WEEK OF APRIL 11, 2022
Utah Privacy Bill signed, marking fourth state with such a law
- The law gives consumers the right to know what personal data is being collected and ask it be deleted.
- The Utah Consumer Privacy Act is more business-friendly than legislation passed in California, Virginia, and Colorado, with no private right of action and the ability for companies to cure alleged violations within a 30-day time frame before the attorney general could conduct an enforcement action.
- The law, which takes effect Dec. 31, 2023, will apply to businesses with annual revenues of $25 million or more that satisfy one or more of the following thresholds: handles personal data of 100,000 or more consumers per year; derives over 50% of gross revenue from the sale of personal data; and processes personal data of 25,000 or more consumers.
- It won’t apply to governmental entities, tribes, higher education institutions, nonprofits, covered entities and business associates under the Health Insurance Portability and Accountability Act, and financial institutions or affiliates governed by Title V of the Gramm-Leach-Bliley Act. The law also won’t apply to protected health data under HIPAA and data collected, processed, sold, or disclosed in accordance with the GLBA.
Apple’s Zero-Day woes continue
- Two new bugs in macOS and iOS disclosed this week add to the growing list of zero-days the company has rushed to patch over the past year.
- The flaws are present in macOS Catalina, Big Sur, and Monterey; in devices running iOS and iPadOS; and in Apple tvOS and watchOS.
- s leaked 28GB worth of Central Bank’s data, which is now available for public download.
- One of the two zero-days for which Apple issued an update this week exists in the AppleAVD media file decoder that is present in multiple supported macOS versions as well as iOS and iPadOS. Apple’s sparse vulnerability disclosure described the flaw (CVE-2022-22675) as resulting from an out-of-bounds write issue and providing attackers with an opportunity to execute arbitrary code at the kernel level. Apple said it is aware of a report that the flaw is being actively exploited.
NSA employee indicted for sending classified data outside the agency
- A National Security Agency employee is accused of sharing top-secret national security information with an unauthorized individual in the private sector, the US Department of Justice said.
- The DoJ indictment alleges the NSA employee, Mark Unkenholz, shared “classified information relating to national defense” on 13 occasions between February 2018 and June 2020 with the individual, who was identified only as “RF.”
- According to the DoJ, Unkenholz, who held a TOP SECRET/Sensitive Compartmented Information (SCI) clearance, was aware that the person was not entitled to receive the information and that the information “could be used to the injury of the United States or to the advantage of any foreign information.”
- Because the personal email address is not considered an authorized storage location for classified information, Unkenholz faces 13 counts of willful retention of national defense information on top of the 13 counts of “willful transmission.” Each charge carries a maximum of 10 years in federal prison.
Block confirms Cash app breach affecting 8m users
- Fintech giant Block, formerly known as Square, has confirmed a data breach that affected 8.2 million users, involving a former employee who downloaded reports from Cash App that contained some U.S. customer information.
- Block said the reports the former employee accessed did not feature personally identifiable information such as usernames or passwords, Social Security numbers, dates of birth, payment card information, addresses and bank account details.
- In addition, the fintech company confirmed it is working with law enforcement to conduct a formal investigation and bolstering security processes to protect employees and users, and ensure data protection.
Hotel WiFi across MENA compromised and exposing private data
- A cybersecurity researcher uncovered a faulty system used by hotels in the Middle East that surrendered personal information on millions of guests worldwide.
- The data included that of major hotel chains across the Middle East and North Africa region, including the Kempinski, the Millennium, Sheraton, and St Regis in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, and Kuwait.
- The hotels all use an internet system called HSMX Gateway by British company AirAngel. Its clients are among the largest hotel brands worldwide.
Wellstar releases statement to patients after data breach
- In a statement, Wellstar said there was a data security incident involving access to two Wellstar email accounts by an “unauthorized-party.”
- “Upon learning of this issue, Wellstar promptly disabled access to the impacted email accounts and required mandatory password resets to prevent further access by unauthorized parties. Wellstar immediately commenced a prompt and thorough investigation, working closely with external cybersecurity professionals,” the health system said.
- Wellstar added that Social Security numbers and financial information were not included in the information that may have been accessed during the data breach. The incident does not affect all individuals who have received testing from Wellstar.