United Kingdom
Four Arrested in Connection with UK Scattered Spider Cyberattacks
- UK authorities arrest 4 people in probe of retail cyberattack spree – the arrests mark the first major break in a case linked to the Scattered Spider cybercrime group.
- The suspects, two 19-year-old men, a 17-year-old man and a 20-year-old woman, have been arrested in relation to the investigation into April’s high-profile cyberattack spree against retail giants Harrods, Marks & Spencer and Co-op.
- The suspects face charges under the Computer Misuse Act 1990, specifically unauthorized access to computer systems and data modification. Additional charges include blackmail, money laundering, and participation in organized crime activities.
- Co-op Group’s CEO told BBC News that the hackers copied the company’s list of 6.5 million members. M&S estimates a cost of £300 million in lost profits due to the incident.
Dumfries and Galloway Council Apologises for Data Breach
- Dumfries and Galloway Council has apologised after a data breach saw a number of email addresses disclosed in error.
- It’s believed that the local authority sent the addresses out with a customer survey from its planning department.
- The Council confirmed that the local authority has “taken immediate steps to address the issue and to further strengthen data handling procedures”.
- They declared that they followed the ICO’s recommended assessments of risk to determine the “most appropriate course of action” and apologised to all those affected.
United States
McDonald’s AI Hiring Bot with Password ‘123456’ Leaks Millions of Job-Seekers’ Data
- McDonald’s AI hiring bot exposed 64 million job applicants’ personal data through weak security using password “123456”.
- Researchers accessed the entire system in 30 minutes using simple password guessing and database manipulation.
- The compromised data included names, emails, phone numbers, IP addresses, some home addresses, chat histories, personality test responses, and resume details. No financial data or social security numbers were exposed.
- Both McDonald’s and Paradox.ai acknowledged the severity of the breach, with McDonald’s expressing disappointment in their third-party provider’s security failures.
The Rise of “Neurorights”: How US States Are Regulating Brain Data
- As neurotechnology advances, particularly with consumer devices like headphones and earbuds that measure brain activity, there’s increasing concern about the privacy of brain data.
- States like Colorado, California, and Montana have passed laws to protect “neural data” collected by these devices outside of traditional medical settings. While current devices collect relatively basic information such as sleep states, advocates worry that future technologies, especially with AI integration, could extract highly sensitive personal information.
- These state laws typically require explicit consent for data collection and use, separate consent for sharing data with third parties (or an opt-out option), and the ability for consumers to delete their data.
- While state laws are a significant step, some experts believe federal regulations are also necessary to ensure comprehensive protection of “neurorights.”
Europe
Noyb Accuses TikTok, AliExpress, WeChat of EU Data Privacy Law Violations
- Austrian advocacy group Noyb has filed new data privacy complaints against China’s AliExpress, TikTok, and WeChat.
- Noyb alleges these companies failed to comply with EU laws that require them to provide users with a full and understandable copy of their personal data.
- In particular, TikTok provided partial data in an unstructured and difficult-to-interpret format, and did not disclose recipients or data transfer details. AliExpress provided a broken file accessible only once and did not respond to follow-up requests. Finally, WeChat took six months to provide generic instructions, effectively ignoring the request.
- Noyb is requesting that data protection authorities investigate, compel compliance, and impose fines that could reach up to 4% of the companies’ global revenue. These complaints were filed with data protection authorities in Belgium, Greece, and the Netherlands.
WeTransfer Revises Terms of Service After AI Data Use Concerns
- WeTransfer faced significant backlash on social media due to changes in its terms of service. Users interpreted a clause in the updated terms as allowing WeTransfer to use uploaded files for training AI models.
- The clause mentioned using content to “improve performance of machine learning models that enhance our content moderation process” and the right to “reproduce, distribute, modify,” or “publicly display” files.
- WeTransfer has now confirmed that it does not use files uploaded to its service to train AI models, nor does it sell content or data to any third parties.
- WeTransfer has revised its terms of service again (effective August 8 for existing users) to make the language clearer and avoid confusion.
Denmark Leads Europe in Granting Citizens Copyright Over Their Face, Voice, and Body
- Denmark wants to grant individuals copyright over their own face, voice, and physical likeness to combat AI-generated deepfakes.
- The proposed legislation, supported by most political parties, would amend Denmark’s copyright law to allow individuals to legally own their personal appearance and voice.
- This means individuals could demand the removal of non-consensual deepfakes, synthetic voice clips, or manipulated images using their likeness, and potentially seek financial compensation.
- Tech platforms that fail to remove flagged content could face substantial fines, increasing their responsibility to monitor and respond to AI-generated violations.
International
Mexico’s Biometric ID: A Threat to Privacy?
- Mexico approved changes to laws allowing for a mandatory biometric ID card for all citizens. The law permits the government to collect biometric data, including fingerprints and iris scans.
- Law enforcement agencies, such as the National Intelligence Centre and the National Guard, will have access to databases containing this sensitive personal information. The government states the reforms aim to combat organized crime, drug trafficking, and aid in the search for missing people.
- Digital rights activists and opposition lawmakers are concerned about mass surveillance and a lack of accountability, despite President Claudia Sheinbaum’s assurance that the data will not be used for spying.
- Biometric data will be stored in a “Unique Identity Platform” and linked to other government databases containing information like tax contributions and missing persons data.



