At a glance.
- TikTok had tracked users in undisclosed ways.
- CNIL investigating TikTok privacy issues.
- SANS discloses data incident.
- Stalkerware advertisements appear to have endured beyond Google's ban.
- Blackbaud breach foreshadows social engineering campaigns?
TikTok had collected MAC addresses.
The Wall Street Journal reports that TikTok had, until last November, collected MAC addresses in an undisclosed user tracking program, a technique that appears to violate Google’s rules on how apps may collect user data. TikTok told the Journal that it remains “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges.” The company added that “the current version of TikTok does not collect MAC addresses.”
French privacy watchdog has an open investigation into TikTok.
In a development unrelated to reports that the social app had collected MAC addresses, Reuters says that TikTok's proposed move of data centers from the US to a presumably friendlier Europe may have also hit a snag, as French regulators—the Commission nationale de l'informatique et des libertés, familiarly, CNIL—acknowledge that they have an open investigation into the service's privacy safeguards. “The CNIL began investigations into the tiktok.com website and the TikTok application in May 2020. The CNIL had indeed received a complaint at that date,” a CNIL spokesman told Reuters, adding that, “To date, the CNIL continues its investigations and participates in ongoing European work.”
SANS Institute discloses data breach.
The SANS Institute, a leading provider of infosec training, disclosed that it had sustained a data breach. It discovered the incident on August 6th and traced its source to a phishing attack that a single employee fell for:
"On August 6th, as part of a systematic review of email configuration and rules we identified a suspicious forwarding rule and initiated our incident response process. This rule was found to have forwarded a number of emails from a specific individual's e-mail account to a suspicious external email address. The forwarded emails included files that contained some subset of email, first name, last name, work title, company name, industry, address, and country of residence. SANS quickly stopped any further release of information from the account.
"As a result of this incident, 513 emails were forwarded to a suspicious external email address. Most of these emails were harmless, but some of these emails contained files with personally identifiable information (PII). As a result, approximately 28,000 records of PII were forwarded to a suspicious external email address...
"Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in. We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise."
SANS is notifying affected individuals.
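The SANS disclosure is a reminder that the most reliable indicator of this kind of mailbox compromise is the forwarding rule itself, not the phishing email. The following script is an added example (written for this page, not SANS's own tooling or anything it has published) of the review SANS describes: it walks an export of inbox rules and flags any enabled rule that forwards or redirects mail to a domain outside the organization. The field names (`MailboxOwnerId`, `Name`, `Enabled`, `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`) follow what Exchange Online's `Get-InboxRule` returns when piped to `ConvertTo-Json`; the mailboxes, rule names and addresses in the sample are constructed for the example, and the heuristics for "suspicious" (external recipient, delete-after-forward, near-empty rule name) are the author's assumptions rather than anything SANS stated.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample export. The field names mirror Get-InboxRule output
# (an assumption about shape); every mailbox, rule and address is invented.
SAMPLE_RULES_JSON = """
[
 {"MailboxOwnerId": "alice@example.org", "Name": "Archive newsletters", "Enabled": true,
  "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
  "DeleteMessage": false, "MoveToFolder": "Newsletters"},
 {"MailboxOwnerId": "bob@example.org", "Name": ".", "Enabled": true,
  "ForwardTo": ["\\"Bob\\" [SMTP:bob.backup@mail-example.net]"], "ForwardAsAttachmentTo": [],
  "RedirectTo": [], "DeleteMessage": true, "MoveToFolder": null},
 {"MailboxOwnerId": "carol@example.org", "Name": "Send to assistant", "Enabled": true,
  "ForwardTo": ["\\"Dan\\" [SMTP:dan@example.org]"], "ForwardAsAttachmentTo": [],
  "RedirectTo": [], "DeleteMessage": false, "MoveToFolder": null},
 {"MailboxOwnerId": "erin@example.org", "Name": "old", "Enabled": false,
  "ForwardTo": [], "ForwardAsAttachmentTo": [],
  "RedirectTo": ["[SMTP:erin@gmail-example.com]"], "DeleteMessage": false, "MoveToFolder": null}
]
"""

# Exchange renders recipients as '"Display Name" [SMTP:user@domain]'.
SMTP_RE = re.compile(r"SMTP:([^\]\s]+)", re.IGNORECASE)

# Fields on an inbox rule that cause a copy of the message to leave the mailbox.
FORWARDING_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def load_rules(text: str = SAMPLE_RULES_JSON) -> List[Dict]:
    """Parse a JSON export of inbox rules into a list of dicts."""
    return json.loads(text)


def recipients(rule: Dict) -> List[str]:
    """Extract lower-cased SMTP addresses from every forwarding field of a rule."""
    out: List[str] = []
    for field in FORWARDING_FIELDS:
        for entry in rule.get(field) or []:
            m = SMTP_RE.search(entry)
            out.append((m.group(1) if m else entry).lower())
    return out


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one of the organization's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def audit_rules(rules: List[Dict], internal_domains: Iterable[str],
                include_disabled: bool = False) -> List[Dict]:
    """Return one finding per rule that sends mail to an external domain.

    Disabled rules are skipped unless include_disabled is set; an attacker
    can re-enable a rule later, so reviewing them too is worthwhile.
    """
    findings: List[Dict] = []
    for rule in rules:
        if not rule.get("Enabled", True) and not include_disabled:
            continue
        external = [a for a in recipients(rule) if is_external(a, internal_domains)]
        if not external:
            continue
        reasons = ["forwards or redirects to external " + ", ".join(external)]
        if rule.get("DeleteMessage"):
            # Deleting the original hides the exfiltration from the mailbox owner.
            reasons.append("deletes the original message after forwarding")
        if len((rule.get("Name") or "").strip()) <= 2:
            # Attacker-created rules are often named "." or left nearly blank.
            reasons.append("near-empty rule name")
        findings.append({
            "mailbox": rule.get("MailboxOwnerId"),
            "rule": rule.get("Name"),
            "external": external,
            "reasons": reasons,
        })
    return findings


def run_sample(include_disabled: bool = False) -> List[Dict]:
    """Audit the constructed sample against the (assumed) internal domain example.org."""
    return audit_rules(load_rules(), {"example.org"}, include_disabled)


if __name__ == "__main__":
    for f in run_sample(include_disabled=True):
        print(f"{f['mailbox']}: rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

To run this against a real tenant, feed it `Get-Mailbox -ResultSize Unlimited | Get-InboxRule | ConvertTo-Json -Depth 3` and pass your own accepted domains. Two caveats: mailbox-level forwarding (`ForwardingSmtpAddress` and `DeliverToMailboxAndForward` on `Get-Mailbox`) and transport rules are separate settings that this inbox-rule check does not cover, and a one-off sweep only tells you about rules that exist today. The SANS write-up mentions a malicious add-in as well, so a review of installed apps and granted OAuth consents belongs alongside the rule audit, and the durable fix is alerting on rule creation as it happens rather than finding it on periodic review.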
The difficulty of excluding stalkerware from legitimate markets.
Yesterday was the deadline Google gave stalkerware vendors to stop advertising on the Mountain View marketing giant’s search platform. But TechCrunch finds that a number of such apps, designed to let a buyer snoop on someone else’s device usage without that person’s knowledge or consent, are still being advertised there.
It’s a tough problem, tougher than it would appear. Few people in the civilized world would want to empower stalkers and domestic abusers to keep track of their fixation’s digital exhaust. It’s creepy, sure, but it’s also dangerous. But having said that, there are plenty of parents who want to have some insight into what their minor children are doing online, and that’s far more defensible. Google sought to carve out an exception to its rules to accommodate what we might call in loco parentis software, but that’s proven difficult to do. Monitoring tools are inherently dual-use, and easily repurposed as creepware. (Compare the distinction between lawful intercept tools and spyware.)
Blackbaud breach expected to provide phishbait for attacks on PII.
Victims affected by the Blackbaud data breach should be on the lookout for spearphishing attacks, ESET argues. Blackbaud, to recap a familiar story, is a cloud software provider that primarily serves nonprofits. It disclosed last month that it had thwarted a ransomware attempt in May, but that the attackers were unfortunately able to make off with some customer data before they were kicked out. Blackbaud, with perhaps unrealistic hopes, paid a ransom to induce the attackers to delete the stolen data, but there’s no hard evidence that the information isn’t still out there.
The breach potentially affected more than a hundred universities, charities, and public institutions around the world. Blackbaud is a customer relationship management platform built for not-for-profits, which in practice makes it a donor management platform. The data it holds pertain to individuals who are already disposed to trust the recipients of their donations, and who have a record of, well, giving. Data lost in a donor management system compromise would seem especially valuable to people who exploit trust: the attacker knows whom the victim trusts, what causes they support, and that they have given money before.