Privacy Roundup #0219 • October 2024
October 2024 brought record fines for Big Tech, a wave of mass breaches, and fresh proof that the state and data brokers keep buying their way around warrants.
1. Ireland fines LinkedIn 310 million euros over behavioural advertising
The Irish Data Protection Commission fined LinkedIn 310 million euros on 24 October for processing members' data for behavioural analysis and targeted advertising without a valid legal basis. The regulator found the platform breached the fairness, lawfulness and transparency principles of the GDPR and ordered it to bring its advertising into line within three months.
2. Chinese hackers breached the wiretap systems US law mandates
The Wall Street Journal reported on 5 October that a group known as Salt Typhoon had penetrated the networks of Verizon, AT&T and Lumen and reached the lawful interception systems used to fulfil court-ordered wiretaps. The breach exposed exactly the kind of surveillance backdoor that security experts have warned about for decades: an interception point built into the network for one party is reachable by anyone who compromises that network.
3. Schneier says China is hacking the lawful access backdoor
Bruce Schneier argued on 8 October that the telecom breach proved a long-standing point: a wiretap capability built for the good guys is a capability anyone can abuse. He wrote that the backdoors mandated under CALEA cannot tell a friendly agency from a hostile one.
4. FTC orders Marriott to overhaul security after three breaches
The Federal Trade Commission announced on 9 October that Marriott and its Starwood subsidiary must build a comprehensive security programme to settle charges over breaches that exposed data on more than 344 million guests. Marriott also agreed to pay 52 million dollars to 49 states and to let customers request deletion of their personal information.
5. Internet Archive breach exposes 31 million accounts
The Internet Archive disclosed on 9 October that attackers had stolen authentication data for around 31 million registered users, including email addresses, screen names and hashed passwords. Later in the month the same intruders, using stolen support-system credentials, reached the organisation's Zendesk instance and read sensitive support tickets.
6. FTC finalises its click to cancel rule for subscriptions
The Federal Trade Commission announced its final negative option rule on 16 October, requiring sellers to make cancelling a subscription as easy as signing up. The rule also forces clear disclosures and express consent before a company can enrol someone in a recurring charge.
7. CFPB open banking rule gives people control of financial data
The Consumer Financial Protection Bureau finalised its personal financial data rights rule on 22 October, letting consumers move their banking data to another provider for free. The rule limits how authorised third parties may use and retain that data and bars them from exploiting it for unrelated purposes.
8. EFF tells Massachusetts court to limit reuse of monitoring data
The Electronic Frontier Foundation filed a brief on 22 October urging the state's highest court to bar police from mining pretrial electronic monitoring data to investigate unrelated crimes. The group argued that location data gathered for one purpose cannot become a general warrant for fishing expeditions.
9. Cisco takes DevHub portal offline after data leak
A threat actor known as IntelBroker claimed on 14 October to have taken source code, certificates, API tokens and customer files from a Cisco environment. Cisco confirmed on 18 October that the data came from a public-facing DevHub instance and took the portal offline after the hacker published stolen files.
10. Hot Topic breach exposes millions of shopper records
A hacker using the alias Satanic posted on 21 October claiming to have taken vast amounts of personal data from Hot Topic and its sister brands. The stolen records included names, addresses, phone numbers and partial payment card details, and the intrusion was traced to infostealer malware on a third-party vendor's machine.
11. California regulator opens data broker registration probe
The California Privacy Protection Agency announced on 30 October that its enforcement division was reviewing whether data brokers had registered as the Delete Act requires. Brokers that fail to register face penalties of 200 dollars a day ahead of a 2026 platform that will let people delete their data from every broker at once.
12. EFF warns age verification laws will harm more than they help
The Electronic Frontier Foundation filed a brief with the Fifth Circuit on 4 October arguing that Mississippi's age verification law violates the First Amendment. The group said the law burdens adults and minors alike, threatens online anonymity and creates fresh privacy risks without protecting children.
13. Fidelity breach exposes data of 77,000 customers
Fidelity Investments told regulators in early October that an intruder using two newly created customer accounts had accessed the data of more than 77,000 people. The exposed records included Social Security numbers and driver's licence details, though the firm said no customer accounts had been accessed.
14. Indian court orders Telegram to delete Star Health leak bots
The Madras High Court ordered on 25 October that Telegram block chatbots used to leak the medical records and policy documents of Star Health customers. The insurer had sued Telegram and Cloudflare after a hacker offered the data of about 31 million policyholders for sale.
15. Change Healthcare tells 100 million people their data was stolen
Change Healthcare began notifying roughly 100 million Americans on 30 October that their medical, financial and personal data had been stolen in a February ransomware attack. The breach exposed health records, billing information and Social Security numbers in the largest healthcare data theft yet recorded.
16. Mobile ad data fuels a global surveillance free-for-all
Brian Krebs reported on 23 October that commercial tools such as Babel Street let almost anyone track a person's movements using the advertising identifiers leaking from ordinary phone apps. The investigation showed how police officers, abortion seekers and other vulnerable people can be followed with no warrant and little recourse.
17. EFF warns a sale of 23andMe data would endanger privacy
The Electronic Frontier Foundation cautioned on 9 October that 23andMe's signal that it might sell itself put the genetic data of around 15 million customers at risk. The group set out steps people can take to delete their data and samples and pressed any buyer to honour strong privacy commitments.
18. EFF tells New York that age checks threaten everyone's privacy
The Electronic Frontier Foundation submitted comments in October on New York's plan to enforce its Stop Addictive Feeds Exploitation Act for minors. The group argued that requiring platforms to verify ages would force every user to surrender identity data and chill protected speech.
19. Casio confirms ransomware attack leaked personal data
Casio confirmed on 14 October that a ransomware attack had exposed the personal data of employees, business partners and some customers, alongside sensitive company files. The Underground gang claimed the intrusion and threatened to publish confidential documents after the firm refused to meet its demands.
20. Brazil arrests hacker linked to the National Public Data breach
Brazilian police announced on 18 October the arrest of a man suspected of being USDoD, the cybercriminal tied to the National Public Data breach that leaked Social Security numbers for much of the United States. The same figure was blamed for breaching the FBI's InfraGard programme and leaking the contact details of 80,000 members.