artificial intelligence

At its developer conference on 10 June, Apple announced Private Cloud Compute, a system meant to extend device-level privacy guarantees into the cloud. The company said personal data sent for processing would not be accessible to anyone, including Apple, and pledged to publish the code for public inspection.

security.apple.com

5. Meta pauses plans to train artificial intelligence on European user data

On 14 June the Irish Data Protection Commission said Meta had agreed to pause training its models on data from European users. The company had planned to rely on legitimate interests rather than seek explicit consent, prompting regulatory engagement and public criticism.

www.dataprotection.ie

6. noyb files complaints in eleven countries over Meta artificial intelligence training

On 6 June the privacy group noyb lodged complaints with eleven European data protection authorities, asking them to halt Meta's planned data use through an urgency procedure. It argued that using years of public and non-public posts to train artificial intelligence without consent breached the data protection rules.

noyb.eu

7. Truist Bank confirms breach as data appears for sale

Truist Bank confirmed in June that its systems had been breached after a dark web seller offered stolen records. The post claimed to contain data on tens of thousands of employees along with bank transaction details such as names, account numbers and balances.

www.malwarebytes.com

8. United States bans Kaspersky software

On 20 June the Commerce Department issued a first-of-its-kind determination prohibiting the sale of Kaspersky antivirus and security products to people in the United States. Officials said the Russian firm's software could be exploited to gather sensitive data and pass it to the Russian government.

www.bis.gov

9. Julian Assange pleads guilty and walks free

The WikiLeaks founder pleaded guilty in June to a single count of conspiring to obtain and disclose classified national defence information. He received a sentence of time served and was freed, ending a long legal battle over the publication of secret documents.

www.justice.gov

10. Polyfill supply-chain attack hits more than 100,000 websites

In late June the cdn.polyfill.io domain began injecting malicious code into a widely used JavaScript library, redirecting visitors on more than 100,000 sites to scam pages. Cloudflare responded by automatically rewriting requests to serve a safe mirror of the library instead.

blog.cloudflare.com

11. EFF opposes the American Privacy Rights Act

On 24 June the Electronic Frontier Foundation told Congress it opposed the American Privacy Rights Act in its current form. The group warned that the bill would freeze protections in place, override stronger state laws and stop states from passing tougher rules.

www.eff.org

12. FTC refers TikTok children's privacy complaint to the Justice Department

On 18 June the Federal Trade Commission announced it had referred a complaint against TikTok and ByteDance to the Justice Department. The regulator said it had reason to believe the companies were violating the children's privacy law after a review of an earlier settlement.

www.ftc.gov

13. Clearview AI settles biometric privacy case with an equity stake

In June Clearview AI reached an unusual settlement of biometric privacy claims, granting the class a 23 percent ownership stake in the company rather than a cash payment. The fund was valued at roughly 51.75 million dollars and addressed the firm's scraping of billions of facial images.

www.biometricupdate.com

14. Detroit settles wrongful facial recognition arrest case

On 28 June the city of Detroit agreed to pay 300,000 dollars to Robert Williams, who was wrongly arrested after a false facial recognition match. The settlement also imposed strict limits on police use of the technology, barring arrests based on a match alone.

fortune.com

15. Australian regulator takes Medibank to court over 2022 breach

On 5 June the Australian Information Commissioner began civil penalty proceedings against the insurer Medibank in the Federal Court. The action alleges that the company failed to take reasonable steps to protect the personal information of 9.7 million people exposed in a 2022 attack.

www.oaic.gov.au

16. Synnovis ransomware attack disrupts London hospitals and exposes patient data

A ransomware attack on the pathology provider Synnovis on 3 June forced major London hospitals to cancel thousands of operations and appointments. On 20 June the attackers published stolen data, including patient names, NHS numbers and test results.

www.bleepingcomputer.com

17. Los Angeles County health agency discloses phishing breach affecting 200,000 people

In mid-June the Los Angeles County Department of Public Health disclosed a phishing attack that compromised the credentials of dozens of staff. The intrusion exposed sensitive information on more than 200,000 people, including diagnoses, prescriptions and Social Security numbers.

www.infosecurity-magazine.com

18. Alleged leader of the Scattered Spider hacking group arrested

On 15 June Krebs on Security reported that police in Spain had arrested a 22-year-old British man accused of leading the Scattered Spider extortion group. The group has been tied to data theft and phishing attacks against numerous large companies.

krebsonsecurity.com

19. EU vote on message-scanning Chat Control proposal is withdrawn

A planned Council vote on the child sexual abuse regulation, known to critics as Chat Control, was pulled in late June amid heavy opposition. Campaigners and technical experts warned that the bulk scanning of private messages would undermine encryption for millions of users.

www.patrick-breyer.de

20. Pure Storage confirms breach of its Snowflake workspace

On 11 June the storage company Pure Storage confirmed that attackers had accessed a Snowflake workspace containing telemetry information. The exposed data included company names, usernames and email addresses, though the firm said it did not contain credentials for customer systems.

www.theregister.com
