CyberSecurity updates
2025-01-30 22:06:31 Pacific

GM Banned from Selling Driver Data - 11d

General Motors and OnStar are banned from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years. The FTC launched an investigation after reports that GM collected data about customers’ vehicle use and sold it to third-party platforms used by insurance companies without adequate consent, specifically from the OnStar Smart Driver program. GM has now stopped sharing sensitive information with data brokers and must take additional steps to increase transparency for its customers.

Massive Location Data Breach Affects Millions - 21d

A massive data breach at location data company Gravy Analytics has exposed sensitive location data of millions of users. The breach affects users of popular apps like Candy Crush, Tinder, and MyFitnessPal, among thousands of others. This incident underscores the risks associated with the collection and sale of location data, particularly from advertising bid streams, without users’ or even app developers’ knowledge. The breach was posted on a Russian-language forum by the hacker using the alias “Nightly” and contained coordinates of devices in the US, Europe, and Russia.

Apple Settles Siri Privacy Eavesdropping Lawsuit - 25d

Apple is facing a class-action lawsuit over its Siri voice assistant due to privacy concerns. The lawsuit claims Siri was eavesdropping and recording users without their consent. Apple has agreed to a $95 million settlement to resolve the issue. The settlement impacts millions of users who might have been affected. Some of the recordings have been shared with third parties. Users can disable Siri to avoid being recorded. This settlement highlights the importance of user data privacy and transparency, and it has also resulted in Apple making changes to its Siri privacy policy and functionality.

T-Mobile Sued Over 2021 Data Breach - 21d

Washington state is suing T-Mobile over its 2021 data breach, which exposed sensitive information of approximately 79 million people, including 2 million Washington residents. The lawsuit claims T-Mobile was aware of security flaws and failed to take adequate action. It also alleges that T-Mobile’s notifications to affected customers were insufficient, failing to disclose the full extent of the breach. The breach involved the sale of user data on the dark web and inadequate protection of user data.

OpenVPN Vulnerabilities Expose Private Keys - 22d

A critical vulnerability, identified as CVE-2024-8474, exists in OpenVPN Connect prior to version 3.5.0. This flaw can expose users’ private keys by logging them in clear text within the application logs. Attackers with unauthorized access to these logs could decrypt VPN traffic, thereby compromising user confidentiality. Additionally, a separate vulnerability (CVE-2024-5594) in OpenVPN before 2.6.11 allows malicious peers to inject arbitrary data through improperly sanitized PUSH_REPLY messages, leading to potential exploitation of third-party plugins or executables. Both vulnerabilities pose serious risks to the security of OpenVPN users.

VW EV Location Data Exposed by Cloud Misconfig - 1h

A significant data leak exposed the location data of approximately 800,000 Volkswagen electric vehicles (EVs), encompassing models from VW, Audi, Seat, and Skoda. The leak, caused by a cloud misconfiguration, revealed real-time GPS locations of the vehicles, along with other sensitive data. This incident raises serious privacy concerns, particularly as the exposed data could be linked to vehicle owners, including sensitive individuals.

The data leak allowed unauthorized access to vehicle locations, potentially enabling surveillance and tracking of individuals. The incident highlights the critical importance of robust cloud security practices and the need for stringent data protection measures by automotive manufacturers and their software subsidiaries. The incident was brought to light by a whistleblower and security researchers.

Apple Notifies Spyware Victims, Not Analyzing Devices - 10d

Apple is notifying users who are likely targeted by government-sponsored spyware, but is redirecting them to third-party security labs instead of performing forensic analysis. This decision stems from their position that in-depth forensic analysis could inadvertently reveal spyware capabilities to the attackers. This approach is praised by security experts as it balances victim protection and security research.

Microsoft Recall Exposes Sensitive Data Screenshots - 17d

Microsoft’s new AI feature ‘Recall’ for Copilot+ PCs stores screenshots of sensitive data, including credit cards and social security numbers, even when a ‘sensitive information’ filter is enabled. This has raised serious privacy and security concerns among users. This feature takes continuous screenshots of everything a user does. The data is stored locally but sent off to Microsoft’s LLM for analysis. This has prompted an investigation by the UK Information Commissioner’s Office. This incident highlights the potential risks of AI-powered surveillance features and the importance of user privacy.

Meta Fined for Major Data Breach GDPR Violations - 11d

The Irish Data Protection Commission (DPC) has fined Meta €251 million (approximately $263 million) for General Data Protection Regulation (GDPR) violations. The fine stems from a 2018 data breach that compromised the personal information of 29 million Facebook accounts. The breach underscores the importance of robust security measures to protect user data and highlights the potential financial repercussions of non-compliance with GDPR regulations. The penalty is one of many such penalties faced by tech giants in recent years, showing a trend of increased enforcement of EU privacy laws.

UnitedHealthcare AI chatbot exposed to internet - 16d

UnitedHealthcare’s Optum had an AI chatbot used by employees exposed to the internet. This chatbot, designed for employees to inquire about claims, was accessible publicly. The exposure raises concerns about the security of sensitive data and the potential for unauthorized access. This incident highlights the risks associated with deploying AI tools without adequate security measures. The AI chatbot exposure occurred amid broader scrutiny of UnitedHealthcare for its use of AI in claims denials.

FTC bans data brokers from selling sensitive information - 12d

The FTC has taken action against data brokers Gravy Analytics and Mobilewalla for illegally collecting and selling sensitive information about American residents, including geolocation data from sensitive locations such as places of worship, abortion clinics, and political events. The FTC’s actions aim to protect consumer privacy and limit the collection of sensitive data from vulnerable locations. The settlements reflect growing concern over data privacy and the need for stricter regulation of data brokers, and they underscore the importance of responsible data handling and compliance with privacy regulations.

Data Broker Exposes 600,000 Sensitive Files - 1d

A data broker, SL Data Services, exposed 644,869 sensitive files, including background checks, in a publicly accessible cloud storage container. The files contained personal information like names, addresses, phone numbers, and criminal histories. This highlights the risks posed by data brokers and the need for individuals to protect their personal information.

Bojangles Data Breach Exposes Personal Information - 4d

Bojangles experienced a data breach between February and March 2024, resulting in the exfiltration of files containing employee and customer names and other personal details. The incident highlights the ongoing risk of data breaches affecting various sectors, emphasizing the need for robust security measures.

Discord's Data Retention and Political Activism - 11d

This item covers a former Discord employee’s account of the platform’s data retention policies and their implications for political activism. The employee says Discord can retain all user messages, raising concerns about potential surveillance and legal repercussions for users engaging in political discussions. The former employee worked on Discord’s Trust and Safety team, handling sensitive issues such as child safety and investigations into potential illegal activities. The employee stresses the importance of using more secure platforms, such as Signal, for organizing political activism to protect user privacy and avoid potential legal ramifications.