At a glance.
- FCC probe reveals mobile companies are violating data tracking rules.
- NSO’s new Italian competitor.
- Grubhub might be seeing a spike in takeout orders.
FCC probe reveals mobile companies are violating data tracking rules.
On Thursday the US Federal Communications Commission (FCC) shared the results of a survey asking mobile carriers about their geolocation data handling processes, and its report found that ten of the top fifteen mobile carriers collect users’ geolocation data and provide no way for users to opt out. CyberScoop explains that the inquiry was conducted in July in response to concerns, following the overturning of Roe v. Wade, that law enforcement agencies could use such phone data to track abortion-seekers in states where the procedure is outlawed. Leading mobile providers including AT&T, Comcast, Google Fi, H2O Wireless, and T-Mobile were among the respondents. FCC chairwoman Jessica Rosenworcel summarized, “Our mobile phones know a lot about us. That means carriers know who we are, who we call, and where we are at any given moment. This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure this data is protected.”
FCC rules require mobile companies “to fully disclose to consumers how they are using and sharing geolocation data,” and the investigation, which also asked how much data is collected and for how long, was conducted to assess the companies’ compliance. Public Knowledge Vice President Harold Feld told The Record by Recorded Future, “These letters show that, despite the constant invocation of carriers of ‘industry standards’ and ‘best practices,’ carrier geolocation data practices are all over the map.” The Record by Recorded Future notes that a privacy bill currently being deliberated by Congress could curtail much of the FCC’s authority over broadband privacy, as well as preempt state-level privacy laws such as the stronger protections included in the California Consumer Privacy Act (CCPA).
NSO’s new Italian competitor.
While NSO Group’s Pegasus has become the household name of commercial surveillance software, another, lesser-known spyware maker has been making waves in Europe. Rome-based Tykelab uses a system of phone networks, some on remote Pacific islands, to send “tracking packets” targeting individuals in Southeast Asia, Africa, Latin America, and, closer to home, in the EU. An investigation by Lighthouse Reports has revealed that Tykelab is subleasing dozens of network access points, or “global titles,” from telecom operators around the world in order to find vulnerabilities in countries’ networks. Like NSO Group, Tykelab exploits these unresolved bugs to infiltrate targets’ devices and exfiltrate personal information, including geolocation data, without leaving a trace. The company’s sales brochure promises to “track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent,” and its clients include countries with a history of human rights abuses. EUobserver reports that EU parliamentarians, telecom industry leaders, and privacy experts say Lighthouse’s findings are ominous and present further evidence of the need for tighter regulation of spyware vendors and surveillance software. MEP Sophie in ’t Veld stated, “This is a story of a large spyware vendor abusing the rule of law, this time based within Europe. It is high time that the entire spyware industry within the EU, which acts in a sort of twilight zone of legality, is regulated and sees the light of day. Limits have to be set, otherwise our democracy is broken.”
Grubhub might be seeing a spike in takeout orders.
Leading food delivery platform DoorDash has disclosed that customer and employee data were exposed as a result of the recent breach of a third-party vendor. SecurityWeek reports that the compromised data include customer and driver names, email addresses, delivery addresses, and phone numbers, as well as partial payment card information for a “smaller subset” of users. Though the company’s public breach notice does not identify the affected third-party vendor, the company has told the media that the incident is related to the recent attack on telecom company Twilio, one of over 130 companies recently hit in a massive phishing operation that relies on SMS messages convincing employees of targeted organizations to hand over their company credentials. Cybersecurity firm Group-IB has named the campaign 0ktapus (referencing the scam’s focus on Okta identity service credentials), and according to its findings, the operators have obtained nearly 10,000 credentials. DoorDash has not specified when the breach occurred, but a spokesperson told TechCrunch that the company took time to “fully investigate what happened, which users were impacted and how they were impacted” before announcing the breach.