At a glance.
- Google agrees to most expensive privacy settlement in US history.
- Data breach at California college.
- Experts warn of cyber football hooliganism.
Google agrees to most expensive privacy settlement in US history.
In a record-breaking settlement, Google yesterday agreed to pay $391.5 million to settle a privacy lawsuit filed by a forty-state coalition of attorneys general, Bleeping Computer reports. The suit alleges that the tech giant misled Android users into thinking they had turned off location tracking in their account settings, when in reality the company continued to collect, store and use the customers' personally identifiable location data. The attorneys general said the agreement, which resulted from a four-year investigation into Google’s practices from 2014-20, was the biggest internet privacy settlement ever in the US. Under the settlement, Google has also agreed to be more transparent about its location tracking settings, implement more user-friendly account controls, and limit its use and storage of some types of location data.
Michigan Attorney General Dana Nessel stated, "The company's online reach enables it to target consumers without the consumer's knowledge or permission…However, the transparency requirements of this settlement will ensure that Google not only makes users aware of how their location data is being used, but also how to change their account settings if they wish to disable location-related account settings, delete the data collected and set data retention limits." As the New York Times notes, Google spokesman José Castañeda indicated that Google had already corrected some of the issues brought forth in the case. “Consistent with improvements we’ve made in recent years, we have settled this investigation, which was based on outdated product policies that we changed years ago,” he stated.
Data breach at California college.
Hartnell College, a public community college located in the US state of California, has disclosed that personal data were compromised in a recent ransomware attack. The school has not specified exactly which data were exposed, but confirmed the attacker gained access to a network that contains personal information. Current and former students and employees were potentially impacted, though, KSBW reports, the school has not released an estimate of how many individuals were affected. Victims will receive a written notification letter from the school in the coming weeks.
Experts warn of cyber football hooliganism.
The 2022 World Cup is scheduled to start this month in Qatar, and Cybernews reports that two official apps required for the games’ attendees have drawn the attention of the cybersecurity community. The first is Ehteraz, a COVID-19 tracking system which is already used in Qatar and asks users to allow remote access to view pictures and videos, track the user’s location, make calls, and read and even modify device data. The second app, called Hayya, controls which fans are allowed entrance to stadiums and schedules viewing and free public transportation to and from the games. Like Ehteraz, Hayya tracks the user’s location, and its permissions ask users to allow unrestricted access to personal data network connections. The app also prevents the device from going into sleep mode.
Øyvind Vasaasen, the head of security at the Norwegian Broadcasting Corporation (NRK), explains, “When you download these two apps, you accept the terms stated in the contract, and those terms are very generous. You essentially hand over all the information in your phone. You give the people who control the apps the ability to read and change things, and tweak it. They also get the opportunity to retrieve information from other apps if they have the capacity to do so, and we believe they do.” French data protection authority CNIL advised those traveling to the World Cup to bring blank smartphones or old devices that have been reset, and also recommended that users install the apps only just before arrival and delete them as soon as they return home. Indeed, attendees must be diligent, as privacy concerns surrounding the games expand beyond the aforementioned apps. As Intelligent CIO Middle East notes, the Digital Shadows Photon Research Team conducted an analysis to determine how attackers might be targeting individuals associated with the World Cup, and they found that threats include false domains, fake mobile apps, and fraudulent social media pages used to impersonate World Cup officials. They also said the games create potential for credential harvesting, hacktivism, ransomware attacks, and Initial Access Brokers.