The 2019 Privacy Scoreboard
With laws like the General Data Protection Regulation (GDPR) coming into effect, as well as increasing awareness and consumer demand for privacy, it’s both necessary and ethical for businesses to evolve with the times. Fortunately, many companies are aware of the problem and have started reexamining their policies and announcing new privacy initiatives. We started out with privacy in mind, so we’re taking a privacy-first approach with our product.
Here we highlight some of the changes being made as the world moves toward a new paradigm for privacy…and some of the missteps along the way.
First Up: Companies Doing Good
Apple has positioned itself as a champion of privacy by restricting access to the App Store and developer tools for companies that violate its strict privacy guidelines. In fact, Apple itself uses “differential privacy” techniques to extract insights from large datasets without compromising individual users’ privacy – and any identifiable information is always encrypted on-device. As Apple CEO Tim Cook puts it, “Privacy to us is a human right. It’s a civil liberty.”
Mozilla is making strides in its effort to increase privacy protection for users of the Firefox browser. The latest version of Firefox now has three options for blocking tracker software and cookies: standard, strict, and custom, in which users can individually fine-tune their settings. To boost privacy even more, third-party trackers will be blocked by default under the standard option. Users will also be able to instantly see what trackers are active on the sites they’re browsing, and a direct link to change privacy settings will be available in the navigation bar.
ADT Security Systems has launched a new consumer privacy initiative in partnership with a coalition of organizations that want to see widespread adoption of privacy best practices and increased transparency in the home security and automation industry. Joining ADT in this initiative are the Security Industry Association, The Internet Society’s Online Trust Alliance, Electronic Security Association, TrustArc, and The Monitoring Association.
…But as we all know, there’s bad along with the good. Below is our list of major data leaks from this year – which we’ll be updating as events transpire.
And Now the Bad Stuff…
The Megaleak of Jan 17, 2019
January 17, 2019 — A megaleak of 2.2 billion records representing numerous past data breaches from various companies has been freely passed around on hacker forums and torrent sites. According to the Hasso Plattner Institute, 750 million of the unique usernames and associated passwords in the data dump have likely not been leaked before and are now available for the first time.
Ascension Banking Leak
January 23, 2019 — Ascension, a data and analytics company for the financial industry, leaked over 24 million loan and mortgage documents from U.S.-based bank accounts. The enormous cache of documents was stored on a server running an Elasticsearch database – but it didn’t even have a password for protection.
More than a decade’s worth of data representing tens of thousands of loans and mortgages was exposed, including people’s names, addresses, phone numbers, Social Security numbers, highly sensitive tax and financial documents, and more… a treasure trove of information for cybercriminals.
FamilyTreeDNA Bait and Switch
January 31, 2019 — FamilyTreeDNA, one of the largest direct-to-consumer genetic testing companies in the United States (used by over a million people to trace their ancestry and find relatives), failed to disclose to users that it was sharing DNA data with the FBI. Although the company claimed it would protect user data and promised not to sell any information to third parties, it voluntarily opened its database to federal investigators without informing users of this change in policy.
A statement from Alan Butler, senior counsel at the Electronic Privacy Information Center, noted that the change in the Terms of Service constituted “‘bait and switch’ behavior that consumer protection laws are meant to prohibit.” FamilyTreeDNA defended its decision.
Houzz Home Improvement Data Leak
January 31, 2019 — Home improvement site Houzz suffered a major data breach in which an unauthorized third party gained access to a file containing internal information about users’ accounts. No financial information or Social Security numbers were exposed, but the data breach included all publicly visible profile information (such as name, location, and profile description) as well as usernames and scrambled passwords.
The hashing algorithm used by Houzz to scramble the passwords could potentially be cracked, so it’s possible that the passwords were (or will be) uncovered in plain text. The company urged users to change their passwords immediately.