At a glance.
- Google changes default privacy settings (in the direction of more privacy).
- Apple will require explicit opt-in before apps can use the IDFA advertising identifier in iOS 14.
- Data leak at Telegram.
- REvil says it will begin selling celebrity law firm data on July 1st.
- Frost and Sullivan data exposed.
- Preen.Me subjected to extortion with a threat to expose personal information.
- Benefits company discloses breach.
- US House committee opens investigation into data broker.
- Updates on the eBay-ECommerceBytes affair.
Google defaults to greater privacy with respect to search and geolocation.
Google yesterday announced changes to its default data handling practices. The Verge describes the new defaults as a compromise between users' privacy and the data Google collects for ad targeting (its bread-and-butter). The changes affect search history (both on the web and in-app), location history, and voice commands given to Google Assistant or Google Home. These data, available for user inspection on the My Activity page, had been retained indefinitely, although last year Google gave users the option of setting their accounts to delete the information after either three or eighteen months. The change announced yesterday makes an eighteen-month autodelete the default. Location history remains off by default; for users who choose to turn it on, it will now autodelete after eighteen months as well. YouTube, owned by the Mountain View tech giant, will default to a three-year autodelete, the better to serve YouTube's recommendation algorithms. These defaults apply to new accounts only. Existing users keep their current settings and retain the option of turning on autodeletion, and Google intends to promote that option heavily.
Apple raises advertising opt-in bar in iOS 14.
The keynote at Apple's Worldwide Developers Conference (MacRumors has the transcript) said that iOS 14 would feature significantly enhanced privacy protections. Henceforth, according to Naked Security, users will be given the app-by-app option of choosing to “Allow Tracking” or “Ask App Not to Track.” As a condition of using Apple's IDFA (Identifier for Advertisers) for mobile ad targeting, app developers will have "to seek consent from iOS device users in order for third parties, aka app monetization partners, to access their data," Adweek explains, adding, "This, in effect, makes IDFA an opt-in feature for users, and advertisers will no longer be able to target them by default."
Data leak at Telegram.
The privacy-focused messaging app Telegram seems to have sustained a privacy incident that exposed the data of "millions" of users. The Russian outlet Kod reported earlier this week that an unspecified but large user database had been posted to a dark net forum. Telegram told Cointelegraph that its contacts-import feature had been abused to compile the database, but that most of the data were outdated. The effects of the leak may be limited, as the data were apparently confined to mappings between phone numbers and Telegram user IDs; passwords, messages, and other sensitive data were unaffected. Such a mapping is not harmless, though: it can tie a pseudonymous username back to a phone number, which matters most for users who rely on that separation. Some 70% of the records affected users in Iran; the rest of the accounts involved are from Russia.
REvil says it's getting around to auctioning celebrity data stolen from law firm.
According to the Register, the REvil ransomware gang is preparing to post online at least some of the celebrity information it says it took from lawyers-to-the-stars Grubman Shire Meiselas & Sacks back in May. The data, which Variety said at the time the gang had offered to sell back to Grubman for $42 million, are said by REvil in their ShadowBrokeresque patois to contain “big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery,” and “bribery by Democratical Party.” No one's really sure what they've got, but the consensus is that the gang has some of what it claims to have. The first tranche of mud lurking behind the scenes is supposed to involve just three of the celebrities: singers Mariah Carey and Nicki Minaj, and basketball star LeBron James. REvil says the bidding will open on July 1st.
We received comments on the implications this incident has for legal services generally from Ilia Kolochenko, founder and CEO of web security company ImmuniWeb. He wrote:
“Law firms are increasingly becoming desirable targets for sophisticated cyber gangs. It is often much easier and faster to breach a mid-sized law firm to get ultra-confidential data compared to targeting its large clients directly, such as banks or celebrities as reportedly happened in this case.
"In a highly competitive and now digitally-disrupted legal services market, few law firms prioritise investment in holistic cyber resilience and defense or understand their attack surface, let alone conduct sufficient employee training. Furthermore, a considerable number of law firms have no incident detection and response capacities, often leaving them unable to detect an intrusion in a timely manner. Worse, modern law firms have to deal with a diversified digital flow of sensitive and privileged data on their mobile phones, laptops and office computers. Partners and clients exacerbate this convoluted landscape by uploading confidential documents to public cloud or file sharing websites. Moreover, even if a data breach is detected, a not insignificant number of law firms would prefer to keep the incident as silent as possible to avoid disastrous reputational damage and acrimonious lawsuits from their clients.
"Ultimately, law firms are a low hanging fruit for cybercriminals, enabling the latter to get their hands on crown jewels of major organizations without spending much effort.”
Frost and Sullivan data exposed.
