Content type: Examples
In 2018 a report from the Royal United Services Institute found that UK police were testing automated facial recognition, crime location prediction, and decision-making systems but offering little transparency in evaluating them. An automated facial recognition system trialled by the South Wales Police incorrectly identified 2,279 of 2,470 potential matches. In London, where the Metropolitan Police used facial recognition systems at the Notting Hill Carnival, in 2017 the system was wrong 98% of…
Content type: Examples
In internet scans conducted between August 2016 and August 2018, Canada's Citizen Lab identified a total of 45 countries in which operators of Israel-based NSO Group's Pegasus spyware may be conducting surveillance operations. Pegasus is mobile phone spyware that targets are coerced into installing via a carefully constructed phishing attack; clicking on the exploit link installs the spyware without the user's knowledge or permission and bypasses the phone's security protections to send the…
Content type: Examples
Following a 2016 hack that exposed the names, emails, addresses, and phone numbers of 57 million Uber users and drivers, the company paid 100,000 USD to the hackers in the hope that the collected data would be deleted. This decision was in line with Uber's strategy of keeping the breach quiet while limiting potential abuses. The company said it believed the data had not been used, without being able to provide any proof. The hack itself was conducted through GitHub private repositories that the…
Content type: Examples
At the end of September 2018, the sales intelligence company and data aggregator Apollo notified its customers that over the summer Vinny Troia, the founder of Night Lion Security, had discovered that Apollo's database of 212 million contact listings and 9 billion data points relating to companies and organisations was freely accessible via the web. Apollo noted that it collects a lot of its information from public sources around the web; however, it scrapes Twitter and LinkedIn profiles for…
Content type: Examples
By July 2018, ten-year-old Twitter had become such a frequent data resource for social scientists that estimates were that anyone who tweeted publicly on the service was part of a dataset somewhere. The ease and low cost of using Twitter have enabled studies such as analysing bot behaviour during the 2016 US presidential election; studying how people around the globe cope with crises; and tracking geographic health differences. Between 2007 and 2012, scientists collected and analysed at least…
Content type: Examples
In November 2016, the security contractor Kryptowire discovered that cheap Chinese Android phones often include pre-installed software that monitors users' locations, messaging, and contacts, and sends the gathered information to China every 72 hours. Shanghai Adups Technology Company, the Chinese firm responsible for the software, said its code had been installed on more than 700 million phones, cars, and other devices without informing users, but that it was not intended for American phones.…
Content type: Examples
In July 2018, researchers at the London-based security and mobile commerce firm Upstream Systems found that millions of cheap smartphones sold in developing countries lacking privacy protections come with pre-installed apps that harvest users' data for the purpose of targeting advertising and that can only be removed with difficulty. One such app, which Singtech includes on the thousands of smartphones it sells in Myanmar and Cambodia, as well as others sold in Brazil or made by Indian and…
Content type: Examples
The US Securities and Exchange Commission announced in April 2018 that it would fine Altaba, formerly known as Yahoo, $35 million for failing to disclose its massive 2014 data breach. Yahoo did not notify the hundreds of millions of customers until the end of 2016, when it was closing its acquisition by Verizon, even though the SEC found that the company knew within days that Russian hackers had stolen their user names, email addresses, phone numbers, birth dates, encrypted passwords, and the…
Content type: Examples
In May 2018, UK-based security researcher Robert Wiggins discovered that the mobile app TeenSafe, marketed as a secure app for iOS and Android, was storing data it collected on servers hosted on Amazon's cloud without a password and openly accessible. The app lets parents monitor their children's text messages, location, browsing history, and apps, as well as who they called and when, and does not require parents to obtain their children's consent. The insecurely stored 10,200 records included…
Content type: Examples
As part of an ongoing hacker vendetta against surveillance apps installed by abusive partners, in July 2018 a hacker targeted SpyHuman, an India-based company that offers software that monitors Android devices, claiming the software should be taken off the market. Once someone gains physical access to a device and installs the software, SpyHuman's app will intercept phone calls and messages, track GPS locations, read social media messages, and even turn on the device's microphone. The collected…
Content type: Examples
In July 2018, the leader of a private Facebook group for women with the BRCA gene, which is associated with high breast cancer risk, discovered that a Chrome plug-in was allowing marketers to harvest group members' names and other information. The group was concerned that exposure might lead to other privacy violations and discrimination by insurers. The company shut down the extension and closed the loophole. The case is of particular concern because the US Health Insurance Portability and…
Content type: Examples
Between May 18 and May 22, a bug in Facebook's system changed the settings on 14 million users' accounts so that newly posted updates they thought were private might have been made public instead. The company attributed the error to a mistake made in redesigning how the public parts of user profiles are displayed. After Facebook found the bug, it was another five days before all privacy settings were correctly restored.
