Europe coughs up €400 to punter after breaking its own GDPR data protection rules

Infosec in brief Gravy Analytics, a vendor of location intelligence info for marketers which reached a settlement with US authorities last year over its alleged unlawful sale of location data, has reportedly been hacked – potentially exposing millions of smartphone users.

A trove of Gravy Analytics data reviewed and verified by 404 Media apparently indicates that advertisers are leveraging real-time bidding (RTB) processes to collect user data, which is then sold to brokers like Gravy Analytics and Mobilewalla. Both companies settled with the FTC in December over claims they bought and sold highly sensitive personal information without consent.

Startlingly, it appears this data collection occurs through advertising ecosystems, allowing brokers to gather location data without direct integration into apps and often bypassing user privacy permissions.

Apps mentioned in various dumps of data linked to the breach include dating platforms like Tinder and Grindr, Candy Crush, and fitness apps like MyFitnessPal. Tumblr, Yahoo! Mail, Microsoft’s Office365 mobile apps, Flightradar24, religious apps, period tracking apps, and ad-supported VPN services are also mentioned.

Both Android and iOS apps are included in the lists of affected apps.

EU court finds EU violated GDPR, demands settlement

In what appears to be a first, the EU General Court has fined the European Commission for violating its own GDPR data protection regulations by failing to prevent the transfer of a German citizen’s data to the United States.

Per the Court of Justice of the European Union (CJEU) [PDF], the European Commission’s Conference on the Future of Europe website apparently allowed users to sign in with their Facebook credentials. When the unnamed German individual signed into the Commission’s site using his Facebook credentials, he alleged that his data was sent to the US under the control of both Meta and AWS.

While the CJEU dismissed the claims related to AWS, it found that the data transfer to Meta’s US-based servers breached GDPR rules.

“The General Court finds that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals,” the CJEU said. To resolve the matter, the Commission has been ordered to pay the individual €400 – quite the wrist slap.

Critical vulnerabilities of the week: Time to update Cisco ISE

Cisco last week reported a critical security issue with its Identity Services Engine (ISE) stemming from an upcoming change in Microsoft Windows systems. Starting February 11, 2025, Microsoft will enforce stricter certificate mappings to Active Directory to prevent spoofing attacks.

This change could cause older versions of ISE that don’t support the new certificate requirements to fail during authentication processes. Cisco has released updates that resolve the problem. Time to get patching!
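As an added defender-side readiness check, not code from Cisco or the article, the PowerShell below reports a domain controller's strong-mapping enforcement mode, lists explicit certificate mappings that will stop working under enforcement, and tests whether an exported client certificate (for example one an ISE node presents) carries the SID extension strong mapping relies on. It assumes it runs on a domain controller with the ActiveDirectory module installed; the registry value, extension OID and event IDs are the ones Microsoft documents for this change.

```powershell
# Added example: audit readiness for Microsoft's strong certificate mapping
# enforcement ahead of the February 11, 2025 cutover. Assumes a domain controller
# with the ActiveDirectory module available.

# 1. KDC enforcement mode: 0 = disabled, 1 = compatibility (audit), 2 = full enforcement.
$kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
    -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
$mode = if ($null -eq $kdc) { 'not set' } else { $kdc.StrongCertificateBindingEnforcement }
Write-Host "KDC StrongCertificateBindingEnforcement = $mode"

# 2. Explicit altSecurityIdentities mappings. Only IssuerSerialNumber (<SR>),
#    SubjectKeyIdentifier (<SKI>) and SHA1PublicKey (<SHA1-PUKEY>) count as strong;
#    issuer/subject, subject-only and RFC822 mappings are weak and will be rejected.
function Get-WeakCertMapping {
    Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
        ForEach-Object {
            $acct = $_
            foreach ($map in $acct.altSecurityIdentities) {
                if ($map -notmatch '<SR>|<SKI>|<SHA1-PUKEY>') {
                    [pscustomobject]@{ Account = $acct.DistinguishedName; Mapping = $map }
                }
            }
        }
}

# 3. Does an exported client certificate carry the SID extension (OID 1.3.6.1.4.1.311.25.2)?
#    Certificates issued before the CA added it have no implicit strong mapping.
function Test-SidExtension {
    param([Parameter(Mandatory)][string]$Path)   # DER or Base64 .cer file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }
    [pscustomobject]@{ Subject = $cert.Subject; NotBefore = $cert.NotBefore; HasSidExtension = [bool]$ext }
}

# 4. In compatibility mode the KDC logs the logons that will fail once enforced:
#    Event 39 = no strong mapping, 40 = cert predates the account, 41 = SID mismatch.
function Get-WeakMappingEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 39, 40, 41
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-WeakCertMapping | Format-Table -AutoSize
Get-WeakMappingEvents | Format-Table -AutoSize
# Test-SidExtension -Path 'C:\audit\ise-node.cer'   # hypothetical path to a certificate you exported
```

Run it with the KDC in compatibility mode for a while before the enforcement date; an empty weak-mapping list and no Event 39/40/41 entries means the authenticating systems, ISE included, are already presenting strongly mapped certificates.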

Elsewhere:

  • CVSS 9.3 – CVE-2024-12757: Nedap Librix Ecoreader, a tool used in digital twins, is missing authentication for critical functions, allowing for remote code execution. Nedap Librix did not respond to CISA’s attempts to coordinate a fix, so you’ll need to find another way to mitigate the risk.
  • CVSS 8.2 – multiple CVEs: Security appliance vendor SonicWall has identified multiple vulnerabilities in SonicOS including a bypass hole in its SSL VPN and SSH management interfaces. Patches are available.

Hot new ransomware group may be all bark

A new ransomware group calling itself FunkSec emerged late last year and shot to prominence thanks to claims it had more victims than any other gang, but Check Point security researchers have found evidence the group might be exaggerating its abilities.

According to Check Point, FunkSec’s claim of 85 victims in December, and the data it published from them, appears to be at least partially recycled from earlier hacktivism campaigns. Further, analysis of the gang’s activity suggests they’re using at least some AI assistance to program malware.

“The high number of published victims may mask a more modest reality, both in terms of actual victims as well as the group’s level of expertise,” Check Point said, adding that FunkSec’s primary motivation at this point appears to be building a reputation.

Hackers steal cannabis customers’ data, really ruin buzz

Not cool, man: Los Angeles-based cannabis firm Stiiizy admitted last week that customers at several of its retail locations in the Golden State have had their personal data nicked by cybercriminals. The breach occurred between October 10 and November 10, 2024, when cybercriminals compromised the systems of one of Stiiizy’s point-of-sale (POS) processing vendors.

Stiiizy didn’t identify the vendor of the POS platform, or the “organized cybercrime group” that stole the data, but noted that the incident happened sometime between October and November 2024. According to Stiiizy, the compromised data included personal details from government-issued IDs such as names, addresses, dates of birth, and signature. Retail transaction data also leaked. Not all data types were accessed for every customer.

It was reported in November that the Everest ransomware gang was targeting the cannabis industry, though it’s not clear if that’s the gang behind this buzz-harshing hack.

Stiiizy retail customers at two San Francisco stores and one each in Alameda and Modesto are affected, and the company is offering impacted customers 12 months of free credit monitoring services.

That CrowdStrike recruitment email you got might have been fake

CrowdStrike last week warned it has spotted attackers impersonating its recruiters and sending fake job offer emails that suggest downloading and running a fake CRM application that is actually a downloader for the cryptominer XMRig.

“Those interested in applying for a role at CrowdStrike should navigate to our Careers page to learn about our job openings and begin our official application process,” the security shop said. “To verify the authenticity of CrowdStrike recruitment communications, please reach out to recruiting@crowdstrike.com.” ®