Security Affairs reports that consulting and market research firm Frost and Sullivan has been breached by KelvinSecTeam (which InfoArmor assesses as a Russian cybergang, although KelvinSec describes itself as a "business intelligence contractor"). Both employee data (first and last names, login names, email addresses, and hashed passwords; the hashing scheme hasn't been reported, which matters for how readily they can be cracked) and customer information (name, email address, company contact, and other data) were taken in the incident and are now for sale in dark web souks. There's a simulacrum of responsible disclosure here, as might befit someone claiming to be a business intelligence contractor: BleepingComputer says that KelvinSecTeam told them that the hackers tried to tell Frost and Sullivan about the breach, got no response, and so decided to hawk the stolen data. The breach is thought to originate with an unsecured backup folder found on a public-facing Frost and Sullivan server.
Social media influencers exposed to extortion in Preen.Me incident.
Risk Based Security reports that Preen.Me, a Tel Aviv-based "next generation marketing platform," has sustained a data breach. A known threat actor, not further identified by the researchers, claimed in a dark web souk to hold personal data on more than 100,000 influencers who worked with Preen.Me, and posted 250 files to Pastebin as evidence of their bona fides. Risk Based Security found the offering on June 6th. On June 14th the criminals leaked data on more than a quarter of a million users of Preen.Me's app, ByteSizedBeauty. The information exposed includes "253,051 records in a user data table including fields such as Facebook name, Facebook ID, Facebook URL, Facebook friends list, Twitter ID, and Twitter name." Also included in the leak are home addresses, email addresses, dates of birth, eye color, skin tone, "and more identifying information."
Benefits company discloses breach.
Grace & Porta, a Michigan-based benefits-package shop, has disclosed a potential data privacy incident after detecting unauthorized activity in one of its email accounts. The company has no evidence that any data were misused, but its investigation is ongoing as it tries to determine what information may have been compromised. It is notifying people who may have been affected, and offering them free credit monitoring and identity protection services.
US House committee opens investigation into data broker.
The Wall Street Journal reports that the House Committee on Oversight and Reform has opened an inquiry into the products sold by Virginia-based Venntel, a data broker that's had contracts with the US Department of Homeland Security, the IRS, the FBI, and other government agencies. The information Venntel provided the agencies is believed to be cellphone location data originally collected by apps for marketing purposes.
More on the bizarre stalking of ECommerceBytes.
The Wall Street Journal is running a follow-up to coverage of the very strange case in which six eBayers, five employees and one contractor, now face US Federal charges for stalking the proprietors of a small blog, ECommerceBytes, run by two collectors (David and Ina Steiner, a married couple) who covered the eBay and Amazon marketplaces. Their commentary was sometimes critical of eBay, although not, in our quick look at the site, unreasonable, immoderate, or out of bounds. The comments section contained its fair share of the usual over-the-top, know-nothing, drop-the-mic stuff such sections tend to generate ("snarky and personal" in the Journal's characterization), but that was of course generated by readers, not the site's proprietors.
eBay had been feeling pressure from Amazon, which had displaced it from its former position as the leading online marketplace. The then-CEO, Devin Wenig, had taken the top job in 2015, around the time the company spun off its PayPal unit, and was determined to recapture eBay's place in online retail. He led an aggressive public relations program that seemed determined to confront coverage deemed inaccurate or unfavorable, and several people report having had sharp elbows thrown their way for things they'd said online that were not to eBay's liking. One of the suspicions that apparently animated eBay's management during Mr. Wenig's tenure as CEO was a belief that Amazon was quietly backing sites like ECommerceBytes. That suspicion wasn't borne out by investigation.
ECommerceBytes evidently became a bête noire for some senior eBay managers, including, in the Journal's account, not only CEO Wenig, but also the then-Chief Communications Officer, Steve Wymer, and the then-Senior Director of Safety and Security, James Baugh. (Mr. Baugh is one of the six who've been indicted in the case, as is David Harville, then eBay's Director of Global Resiliency.) The harassment of the Steiners began in the summer of 2019, and the eBay board's audit committee learned of the police investigation into it in late August. The board was briefed in September ("during a five-hour call led by lawyers at Morgan Lewis & Bockius") and was told that there was no evidence that Mr. Wenig was aware of the harassment campaign. The Journal summarizes the outcome: "The company placed Messrs. Baugh and Harville and another member of the security team on administrative leave on Aug. 30. The company later fired all six who were charged, and Mr. Wymer."
The Justice Department's investigation is ongoing, and is said to focus on whether other people were similarly harassed. We must note that neither Mr. Wenig nor Mr. Wymer has been indicted, and that both deny knowing of, still less condoning, the harassment of the Steiners alleged in the charges. But the texts mentioned in the charging documents seem, to say the least, intemperate, notably Mr. Wenig's "Crush this lady" and Mr. Wymer's "I'll embrace managing any bad fall out. We need to STOP her." The texts are said to have been taken out of context, but it's difficult to see what further context might reveal them to be reasonable and innocent.