vpnMentor reports that a number of African ISPs have sustained a large exposure of customer data. It's a third-party breach: the affected ISPs are themselves customers of South African IT vendor Conor. The data lost was held in a database belonging to Conor, and, vpnMentor says, it included "daily logs of user activity by customers of ISPs using web filtering software built by Conor. It exposed all internet traffic and activity of these users, along with their PII data." The incident appears to have its roots in bungling, not hacking: Conor, according to vpnMentor, simply failed to secure its database.
Ransomware has tended to represent a greater threat to data availability than to data privacy, but that may be changing as ransomware gangs become more aggressive in pushing their victims to pay. Last month the group running the Maze strain of ransomware hit a manufacturing company in the US state of Georgia, Allied Universal. When the company declined to pay the ransom, the extortionists released a number of Allied Universal's files on a dark web hacking forum, explaining, according to BleepingComputer, that they now made a point of exfiltrating data before encrypting the victims' information. This makes sense from the criminal enterprise's point of view, since better defenses, especially greater awareness of and alertness to the risk of phishing, can render organizations dauntingly harder targets, and since organizations that routinely prepare for the eventuality of ransomware can shrug an attack off if they've securely, effectively, and routinely backed up their data. Microsoft, for one, counsels this sort of preparation, and says it would never advise anyone to pay the ransom. This trend of naming-and-shaming in the service of extortion has continued, as the proprietors of Maze this week posted a list of victims who've declined to pay, along with a selection of the filenames the Maze gang has exfiltrated. KrebsOnSecurity notes that several other prominent ransomware gangs have indicated their intent of following suit.
Among Google's more difficult privacy challenges is compliance with the European Union's poignantly named "right to be forgotten." Mountain View gave Help Net Security an overview of how it's coping with mandatory delisting: in the five years since a European court established the legal right, Google has received 3.2 million requests to delist URLs, and it delisted 45% of the URLs in those requests. More than half a million people asked to be forgotten, and Google's decisions were based on its judgment not only of the public domain, but of the public interest as well.
Ever wonder what your car knows about you? A Washington Post reporter did, and took his 2017 Chevy in for a forensic look-see. The Chevy knew a lot: where he'd been, whom he talked to (and what the one he addressed as "Sweetie" looked like), and a whole lot more. Next month your car may well be a moving CCPA violation.