SecureMac, Inc.

Checklist 280: A Checklist of Shame

May 26, 2022

The GM data breach; are e-learning platforms spying on our kids; Apple boosts user privacy with new “easy delete” rule.

Checklist 280: A Checklist of Shame

On this week’s Checklist:

  • Data breach at a Big Three car company
  • EdTech and student privacy
  • Apple’s new “easy delete” rule

The GM data breach of 2022

The Register reports that car manufacturer General Motors recently suffered a serious data breach:

[GM] has confirmed the credential stuffing attack it suffered [in April of 2022] exposed customers’ names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts.

Credential stuffing happens when bad actors obtain login credentials, typically username and password pairs. They then try them out against different accounts to see if they can gain access.

It’s not clear who initially lost access to the credentials used in the GM breach, or when it happened. But somewhere along the line, someone leaked something they shouldn’t have. Unfortunately, many people reuse credentials across different sites. That means a breach at one website often leads to a breach at another one. This may be what happened in the GM attack. 

Could the GM data breach have been prevented?

GM, for its part, did a lot of things well in the aftermath of the incident. The company disclosed the breach in a timely fashion. They reached out to the authorities. They took steps to mitigate the damage and tried to educate users on how to stay safe going forward. 

But the company could have done better. In fact, they may even have been able to prevent the breach in the first place. How? By requiring two-factor authentication (2FA) for all user accounts.

When 2FA is enabled, a bad actor with your credentials still can’t get into your account. Even though they have your password, they don’t have that crucial second authentication factor required for entry. 

In fairness to GM, the company’s customers probably share a lot of the blame here. If you’re using strong, unique passwords on all accounts, the likelihood of falling victim to a credential stuffing attack is low.

The GM data breach is yet another reason to review password best practices (covered on Checklist 277) and enable 2FA on your accounts if you haven’t done so already!

Remote learning apps and student privacy

An Engadget piece reports that many “remote learning apps collected and sold kids’ data” during the COVID-19 pandemic. The article goes on to say:

…governments across the world exposed young people to the threat of their personal data being collected and sold without their consent. In a report published on Wednesday, Human Rights Watch (HRW) found that many of the apps and services governments either directly procured or recommended for remote learning as recently as 2021 were actively harvesting the data of children or were otherwise engaged in monitoring their activities.

So what kind of data are we talking about? The HRW report says the data included things like physical location, drawing habits on virtual whiteboards, other sites and apps visited online, mobile contact lists and details about personal contacts, and more. 

That’s a lot of monitoring without consent. And unfortunately, HRW says that e-learning platforms often shared or sold the student data to third-party advertising companies. 

The report shines a light on the ongoing problem of student privacy in an age of digital learning. To find out more about the issues—and about how to stay safe—check out Electronic Frontier Foundation’s Surveillance Self-Defense guide to digital privacy for students.   

Easy come, easy go

Starting in July, Apple will require developers to make it just as easy to delete an account as it is to create one.

According to the company’s new policy, if an app lets users create a new account or sign up for a service, that app must allow users to delete their account through the same interface. 

And by delete, we really do mean delete—none of this “temporary pause” stuff that some social media companies like to pull. As The Next Web reports:

…app makers can’t allow just a temporary deactivation option. The company said they need to “delete the entire account record, along with associated personal data.”

That’s good news for user privacy—and for the user experience generally. Will other app platforms follow Apple’s lead? Too soon to say…but this is definitely a step in the right direction. 

Want to ask us a question about security or digital privacy? Send us an email! We may answer your question on a future edition of The Checklist.

Join our mailing list for the latest security news and deals