At a glance.
- The trade in original gangster (OG) accounts.
- Canada finds a privacy issue with Clearview AI.
- Emsisoft sustains breach of a test system.
- Privacy implications of the SolarWinds supply chain incident.
- Hustles, online and elsewhere.
Social media platforms tackle account hijackers.
The market for stolen social media accounts is a thriving underground business, and social media giants Facebook, Instagram, TikTok, and Twitter have joined forces to combat these account hijackers. The platforms are banning hundreds of users involved in the trade, many from a forum called OGUsers, a well-known market where many members serve as middlemen connecting thousands of buyers and sellers in exchange for a percentage of the profits. KrebsOnSecurity details the operations of various banned brokers, like the users known as “Trusted” and “Beam” who negotiate deals totalling millions of dollars a year, earning them commissions equivalent to three-figure salaries.
Canada deems Clearview AI unlawful.
Canadian privacy commissioner Daniel Therrien has officially declared the operations of facial recognition platform Clearview AI a breach of privacy, the New York Times reports. Clearview, which provides facial recognition services, has compiled a database of more than 3 billion images of faces by scraping social media and other websites for photos. The platform has been used by more than two thousand US law enforcement agencies and nearly fifty organizations in Canada, including the national Royal Canadian Mounted Police. Following an investigation into Clearview last year, Therrien is now condemning the company’s practices as unlawful, as the use of personal data in Canada requires consent: “What Clearview does is mass surveillance, and it is illegal.” Clearview says the pics were gathered from publicly accessible websites and are therefore not considered personal data. Though the commissioner does not have the authority to penalize the company or shut it down, he sent a “letter of intention” demanding Clearview stop using Canadian faces in their database. Clearview, which ceased operations in Canada last year when the inquiry began, has stated that they do not plan to delete the images, but will instead give Canadians an opportunity to opt out. SecurityWeek notes that social media platforms including LinkedIn and Facebook have also asked Clearview to stop scraping their users’ images, but SecurityWeek says the company has not yet heeded their requests.
We heard from Christopher Ferguson, a partner at Fasken, a Canadian law firm focused on tech, privacy, intellectual property, and regulation:
“That personal information has been posted publicly or is publicly available does not mean that it is exempt from Canadian privacy laws, which have narrow exceptions in relation to public information. Clearview’s functionality, and that the service is intended for law enforcement use, raised particular concerns. But more broadly, one of the biggest challenges for privacy reform in Canada is to balance the beneficial development of machine learning, AI, and similar technologies, while protecting privacy by, for example, promoting transparency and providing a clear framework for creating and using anonymized information.”
Emsisoft suffers test system breach.
In a case of the protector going unprotected, TechNadu reports that leading security firm Emsisoft was the victim of a data breach this week. Emsisoft’s official announcement disclosed that hackers infiltrated one of the firm’s test systems, which the company used to evaluate their data storage and management solutions. After immediately taking the system offline and investigating the breach, the company determined that the only personal data potentially compromised were fourteen customer email addresses. It also appears the attack was automated and not specifically targeted at Emsisoft. The impacted individuals have been contacted and a complete forensic analysis is being carried out.
Privacy attorneys comment on the implications of the SolarWinds incident.
The SolarWinds incident has privacy as well as security implications. We heard from two data privacy partners at Bryan Cave Leighton Paisner who commented on the matter. Amy de La Lama, who leads the firm’s global Data Privacy & Cyber Security team, saw a lesson on the difficulty of investigating such incidents: “The long tail of the investigation demonstrates how difficult these events are to investigate and to meet underlying timing obligations set out by the GDPR, US state laws and other non-US breach notification obligations.”
Christian Auty, a leader of the firm’s US team, thought it important to note the way in which a compromised software supply chain hits organizations at a point of trust:
“This is significant because many organizations have patching policies that require the organization to process updates from software vendors expeditiously. This speaks to the sophistication of the attack and the increasing need for diligence and audits by data owners regarding their vendors. We can expect this investigation to continue for some time and it appears they have not as of yet ascertained the scope of the attack or the universe of affected parties. This makes it very difficult to properly coordinate efforts at remediation, and suggests that the associated cost and expense will be very high relative to an average breach.”
Hackers engage in a different kind of hustle.
Suppose, not that you would, of course, but suppose that you were reviewing what people euphemistically call "escort services." Would you? How would you? Perhaps you're asking for a friend.
Cybercriminals breached escort services forum EscortReviews.com and published the data on the dark web last weekend, BleepingComputer reports. The leaked database includes registration info for over 470,000 members, with display names, MD5 hashed passwords (which can easily be cracked), and IP addresses, personal data which could be used for blackmail or sextortion. The EscortReviews site has gone offline and is currently displaying an error message, but it’s unclear if this is a result of the breach or if the site was voluntarily disabled.
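Why unsalted MD5 password hashes in a dump like this are a problem, and what a site operator should do about legacy records, as an added illustration that is not part of the original report. The records below are constructed sample accounts, not data from the breach; the scrypt scheme and the `scrypt$salt$key` storage format are this example's own choices.

```python
import hashlib
import os
from collections import Counter
from typing import Optional

# Constructed leaked-style records: (display name, unsalted MD5 hex of password).
# Made-up accounts for illustration only.
LEAKED = [
    ("alice", hashlib.md5(b"summer2020").hexdigest()),
    ("bob", hashlib.md5(b"letmein").hexdigest()),
    ("carol", hashlib.md5(b"summer2020").hexdigest()),
]

def is_legacy_md5(stored: str) -> bool:
    """An unsalted MD5 digest is 32 lowercase hex chars; such records need a forced reset."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def duplicate_hash_groups(records):
    """Unsalted, deterministic hashing means equal passwords give equal hashes,
    so the dump alone reveals which users share a password (and a single
    precomputed table covers every account at once)."""
    counts = Counter(h for _, h in records)
    return {h: [u for u, hh in records if hh == h] for h, c in counts.items() if c > 1}

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt from the stdlib; returns 'scrypt$<salt hex>$<key hex>'.
    A fresh random salt per user means equal passwords no longer give equal hashes."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Verify only against the salted scheme; a legacy MD5 record is never accepted,
    which forces those users through a reset instead."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    _, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=2**14, r=8, p=1, dklen=32)
    return key.hex() == key_hex
```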