Privacy Roundup #0216 • July 2024
July 2024 was dominated by the fallout from the Snowflake breaches, record-breaking fines and bans, and fresh fights over surveillance and online safety law.
1. AT&T says criminals stole phone records of nearly all customers
AT&T disclosed on 12 July that attackers had downloaded call and text records covering almost all of its wireless customers from a third-party cloud workspace. The stolen metadata revealed who contacted whom and, for some accounts, cell tower identifiers that could approximate a person's location.
2. Twilio confirms breach after hackers leak 33 million Authy phone numbers
Twilio confirmed that attackers had abused an unsecured endpoint to harvest the phone numbers of 33 million users of its Authy two-factor authentication app. The exposed numbers gave criminals a ready list of targets for phishing and SIM-swapping attacks.
3. Evolve Bank says ransomware gang stole data on millions of customers
Evolve Bank and Trust confirmed that the LockBit ransomware group had stolen the personal information of more than seven million people after the bank refused to pay. The haul included names, Social Security numbers, and bank account details, which the gang then published on its leak site.
4. HealthEquity says data breach affects 4.3 million people
The health savings account custodian HealthEquity disclosed that a partner's compromised credentials had exposed the protected health information of 4.3 million individuals. The leaked records included names, addresses, Social Security numbers, and employment details.
5. Texas wins 1.4 billion dollar biometric settlement against Meta
Texas secured a record 1.4 billion dollar settlement from Meta over its capture of residents' facial geometry without consent through Facebook's tag suggestions feature. The Electronic Frontier Foundation argued the outcome would have come sooner had individuals been allowed to sue directly.
6. US Commerce Department ban forces Kaspersky out of the country
Kaspersky said it would wind down its United States operations after the Commerce Department barred new sales of its security products from 20 July. Officials warned that the Russian firm could be compelled to gather and weaponise the data of American users.
7. CrowdStrike update bricks Windows machines around the world
A faulty Falcon Sensor channel file from CrowdStrike crashed roughly 8.5 million Windows machines on 19 July, grounding flights and disrupting hospitals and banks. The episode showed how deeply a single security vendor's code is woven into critical infrastructure.
8. The KOSA internet censorship bill passes the Senate
The Senate passed the Kids Online Safety Act by 91 votes to 3, advancing a measure that would create a duty of care for online platforms. The Electronic Frontier Foundation warned the bill would chill protected speech and push services towards privacy-invasive age verification.
9. RockYou2024 leak compiles nearly 10 billion passwords
A forum user published a file containing close to 10 billion unique plaintext passwords gathered from thousands of past breaches. Researchers warned the trove could fuel credential-stuffing and brute-force attacks against almost any unprotected system.
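A defender's response to a leak like this is to refuse passwords that already appear in breached-password corpora at registration and password-change time. The following added example (not part of the original roundup) shows one way to do that without sending full passwords or full hashes off-host: it indexes a constructed sample list by the first five hex characters of the SHA-1 digest and looks up only that prefix, the k-anonymity range scheme popularised by Have I Been Pwned's Pwned Passwords service. The sample list, the `INDEX` constant and all function names are assumptions made for the illustration; in practice the range lookup would go to the real service or to a locally hosted copy of the corpus.

```python
import hashlib
from typing import Dict, Iterable

# Constructed sample standing in for a breached-password corpus such as RockYou2024.
LEAKED_SAMPLE = ["123456", "password", "qwerty", "letmein", "rockyou"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Index leaked passwords as prefix -> {suffix: occurrence count}.

    This mirrors what a range-query backend stores: the first 5 hex characters
    of the SHA-1 select a bucket, the remaining 35 identify the password.
    """
    index: Dict[str, Dict[str, int]] = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


# Hypothetical pre-built index; a real deployment would query the service or a local copy.
INDEX = build_range_index(LEAKED_SAMPLE)


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Simulated server side of a k-anonymity lookup.

    Only the 5-character prefix ever leaves the client, so the server learns
    at most that the password hashes into a bucket of roughly 1/16^5 of all hashes.
    """
    return index.get(prefix, {})


def breach_count(password: str, index: Dict[str, Dict[str, int]] = INDEX) -> int:
    """Return how many times the password appears in the corpus (0 if absent).

    The client hashes locally, sends the prefix, and matches the suffix itself,
    so the full hash is never transmitted.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


def is_acceptable(password: str, index: Dict[str, Dict[str, int]] = INDEX) -> bool:
    """Registration policy: reject any password seen in the breached corpus."""
    return breach_count(password, index) == 0


if __name__ == "__main__":
    for candidate in ["password", "rockyou", "correct horse battery staple xK9"]:
        verdict = "REJECT" if not is_acceptable(candidate) else "ok"
        print(f"{candidate!r}: seen {breach_count(candidate)} time(s) -> {verdict}")
```

Pairing this check with login rate limiting and multi-factor authentication addresses the credential-stuffing risk the researchers describe: the leaked list is only useful against accounts whose passwords are in it and whose logins accept unlimited guesses.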
10. Meta's pay or consent model fails EU competition rules
The European Commission found that Meta's choice between paying a fee or accepting tracking breaches the Digital Markets Act because it denies users an equivalent, less personalised option. The case shows regulators turning to competition law to address data protection concerns that privacy rules alone have struggled to resolve.
11. UN cybercrime draft convention dangerously expands surveillance powers
The Electronic Frontier Foundation warned that the draft UN Cybercrime Convention would authorise open-ended evidence gathering with weak privacy safeguards. Civil society groups urged delegates to push back before the final negotiating session opened.
12. AI mass surveillance at the Olympics is a privacy nightmare
Techdirt examined France's deployment of algorithmic video surveillance for the Paris Olympics under a law that civil liberties groups say breaches the GDPR. France became the first EU country to legalise such a sweeping AI-powered monitoring system.
13. Google abandons its plan to drop third-party cookies in Chrome
Google reversed its long-running pledge to phase out third-party cookies, choosing instead to let users make a browser-wide choice about tracking. Privacy advocates and regulators had spent years scrutinising both the cookies and the Privacy Sandbox meant to replace them.
14. FTC bans NGL Labs from offering its anonymous app to minors
The Federal Trade Commission and the Los Angeles District Attorney barred the anonymous messaging app NGL from serving anyone under 18 and secured a five million dollar payment. Regulators said the firm sent users fake messages to push paid subscriptions and falsely claimed its AI filtered out bullying.
15. Supreme Court rules platforms have a First Amendment right to curate
The Supreme Court held in the NetChoice cases that platforms have a constitutional right to decide what speech they carry, free of state mandates. The Electronic Frontier Foundation welcomed the decision while warning that related laws still threaten privacy through age verification.
16. Patelco Credit Union shuts down banking systems after ransomware attack
The California credit union took its online banking, mobile app, and call centre offline after a ransomware attack disrupted its systems at the start of July. The shutdown left more than 400,000 members unable to access many services for days.
17. Rite Aid confirms breach exposing data on 2.2 million people
Rite Aid confirmed that the RansomHub gang had stolen the personal details of 2.2 million customers in a June intrusion that it disclosed in July. The exposed records included names, addresses, dates of birth, and government identification numbers tied to past purchases.
18. Weak Squarespace defaults let attackers hijack domains
Krebs on Security reported that weak authentication defaults in Squarespace's migration of Google Domains let attackers seize at least a dozen organisations' domains. The hijackers exploited accounts that legitimate owners had never claimed, redirecting websites and email to themselves.
19. Email addresses of 15 million Trello users leaked online
A threat actor published more than 15 million Trello email addresses gathered by abusing an unsecured API that linked addresses to public profiles. The combined data of email addresses and real names handed phishers and stalkers a convenient targeting list.
20. ADT confirms breach after customer data leaked on hacking forum
The home security company ADT confirmed that attackers had stolen customer records and posted them on a hacking forum at the end of July. The exposed data included customer emails, addresses, and details of the products they had bought.