At a glance.
- US Small Business Administration inadvertently exposes personal information of loan applicants.
- A list of ransomware gangs who also steal information.
- Privacy implications of COVID-19 contact-tracing apps.
Data exposure at the US Small Business Administration.
The SBA has disclosed that personal information belonging to nearly eight thousand small business owners who applied for assistance under the agency’s Economic Injury Disaster Loan program (the EIDL) appears to have been accidentally exposed. The data involved include, writes the Washington Post, "names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, citizenship status and insurance information."
Again, this program is distinct from, and longer-running than, the Paycheck Protection Program, but small businesses affected by COVID-19 shutdowns have also been eligible to apply for assistance under the EIDL.
Ransomware gangs who also dox.
It's now become a commonplace that ransomware attacks are generally paired with data theft. The threat of revealing sensitive information, especially personal information, intellectual property, or trade secrets, provides the attackers additional leverage for prying ransom out of their victims. ZDNet has published a convenient list of the ransomware gangs who are known to steal their victims' data in addition to encrypting it. It's wise to assume that any successful ransomware attack is also tantamount to a data breach, but if one of these strains of ransomware is involved, it's got a history of information theft: Clop, DoppelPaymer, Maze, Nefilim, Nemty, RagnarLocker, REvil (also known as Sodinokibi), Sekhmet, and Snatch. All of these gangs have maintained leak sites (although Snatch's seems at the moment to be inactive).
Privacy advocates remain uneasy about COVID-19 contact-tracing apps.
Willingness to accept technological approaches to tracing contacts seems predicated on the expectation that such surveillance will end with the pandemic, as SC Magazine summarizes the state of Western opinion. As the Telegraph reports, however, confidence that governments and others won't turn the data collected by contact-tracing apps to other purposes isn't particularly high. One interesting approach to assuring that what goes into contact tracing will stay in contact tracing, and go no further, comes from US Senator Josh Hawley (Republican of Missouri). He's sent an open letter to the CEOs of both Apple and Google asking that they agree to be held personally liable should data collected by their joint contact-tracing project be abused. Neither Apple's Cook nor Google's Pichai had commented by the time Law360 went to press with their story on the request. This is surely an example of grandstanding, but there's a serious privacy point to be made about the technology. As Senator Hawley put it, "Once downloaded onto millions of phones, the interface easily could be edited to eliminate previous privacy protections. The last thing Americans want is to adopt, amid a global emergency, a tracking program that then becomes a permanent feature in our lives."