Data Breaches & Privacy Incidents, Pt. 3

Part 01 of six

Data Breaches, Privacy Incidents, Pt. 1

Law enforcement agencies responded to the data breach Amazon suffered before Black Friday in 2018 and the Alexa privacy incident that Amazon had in 2019. Their response can be found in the attached spreadsheet.

The research team scoured news articles about the privacy incidents and data breaches in the spreadsheet for any statements made by law enforcement agencies. In cases where this was unsuccessful, the websites and databases of federal, state, and local law enforcement agencies like the Federal Trade Commission, the Department of Justice, and the Federal Bureau of Investigation were examined. For incidents that occurred in Europe or affected people in this region, resources provided by the ICO and GDPR were scanned.

RESEARCH HIGHLIGHTS

  • In July 2019, The Guardian reported that Apple hired contractors to go through snippets of recordings of Siri queries, most of which were confidential. In less than a month, Apple responded by suspending its contractor program globally.
  • The company revealed that it will "review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake." It also announced a software update that will let Siri users decide whether they would like to participate in the grading process.
  • There were no statements made by the FTC, SEC, ICO, FBI, or any other law enforcement agency about this privacy incident.
  • After its data breach, Canon immediately alerted the parties affected - GE employees and beneficiaries. Canon also offered financial assistance to everyone affected at GE. As a result, law enforcement agencies did not release any statement about it.
Part 02 of six

Data Breaches, Privacy Incidents, Pt. 2

All information found regarding law enforcement actions or statements for the selected data breaches or privacy incidents has been provided in the project spreadsheet.
  • In regard to the DJI app scandal, law enforcement agencies such as the National Counterintelligence and Security Centre and the Cybersecurity and Infrastructure Security Agency warned that the research illustrates a broader issue of the risks of using software developed by other countries.
  • In regard to the September 2020 Facebook data breach, the Senate Intelligence Committee Chair called for a "full investigation" into the breach, and used the incident to illustrate why Congress should take action to regulate large digital firms. Facebook stated that they are working with the FBI, but no official comments by FBI officials were found.
  • No law enforcement agency was found to have been involved in the May 2020 Facebook privacy glitch after reading multiple media accounts of the glitch and looking specifically for FBI, DOJ, and FTC comments on Facebook for that time frame.
  • No law enforcement agency was found to have been involved in the April 2019 Facebook data leak on the Amazon Cloud after reading multiple media accounts of the glitch and looking specifically for FBI, DOJ, and FTC comments on Facebook for that time frame.
  • No statement from law enforcement was found regarding the November 2019 theft of Facebook hardware containing employee personal information. However, it was reported by Facebook that they were "working with" law enforcement.
  • In regard to the Facebook and Cambridge Analytica scandal that took place in March 2018, the FBI, the SEC, the Federal Trade Commission, and the Department of Justice all investigated the scandal. According to the Washington Post, the FBI and DOJ did not comment on the investigation. The FTC confirmed it was investigating the incident in 2018, and then in 2019 the FTC issued a massive fine against Facebook for intentionally deceiving users into leaving their sharing settings open so that Facebook could share user data with third-party apps. The SEC also fined Facebook for misleading investors about the risks associated with the company misusing user data. Lastly, the European Information Commissioner's Office (ICO) also issued a fine to Facebook over the scandal, stating that the company did not comply with the Data Protection Act.
Part 03 of six

Data Breaches, Privacy Incidents, Pt. 3

There were no reactions found from law enforcement authorities on the reported data breaches for Fitbit and Fossil. Some Fitbit representatives denied that the February 2020 security breach happened. With regard to the Garmin ransomware attack, a blanket statement from the FBI was found that discourages ransomware targets from paying ransoms to the cybercriminals. The rest of the available law enforcement reactions or statements surrounding the data breaches or privacy incidents were entered in the shared spreadsheet, rows 26 - 28, 33 - 34, and 36, under columns H, I, J, K, and L.
  • Based on a statement from a Fitbit representative, the reported stolen email and password incidents in February 2020 did not happen. The last Fitbit security incident happened in 2016.
  • As for Fossil, there were no responses found from any law enforcement authority on the data breach incident that happened in June 2019 on its website. The incident impacted 5 users.
  • For the Facebook privacy incidents, there were mentions of the various court cases and fines that several law enforcement authorities and federal agencies have imposed on the company. The $5 billion Federal Trade Commission settlement agreement made in 2019 also required Facebook to continue to clean up its data handling practices.
  • As for the ransomware attack on Garmin, a statement from the FBI was mentioned where the agency is discouraging cyber victims from paying ransoms to cybercriminals.

