In this edition of Privacy Insider, I wanted to draw attention to one of our stories in particular — the recent cyberattacks launched against Cloudflare and Twilio.
In both cases, the attackers contacted employees and their family members on their work and home phone numbers, sending text messages disguised as company communications. The messages persuaded employees to log in to a fake site, claiming that their account info or schedule had changed. Once the employees logged in, the site would download and install remote desktop software and harvest their login credentials.
Both Twilio and Cloudflare employees fell for the phishing attack, but Cloudflare managed to avoid having the attackers gain access to their systems. That’s because Cloudflare security requires employees to use physical hardware keys to log into their systems — which some undoubtedly thought was a little paranoid until now.
These attacks are particularly noteworthy considering the security-conscious nature of both companies. Twilio provides communication and authentication solutions, while security lies at the heart of all of Cloudflare’s products and services. If they’re vulnerable to cyberattacks, then what company isn’t?
That’s just it — nobody is impervious to cyberattacks. Companies can and should invest in their cybersecurity, but so long as they’re staffed by imperfect, fallible human beings, hackers will always be able to socially engineer their way into internal systems. The best we can do is reduce the odds of their success (such as by requiring the use of physical hardware keys and other security measures) and mitigate the damage they can do once inside (such as by employing healthy data privacy practices).
Breaches are a common way for businesses' poor data privacy practices to come to light. Just keep your eye on this newsletter — you’ll see plenty of headlines where companies get hit by penalties after exposing customer data to cybercriminals.
Cloudflare and Twilio targeted by similar phishing attacks
Twilio, which provides two-factor authentication and communication services, was recently targeted by a phishing attack in which hackers acquired employees’ credentials and gained access to sensitive internal systems, according to a statement released by the company. Two days later, Cloudflare, a content delivery network and DDoS mitigation company, was attacked in a similar manner, leading security experts to believe the same group was behind the attacks. Cloudflare ultimately avoided a compromise due to their use of hardware-based multi-factor authentication keys.
Amazon acquires iRobot, gaining access to maps of consumers’ home interiors
Amazon and iRobot recently released a joint statement declaring Amazon’s acquisition of iRobot for $1.7 billion. Should the deal go through, Amazon will gain access to interior maps of consumers’ homes gathered by iRobot’s Roomba product. The acquisition will complement other Amazon products centered on gathering household data and the internet of things, such as Ring.
Adtech giant Criteo faces $65M fine in France for GDPR consent breaches
Criteo, a major French adtech company, has been fined €60 million (~$65 million) by French data protection authorities. After receiving complaints from Privacy International and noyb (also known as none of your business, Max Schrems’ privacy advocacy group), the Commission nationale de l'informatique et des libertés (CNIL) found that Criteo lacked sufficient legal bases for using a suite of tracking techniques and data processing practices designed to profile web users.
Facebook catches lucky break in Europe
After Irish data protection authorities released a draft decision that would block Meta’s data transfers from the EU to the US, the social media company indicated that such a block might force them to shut down Facebook and Instagram in Europe. However, other European data protection authorities have issued technical objections against the draft order, which are anticipated to take several months to resolve.
Data privacy (non)compliance: How enforcement works
Ever wanted to know more about how businesses become noncompliant in the first place? Our most recent blog article breaks down what noncompliance looks like and how data privacy enforcement works.
Interested in working at Osano? Check out our Careers page! We might have the perfect opportunity for you.