At a glance.
- Life360 will limit sale of location data.
- Data Privacy Day.
- New Pegasus installations investigated.
- Ransomware as a threat to personal data.
Life360 to limit the sale of user location data.
Following a report revealing that family safety app Life360 was selling the tracking data of its 35 million users to over a dozen data brokers, The Markup reports that the app has announced it will stop sharing precise user location data. CEO Chris Hulls announced that Life360 will put an end to the majority of its location data deals, stating “Life360 recognises that aggregated data analytics (for example, 150 people drove by the supermarket) is the wave of the future and that businesses will increasingly place a premium on data insights that do not rely on device-level or other individual user-level identifiers.” It’s worth noting that the app will continue to sell location data to Arity, an affiliate of Allstate insurance that supports Life360’s driving event history and crash detection features, as well as to the firm Placer.ai, but in an aggregate form that Hulls says will “reduce business risk” for the company. In 2020, location data sales netted the company $16 million, almost 20% of Life360’s total revenue.
Experts share their Data Privacy Day wishes.
Today is Data Privacy Day (in the US and Canada, also known as Data Protection Day in the EU), an event started in 1981 to commemorate the first legally binding international treaty dealing with privacy and data protection, and celebrated annually to promote privacy best practices. To celebrate, Digital Journal interviewed Matt Sanders, Director of Security at LogRhythm, who urges businesses to take privacy more seriously. “Organizations must do their part in ensuring the valuable information they are entrusted with – including customer, employee, partner and corporate data – remains properly protected,” he states. Sanders notes that a recent LogRhythm report showed 93% of security leaders don’t directly report to their company’s CEO, and only 37% of respondents feel security leaders’ expertise is valued. “This significant misalignment is leaving ample room for shortcomings in cybersecurity initiatives that can lead to data breaches,” he explains.
TechHQ also asked experts to weigh in on the importance of this holiday. Veeam's VP of Enterprise Strategy Dave Russell says data privacy is currently at greater risk than ever before, as data leakage – both accidental breaches as the result of company negligence and purposeful breaches resulting from attacks – poses a major security risk. Ramsés Gallego, International Chief Technology Officer at CyberRes, says that with the recent surge in remote work, “a big part of the challenge of keeping data private is knowing what data you have in the first place. Companies were already combating huge data bloat and sprawl – lots of it unstructured or spread across multiple systems.” Simon Marchand, Chief Fraud Prevention Officer for Nuance Communications, agrees that the pandemic has increased the exchange of data online, and he posits that biometrics could be a key fraud prevention tool.
The CyberWire's summary of industry comment on Data Privacy Day may be found here.
Pegasus spyware updates.
And on this holiday, it seems the Pegasus scandal is the privacy “gift” that keeps on giving. Advocacy group Human Rights Watch says their Beirut office director Lama Fakih, who also oversees crisis response in countries including Syria, Myanmar, and Israel, was targeted last year with NSO Group’s controversial surveillance software. NDTV Gadgets 360 explains that Apple notified Fakih of the breach in November, after which a forensic investigation confirmed the presence of the spyware. “It is no accident that governments are using spyware to target activists and journalists, the very people who uncover their abusive practices,” Fakih said.
Meanwhile, the Washington Post reports that the Hungarian Civil Liberties Union (HCLU) has launched a legal campaign representing six surveillance victims who are challenging the government’s alleged use of Pegasus to spy on Hungarian rights activists and journalists. The HCLU will push for an investigation of NSO Group in Israel and will file lawsuits with the European Court of Human Rights. Adam Remport, legal officer for the HCLU’s Privacy Project, explains, “We believe that this case is a turning point… The breach of rights is obvious. This is going to be a test of the Hungarian legal system as a whole regarding whether it is capable of giving redress to the victims of such abuses.”
Ransomware infestations continue.
With REvil's disappearance appearing more theoretical than actual, with QNAP network attached storage devices under attack by Deadbolt, and with BlackCat ransomware establishing itself in the wild, this variety of attack has remained widespread in the first month of 2022. David Mahdi, CSO and CISO Advisor, Sectigo, wrote to offer some perspective on ransomware as a data security problem:
“Ransomware isn’t solely a malware problem, bad actors want access to your data, so it really is a data security and access problem. However, many organizations are missing the point. For instance, with the elusive “White Rabbit” strain of ransomware threatening U.S. financial institutions, this one appears to be much more difficult to find and weed out than previous strains. Typically, organizations that approach ransomware as a malware issue are left chasing shadows. And for more advanced ransomware strains like White Rabbit, they aim to render traditional defenses useless.
“When we look at what ransomware does, it leverages a user’s access within an organization to encrypt sensitive files (and often also steal such data as well – another monetization stream for the bad actors). The access and entitlements given to a user define the level of damage the hacker will do. Therefore, a least-privilege approach combined with zero-trust and identity-first security is critical. To prevent ransomware, you can’t just lock down data, you need a clear method of verifying all identities within an organization, whether human or machine.
“This is where the combination of identity-first approaches combined with PKI and digital certificates enables immutable proof that ‘this person (or entity) is who they say they are.’ When combining identity-first principles with least privilege data access security, ransomware attacks can be mitigated, and in some cases prevented entirely. Ultimately, ransomware attacks are mitigated, or even cut off at the source, and organizations aren’t left endlessly chasing shadows or putting out fires.”