At a glance.
- Contact tracing privacy depends upon Bluetooth security.
- Employee data compromised in pharma company ransomware incident.
- Biomedical research firm hacked; data said to be on offer in the dark web.
- GDPR assistance site proves leaky.
- Privacy invasion goes kinetic.
Contact tracing privacy depends upon Bluetooth security.
Apple and Google are rolling out their decentralized contact-tracing app, and it's found favor in some places, Germany among them. Britain's National Health Service will not, however, be using it. The NHS is pursuing its own system that will also use Bluetooth Low Energy signals as a proxy for close approaches to possible sources of infection, but the BBC says NHS wants the data centralized, the better to adapt them to closer management of the pandemic. Whether a decentralized or a centralized system is adopted, both depend upon Bluetooth for proximity determination, and, as ZDNet points out, that means users' privacy will significantly depend upon the security of Bluetooth itself.
Employee data compromised in pharma company ransomware incident.
Pharmaceutical company ExecuPharm has disclosed that it was the victim of a ransomware attack in March. The attackers compromised and encrypted personal data belonging to employees of ExecuPharm, as well as information concerning employees of Parexel that was also maintained on ExecuPharm servers. TechCrunch confirmed that CLOP ransomware was specifically involved. No decryptors are yet available for CLOP, and the gang has begun to publish the stolen data on a dark web site.
Biomedical research firm hacked; data said to be on offer in the dark web.
HackRead reports that security firm Cyble says it's found evidence that the biomedical company Huiying Medical has been hacked, and that some of its stolen data are now for sale in the dark web. Cyble's report says that a threat actor, nom de hack "THEOTIME," whose claims Cyble deems "credible," is asking 4 Bitcoin for Huiying data. The stolen information is said to include:
- "Users — 1.5 MB"
- "Technology + source code — 1GB"
- "Knowledge for Covid-19 Experiments information — 150 MB"
Huiying Medical gained a degree of fame (or notoriety) for its strong claims, reported by VentureBeat and others, that it has developed a method of using CT scans to detect COVID-19 infections, and that its technology has a 97% accuracy rate. The US Centers for Disease Control and Prevention recommend against using either CT scans or X-rays for COVID-19 diagnosis, as do radiological professional organizations in Canada, New Zealand, the US, and Australia. They regard the approach as unreliable, the technology incapable of reliably distinguishing COVID-19 from other conditions.
GDPR assistance site proves leaky.
GDPR.EU, a Proton-run site co-funded by the European Union that offers pointers about GDPR compliance, was found by Pen Test Partners to be leaking data. The leak was an exposed .git repository; it's now secured.
Privacy invasion goes kinetic.
Two cases of misinformation (one driven by initial disinformation) show the ways in which people can be led to violate the privacy of quite innocent neighbors.
In India, a man whose family suffered from COVID-19, properly quarantined themselves, and recovered, is being hounded by people who claim (falsely) that one of the family had in fact died of the virus, and moreover that harsh local restrictions are the family's fault. "When a health officer called me I explained the matter to him. Later, an online news portal carried fake news that the district administration had announced a 'double lockdown' at Manacaud and Ambalathara areas which fall under hotspot due to the irresponsibility of my family. We won't do that," Bin Sagar, the man whose family was afflicted, told the Indian Express. He's taken legal advice.
And then state-run disinformation finds amplification when it finds an audience. The Chinese Communist Party and government have claimed that COVID-19 was brought to Wuhan in October by US Service Members participating in the World Military Games. Those allegations have been widely broadcast by Chinese official statements (often in the form of a call for investigation, sometimes with the suggestion that the virus was an American bioweapon). US Secretary of Defense Esper calls this allegation "completely ridiculous...and irresponsible," and we're with him on that.
But not everybody is, and "everybody" in this case includes some YouTubers. CNN reports that one US Army Reservist who participated in the games has been called out as the source of infection, and is receiving all the hostile attention one might expect. The charge that the Reservist, Maatje Benassi, is the patient zero of the infection and the prime mover in the pandemic is of course absurd, but that hasn't prevented YouTubers from pushing it, acting in effect as a kind of cyber mob.
Prominent among the YouTubers flacking the story is a man whom CNN calls a "misinformation broker" but who describes himself as an "investigative journalist." This particular YouTuber has propounded numerous conspiracy theories in the past, to the extent that Google has stopped running ads on his channel. He is, as he would put it, only asking questions, but the questions are specific and damaging, especially to the Benassis, who have nothing to do with the virus at all.