At a glance.
- Privacy advocates may resist expanded government surveillance, even during a public health emergency.
- GE discloses third-party data security incident.
- University of Utah Health discloses data breach.
- Privacy-breaking malware abuses Android accessibility features.
Are privacy advocates with a dry cough like atheists in foxholes?
The short answer would seem to be, apparently not. Governments and mobile carriers in many countries are working out various approaches to using device geolocation data as a means of determining whether people have been near a source of infection, or even if people under quarantine have been out and about, and there's been speculation that in the case of a pandemic, at least, public health will inevitably override privacy. But, if the discussion in Reason's Cyberlaw Podcast is correct, there seems to be a relatively enduring, spontaneously formed coalition of privacy advocates from both the political left and the political right that seems able to maintain a principled opposition to extension of government surveillance, even (perhaps especially) during an acknowledged emergency.
General Electric discloses third-party breach.
General Electric has circulated a letter warning affected parties that Canon Business Process Services, a vendor GE uses to "process documents of GE employees, former employees and beneficiaries entitled to benefits," experienced a "data security incident." In the first two weeks of February an unauthorized party gained access to a Canon email account that contained GE personnel documents. The documents represented the kind of grab bag one would expect of emails dealing with benefits: "direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents, [that] may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms."
None of GE's systems themselves were compromised, the company's letter says, and it also emphasized that Canon was working hard to assess and contain the damage. But this is an instance of a third-party breach that has potentially significant consequences for employees' personally identifiable information.
Breach at University of Utah Health traced to compromised employee email accounts.
University of Utah Health on Friday disclosed that compromised employee email accounts appear to have exposed patient data to unauthorized third parties. The unauthorized access occurred from January 7th through February 21st of this year. The data at risk include names, dates of birth, medical record numbers, and "limited clinical information about care received at University of Utah Health." The university says it's seen no sign that the data have been misused, and that it notified affected patients on March 20th. The incident was an attack, not a simple exposure: University of Utah Health says that a phishing attack may have installed "a common type of malware" (not further identified) on at least one employee's workstation. Investigation is in progress.
TrickMo: Android TAN-stealing malware.
IBM X-Force researchers describe what they call a relatively sophisticated bit of Android malware being pushed by TrickBot. They call the malware “TrickMo,” and say that, while it’s been used against targets in Germany, it appears to be still under active development. It’s a transaction authentication number stealer. Transaction authentication numbers (TANs) are one-time passwords used for authentication, and so TrickMo is designed to get around this useful security measure. There are of course measures in place to defeat TAN-stealers, but TrickMo abuses Android accessibility features to identify and control the dialog screens Android uses to manage permissions.