Research Strategy

To determine the law enforcement’s reaction to the data breaches and privacy incidents, we looked through the given companies' websites, reports, press releases, and other similar sources. We also searched media publications such as Forbes and Business Insider, technology-oriented sources such as Wired and Tech Crunch, and other similar sources. Based on this search approach, we were able to find some indirect statements or accounts of law enforcement authorities' reactions to the data breaches and privacy incidents. However, direct statements from these law enforcement bodies that were specific to these data breaches were extremely limited.
We then checked the websites of the law enforcement agencies (FBI, FTC, SEC, ICO, and others) and some government bodies such as the U.S. Congress to determine if there were direct statements made that were specific to the indicated data breaches and privacy incidents of the given companies. However, most of the statements found were for the bigger cybersecurity incidents of these companies that happened in the past. Law enforcement reactions or statements for the latest incidents listed in the spreadsheet were indirectly referenced from earlier statements or reactions that encompass all future data or privacy infractions of the companies.
We also searched for interview excerpts, studies, and surveys that tackle data breaches and privacy incidents to determine if we can find statements or reactions from law enforcement representatives or officers that specifically tackle the latest cybersecurity incidents of the given companies. However, what we found were mostly general statements on the bigger data breaches or privacy concerns of these companies. There were very limited mentions of the latest incidents that were indicated in the spreadsheet.
Given these search outcomes, we have compiled the relevant findings and helpful information on the insights found with regard to the reactions of law enforcement bodies on the cybersecurity incidents in these companies.
Part 04 of six

Data Breaches, Privacy Incidents, Pt. 4

Much of the requested information regarding the reaction from law enforcement agencies to the specified data breaches and incidents has been entered into rows 37 through 41 and row 45, columns I through K and column H of the attached spreadsheet. Please note that many of the data breaches and incidents did not receive aggressive responses from law enforcement or merely resulted in class action lawsuits.

Summary of Findings

  • The attorney general of North Carolina, Josh Stein, sent a letter to the chief executive officer (CEO) of Google, Sundar Pichai, and demanded a detailed response concerning safety and security at Google following the revelation that outside app developers obtained private data from Google+ users.
  • In this particular letter from the attorney general, he demanded that the company present details on the types of data that were exposed, the volume of individuals residing in his state that were affected, how the breach occurred, how the company intends to investigate the breach, any specific law enforcement investigations that were launched at the time, privacy assessments conducted by Google, among other demands.
  • In the year 2020, the attorney general of Arizona, Mark Brnovich, filed a lawsuit against Google, following a probe into the company's tracking of consumer's locations. This lawsuit from the attorney general stated, "Though Google claims to have obtained consent to collect and store its users’ data, that consent is based on a misleading user interface, as well as other unfair and deceptive acts and practices."
  • In December 2018, two Chinese nationals were charged by the U.S. Department of Justice for the hacking campaign that targeted dozens of tech corporations and managed services providers in the country such as Hewlett Packard and IBM. The department released the names of the nationals, accusing Zhang Shilong and Zhu Hua of serving as hackers in the campaign.
  • The incident involving the data of 52.5 million Google+ users (row 38), along with the software glitch that allowed outside app developers to access private data of Google+ users, led to a class action lawsuit that resulted in a $7.5 million settlement.
  • In July 2019, a class action lawsuit was filed against Google in the Northern District of California over the infringement of privacy rights through the Google Assistant product (row 41). The suit alleged that the actions violated the Consumers Legal Remedies Act, the Unfair Competition Law, and the California Invasion of Privacy Act.

Research Strategy

Though we were able to find responses from law enforcement at the federal, state, or local level to the events listed in rows 37, 40, and 45 of the attached spreadsheet, we were unable to find any reactions for those in rows 38, 39, and 41. Our research commenced by searching reports and articles published by prominent news and media sources. These sources included the Washington Post, the New York Times, CNBC, Reuters, Business Insider, Forbes, and the Wall Street Journal, among many others. While all of those outlets discussed the data breaches and privacy incidents, most of the reporting did not offer insight into responses from law enforcement.

