At a glance.
- TikTok faces large fine for children’s privacy practices.
- ESET’s H1 threat report: highs and lows.
TikTok faces large fine for children’s privacy practices.
A major EU privacy regulator has hit TikTok with a €345 million fine for violations concerning children’s privacy rights, Security Affairs reports. TikTok’s “family pairing” feature is intended to allow adults to communicate with children to whom they are related. However, Ireland’s Data Protection Commission (DPC) found that a security flaw could allow unverified adults to send direct messages to teenagers to whom they are not related. What’s more, a default account setting could let anyone view content posted by children under thirteen. Helen Dixon of the DPC explained that the flaw meant, “non-child users had the power to enable direct messages for child users above the age of 16, thereby making this feature less strict for the child user. This also meant that, for example, videos that were posted to child users’ accounts were public by default, comments were enabled publicly by default, the Duet and Stitch features were enabled by default.”
The DPC has also accused the leading video-sharing platform of lacking transparency about its processing practices for children’s data and stated that TikTok’s video publishing practices were designed to push users to select options that expose their content to privacy risks. TikTok will be required to make its processing compliant with EU directives within three months. On Friday TikTok issued a statement voicing its objection to the ruling. “We respectfully disagree with the decision, particularly the level of the fine imposed,” it reads. “The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.” TikTok still has the option of appealing.
ESET’s H1 threat report: highs and lows.
The software experts at ESET recently released their threat report covering the first months of 2023, and the data shows that sextortion emails and other text-based cyber threats have steadily become a more popular intrusion vector for cybercriminals. WeLiveSecurity notes that there’s also been an increase in brute force attacks targeting MS SQL servers, as well as the use of malicious Android apps to conduct loan interest scams. On the brighter side, the report shows that activity out of the infamous Emotet botnet has come to all but a standstill, indicating that it was likely sold to another, less successful cyber gang. And researchers at ESET and Flare Systems have disrupted the malware-as-a-service known as Redline Stealer by dismantling a chain of GitHub repositories used to support the operation. Further details can be heard in ESET’s latest podcast.