Cyber Week in Review: April 3, 2020

Zoom Faces Scrutiny for Privacy and Security Practices

On Monday, the attorney general of New York sent a letter to Zoom, the videoconferencing platform that has exploded in popularity as most individuals and businesses switch to remote work, asking for further information on their security and privacy practices. Last week, evidence emerged that the company sends user data to Facebook, regardless of if a user has a Facebook account. Privacy activist Pat Walshe said that the transfer of user data was “shocking” because Zoom’s privacy policy does not specify that it does this. Zoom’s security record is also checkered. A major flaw discovered last year allowed hackers to remotely hijack webcams, and in the past few weeks, internet trolls have misused a screen sharing feature to hijack meetings. A team at Citizen Lab also found the company was using “non-standard” encryption and some data was passing through China. In response to these developments, Zoom says it takes user privacy and security very seriously and that it is “working around the clock to ensure that hospitals, universities, schools and other businesses across the world can stay connected and operational.”

Microsoft Ends Outside Investment in Facial Recognition Technology 

Last Friday, Microsoft announced that it would withdraw its investment in AnyVision, an Israeli facial recognition startup, ending its outside funding of facial recognition technology ventures. The withdrawal follows an investigation into AnyVision that showed its technology was being used to surveil West Bank residents. In 2018, Microsoft laid out principles about the development and uses of facial recognition technology, which critics claim the company violated by investing in AnyVision. M12, Microsoft’s venture capital fund, said in a statement that it would no longer invest in companies that sell facial recognition technology because auditing them has become too difficult.

Marriott Guest Records Stolen in Massive Data Breach

On Tuesday, Marriott confirmed that the systems of one of its franchisees had been breached, resulting in the theft of 5.2 million guest records. The records include names, addresses, phone numbers, and travel-related information. The hotel chain claims no payment data was accessed in the breach. This is Marriott’s second serious attack in less than three years—in 2018, five million passport numbers and eight million credit card records were stolen from the chain during an alleged state-sponsored Chinese hacking campaign, making it one of the largest data breaches in history. No motive or attribution has been released for the recent breach.

Iranian Hackers Target World Health Organization

On Thursday, Reuters reported that hackers affiliated with the Iranian government had targeted World Health Organization (WHO) employees in a phishing campaign, though the WHO says that attack has thus far been unsuccessful. The exact motive is unclear but the WHO has been highly targeted in the past few weeks, and a source close to U.S. intelligence suggested that the attackers may have been after news of effective treatments, information on other countries’ coronavirus response plans, or even WHO estimates of infection rates. Just last week, DarkHotel—an advanced hacking group possibly associated with the South Korean government—also attempted to hack the WHO.

Ethiopia Restores Internet Access Amid Criticism

This week, the Ethiopian government announced that it would restore internet access to Wollega, an area in the west of the country, after criticism that it was depriving residents of vital information about the coronavirus pandemic. The internet had been shut down since January, when the Ethiopian military expanded its operations against the Oromo Liberation Army, a rebel group. Human Rights Watch has criticized Ethiopia, Bangladesh, India, and Myanmar for their internet shutdowns, arguing that they “directly harm people’s health and lives, and undermine efforts to bring the pandemic under control.”