Privacy Roundup #0218 • September 2024

September 2024 brought record European fines, fresh breach disclosures and a sharp reminder that surveillance reaches from telecom wiretap systems to children's social accounts.

1. Irish regulator fines Meta 91 million euro over plaintext passwords

The Irish Data Protection Commission fined Meta 91 million euro on 27 September for storing some Facebook and Instagram passwords in readable plaintext. The regulator found four breaches of the GDPR, including a failure to notify and document the incident promptly.

www.dataprotection.ie

2. Dutch watchdog fines Clearview AI 30.5 million euro for illegal face database

The Dutch Data Protection Authority fined Clearview AI 30.5 million euro on 3 September for building a database of more than thirty billion scraped facial images without consent. The regulator added penalties of up to 5.1 million euro if the company does not stop the violations.

www.autoriteitpersoonsgegevens.nl

3. FTC report finds vast commercial surveillance across social media platforms

A Federal Trade Commission staff report published on 19 September found that large social media and streaming firms engaged in mass surveillance of users with weak controls. The report criticised inadequate safeguards for children and teenagers and the indefinite retention of personal data.

www.ftc.gov

4. Telegram agrees to hand user IP addresses and phone numbers to police

On 23 September, Telegram changed its privacy policy to share IP addresses and phone numbers of suspects with authorities in response to valid legal requests. The shift followed the arrest of founder Pavel Durov in France and widened cooperation far beyond terrorism cases.

www.bleepingcomputer.com

5. MoneyGram says hackers stole customer personal and transaction data

MoneyGram disclosed that attackers accessed customer data between 20 and 22 September, prompting a week of service outages. The stolen records included names, addresses, dates of birth, Social Security numbers, bank account numbers and copies of government identification.

techcrunch.com

6. Mozilla hit with GDPR complaint over Firefox tracking feature

The privacy group noyb filed a complaint with the Austrian regulator on 25 September over Firefox's Privacy Preserving Attribution feature. The group argued that Mozilla enabled the advertising measurement tool by default without informing users or seeking their consent.

techcrunch.com

7. Instagram makes teenage accounts private by default

Meta announced Instagram Teen Accounts on 17 September, placing users under sixteen into private profiles with stricter messaging and content settings. Teenagers need a parent's permission to loosen the defaults, and the changes began rolling out in the United States, Canada, the United Kingdom and Australia.

about.fb.com

8. AT&T agrees to pay 13 million dollars to the FCC over a vendor breach

The Federal Communications Commission announced a 13 million dollar settlement with AT&T on 17 September over a cloud breach at one of its vendors. The vendor retained the billing data of around nine million customers for years after it should have been destroyed, and attackers exfiltrated it in 2023.

broadbandbreakfast.com

9. China-linked Salt Typhoon hackers breach US broadband and wiretap systems

On 25 September it emerged that the Salt Typhoon group had compromised major US broadband providers and the systems used for court-authorised wiretaps. The intrusion raised fears that a foreign government had gained access to sensitive law enforcement surveillance data.

www.semafor.com

10. Disney to drop Slack after a 1.1 terabyte data leak

Disney told staff on 20 September that it would stop using Slack following a breach that leaked more than a terabyte of internal messages and files. The leaked trove included unreleased project details, login credentials and crew passport numbers.

fortune.com

11. 23andMe agrees to a 30 million dollar settlement over genetic data breach

On 12 September, 23andMe agreed to a 30 million dollar settlement over the 2023 breach that exposed the data of nearly seven million customers. The case alleged the company failed to protect sensitive genetic information and failed to warn users who were targeted because of their ancestry.

www.malwarebytes.com

12. Apple moves to drop its lawsuit against spyware maker NSO Group

Apple asked a court on 13 September to dismiss its own case against the Pegasus spyware vendor NSO Group. The company argued that pursuing the suit risked exposing sensitive threat intelligence that could help spyware makers refine their tools.

therecord.media

13. California signs laws extending privacy rules to artificial intelligence

Governor Gavin Newsom signed AB 1008 on 28 September, clarifying that personal information under the state privacy law can exist inside artificial intelligence systems. A companion law, AB 2013, requires generative AI developers to disclose details about their training data.

www.wsgr.com

14. UK regulator reprimands Sky Betting and Gaming over advertising cookies

The Information Commissioner's Office reprimanded Bonne Terre, trading as Sky Betting and Gaming, for setting advertising cookies before users could refuse them. Personal data was shared with advertising technology firms the moment people opened the site, without prior consent.

ico.org.uk

15. Medicare contractor breach affects more than three million people

The Centers for Medicare and Medicaid Services began notifying affected individuals on 6 September after a breach at contractor Wisconsin Physicians Service. The incident stemmed from the MOVEit file transfer flaw and exposed names, Social Security numbers and Medicare identifiers.

www.cms.gov

16. Dell investigates leak of employee records on a hacking forum

Dell began investigating a breach after a hacker leaked details of more than ten thousand employees and partners on 19 September. The exposed records included full names, internal identifiers and employment status drawn from the company's systems.

www.bleepingcomputer.com

17. EFF warns the FTC report shows commercial surveillance is out of control

The Electronic Frontier Foundation argued on 26 September that the new FTC findings confirmed an unchecked surveillance economy. The group called for comprehensive privacy legislation rather than relying on companies to police their own data practices.

www.eff.org

18. Slim CD breach exposes credit card data of 1.7 million people

The payment gateway Slim CD disclosed on 6 September that attackers had access to its systems for almost ten months. The compromised data included names, addresses, credit card numbers and expiry dates belonging to around 1.7 million individuals.

www.securityweek.com

19. Fortinet confirms customer data stolen from a third-party cloud drive

Fortinet confirmed on 13 September that a hacker had stolen customer files from a third-party cloud-based shared drive. The attacker claimed to hold 440 gigabytes of data and published it after the company refused to pay a ransom.

techcrunch.com

20. ESO Solutions ransomware attack compromises data of 2.7 million patients

The healthcare and emergency services software provider ESO Solutions disclosed a ransomware attack that affected around 2.7 million patients. Attackers exfiltrated sensitive medical and personal records before encrypting company systems.

www.bleepingcomputer.com
