At a glance.
- FTC moves to shut down alleged spyware vendor.
- WhatsApp fined for data handling practices.
- Wawa settles a privacy suit.
- Data breach at Illinois healthcare provider.
FTC shuts down spyware app.
The US Federal Trade Commission (FTC) announced it is banning the company Support King, maker of stalkerware app SpyFone, and its CEO Scott Zuckerman from operating any surveillance platform. The ruling follows claims that a device hack on SpyFone allowed users access to a target’s GPS location, phone use, and web activities without the target’s knowledge or consent, allowing stalkers and domestic abusers to secretly track potential victims. The FTC also found that SpyFone’s inadequate security measures exposed users to cyberthreats, and SpyFone never followed through on promises to improve security protocols. The ruling also requires SpyFone to delete any illegally collected data and notify victims that they’d been tracked. CNBC notes that this is the first time the FTC has imposed a ban of this sort, signifying its commitment to restricting stalkerware. Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, explained, “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”
EU hits WhatsApp with massive fine.
Reuters reports that Ireland’s Data Privacy Commissioner (DPC) has fined WhatsApp a whopping 225 million euros for the messaging platform’s failure to adhere to EU data rules relating to transparency in 2018. This marks the conclusion of a years-long inquiry that had some officials concerned the DPC was dragging its heels. EU privacy watchdog the European Data Protection Board urged the DPC to make the decision, which raised the penalty from an initial estimate of 50 million euros. A WhatsApp spokesperson responded, “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, wrote to comment that the ruling will almost certainly be appealed:
“The fine will undoubtedly be appealed by Facebook and will likely be significantly reduced in court as we already witnessed with other major cases. The judicial process to get a final and enforceable decision will likely take several years. It's very unlikely any Europeans, whose privacy rights were allegedly violated by WhatsApp, will get any compensation.
“Many privacy experts argue that GDPR does not serve its initial purpose of being a consistent pan-European privacy legislation capable of protecting personal data and deterring privacy violations. Given the growing disagreement between European DPAs on GDPR enforcement priorities and imposition of penalties, these concerns become even more real today. Moreover, data subjects are reluctant to enforce their rights under GDPR as it’s always time-consuming and may require a complex and costly process to litigate for penny compensation if any.
“GDPR is a comprehensive, balanced and well-thought law - but its enforcement needs an overhaul, otherwise, impunity for GDPR violations will become a norm.”
Wawa reaches settlement for data breach.
6abc Philadelphia shares that US convenience store chain Wawa is paying up to $9 million in cash and gift cards in a class action lawsuit for a 2019 data breach. "The Settlement Class consists of all customers who reside in the United States and who used a credit or debit card at a Wawa convenience store or fuel pump at any time during the Period of the Security Incident," the Wawa Consumer Data Security Settlement Website states. Any customer who can prove they lost money as a result of the breach is entitled to compensation ranging from a $5 Wawa gift card up to a $500 cash reimbursement.
Illinois medical group breach exposes health data.
ABC 7 Chicago reports that DuPage Medical Group (DMG), a healthcare provider located in the US state of Illinois, suffered a data breach. Threat actors gained unauthorized access to DMG’s network in July, resulting in a disruption to its systems. The subsequent investigation revealed that while only portions of the network were impacted, some patient data including names, dates of birth, and treatment dates were potentially exposed.