Privacy Roundup #0220 • November 2024
November 2024 was dominated by the Salt Typhoon telecom espionage revelations, a wave of breach disclosures, and fresh fines and surveillance fights on both sides of the Atlantic.
1. FBI and CISA confirm China-linked hackers breached multiple US telecoms
The two agencies acknowledged a broad espionage campaign in which Salt Typhoon stole call records and tapped court-ordered wiretap systems at several carriers. They confirmed that the intruders targeted communications belonging to people involved in government and politics.
2. T-Mobile detects intrusion attempts tied to the telecom spying campaign
T-Mobile said it spotted hackers probing its network through a connected wireline provider and severed the link before customer data was reached. The company reported the activity to the government while declining to name Salt Typhoon as the culprit.
3. Canadian man arrested over the Snowflake data extortions
Alexander Moucka, who used aliases including Judische, was held in Ontario on a US warrant tied to the theft of data from more than 160 Snowflake customers. Victims of the campaign included AT&T, Ticketmaster, and Neiman Marcus.
4. Fintech giant Finastra investigates a file-transfer breach
Finastra, which serves most of the world's largest banks, found that an intruder used stolen credentials to take roughly 400 gigabytes of data from an internal transfer platform. A criminal then advertised the haul for sale on a cybercrime forum.
5. South Korea fines Meta over sharing sensitive Facebook data
The Personal Information Protection Commission penalised Meta about 15.6 million dollars for handing advertisers data on roughly 980,000 users without consent. The shared categories included religion, political views, and whether a person was a North Korean defector.
6. Unsealed documents reveal how much NSO Group controls Pegasus
Court filings in WhatsApp's lawsuit showed that NSO, not its government clients, ran the data retrieval process behind its spyware. The papers also revealed that the firm cut off ten customers for abusing the tool.
7. EFF documents force disclosure of immigrant social media surveillance
A Freedom of Information lawsuit revealed that the government rebranded its extreme vetting effort and kept spending over 100 million dollars to monitor immigrants online. The records show a hunt for vague derogatory information that raises clear free speech concerns.
8. EFF warns the national security state will make AI even less accountable
A White House directive pushed the security apparatus to lead on artificial intelligence, which EFF argued would deepen secrecy around already opaque systems. The group cautioned that classified AI used for consequential decisions would escape public scrutiny.
9. Criminals abuse the FBI emergency data request system
Schneier highlighted how attackers used compromised police accounts to send fake emergency requests and trick companies into handing over user data. Some fraudulent requests cited invented threats such as human trafficking to add urgency.
10. Hot Topic breach exposes the data of 57 million customers
A breach notification service alerted tens of millions of shoppers that their details had been stolen from the retailer and its sister brands. The exposed records included email addresses, dates of birth, and partial payment card data.
11. Satellite giant Maxar confirms a breach of employee data
Maxar said a hacker using a Hong Kong address reached files holding staff names, addresses, and Social Security numbers. More than half of the firm's workers hold US security clearances for classified projects.
12. Andrew Tate's online platform is breached and its members exposed
Intruders copied chat servers and lifted hundreds of thousands of usernames and registered email addresses from the subscription site The Real World. They disrupted a live stream and passed the data to a breach notification service.
13. SelectBlinds discovers payment-skimming malware on its website
The retailer said malware had sat on its checkout page since early in the year, scraping the details of more than 200,000 customers. The harvested data included names, addresses, and full payment card numbers.
14. Amazon confirms employee data leaked through a contractor
Amazon acknowledged that staff records appeared on a crime forum after a breach at a vendor using the MOVEit file transfer tool. The exposed information covered names, work contact details, and office locations across millions of records.
15. Senators demand an audit of airport facial recognition
A bipartisan group of twelve senators pressed the Department of Homeland Security to evaluate the accuracy and privacy effects of facial scanning before it spreads to hundreds of airports. They warned that mandatory scans could build a federal surveillance database without congressional approval.
16. British software firm Microlise confirms staff data stolen
Microlise said a cyberattack with the hallmarks of ransomware took some employee data and disrupted tracking systems used by DHL and Serco. The incident temporarily disabled vehicle tracking and panic alarms on prisoner transport vans.
17. Ford investigates breach claims and blames a third-party supplier
After criminals advertised a database of customer records, Ford said it found no breach of its own systems. The company traced the small exposed batch to publicly available dealer business addresses held by a supplier.
18. Nokia investigates a claimed theft of its source code
A pair of criminals said they obtained Nokia source code, keys, and credentials through a contractor that worked with the firm. Nokia investigated the claim, which raised questions about why outside contractors could reach such material.
19. India fines Meta and bans WhatsApp data sharing for ads
The Competition Commission of India penalised Meta about 25 million dollars and barred it from using WhatsApp data for advertising for five years. The regulator tied the order to the 2021 privacy policy change that expanded mandatory data sharing.
20. Secret Service tracks phone locations without a warrant
Schneier flagged reporting that the Secret Service used the Locate X tool to follow people through location data harvested from ordinary apps. The agency argued that opaque terms of service mean it does not need a warrant for the practice.