Privacy Roundup #0221 • December 2024
December 2024 closed the year with a string of large European fines, fresh data broker crackdowns, and a stark warning that lawful-surveillance backdoors had become a national security liability.
1. Irish regulator fines Meta €251 million over 2018 Facebook breach
The Irish Data Protection Commission fined Meta €251 million on 17 December for a 2018 flaw that let attackers steal access tokens for around 29 million accounts. The regulator found Meta had failed to document the breach properly and had processed more data than it needed.
2. Italy fines OpenAI €15 million over ChatGPT data collection
Italy's Garante fined OpenAI €15 million on 20 December, ruling that the company trained ChatGPT on personal data without a proper legal basis and without an adequate age check. The watchdog also ordered OpenAI to run a six-month public awareness campaign about how it gathers data.
3. FTC bars Gravy Analytics and Venntel from selling sensitive location data
On 3 December the Federal Trade Commission announced a proposed order banning Gravy Analytics and its subsidiary Venntel from selling location data that tracks visits to clinics, churches and other sensitive sites. The companies must build a programme to identify and protect such locations.
4. FTC orders Mobilewalla to stop selling location data without consent
The same day, the FTC moved against Mobilewalla, which had collected more than 500 million unique advertising identifiers paired with precise location data. For the first time, the agency treated collecting bid-request data from real-time ad auctions and retaining it for other purposes as an unfair practice.
5. CISA and FBI urge Americans to use encrypted messaging apps
After the Salt Typhoon intrusions into US telecoms, officials on 4 December recommended that people move to end-to-end encrypted apps such as Signal. The advice marked a notable reversal for agencies that had long pressed for lawful access to encrypted communications.
6. Salt Typhoon shows the danger of surveillance backdoors
Reporting on 11 December argued that the Salt Typhoon breach exposed how the wiretap systems mandated by US law had handed foreign spies a way in. Security experts said the episode proved that no backdoor can be reserved for the good actors alone.
7. Watchdog finds US border surveillance failing privacy rules
A Government Accountability Office assessment published on 20 December found that Customs and Border Protection had met none of six baseline privacy protections for its towers, aerostats and ground sensors. The agency had deployed years of mass surveillance without the required safeguards.
8. Volkswagen leak exposes location data of 800,000 electric cars
A misconfigured cloud store run by Volkswagen's software unit Cariad left the precise location data of about 800,000 electric vehicles open for months. For many of the cars the data was accurate enough to map a driver's daily routine, and it touched politicians and police officers.
9. EU opens formal proceedings against TikTok over election risks
On 17 December the European Commission opened formal Digital Services Act proceedings against TikTok over its handling of risks to the annulled Romanian presidential election. Investigators will examine its recommender systems, coordinated inauthentic behaviour and political advertising.
10. Commission orders TikTok to preserve Romanian election data
Earlier, on 5 December, the Commission issued a retention order requiring TikTok to freeze and keep data tied to systemic risks around elections in the European Union. The order covered national votes between late November 2024 and the end of March 2025.
11. Amnesty exposes Serbian spyware and Cellebrite phone hacking
Amnesty International reported on 16 December that Serbian police and intelligence used Cellebrite tools and bespoke NoviSpy malware to break into the phones of journalists and activists. Devices were often infected while held during ordinary stops and interviews.
12. Krispy Kreme discloses cyberattack disrupting online orders
Krispy Kreme told the Securities and Exchange Commission on 11 December that an intrusion had disrupted online ordering across parts of the United States. The Play ransomware group later claimed the attack, which exposed the personal data of more than 160,000 people.
13. France fines Orange €50 million for ads disguised as emails
The French regulator CNIL announced on 10 December a €50 million fine against Orange for slipping advertisements into users' inboxes that looked almost identical to real emails. More than 7.8 million people had seen the disguised messages.
14. Dutch regulator fines Netflix €4.75 million over transparency
The Dutch Data Protection Authority fined Netflix €4.75 million on 18 December for failing to tell customers clearly what it did with their data between 2018 and 2020. People who asked what information the company held also received insufficient answers.
15. Apple agrees to $95 million settlement over Siri eavesdropping
On 31 December Apple settled a long running class action for $95 million over claims that Siri recorded users without the wake phrase. The plaintiffs said captured snippets were shared with third parties without consent.
16. Ascension confirms ransomware breach hit 5.6 million patients
The health system Ascension disclosed on 19 December that a May ransomware attack had exposed the records of nearly 5.6 million people. The stolen data included Social Security numbers, medical details and payment information.
17. ConnectOnCall breach exposes data of more than 900,000 patients
The telehealth provider ConnectOnCall began notifying patients on 11 December after attackers had access to its platform for roughly three months earlier in the year. Names, phone numbers, health conditions and some Social Security numbers were taken.
18. US soldier arrested over AT&T and Verizon extortion
A US Army soldier was arrested on 20 December over the theft and sale of call records from AT&T and Verizon under the alias Kiberphant0m. Investigators linked the case to the wider extortion campaign against Snowflake customers.
19. Bitcoin ATM operator Byte Federal discloses 58,000 person breach
Byte Federal, one of the largest Bitcoin ATM operators in the United States, told 58,000 users on 12 December that attackers had reached their data through a flaw in GitLab. The exposed records included Social Security numbers, identity documents and user photos.
20. Spain fines Telefónica €1.3 million over 2022 data breach
Spain's data protection authority fined Telefónica €1.3 million, in a decision reported on 3 December, for weak safeguards behind a 2022 breach affecting more than a million Movistar and O2 customers. The regulator faulted both the inadequate security and the slow notification.