At a glance.
- FTC reaches agreement with Ring.
- Alexa, stop collecting child data without consent.
- Oops, Toyota did it again.
FTC reaches agreement with Ring.
The US Federal Trade Commission (FTC) announced that it has charged leading home security company Ring with compromising customer privacy. The FTC complaint states that Ring put customer data at risk by allowing Ring staffers and contractors to access customers' private videos. The Amazon-owned company also neglected, despite warnings, to implement other standard privacy protections that would protect customers from cyber threats like credential stuffing and brute force attacks. A proposed order calls for Ring to delete data from videos that were unlawfully viewed and to adopt a privacy and security program with more stringent controls, including multifactor authentication for customer and employee accounts. Ring will also be required to pay $5.8 million to cover consumer refunds. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Ring’s disregard for privacy and security exposed consumers to spying and harassment. The FTC’s order makes clear that putting profit over privacy doesn’t pay.” The proposed order will need to be approved by a federal court before it goes into effect. The agreement between Ring LLC and the US Federal Trade Commission may be found here.
Alexa, stop collecting child data without consent.
Amazon has also agreed to pay a civil penalty of $25 million to settle federal charges concerning the collection of data from minors. The FTC found Amazon to be in violation of the Federal Children’s Online Privacy Protection Act (COPPA) for collecting sensitive data from children, including children’s precise locations and voice recordings, and retaining them for business purposes. Regulators say even after parents asked to have children’s conversations with virtual assistant Alexa deleted, Amazon failed to delete transcripts of the conversations from all its databases. As the New York Times explains, COPPA states that online services aimed at individuals under thirteen must obtain parental consent before collecting a child’s personal data, and parents must also have the ability to delete their children’s data. Samuel Levine, director of the FTC’s Bureau of Consumer Protection, stated, “Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated” the children’s online privacy law and “sacrificed privacy for profits. COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.” Amazon denies it violated the law. The company issued a statement saying, “We built Alexa with strong privacy protections and customer control,” and claims it worked with the FTC before adding Alexa to its children’s content service. The decision will now go before a federal court for approval.
Toyota discloses another data exposure incident.
Automotive giant Toyota Motor Corporation yesterday announced it had discovered two misconfigured cloud storage services that had been exposing customers’ personal data for over seven years. As Dark Reading notes, these newly detected unprotected databases are in addition to the misconfigured database the company recently discovered that exposed the location data of over 2 million customers for ten years. The data were managed by Toyota Connected Corporation, which provides Toyota car owners in-vehicle internet services for access to entertainment features, emergency assistance, and location services. "We conducted an investigation for all cloud environments managed by Toyota Connected Corporation (TC). It was discovered that a part of the data containing customer information had been potentially accessible externally," the notice from Toyota reads.
Bleeping Computer explains that the first cloud service exposed the personal information of Toyota customers in Asia and Oceania between October 2016 and May 2023, and the second was exposed between February 2015 and May 2023. While it’s unclear how many individuals were compromised in the first instance, the second instance exposed the data of approximately 26,000 customers, and the compromised data include customer names and contact details, vehicle registration numbers, and in-vehicle device IDs. However, the company says data entries in the cloud environment were periodically deleted automatically, meaning only a limited amount of data were exposed at any particular time, and that the data exposed would not be enough to reveal a customer’s identity or access the vehicle's systems. Toyota says it has implemented a system to monitor cloud configurations and that the company will work with TC to ensure appropriate data handling going forward.
Ani Chaudhuri, CEO of Dasera, commented on the inherent challenges of storing customer information:
"The recent discovery of misconfigured cloud services within Toyota Motor Corp., leading to a significant data breach, is a stark reminder of the inherent risks of storing customer information on the cloud. The breach affected 260,000 Toyota car owners over seven years, exposing personal information such as their car's internet services usage, location, entertainment preferences, and potentially other personal details.
"This incident, occurring just two weeks after the exposure of data of 2.15 million customers due to another misconfigured cloud bucket, underscores the urgency and necessity for meticulous data governance and stringent cybersecurity protocols. The age of digitization carries both promise and peril, and it is incumbent upon organizations to secure their digital assets effectively and efficiently.
"This unfortunate event raises important questions: Why was the misconfiguration not detected for such a long time? Could a proactive and automated monitoring system for data security have mitigated this incident? This illustrates the importance of diligent data governance practices, which include timely detection, alerts, and remediation of such vulnerabilities.
"While it is crucial to leverage cloud technologies for business growth, it is equally critical to ensure the robustness of their security posture. It should be noted that handling sensitive customer data is not just a technical issue; it is a matter of trust. Every breach erodes that trust, and rebuilding it can be a Herculean task.
"As we venture further into the digital age, companies need to view data security not as an afterthought, but as an integral part of their business strategy. Organizations must take a proactive approach, conducting regular audits, risk assessments, and training programs to safeguard their customer data. It is a daunting challenge, no doubt, but one that cannot be avoided in today's interconnected world.
"The Toyota breaches are a wake-up call to every organization handling sensitive data: Ensure your cloud configurations are secure, and protect your customers' data as if it were your own."