https://www.washingtonpost.com/news/the-switch/wp/2018/…
Content type: Examples
In June 2018, security researcher Vinny Troia discovered that the Florida-based data broker Exactis had exposed a comprehensive database containing nearly 340 million individual records on a publicly accessible server. The 2TB of data appeared to include detailed information on millions of businesses as well as hundreds of millions of American adults that included as many as 400 highly personal characteristics, including number, age, and gender of children, as well as phone numbers and home and…
Content type: Examples
In July 2018, a hacker attack exposed the personal data of millions of Spanish subscribers to Telefónica's Movistar service. The data included identity and payment information, phone and national ID numbers, banks, and calling data. The cause was a basic programming error known as an "enumeration bug" that allowed anyone logged into one account to alter the ID number inside the URL and view other users' data. It was not clear whether the data had been exploited. However, Telefónica's CEO suggested that the…
Content type: Examples
In June 2018, security researchers found that Google's smart speaker and home assistant, Google Home, and its Chromecast streaming device could be made to leak highly accurate location information because they failed to require authentication from other machines on their local network. The attack worked by requesting a list of nearby wireless networks from the Google device and sending that list on to Google's geolocation lookup service, whose map of wireless network names around the world is…
Content type: Examples
In July 2018, attackers broke into the SingHealth Singaporean government health database and stole names, addresses, and various other details of 1.5 million people who visited clinics between May 1, 2015 and July 4, 2018; however, the attackers did not gain access to most medical records with the exception of outpatient prescription medication data relating to about 160,000 patients including Singapore Prime Minister Lee Hsien Loong and several ministers. The government said none of the…
Content type: Examples
In 2014, a team of four Swedish and Polish researchers began scraping every comment and interaction from 160 public Facebook pages. By two years later, they had collected one of the largest sets of user data ever assembled from the social network; it enabled them to track the behaviour of 368 million members. Techniques like those the researchers used have been used by scholars around the world for a decade to compile hundreds of Facebook data sets of all sizes. Many have been used for research…
Content type: Examples
In July 2018, a group of researchers at Northwestern University published the results of two years of studying the collaboration behaviour of tens of thousands of scientists. A controversy rapidly sprang up about the method they used: they had been given access to project folder-related data by the cloud storage company Dropbox. The data was aggregated and anonymised before being handed to the researchers. However, customers were not asked for consent; instead, Dropbox relied on their acceptance of its…
Content type: Examples
In September 2018, security researcher Patrick Wardle found that Adware Doctor, the top-selling paid utilities app in the US Mac App Store, was exfiltrating the browser history of anyone who downloaded it and sending it to a developer. Adware Doctor is intended to protect browsers against adware. A month after Wardle notified Apple, the app remained in the store; it and the same developer's AdBlock Master were removed shortly after TechCrunch published his findings.
