
Regulatory Roundup, Twilio/Cloudflare Social Engineering Attacks: August 2022 Newsletter

August 29, 2022

In the August 2022 edition of our business privacy newsletter, you’ll find our take on:

Regulatory Roundup: Interest Groups Take Competing Sides on ADPPA; FTC Begins Process for Privacy Rule-Making

Over the past month, privacy advocates, think tanks, editorial boards, and state privacy agencies have each voiced support for or opposition to the American Data Privacy and Protection Act (ADPPA), which was delivered to the House in July but has not yet been scheduled for a formal vote.

In other regulatory news, the FTC issued an advance notice of proposed rule-making (ANPR) on commercial surveillance and data privacy and will be holding a forum for public comment on September 8th. Over the past year, the FTC has been pressured repeatedly by Congress and the President to increase its oversight of commercial data collection and use.

Our Take

We disagree with the position currently taken by the EFF and California’s own privacy agency that state preemption should be a key deal-breaker for the ADPPA. The ADPPA provides many consumer rights (like a limited private right of action) and civil rights protections that California does not, and its data minimization requirements go farther than any state law to date. We do think, however, that the likelihood of passage remains slim.

Whether it passes or not, the FTC will remain the most important data privacy regulator in the US, and we will be watching closely how it independently expands its mandate over the coming months. Earlier this year, Consumer Reports provided its own recommendations on how FTC rule-making could be used to impose new data-minimization requirements.

Twilio and Cloudflare Hit by Social Engineering Attacks Using Employee and Family Member Home Phone Numbers

On August 4, API communications provider Twilio and content delivery and security provider Cloudflare were hit with simultaneous targeted social engineering (phishing) attacks that compromised the credentials of 74 employees and ultimately led to the breach of 1,900 Signal user accounts. The messages were timed in such a way that they bypassed automated systems designed to identify and block spoofed company assets.

Our Take

While the breach wasn’t particularly large or technically unique, it provides a concrete example of what we have argued for years: that publicly available employee PII is a real attack vector, and that open-source scraping of PII for use in social engineering is becoming increasingly sophisticated. While dumb, broad-net ‘spam’-like phishing attacks are still common, it is easier than ever to create highly convincing and targeted phishing attacks using improved open-source intelligence tools.

Illuminate Education Breach Leads to Scrutiny of Student Surveillance Practices

A cyberattack earlier this year on Illuminate Education, which provides K–12 school systems with tools for instruction, assessment, and data analytics, compromised the personal information of students across the nation’s largest public school systems. The list of schools exposed in the breach has grown steadily and now encompasses millions of students across dozens of districts.

The event has drawn more attention to the surveillance practices of schools, many of which expanded during the pandemic. A recent New York Times feature story reviewed the range of sensitive data now being tracked and highlighted the lack of oversight over EdTech providers.

Our Take

Educational institutions, both K–12 and universities, have been among the top sectors targeted by cyberattacks in recent years. The mix of lax IT security, an increased scope of data collection practices, limited liability, and growing reliance on third-party cloud service providers makes them both uniquely vulnerable and poorly resourced to address the issue.

DeleteMe in The News

Check out our log of where DeleteMe has been featured in the news this month, including interviews and quotes where we discuss privacy, cybersecurity, our solution, and everything in between.

If you have any suggestions for next month’s edition, please let us know.

DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control their digital identity.

How does DeleteMe privacy protection work?

  1. Employees, executives, and board members complete a quick signup
  2. DeleteMe scans for exposed personal information
  3. Opt-out and removal requests begin
  4. Initial privacy report shared and ongoing reporting initiated
  5. DeleteMe provides continuous privacy protection and service all year
