FTC secures first databroker settlement banning sale of sensitive location data – Source: go.theregister.com

Infosec in brief The US Federal Trade Commission has secured its first data broker settlement agreement, prohibiting X-Mode Social from sharing or selling sensitive location data.

In its complaint, the FTC accused X-Mode, which sold its assets to successor firm Outlogic in 2021, of selling raw non-anonymized location data collected through its own apps and an SDK for embedding in third-party applications.

The X-Mode SDK has been found in hundreds of apps downloaded billions of times on both Apple and Android devices.

“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” chair Lina Khan said of the settlement.

According to the FTC complaint [PDF], X-Mode/Outlogic has for years collected and sold data associated with mobile advertising IDs, which can easily be matched to an individual mobile device to figure out what locations an individual has visited.

If that sounds familiar, it’s the same allegations the FTC leveled against data broker Kochava when it filed a complaint against that company in 2022.

According to the FTC’s complaints against Kochava and Outlogic, data collected and sold by the companies could easily be used to link individuals to places of worship, homeless and domestic violence shelters, addiction facilities, reproductive health clinics, and other sensitive locations.

The threat of data misuse by governments and individuals since the overturning of Roe vs Wade has made the collection of this data type an even more pressing issue to address.

Per the settlement [PDF], Outlogic will be required to delete all data it has previously collected, and requires the company to honor opt-out requests. The FTC said the company had not previously asked users for consent to have their location data collected.

Additionally, Outlogic will be required to maintain a list of sensitive locations for which it won’t gather data, and must implement procedures to ensure buyers of its location data can’t associate what they’ve purchased with sensitive locations.

“The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” Khan said.

• Facebook, Instagram now mine web links you visit to fuel targeted ads
• Iranian cyberspies target US defense orgs with a brand new backdoor
• MongoDB warns breach of internal systems exposed customer contact info
• EU lawmakers finalize cyber security rules that panicked open source devs

iOSpionage campaign used Apple’s own ECC against it

Cast your mind back to summer 2023, and you may recall Kaspersky researchers discovered malware they dubbed “TriangleDB” which had infected their own devices. The nasty code was capable of snooping on all sorts of sensitive data, as well as taking recordings from device microphones and cameras.

Kaspersky said in an update to its breakdown of the TriangleDB malware, that it looks like the miscreants behind it were abusing Apple’s own error correction code to gain access to a device’s memory.

According to Kaspersky, TriangleDB made use of an unknown hardware feature in Apple SoCs that was previously believed to be a debugging feature. Armed with knowledge that it’s actually an error correction code (ECC), the researchers say the hardware feature is designed to provide direct memory access to a device’s cache.

This raises additional questions – specifically how those behind TriangleDB managed to find the feature, Kaspersky said. Russian officials previously accused Apple of working with US officials to develop spyware targeting devices in the country.

Breached healthcare firm says it can’t figure out what data hackers took

Texas-based healthcare services provider HMG is the latest medical organization to be hit by a data breach, but one with a twist: The company said it has no idea what data was actually stolen.

In a statement this week, HMG revealed it didn’t manage to identify an August breach affecting 40 of its facilities until November – three months after the digital break-in occurred. Attackers reportedly gained access to a server containing unencrypted files including medical records and other information such as patient names, dates of birth, SSNs, and additional sensitive personal and healthcare data.

“HMG attempted to identify the specific data that was compromised but we have now determined that such identification is not feasible,” the company said. And it doesn’t appear HMG is even sure it’s resolved the issue, saying only that it “believes that the breach has been mitigated.”

HMG encourages those affected to monitor account statements and credit reports, but unlike similar breaches elsewhere, it doesn’t appear the company is springing for complimentary credit monitoring. ®