https://www.macrumors.com/…
Content type: Examples
In April 2018, a researcher at Norway's SINTEF found that the gay-dating app Grindr was sending its 3.6 million users' HIV status and last tested date along with their GPS data, phone ID, and email to two app-optimising companies, Apptimize and Localytics. SINTEF also found that the company was sharing precise GPS position and other information such as "tribe", sexuality, relationship status, and ethnicity with third-party advertising companies, sometimes unencrypted. Grindr said it pays…
Content type: Examples
In March 2018, Trever Faden, the CEO of a property management startup, exposed a flaw in the gay-dating app Grindr that opened access to the location data and other information about its more than 3 million daily users. A website Faden set up allowed Grindr users to see who was blocking them after entering their Grindr name and password. Providing that information, however, also gave Faden access to user data that is not accessible via user profiles, including unread messages, email addresses,…
Content type: Examples
In its May 2018 quarterly filing with the Securities and Exchange Commission, Equifax provided its most detailed analysis to date of the company's 2017 data breach. In the US, nearly 147 million people had their names, dates of birth, and/or Social Security numbers stolen; address information was taken for 99 million. In addition, 209,000 payment cards and expiration dates and 97,500 tax IDs were stolen. Besides the information stored in its databases, the attackers accessed thousands of images…
Content type: Examples
In September 2018, the GuardianApp group of security researchers discovered that dozens of popular news, weather, and fitness iPhone apps that require access to location data sell the data they collect to companies engaged in businesses such as ad targeting. The group found apps such as ASKfm, NOAA Weather Radar, and Photobucket collecting location information and that the data is being sent to companies such as Reveal, Sense360, Cuebiq, Teemo, Mobiquity, and Fysical, who said customers can opt…
Content type: Examples
In July 2018 the UK's Information Commissioner's Office announced it would fine Facebook £500,000, the maximum under the 1998 data protection law, for failing to safeguard its users' information and lacking transparency about how the data was harvested and used by others, specifically Cambridge Analytica. Under the new General Data Protection Regulation, Information Commissioner Elizabeth Denham said the fine would have been much higher. The inquiry that led to the fine also led the ICO to send…
Content type: Examples
In announcing a data breach in 2018, at first Facebook said 50 million people's data had been accessed, then 30 million - but the data accessed was more sensitive than they thought at first. After investigation, the company explained that it had identified four stages of attack with a different group of victims affected in each one. The attackers used an automated technique to move from the first small group of accounts they controlled to others, stealing access tokens of friends and friends of…
Content type: Examples
In August 2018, Facebook announced it would remove more than 5,000 ad targeting options in order to prevent discrimination. Options specifying the exclusion of people interested in "Passover", "Native American culture", or "Islam" could be used as proxies to allow advertisers to exclude ethnic and religious groups in contravention of the law. The announcement came shortly after the US Department of Housing and Urban Development filed a complaint alleging that the company had enabled…
Content type: Examples
In July 2018, members of the Internal Security Organisation, Uganda's counterintelligence agency, raided South African telecommunications provider MTN's Uganda data centre in Mutundwe. In a letter to the police, MTN said the ISO kidnapped a data manager who worked for the contractor that ran the data centre on MTN's behalf, Huawei Technologies. Moses Keefah Musasizi was taken to the ISO head office in Nakasero and held for four hours before being forced to grant access to the data centre and…
Content type: Examples
The internet provides employers with the opportunity to learn an unprecedented amount about prospective employees by searching social media feeds and other postings. By 2018, DeepSense was taking this a step further by analysing individuals' Twitter feeds to predict their personality and employment viability. A journalist trying the service learned that he was "47% anxious", with a "low" potential for stability, and would "run out of patience with lack of achievement or direction". While the…
Content type: Examples
In 2018 industry insiders revealed that the gambling industry was increasingly turning to data analytics and AI to personalise their services and predict and manipulate consumer response in order to keep gamblers hooked. Based on profiles assembled by examining every click, page view, and transaction and incorporating data purchased from third-party sources, gambling operators push customised ads through Google, Facebook, and other platforms. There are also plans to geolocate customers arriving…
Content type: Examples
Although the US rejected a "National Data Center" approach in 1966, eventually instead passing the 1974 Privacy Act, in 2018 the House of Representatives proposed a national database of all 40 million recipients of benefits under the Supplemental Nutrition Assistance Program (SNAP, formerly known as "food stamps"). The proposed legislation assigned the creation of the database to the Department of Agriculture, with help from private vendors and would collect Social Security numbers, birthdates…