Next, we searched for reports and press releases from major government law enforcement agencies to see if they issued statements surrounding the events in rows 38, 39, and 41 of the spreadsheet. These agencies included the Federal Trade Commission (FTC), the U.S. Department of Justice, and the Securities and Exchange Commission (SEC), among others. This research strategy did not yield the results we were seeking, as none of the agencies offered useful statements on the matter.

We also conducted a general search to find responses or actions from state attorneys general and district attorneys. We came across reporting from organizations such as CreativeFuture, which provided a timeline of recent scandals involving Google, CSO Online, which offered information on fines, penalties, and settlements from data breaches, and the law firm Gibson Dunn, which addressed some developments regarding data privacy and cybersecurity. This research path did not produce any meaningful results. Again, we were unable to identify any responses or actions related to the cases listed in rows 38, 39, and 41 of the spreadsheet.

During our research, we found that some of the incidents have, so far, not elicited a significant response from law enforcement at the federal, state, or local levels and only resulted in class action lawsuits.
Part 05 of six

Data Breaches, Privacy Incidents, Pt. 5

The requested information regarding law enforcement actions or statements for the selected data breaches or privacy incidents can be found in the attached spreadsheet.

RESEARCH HIGHLIGHTS

  • After the webmail data breach, Microsoft sent out an email to compromised accounts. The company also mentioned that the incident only affected a few Outlook users. It appears law enforcement agencies were not involved as there were no statements or press releases about it. This could be due to Microsoft's quick response.
  • According to Microsoft, although internal customer service and support records were exposed, personally identifiable information on most customers was not exposed. There was also no malicious use of these records. This could be why there were no public statements by local or federal law enforcement agencies.
  • The Dutch Ministry of Security audited and flagged some Microsoft products. They found that "Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook" without informing people. They expressed concerns that Microsoft could send this data back to its US servers. The Dutch ministry later gave Microsoft a deadline to address the privacy concerns it had raised.
  • In response to reports of third party contractors listening to Skype calls, Microsoft revealed that its Privacy Policy includes warnings that it reviews audio of translated calls to enhance its services. The company also indicated that it takes steps to protect user privacy when it sends audio data to contractors, such as de-identifying data, "requiring non-disclosure agreements with vendors and their employees, and requiring that vendors meet the high privacy standards set out in European law and elsewhere." There are no statements by federal or state law enforcement agencies about this. This could be because Microsoft already disclosed this practice in its privacy policy.

RESEARCH STRATEGY

In order to find law enforcement statements on the data breaches and privacy incidents Microsoft and Nintendo had, reports on these incidents were thoroughly reviewed. When this was an unfruitful attempt, the websites and databases provided by federal and local law enforcement agencies like the Federal Trade Commission, the Department of Justice, and the Federal Bureau of Investigation were examined. For incidents that occurred in Europe or affected people in this region, resources provided by the ICO and GDPR were scanned. In a few cases, such as that of contractors listening to Skype calls, no statements by law enforcement agencies could be found because the company already disclosed this information in its Privacy Policy.
Part 06 of six

Data Breaches, Privacy Incidents, Pt. 6

The various law enforcement reactions to the data breaches and privacy incidents for Razer, Samsung, Sennheiser, Sonos, Wyze, and Xiaomi have been provided in rows 78, 80, 82, 84, 93, and 94, columns H, I, J, and K of the attached spreadsheet. Of these companies, only the data breach incidents for Razer and Samsung prompted a reaction from government law enforcement agencies.

Summary of the Findings

  • Following a cloud misconfiguration that exposed 100,000 Razer customers to phishing and fraud, a spokesperson for Singapore’s Personal Data Protection Commission (PDPC) disclosed that the commission was aware of the data breach and had resumed investigations. This was published on 16 September 2020.
  • A technical error by Samsung led to the exposure of 150 users' data to other users in the UK. In response, the UK's data watchdog, the Information Commissioner's Office (ICO), said that "it had yet to receive a data breach report from Samsung, and that people had the right to expect that organizations would handle their personal information securely and responsibly. Where that doesn’t happen, people can come to the ICO to initiate investigations."
  • Research through relevant law enforcement agencies such as the U.S. Government Accountability Office (U.S. GAO) and the ICO has shown that the data breach incidents at the other companies, including Sennheiser, Sonos, Wyze, and Xiaomi, are yet to spark any reaction. Hence, we've entered N/A for these cells.
Sources