FCC Slaps Major U.S. Carriers with $196 Million in Fines for Illegally Selling Customer Location Data
The US Federal Communications Commission (FCC) has imposed fines totaling $196 million on U.S. wireless carriers T-Mobile, AT&T, and Verizon for illegally selling customer location data.
The breakdown of the fines is $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. The enforcement action stems from the carriers’ unauthorized sharing of sensitive customer location data with aggregators, who then sold it to third parties without obtaining proper consent.
The issue was initially uncovered in 2018, revealing that location data was misused to track individuals for a Missouri Sheriff via a service offered by Securus. Investigations highlighted that carriers continued to sell data without effective safeguards even after recognizing their protection measures were inadequate.
FCC Chairwoman Jessica Rosenworcel stated,
“This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data.”
All three carriers have announced intentions to appeal the fines, arguing the penalties are excessive and citing that the data-sharing practices had ceased over five years ago.
(To which we say, “Don’t do the crime, if you can’t pay the fine”.)
Read: https://www.tftc.io/fcc-fines-us-carriers-196-million-location-data/
Kaiser Permanente Notifies Millions of Members Following Major Data Breach Involving Third-Party Advertisers
U.S. health insurance giant Kaiser Permanente is notifying millions of its members about a data breach caused by sharing personal information with third-party advertisers, including major companies like Google, Microsoft, and Twitter. This breach involved sharing details such as member names, IP addresses, and interaction data from Kaiser’s websites and mobile apps.
The breach was discovered through an internal investigation, which found that tracking code embedded in Kaiser’s websites and mobile apps inadvertently transmitted this sensitive data to advertisers. Following the discovery, the company removed the tracking code.
Diana Yee, a spokesperson for Kaiser, announced that the organization would start notifying the 13.4 million affected individuals in May, covering all regions where Kaiser operates. This breach notification aligns with the legal requirements under the U.S. health privacy law HIPAA, which mandates that covered entities report such incidents to the U.S. Department of Health and Human Services.
The breach, also reported to California’s attorney general, is considered the largest health-related data breach of 2024 so far, according to the Department of Health and Human Services’ records. Kaiser Permanente, part of the Kaiser Foundation Health Plan, is one of the U.S.’s largest healthcare providers, serving over 12.5 million members as of late 2023.
Read: https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-millions-data-breach/
Active Exploitation of GitLab’s Email Verification Vulnerability
A severe security flaw in GitLab’s email verification process, identified as CVE-2023-7028, is currently under active attack. The vulnerability lets attackers have password reset emails sent to unverified email addresses, potentially allowing them to take over accounts. The flaw affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 16.1 to 16.7.1; GitLab issued a fix in January 2024.
The US cybersecurity agency, CISA, has included this bug in its catalog of Known Exploited Vulnerabilities (KEV), indicating that there is proof of ongoing exploits in the wild.
The Shadowserver Foundation reported that more than 5,300 internet-accessible GitLab servers were still vulnerable to this flaw at the end of January. By the start of May, that figure had fallen to approximately 1,400.
In compliance with the Binding Operational Directive (BOD) 22-01, federal agencies are required to identify and patch any vulnerable GitLab instances in their systems by May 22. While BOD 22-01 is specifically for federal agencies, it is recommended that all organizations review GitLab’s advisory and implement the available patches and mitigations promptly to prevent further exploitation of the vulnerability.
Read: https://www.securityweek.com/1400-gitlab-servers-impacted-by-exploited-vulnerability/
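A quick self-assessment a defender can run against an internal inventory of GitLab instances, as an added example that is not part of the original article or GitLab’s own tooling. It treats the affected range exactly as the article states it (16.1 up to and including 16.7.1); the hostnames and version strings below are constructed, and in practice you would confirm against GitLab’s advisory for the fixed release on each minor branch.

```python
"""Triage a GitLab inventory against the CVE-2023-7028 affected range.

Added example, not GitLab's own code. The affected range (16.1 through
16.7.1) is taken as the article states it; the inventory is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches "16.6.2", "16.6.2-ee", "16.7" (missing patch level treated as 0).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Affected range as stated in the article, inclusive at both ends.
AFFECTED_LOW = (16, 1, 0)
AFFECTED_HIGH = (16, 7, 1)


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Turn a GitLab version string into a comparable tuple; None if unparseable."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(raw: str) -> Optional[bool]:
    """True inside the affected range, False outside, None if unparseable."""
    v = parse_version(raw)
    if v is None:
        return None
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so unpatched instances stand out."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "not_affected")
        result[key].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "git.internal.example": "16.6.2-ee",
    "gitlab-old.example": "16.1.0",
    "gitlab-new.example": "16.7.2-ce",
    "gitlab-dev.example": "15.11.8",
    "gitlab-unknown.example": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```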
Mysterious Apple ID lockouts across numerous systems
On the evening of April 26, 2024, multiple Apple users reported being unexpectedly signed out of their Apple IDs across various devices. The incident, highlighted by journalist Chance Miller of 9to5Mac, left users forced to reset their passwords to regain access. Although the Apple System Status page showed no service disruptions, the sudden sign-outs point to an undisclosed issue within Apple’s systems.
Social media platforms, including Twitter and Mastodon, quickly filled with user complaints and confusion.
The problem has disrupted not only personal device access but also app-specific passwords linked to users’ iCloud accounts. The mass logout raises questions about its connection to recent password reset attacks that Apple has been investigating. Apple has yet to provide an official explanation or solution.
Developing…
Read: https://9to5mac.com/2024/04/26/signed-out-of-apple-id-account-problem-password/
School Boards Sue Social Media Giants Over Youth Mental Health Harms
Recently, school boards across the United States and Canada have initiated a series of lawsuits against social media companies, seeking compensation and systemic changes due to the alleged negative impacts of these platforms on students’ mental health. Professor Robert Diaz, a law expert at Thompson Rivers University, discusses these legal battles in detail, highlighting the complex legal and regulatory landscape now confronting social media giants.
In a recent podcast, Diaz explains that the lawsuits mirror similar legal actions taken against vaping companies, where school boards successfully claimed that e-cigarette manufacturers created a public nuisance. These school boards argue that social media platforms are similarly responsible for addictive designs that harm the mental health of young users, demanding billions in compensation to cover increased educational support costs caused by these impacts.
Diaz notes,
“This isn’t just about recovery of funds; it’s about compelling these companies to make substantive changes to their operations.”
These cases raise crucial questions about the responsibility of social media companies to mitigate their platforms’ potentially harmful effects, especially on young users. As these legal battles unfold, they could set significant precedents for how digital platforms engage with younger audiences and are regulated in terms of design and functionality.
Read: https://www.michaelgeist.ca/2024/04/law-bytes-podcast-episode-201/
Elsewhere Online:
EU Launches Investigation into Facebook and Instagram for Disinformation Ahead of Elections
Read: https://www.infosecurity-magazine.com/news/eu-probe-faceboo-instagram/
TikTok Under Fire: Biden Signs Bill Requiring Sale or Shutdown Amid Security Concerns
Read: https://www.securityweek.com/how-tiktok-grew-from-a-fun-app-for-teens-into-a-potential-national-security-threat/
Beware of Fake Chrome Updates: New Android Malware “Brokewell” Targets Banking Data
Read: https://www.hackread.com/fake-chrome-updates-android-brokewell-malware/
Millions of ‘Imageless’ Malicious Containers Uncovered on Docker Hub in Supply Chain Threat
Read: https://thehackernews.com/2024/04/millions-of-malicious-imageless.html
London Drugs Shuts Down Stores Across Canada Following Cybersecurity Incident
Read: https://www.darkreading.com/cyberattacks-data-breaches/canadian-drug-chain-in-temporary-lockdown-mode-after-cyber-incident