At a glance.
- TikTok allegedly planned to track US user data.
- Medibank data breach worsens.
- Another US hospital system reports a Meta Pixel breach.
TikTok allegedly planned to track US user data.
Documents have been discovered indicating that ByteDance, parent company of leading video streaming platform TikTok, had plans to use the app to track the personal location of specific American citizens, Forbes reports. According to TikTok spokesperson Maureen Shanahan, the app collects approximate location data based on users’ IP addresses to “among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.” The main purpose of ByteDance’s Internal Audit and Risk Control department, the team behind the monitoring program, is investigating potential ByteDance employee misconduct, but evidence indicates that in at least two cases, they had plans to collect location data of a US citizen who had never been a TikTok employee, and the purpose of the tracking had nothing to do with targeted advertising.
The true goal behind the monitoring has not been disclosed, and it’s unclear whether the plans were actually carried out. TikTok has denied the implications, a spokesperson telling Fox News, "Forbes declined to include our direct statement that disproves the feasibility of its core allegation: the TikTok app does not collect precise GPS location information from US users, meaning TikTok could not monitor US users in the way the article suggested…Furthermore, the company's Internal Audit team has no role in TikTok product development and would not be able to create such functionality." As Business Insider notes, TikTok has long been regarded by the Administration as a security threat, and although TikTok has claimed it does not share its data with the Chinese government, staffers have admitted under congressional testimony that its US data are accessible from China. The Trump administration threatened to ban the app if it wasn’t purchased by a US buyer, and President Joe Biden proposed new rules this year giving the US government more oversight over apps like TikTok that have the potential to pose a threat to national security.
Medibank data breach worsens.
As we noted yesterday, Australian health insurer Medibank was hit with a cyberattack in which a hacker claims to have stolen 200GB of data, offering a database of one hundred customers as evidence. CRN Australia reports that Medibank has confirmed the data in the hacker’s possession are indeed linked to its customers and include first and last names, street addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and some claims info that exposes sensitive patient details. As Bank Info Security notes, Medibank says the data appear to have been stolen from its ahm and international student systems.
The threat actor also claims to have stolen credit card data, but that has not yet been verified, and according to Clare O'Neil, Australia's Minister for Cyber Security and Home Affairs, that could be the least of the country’s worries. O’Neil stated yesterday, “Financial crime is a terrible thing but ultimately a credit card can be replaced, the threat that is being made here to make the private personal health information of Australians available to the public is a dog act.” The Guardian adds that several news sources report the hackers have threatened to release the information of the one thousand most high-profile Australians if their ransom demands are not met. The breach is just the latest in a wave of attacks targeting Australian citizens; telecommunications giant Optus, the nation’s second-largest mobile provider, was hit earlier this month, and just this week online wine retailer Vinomofo suffered an attack.
Another US hospital system reports a Meta Pixel breach.
US healthcare system Advocate Aurora Health (AAH) has disclosed that a breach compromised the data of 3 million patients, Bleeping Computer reports. The 26-hospital system, based in the states of Wisconsin and Illinois, says the breach was caused by the improper use of Meta Pixel, a Facebook-powered JavaScript tracker that helps website operators understand how visitors interact with the site in order to make targeted enhancements. Meta Pixel was installed on AAH’s websites, where patients log in and enter sensitive health data, and it was discovered that Facebook then shared the info with its network of advertisers for targeted marketing plans.
AAH is just the most recent hospital to disclose a Meta Pixel-related breach; U.S. healthcare provider Novant Health also confirmed the data of 1.3 million patients had been exposed through the use of its MyChart portal, which is equipped with the Pixel tracker. AAH’s exposed data include patient IP addresses, appointment details, proximity to an AAH location, communications between MyChart users, and insurance info. AAH says it has disabled Meta Pixel on all its systems and is executing protections to prevent future exposure.