At a glance.

  • LendingTree says leaked data aren’t theirs.
  • One year after the Pegasus Project, the spyware remains at large. 
  • US child privacy legislation updates.

LendingTree says leaked data aren’t theirs.

Researchers discovered 200,000 loan applications allegedly belonging to financial services firm LendingTree for sale on the dark web, but the financial services giant is denying any link to the data. The Record by Recorded Future notes that the company did send out breach notification letters last month, but Megan Greuling, LendingTree’s director of communications, says the notifications are tied to an unrelated “code vulnerability” that exposed the data of some 70,000 customers in February. Referencing the newly found loan applications, Greuling stated, “Our investigation determined that this data leak did not originate at LendingTree. In fact, we obtained the full data set and found there to be no match when compared to our consumer database.” She went on to say that the hacker selling the data might have mislabeled it intentionally to increase its value on the black market.

One year after the Pegasus Project, the spyware remains at large. 

Israeli spyware maker NSO Group is under fire yet again, this time for allegedly withholding information about the surveillance of an employee of human rights advocacy group Human Rights Watch. The nongovernmental organization wrote to NSO in January with evidence that NSO’s controversial Pegasus spyware had been used to target Human Rights Watch’s Middle East and North Africa director Lama Fakih. NSO promised to conduct an investigation, but came up dry. NSO’s vice president for compliance Chaim Gelfand responded that there was no evidence of surveillance from their current customers, and that the issue “has been investigated to the best of our ability based on the information provided to us.” Based on Gelfand’s careful wording, Human Rights Watch feels NSO’s investigation was inadequate, and that perhaps a former client targeted Fakih.

The Guardian notes that this month marks one year since the Pegasus Project revealed the spyware was being used to spy on journalists, activists, political leaders, and lawyers all over the world, but in the intervening year, little change has been seen. Though there have been several official investigations in countries like France, India, Mexico, Poland and Spain, as well as a number of lawsuits (including a high-profile case from tech giant Apple), governments still have access to the spyware and, as Human Rights Watch can attest, activists are still living in fear of surveillance. Amnesty International, which helped to coordinate the Pegasus Project, agrees there is still much to be done. “One year after the Pegasus spyware revelations shocked the world, it is alarming that surveillance companies are still profiting from human rights violations on a global scale,” states Amnesty Tech’s Deputy Director Danna Ingleton.

Indeed, just today AP News reports that at least thirty Thai activists involved in the country’s pro-democracy protests were allegedly targeted from October 2020 to November 2021 by an unnamed government entity. iLaw, a Thai human rights group that was enlisted to help with the investigation, found that two of its own participants were among the targets. iLaw representative Yingcheep Atchanont told The Washington Post, “I was surprised later when I found out that I was infected so many times during late 2020 and early 2021. That time I was just an observer of the protests, my role is just campaigning on the constitutional amendment.”

US child privacy legislation updates.

Cooley’s cyber/data/privacy insights offers an overview of US lawmakers’ efforts to protect the privacy of minors on the web. In his State of the Union address in March, President Joe Biden urged legislators to “strengthen privacy protections, ban targeted advertising to children, [and] demand tech companies stop collecting personal data on our children.” And in May, the Federal Trade Commission released a policy statement emphasizing its commitment to child privacy, warning the FTC would begin to prioritize the enforcement of the Children’s Online Privacy and Protection Act of 1998 (COPPA), the preeminent US law protecting children’s privacy. Also in May, the California Assembly passed the California Age-Appropriate Design Code Act, which will require companies to “consider the best interest of children,” and “maintain the highest level of privacy possible for children by default” when designing products and services. On the federal level, the House of Representatives has introduced the Preventing Real Online Threats Endangering Children Today Act which, among other things, would amend COPPA to increase the age of “child” to 16 and extend COPPA to mobile app operators.