RESEARCH HIGHLIGHTS

• In July 2019, The Guardian reported that Apple hired contractors to go through snippets of recordings of Siri queries, most of which were confidential. In less than a month, Apple responded by suspending its contractor program globally.
• The company revealed that it will "review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake." It also announced a software update that will let Siri users decide whether they would like to participate in the grading process.
• There were no statements made by the FTC, SEC, ICO, FBI, or any other law enforcement agency about this privacy incident.
• After its data breach, Canon immediately alerted the parties affected - GE employees and beneficiaries. Canon also offered financial assistance to everyone affected at GE. As a result, law enforcement agencies did not get release any statement about it.

• In regard to the DJI app scandal, law enforcement agencies such as the National Counterintelligence and Security Centre and the Cybersecurity and Infrastructure Security Agency warned that the research illustrates a broader issue of the risks of using software developed by other countries.
• In regard to the September 2020 Facebook data breach, the Senate Intelligence Committee Chair called for a "full investigation" into the breach, and used the incident to illustrate why Congress should take action to regulate large digital firms. Facebook stated that they are working with the FBI, but no official comments by FBI officials were found.
• No law enforcement agency was found to have been involved in the May 2020 Facebook privacy glitch after reading multiple media accounts of the glitch and looking specifically for FBI, DOJ, and FTC comments on Facebook for that time frame.
• No law enforcement agency was found to have been involved in the April 2019 Facebook data leak on the Amazon Cloud after reading multiple media accounts of the glitch and looking specifically for FBI, DOJ, and FTC comments on Facebook for that time frame.
• No statement from law enforcement was found regarding the November 2019 theft of Facebook hardware containing employee personal information. However, it was reported by Facebook that they were "working with" law enforcement.
• In regard to the Facebook and Cambridge Analytica scandal that took place in March 2018, the FBI, the SEC, the Federal Trade Commission and the Department of Justice all investigated the scandal. According to the Washington Post, the FBI and DOJ did not comment on the investigation. The FTC confirmed it was investigating the incident in 2018, and then in 2019, the FTC issued a massive fine against Facebook due to Facebook intentionally deceiving users into leaving their sharing settings open, so that Facebook could share user data with third-party apps. The SEC also fined Facebook for misleading investors about the risks associated with the company misusing user data. Lastly, the European Information Commissioner’s Office (ICO) also issued a fine to Facebook over the scandal, stating that the company did not comply with the Data Protections Act.

• Based on a statement from a Fitbit representative, the reported stolen email and password incidents last February 2020 did not happen. The last Fitbit security incident happened in 2016.
• As for Fossil, there were no responses found from any law enforcement authority on the data breach incident that happened in June 2019 on its website. The incident impacted 5 users.
• For the Facebook privacy incidents, there were mentions of the various court cases and fines that several law enforcement authorities and federal agencies have imposed on the company. The $5 billion Federal Trade Commission settlement agreement made in 2019 also required Facebook to continue to clean up its data handling practices.
• As for the ransomware attack on Garmin, a statement from the FBI was mentioned where the agency is discouraging cyber victims from paying ransoms to cybercriminals.

Research Strategy

Summary of Findings

• The attorney general of North Carolina, Josh Stein, sent a letter to the chief executive officer (CEO) of Google, Sundar Pichai, and demanded a detailed response concerning safety and security at Google following the revelation that outside app developers obtained private data from Google+ users.
• In this particular letter from the attorney general, he demanded that the company present details on the types of data that were exposed, the volume of individuals residing in his state that were affected, how the breach occurred, how the company intends to investigate the breach, any specific law enforcement investigations that were launched at the time, privacy assessments conducted by Google, among other demands.
• In the year 2020, the attorney general of Arizona, Mark Brnovich, filed a lawsuit against Google, following a probe into the company's tracking of consumer's locations. This lawsuit from the attorney general stated, "Though Google claims to have obtained consent to collect and store its users’ data, that consent is based on a misleading user interface, as well as other unfair and deceptive acts and practices."
• In December 2018, two Chinese nationals were charged by the U.S. Department of Justice for the hacking campaign that targeted dozens of tech corporations and managed services providers in the country such as Hewlett Packard and IBM. The department released the names of the nationals, accusing Zhang Shilong and Zhu Hua of serving as hackers in the campaign.
• The incident involving the data of 52.5 million Google+ users (row 38), along with the software glitch that allowed outside app developers to access private data of Google+ users, led to a class action lawsuit that resulted in a $7.5 million settlement.
• In July 2019, a class action lawsuit was filed against Google in the Northern District of California over the infringement of privacy rights through the Google Assistant product (row 41). The suit alleged that the actions violated the Consumers Legal Remedies Act, the Unfair Competition Law, and the California Invasion of Privacy Act.

Research Strategy:

RESEARCH HIGHLIGHTS

• After the webmail data breach, Microsoft sent out an email to compromised accounts. The company also mentioned that the incident only affected a few Outlook users. It appears law enforcement agencies were not involved as there were no statements or press releases about it. This could be due to Microsoft's quick response.
• According to Microsoft, although internal customer service and support records were exposed, personally identifiable information on most customers was not exposed. There was also no malicious use of these records. This could be why there were no public statements by local or federal law enforcement agencies.
• The Dutch Ministry of Security audited and flagged some Microsoft products. They found that "Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook" without informing people. They expressed concerns that Microsoft could send this data back to its US servers. The Dutch justice later gave Microsoft a deadline to address the privacy concerns they expressed.
• In response to reports of third party contractors listening to Skype calls, Microsoft revealed that its Privacy Policy includes warnings that it reviews audio of translated calls to enhance its services. The company also indicated that it takes steps to protect user privacy when it sends audio data to contractors, such as de-identifying data, "requiring non-disclosure agreements with vendors and their employees, and requiring that vendors meet the high privacy standards set out in European law and elsewhere." There are no statements by federal or state law enforcement agencies about this. This could be because Microsoft already disclosed this practice in its privacy policy.

RESEARCH STRATEGY

Summary of the Findings

• Following a cloud misconfiguration that exposed 100,000 Razer customers to phishing and fraud, a spokesperson for Singapore’s Personal Data Protection Commission (PDPC) disclosed that the commission was aware of the data breach and had resumed investigations. This was published on 16 September 2020.
• A technical error by Samsung led to the exposure of 150 users data to other users in the UK. In response, the UK's data watchdog, the Information Commissioner's Office (ICO), said that "it had yet to receive a data breach report from Samsung, and that people had the right to expect that organizations would handle their personal information securely and responsibly. Where that doesn’t happen, people can come to the ICO to initiate investigations."
• Research through relevant law agencies such as the U.S. Government Accountability Office (U.S. GAO) and the ICO has shown that the data breach incidents in other companies including Sennheiser , Sonos , Wyze , and Xiaomi are yet to spark any reaction. Hence, we've entered N/A for these cells.