The European Commission has launched formal proceedings against Meta, alleging failure to properly monitor distribution by "foreign actors" of political misinformation before June's European elections.…
Apple's grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking.…
The FCC on Monday fined four major US telcos almost $200 million for "illegally" selling subscribers' location information to data brokers.…
Google says it stopped 2.28 million Android apps from being published in its official Play Store last year because they violated security rules.…
The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
Updated Canadian pharmacy chain London Drugs closed all of its stores over the weekend until further notice following a "cybersecurity incident."…
The French government has tabled an offer to buy key assets of ailing IT giant Atos after the company late last week almost doubled its estimate of the cash it will need to stay afloat in the near future.…
Smart device manufacturers will have to play by new rules in the UK as of today, with laws coming into force to make it more difficult for cybercriminals to break into hardware such as phones and tablets.…
The UK Competition and Markets Authority (CMA) still has privacy and competition concerns about Google's Privacy Sandbox advertising toolkit, which explains why the ad giant recently again delayed its plan to drop third-party cookies in Chrome until 2025.…
Sponsored Feature As business enters the 2020s, organizations find themselves protecting fast-expanding digital estates using security concepts that are decades old.…
Updated - Infosec in brief They say sunlight is the best disinfectant, and that appears to have been true in the case of Discord data harvesting site Spy.pet – as it was recently and swiftly dismantled after its existence and purpose became known.…
Banks. They screw us on interest rates, they screw us on fees and they screw us on passwords. Remember the old "bank grade security" adage? I took this saying to task almost a decade ago now but it seems that at least as far as password advice goes, they really haven't learned. This week, Commbank is telling people to use a password manager but just not for their bank password, and ANZ bank is forcing people to rotate their passwords once a year because, uh, hackers? Ah well, as I always end up lamenting, it's a great time to be in this industry! 🤣
Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant.…
Private equity investor Thoma Bravo has successfully completed a second acquisition attempt of UK-based cybersecurity company Darktrace in a $5.3 billion deal.…
The UK's contentious Investigatory Powers (Amendment) Bill (IPB) 2024 has officially received the King's nod of approval and will become law.…
Sponsored Post Ever get nostalgic for the good old days of cybersecurity protection? When attacks were for the most part amateurish and infrequent, and perhaps more in the nature of an occasional nuisance rather than a daily existential threat?…
Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three quarters of a billion people at risk according to research from the University of Toronto’s Citizen Lab.…
Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks.…
The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.…