Your web browser could be leaking your personal information all over the web, yet the biggest names in tech are still fighting the need for federal data privacy laws. And if you're an iPhone user, there's a good chance this means bad news for you. Keep reading to learn why.
Goodwill, an American nonprofit best known for its thrift stores, has suffered a data breach that led to the exposure of customer data. In a letter mailed to customers, the organization stated that the breach only impacted customers of shopgoodwill.com and that the compromised PII was limited to full name, email address, phone number, and mailing address, but that no credit card information was exposed. Goodwill has since fixed the vulnerability and has set up an email hotline for those impacted.
Moncler, a luxury fashion brand, has announced that it suffered a ransomware attack during the final week of 2021. Initially calling it a simple IT interruption, the retailer has since changed its tune, confirming in a press release that PII relating to employees, business partners, and customers was leaked on the dark web. Moncler adds that no payment information was compromised and that it is working closely with the Italian Data Protection Authority on recovery efforts. The attack was carried out by ALPHV, a well-known hacking group, which now plans to sell the data of the “rich customers” to other criminal groups.
Entira Family Clinics, a network of medical clinics throughout Minnesota, has notified individuals this week of a data breach at a third-party vendor that compromised the PII of nearly 200,000 Entira patients. In its letter to those impacted, Entira explains that the breach, which occurred on December 7th of last year, was experienced by Netgain Technology, a cloud IT service provider that processes much of Entira’s data. The PII accessed includes Social Security numbers and medical history. Entira has set up a phone and online hotline and is offering complimentary credit monitoring to those impacted.
The Pennsylvania State Senate has advanced a bill this week that would change the rules of data breach reporting. If passed, Senate Bill 696 would require any state agency or contractor that suffers a breach to notify victims within just one week of the breach’s discovery. The bill would also prohibit government agencies from using public funds to pay off ransomware attacks, putting increased pressure on the state to strengthen its overall security infrastructure. Bill 696 will now go to the Pennsylvania House of Representatives for further deliberation.
Apple is fighting hard against the American Innovation and Choice Online Act, a proposed US antitrust bill that is being debated in the Senate this week. In a letter to the Senate Judiciary Committee, the tech giant wrote that federal privacy legislation would stifle its own user privacy initiatives, ultimately leading to even more commercialization of user data. U.S. Senator Amy Klobuchar doesn’t buy the argument, calling the letter a “desperate attempt to preserve [Apple’s] app store monopoly.”
A bug discovered in Apple’s Safari web browser could be leaking your personal information, browsing history, and Google account information. The bug, first discovered by security research group FingerprintJS, is related to IndexedDB, a method by which Safari, and many other web browsers, cache information on your personal device. Normally, this information is supposed to be accessible only by the website that created the data, kind of like how a browser cookie works. But this bug causes Safari to not keep track of which data belongs to which site, so it just ends up giving all of it to any website that requests it. Apple has announced that it is working on a fix, but it might be a good idea to stop using Safari for the time being.