Johnson & Johnson Reports Data Breach Potentially Linked to Massive Cencora Breach
Johnson & Johnson Data Breach Notice
On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: name of individual, address, medical information, and date of birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.
Link to Cencora Data Breach
The Johnson & Johnson data breach bears several similarities to the breaches reported by other large pharmaceutical companies that were affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division helps pharmaceutical companies run patient support programs, which try to ensure that costly medication is available to disadvantaged patients regardless of their ability to pay. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:
- AbbVie: 54,344 Texans affected
- Acadia Pharmaceuticals: 753 Texans affected
- Bayer: 8,822 Texans affected
- Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
- Dendreon: 2,923 Texans affected
- Endo: no numbers provided
- Genentech: 5,805 Texans affected
- GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
- Incyte Corporation: 2,592 Texans affected
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
- Novartis Pharmaceuticals: 12,134 Texans affected
- Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
- Regeneron Pharmaceuticals: 91,514 Texans affected
- Sumitomo Pharma America, Inc.: 24,102 Texans affected
- Tolmar: 1 New Hampshire resident
“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”
The Lash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as responsible for the attack, and the potential impact of the breach is still being assessed.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Data leak site BreachForums is back, boasting Live Nation/Ticketmaster user data. But is it a trap?
Notorious data leak site BreachForums appears to be back online after it was seized by law enforcement a few weeks ago.
At least one of BreachForums' domains and its dark web site are live again. However, questions have been raised over whether this is a genuine attempt to revive the forum once again or a lure set up by law enforcement to entrap more data dealers and cybercriminals.
The administrator of the new forum posts under the handle ShinyHunters, which is a name associated with the AT&T breach and others, and believed to be the main administrator of the previous BreachForums.
Yesterday, ShinyHunters posted a new dataset for sale that allegedly stems from Live Nation/Ticketmaster.
“Live Nation / Ticketmaster
Data includes
560 million customer full details (name, address, email, phone)
Ticket sales, event information, order details
CC detail – customer last 4 of card, expiration date
Customer fraud details
Much more
Price is $500k USD. One time sale.”
But, an avatar and a handle are easily copied, and there are a few things that raised our spidey-senses that something is up.
First, the data set was offered for sale on another dark web forum by a user going by SpidermanData with the exact same text.
Second, this data set seems way too big for its nature. Live Nation and Ticketmaster are big enough to be considered a monopolist, but 560 million users seems like a stretch.
After looking at the shared evidence, security researcher CyberKnow tweeted:
“While there is some new data in the shared evidence there is also old customer information, making it possible that this is a series of data jammed together.”
Third, a new feature is that visitors need to register before they can see any content. Why would the administrators change that?
And, last but not least, would the FBI let the cybercriminals regain control over the domains that easily? That would be quite embarrassing.
So, we dare conclude that this dataset’s goal is to generate some attention and act as a lure to let old forum users know that BreachForums is alive and kicking. But who is running the show, is the question that we hope to answer soon.
Stay tuned for updates on this developing story.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA), such as codes sent by SMS or generated by an authenticator app, can be phished just as easily as a password, because the code can simply be relayed by the attacker. 2FA that relies on a FIDO2 device can’t be phished, because the credential is bound to the website's origin and a look-alike site cannot use it.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
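The origin-binding behind the FIDO2 advice above, as an added example that is not code from the original post. It models a relying party at the assumed origin https://bank.example, a credential, a legitimate login, an adversary-in-the-middle phishing page at an assumed look-alike origin, and, for contrast, an OTP code being relayed. The signature is HMAC-SHA256 over a per-credential secret, a stand-in for the ECDSA or EdDSA signature a real authenticator produces; the bytes that get signed and the checks the server performs follow the WebAuthn assertion flow.

```python
"""Origin binding: why a FIDO2/WebAuthn second factor survives a phishing page.

Added example, not code from the original post. HMAC with a per-credential
secret stands in for the authenticator's asymmetric signature.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"  # assumed relying-party origin (constructed)
RP_ID = "bank.example"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Authenticator:
    """One FIDO2 credential: a private key (here an HMAC secret) and a signature counter."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.counter = 0

    def get_assertion(self, page_origin: str, rp_id: str, challenge: bytes):
        # The browser, not the page, writes the calling page's origin into
        # clientDataJSON, so a phishing page cannot claim to be the bank.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
            separators=(",", ":"),
        ).encode()
        self.counter += 1
        flags = b"\x05"  # user present (UP) + user verified (UV)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.secret, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


class RelyingParty:
    """Server-side assertion verification for one registered credential."""

    def __init__(self, origin: str, rp_id: str, cred_secret: bytes):
        self.origin, self.rp_id = origin, rp_id
        self.cred_secret = cred_secret  # the credential's public key in real WebAuthn
        self.counter = 0

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != b64url(challenge):
            return False, "challenge mismatch"
        if cd.get("origin") != self.origin:  # the check a phishing kit cannot pass
            return False, f"origin mismatch: {cd.get('origin')!r}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user-presence flag not set"
        expected = hmac.new(self.cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= self.counter:
            return False, "signature counter did not increase (replay or cloned authenticator)"
        self.counter = counter
        return True, "ok"


def legitimate_login(auth: Authenticator, rp: RelyingParty):
    challenge = rp.new_challenge()
    return rp.verify(challenge, *auth.get_assertion(RP_ORIGIN, RP_ID, challenge))


def phished_login(auth: Authenticator, rp: RelyingParty, phishing_origin="https://bank-example.verify-login.example"):
    # Adversary-in-the-middle kit: fetches a real challenge from the bank, serves the
    # login page on its own (assumed) origin and forwards whatever the victim returns.
    # A real browser would refuse to use a bank.example credential from this origin at
    # all; even if it did not, the origin inside the signed clientDataJSON gives it away.
    challenge = rp.new_challenge()
    client_data, auth_data, sig = auth.get_assertion(phishing_origin, RP_ID, challenge)
    return rp.verify(challenge, client_data, auth_data, sig)


def otp_code(secret: bytes, step: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 truncation) for a given time step."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"


def phished_otp_login(shared_secret: bytes, step: int) -> bool:
    # Contrast: an OTP carries nothing about where it was typed, so the kit just
    # forwards the six digits the victim entered on the phishing page and the bank accepts.
    typed_on_phishing_page = otp_code(shared_secret, step)
    return typed_on_phishing_page == otp_code(shared_secret, step)
```

Running `legitimate_login` and then `phished_login` against the same `RelyingParty` shows the phished assertion is cryptographically valid yet rejected on the origin check alone, while `phished_otp_login` returns True for any shared secret: the relayed code is indistinguishable from one typed on the real site.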
Hacker Claims Ticketmaster Data Breach: 560M User Details and Card Info at Risk
Ticketmaster Data Breach: The Worst Time to Have a Cybersecurity Incident
SpidermanData claims to have access to a staggering 560 million records brimming with personally identifiable information (PII) of customers, including sensitive payment card details. This breach could not have come at a worse time for Ticketmaster, coinciding with the onset of several major music festivals scheduled between May 2024 and January 2025. Among these highly anticipated events is the FOREIGNER tour, featuring the legendary rock act led by Mick Jones and Kelly Hansen, which begins on June 11, 2024, in the United States and concludes on November 9, 2024. Following suit is the iconic band HEART, set to perform across the United States from July to November 2024, culminating in an international concert in Calgary, AB, Canada. Meanwhile, Allison Russell and Hozier are primed to perform from May to August 2024. Adding to this list, artists like Ian Munsick, Prateek Kuhad, and Kathleen Hanna will also tour across North America between 2024 and 2025. However, the jubilant atmosphere surrounding these events is now overshadowed by the threat of one of the biggest data breaches to date, threatening millions of users globally.
The purportedly compromised data, amounting to a staggering 1.3 terabytes, has been divided into 15 parts, with the hacker offering samples from two segments. One dataset, extracted from a 'PATRON' database, contains a plethora of personal information, including names, addresses, emails, and phone numbers. The other dataset includes information about customer sales, encompassing details like event IDs and payment methods.
The Aftermath and Industry Implications
SpidermanData has listed the entire dataset for sale, quoting a hefty price tag of USD 500,000 and restricting the sale to a single buyer. The gravity of this situation cannot be overstated, with the compromised data posing significant risks of identity theft, financial fraud, and other criminal activities, as already seen in previous data breaches like the MOVEit file transfer incident. Live Nation Entertainment, the parent company of Ticketmaster, is a global juggernaut in the live entertainment domain, organizing and promoting thousands of shows annually across more than 40 countries. Ticketmaster's pivotal role in facilitating ticket sales for musical and non-musical events underlines its significance within the industry, making it a prime target for cybercriminals seeking to exploit vulnerabilities for personal gain. The current Ticketmaster data breach is not the first time the organization has faced a cyberattack. In November 2020, the company received a £1.25 million fine from the Information Commissioner's Office (ICO) following a payment data breach in 2018. That breach, stemming from a vulnerability in a third-party chatbot, compromised the personal and payment details of over nine million customers in Europe, triggering widespread fraud and financial losses. Whether the current data breach represents a resurgence of previously compromised data or freshly stolen data, the origin of the databases remains unclear. Nevertheless, The Cyber Express will be closely monitoring the situation and will update this post once more information on the Ticketmaster data leak, or any official confirmation from the organization, becomes available.
What is Cloud Penetration Testing? – Source: securityboulevard.com
Source: securityboulevard.com – Author: Riddika Grover The digital era is constantly evolving, and businesses are rapidly migrating towards cloud-based solutions to leverage the agility, scalability, and cost-effectiveness they offer. However, this transition also introduces new security challenges. As more sensitive data and applications reside in the cloud, ensuring their security becomes paramount. This is where […]
The entry What is Cloud Penetration Testing? – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
The post What is Cloud Penetration Testing? appeared first on Kratikal Blogs.
The post What is Cloud Penetration Testing? appeared first on Security Boulevard.
Anthropic’s Generative AI Research Reveals More About How LLMs Affect Security and Bias – Source: www.techrepublic.com
Source: www.techrepublic.com – Author: Megan Crouse Because large language models operate using neuron-like structures that may link many different concepts and modalities together, it can be difficult for AI developers to adjust their models to change the models’ behavior. If you don’t know what neurons connect what concepts, you won’t know which neurons to change. […]
The entry Anthropic’s Generative AI Research Reveals More About How LLMs Affect Security and Bias – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Hiring Kit: GDPR Data Protection Compliance Officer – Source: www.techrepublic.com
Source: www.techrepublic.com – Author: The European Union’s General Data Protection Regulation requires every business enterprise and public authority that collects personal data from EU customers and clients to protect that data from unauthorized access. Finding ideal candidates for the GDPR data protection compliance officer position will require thorough vetting, and potential candidates may be difficult […]
The entry Hiring Kit: GDPR Data Protection Compliance Officer – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Apple API Allows Wi-Fi AP Location Tracking
Privacy FAIL: Apple location service returns far more data than it should, to people who have no business knowing it, without your permission.
The post Apple API Allows Wi-Fi AP Location Tracking appeared first on Security Boulevard.
University of Siena Cyberattack: LockBit Claims Responsibility, Sets Deadline
University of Siena Data Breach and Ransom Demand
According to the new LockBit 3.0 leak site, the group has allegedly exfiltrated 514 GB of sensitive data from the university's systems. Screenshots of the stolen data were shared on both the leak site and the group's Telegram channel. The stolen data reportedly includes:
Financial documents, including:
- Budgets detailing expenses by month from 2020 to 2024.
- Board-approved documents regarding project and tender financing from 2022 to 2026, including funding amounts.
- Documents related to extraordinary construction works, contractor appointments, and a €1.7 million budget allocation.
Confidential information, including:
- Non-disclosure agreements for the upcoming WineCraft 2024 event.
- Tender design contracts for 2023, including contract budgets.
- Contractor's investment plan for 2022, encompassing expenses, rents, and the overall financial plan.
Screenshot source: LockBit leak site
Screenshot source: LockBit Telegram
With a looming ransom deadline set for May 28, the university is racing against time to deal with the consequences of the attack. Earlier, on May 10, the University of Siena acknowledged the cyberattack on its website, informing the public about the suspension of several of its services due to a 'massive cyber attack by an international group of hackers.'
University's Response and Restoration Efforts
The website acknowledged that several of its services, including its website for international admissions, ticketing services, and payment management platforms, had been affected and were taken down as a preventative measure. The notice assured users that payments made prior to the attack had been registered despite a temporary disconnect between the website's payment confirmation and application processing.
Screenshot source: www.apply.unisi.it
However, the notice also stated that the volume of assistance requests received from international candidates following the incident had overwhelmed its staff, and advised students to refrain from sending multiple inquiries, promising to respond as soon as possible. The notice provided separate advice to candidates who had already paid university fees but had not submitted applications and to candidates who had submitted admission applications but had not yet paid their application fees. The site stated in bold that students in either category should avoid unnecessary contact with staff, while apologizing for the inconvenience caused. The attack on the University of Siena is one of the largest claimed by the LockBit group since the coordinated law enforcement takedown that disrupted its activities. The incident underscores the group's persistent efforts to remain active despite these operational challenges, and its continued ability to cause major disruption to victims.
Slack users horrified to discover messages used for AI training
After launching Slack AI in February, Slack appears to be digging its heels in, defending its vague policy that by default sucks up customers' data—including messages, content, and files—to train Slack's global AI models.
According to Slack engineer Aaron Maurer, Slack has explained in a blog that the Salesforce-owned chat service does not train its large language models (LLMs) on customer data. But Slack's policy may need updating "to explain more carefully how these privacy principles play with Slack AI," Maurer wrote on Threads, partly because the policy "was originally written about the search/recommendation work we've been doing for years prior to Slack AI."
Maurer was responding to a Threads post from engineer and writer Gergely Orosz, who called for companies to opt out of data sharing until the policy is clarified, not by a blog, but in the actual policy language.
SEC Updates 24-Year-Old Rule to Scale Customers’ Financial Data Protection
The Debate on SEC's Tight Guidelines
The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, compelling timely disclosure of “material” cybersecurity incidents to the SEC. Public companies in the U.S. now have four business days, counted from the determination that an incident is material, to disclose cybersecurity breaches that could impact their financial standing. The SEC’s interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of the law. Several prominent companies, including Hewlett Packard and Frontier, have already submitted the requisite filings under these regulations, highlighting the increasing scrutiny on cybersecurity disclosures. The SEC’s incident reporting rule has, however, received pushback from close quarters, including Congressman Andrew Garbarino, Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee. In November, Garbarino introduced a joint resolution with Senator Thom Tillis to disapprove the SEC’s new rules. “This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino said at the time.
Senator Tillis added that the SEC was doing its “best to hurt market participants by overregulating firms into oblivion.” Businesses and industry leaders across the spectrum have expressed intense opposition to the new rules, but the White House has signaled its commitment to upholding the regulatory framework.
Mental Health Apps are Likely Collecting and Sharing Your Data
May is mental health awareness month! In pursuing help or advice for mental health struggles (beyond just this month, of course), users may download and use mental health apps. Mental health apps are convenient and may be cost effective for many people.
However, while these apps may provide mental health resources and benefits, they may be harvesting considerable amounts of information and sharing health-related data with third parties for advertising and tracking purposes.
Disclaimer: This post is not meant to serve as legal or medical advice. This post is for informational purposes only. If you are experiencing an emergency, please contact emergency services in your jurisdiction.
Understanding HIPAA
Many people have misconceptions about the Health Insurance Portability and Accountability Act (HIPAA) and disclosure/privacy.
According to the US Department of Health and Human Services (HHS), HIPAA is a "federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge." There is a HIPAA Privacy Rule and a HIPAA Security Rule.
The Centers for Disease Control and Prevention (CDC) states the Privacy Rule standards "address the use and disclosure of individuals' health information by entities subject to the Privacy Rule." It's important to understand that the Privacy Rule covers only the entities subject to it.
Covered entities include healthcare providers, health plans, and health care clearinghouses, together with their business associates (such as billing specialists or data analysts). Many mental health apps aren't classified as any of these; and although a few are subject to HIPAA, some of those have been documented as not actually being compliant with HIPAA rules.
What does this mean? Many mental health apps are not considered covered entities and are therefore "exempt" (for lack of better word) from HIPAA. As such, these apps appear to operate in a legal "gray area," but that doesn't mean their data practices are ethical or even follow proper basic information security principles for safeguarding data...
Even apps that collect PHI protected by HIPAA may still share or use the information they hold that doesn't fall under HIPAA protections.
Mental health apps collect a wealth of personal information
Naturally, data collected by apps falling under the "mental health" umbrella varies widely (as do the apps that fall under this umbrella.)
However, most have users create accounts and fill out some version of an "intake" questionnaire prior to using/enrolling in services. These questionnaires vary by service, but may collect information such as:
- name
- address
- phone number
- employer information
Account creation generally and at minimum requires user email and a password, which is indeed routine.
It's important to note your email address can serve as a particularly unique identifier - especially if you use the same email address everywhere else in your digital life. If you use the same email address everywhere, it's easier to track and connect your accounts and activities across the web and your digital life.
Account creation may also request alternative contact information, such as a phone number, or supplemental personal information such as your legal name. These can and often do serve as additional data points and identifiers.
It's also important to note that on the backend (usually in a database), your account may be assigned identifiers as well. In some cases, your account may also be assigned external identifiers - especially if information is shared with third parties.
Intake questionnaires can collect particularly sensitive information, such as (but not necessarily limited to):
- past mental health experiences
- age (potentially exact date of birth)
- gender identity information
- sexual orientation information
- other demographic information
- health insurance information (if relevant)
- relationship status
(Image: question from the BetterHelp intake questionnaire, as reproduced in the FTC complaint against BetterHelp)
These points of sensitive information are rather intimate and can easily be used to identify users - and could be disasters if disclosed in a data breach or to third party platforms.
These unique and rather intimate data points can be used to exploit users in highly targeted marketing and advertising campaigns - or perhaps even used to facilitate scams and malware via advertising tools third parties who may receive such information provide to advertisers.
Note: If providing health insurance information, many services require an image of the card. Images can contain EXIF data that could expose a user's location and device information if not scrubbed prior to upload.
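One way to apply the note above before an image leaves the device, as an added example that is not code from the original post: a standard-library JPEG segment parser that reports whether the Exif block carries a GPS IFD pointer and strips the Exif container while leaving the picture bytes untouched. It assumes JPEG input (PNG, HEIC and WebP store metadata in different containers and need their own handling); the sample image is constructed inline so the code runs offline.

```python
"""Strip Exif metadata (GPS position, device model, timestamps) from a JPEG before upload.

Added example, not code from the original post. Standard library only; the
sample image is constructed inline so the code runs offline.
"""
import struct

APP1, SOS = 0xE1, 0xDA
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field
GPS_IFD_POINTER = 0x8825  # Exif tag that points at the GPS IFD


def iter_segments(data: bytes):
    """Yield (marker, offset, payload) for each segment up to and including SOS.

    Everything after SOS is entropy-coded scan data and is left unparsed.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, b""
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts its own 2 bytes
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            return


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every APP1 segment (Exif, and XMP if present) removed.

    All other segments and the scan data are copied byte for byte, so the
    picture is unchanged; only the metadata container goes.
    """
    out = bytearray(b"\xff\xd8")
    end = 2
    for marker, offset, payload in iter_segments(data):
        seg_len = 2 if marker in STANDALONE else 4 + len(payload)
        if marker != APP1:
            out += data[offset:offset + seg_len]
        end = offset + seg_len
        if marker == SOS:
            break
    out += data[end:]  # scan data through EOI, untouched
    return bytes(out)


def exif_has_gps(data: bytes) -> bool:
    """True if an Exif APP1 segment's IFD0 carries the GPS IFD pointer tag."""
    for marker, _, payload in iter_segments(data):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            continue
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_POINTER:
                return True
    return False


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, JFIF APP0, Exif APP1 whose IFD0 has a GPS pointer, SOS, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    tiff = b"II*\x00" + struct.pack("<I", 8)                 # little-endian TIFF header, IFD0 at 8
    tiff += struct.pack("<H", 1)                               # one IFD0 entry...
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)    # ...GPSInfoIFDPointer (LONG, offset 26)
    tiff += struct.pack("<I", 0)                               # no next IFD
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2)               # SOS with an empty header (stand-in)
            + b"\x12\x34\x56"                                  # stand-in for entropy-coded scan data
            + b"\xff\xd9")


SAMPLE_JPEG = build_sample_jpeg()
```

`exif_has_gps(SAMPLE_JPEG)` is True and `exif_has_gps(strip_exif(SAMPLE_JPEG))` is False; the stripped file is exactly the 36-byte APP1 segment shorter. Note what this does not cover: an ICC profile in APP2 and any JPEG comment (COM) segment are kept, and a photo's content itself (a street sign, a card number) is not metadata and survives stripping.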
Information collection extends past user disclosure
Far more often than not, information collected by mental health apps extends past information a user may disclose in processes such as account creation or completing intake forms - these apps often harvest device information, frequently sending it off the device and to their own servers.
For example, here is a screenshot of the BetterHelp app's listing on the Apple App Store in MAY 2024:
The screenshot indicates BetterHelp uses your location and app usage data to "track you across apps and websites owned by other companies." We can infer from this statement that BetterHelp shares your location information and how you use the app with third parties, likely for targeted advertising and tracking purposes.
The screenshot also indicates your contact information, location information, usage data, and other identifiers are linked to your identity.
Note: Apple Privacy Labels in the App Store are self-reported by the developers of the app.
This is all reinforced in their updated privacy policy (25 APR 2024), where BetterHelp indicates they use external and internal identifiers, collect app and platform errors, and collect usage data of the app and platform:
In February 2020, an investigation revealed BetterHelp also harvested the metadata of messages exchanged between clients and therapists, sharing it with platforms like Facebook for advertising purposes. This was despite BetterHelp "encrypting communications between client and therapist": they may have encrypted the actual message contents, but it appears information such as when a message was sent, who the recipient was, and location information was available to the servers, and was actively used and shared.
While this may not seem like a big deal at first glance - primarily because BetterHelp is not directly accessing/reading message contents - users should be aware that message metadata can give away a lot of information.
Cerebral, a mental health app that does fall under the HIPAA rules, also collects device-related data and location data, associating them with your identity:
According to this screenshot, Cerebral shares/uses app usage data with third parties, likely for marketing and advertising purposes. Specifically, they...
The post Mental Health Apps are Likely Collecting and Sharing Your Data appeared first on Security Boulevard.
Banco Santander Confirms Data Breach, Assures Customers’ Transactions Remain Secure
Customer and Employee Data Compromised in Santander Data Breach
The bank reported that upon becoming aware of the data breach, it had immediately implemented measures to contain the incident, such as blocking access to its database from the compromised source and establishing additional fraud prevention mechanisms to protect impacted customers and other affected parties. After conducting an investigation, the bank determined that the leaked information stemmed from a third-party database and consisted of details of customers from Santander Chile, Spain and Uruguay, along with some data on current and former Santander employees. Customer data from Santander markets and businesses operating in other regions was not affected.
Screenshot source: santander.com
The bank apologized for the incident and acknowledged the concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that the database contained no transactional data and no transaction-facilitating credentials such as banking details or passwords. The statement reported that neither the bank's operations nor its systems were affected, and that customers could continue to transact securely. Along with the official statement, the bank has provided additional advice on its site for dealing with the data breach:
- Santander will never ask you for codes, OTPs or passwords.
- Always verify information you receive and contact us through official bank channels.
- If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
- Never access your online banking via links from suspicious emails or unsolicited emails.
- Never ignore security notifications or alerts from Santander related to your accounts.
Financial and Banking Sector Hit By Data Breaches
Increased cyber threats, including third-party database exposures like the Santander data breach, pose serious concerns for stability within the financial and banking sectors. The International Monetary Fund noted in a blog post last month that such incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the ECB had stated that it would conduct a cyber resilience stress test on at least 109 of its directly supervised banks in 2024. The initiatives come amid broader concern about the security of European banks: last year, data from Deutsche Bank AG, Commerzbank AG and ING Groep NV were compromised after the CL0P ransomware group exploited a security vulnerability in the MOVEit file transfer tool. The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on, and assess, how well the banks would be able to cope with, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described as including the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that the test results would then be used to help supervisors identify weaknesses to be discussed in dialogue with the banks.
UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security
The Biden Administration is moving toward cybersecurity standards for hospitals, but the AHA is pushing back, saying voluntary models are enough.
The post UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security appeared first on Security Boulevard.
Why car location tracking needs an overhaul
Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.
No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.
Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.
There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.
But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.
It’s time car companies do something about it.
In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.
But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).
As reporter Kashmir Hill wrote of the impasse:
“Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”
This was far from an isolated incident.
In 2023, Reuters reported that a San Francisco woman had sued her husband in 2020 over allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.
Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.
When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:
“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”
Tesla was eventually removed from the lawsuit.
In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.
A better path
Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.
A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.
So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.
In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.
“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”
Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.
Instead, we believe that the companies that have the power to do something should act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.
Fortunately, an option may already exist.
When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.
According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.
Though Reuters reported that Rivian had not heard of its technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”
We agree.
Elon Musk’s X can’t invent its own copyright law, judge says
US District Judge William Alsup has dismissed Elon Musk's X Corp lawsuit against Bright Data, a data-scraping company accused of improperly accessing X (formerly Twitter) systems and violating both X's terms and state laws when scraping and selling data.
X sued Bright Data to stop the company from scraping and selling X data to academic institutes and businesses, including Fortune 500 companies.
According to Alsup, X failed to state a claim while arguing that companies like Bright Data should have to pay X to access public data posted by X users.
Big Three carriers pay $10M to settle claims of false “unlimited” advertising
T-Mobile, Verizon, and AT&T will pay a combined $10.2 million in a settlement with US states that alleged the carriers falsely advertised wireless plans as "unlimited" and phones as "free." The deal was announced yesterday by New York Attorney General Letitia James.
"A multistate investigation found that the companies made false claims in advertisements in New York and across the nation, including misrepresentations about 'unlimited' data plans that were in fact limited and had reduced quality and speed after a certain limit was reached by the user," the announcement said.
T-Mobile and Verizon agreed to pay $4.1 million each while AT&T agreed to pay a little over $2 million. The settlement includes AT&T subsidiary Cricket Wireless and Verizon subsidiary TracFone.
Massive Online Shopping Scam Racks Up 850,000 Victims
Chinese crooks are running a global network of more than 75,000 fake online shops to steal credit card data and process fraudulent payments.
The post Massive Online Shopping Scam Racks Up 850,000 Victims appeared first on Security Boulevard.
Hacker Duo Allegedly Strikes HSBC, Barclays in Cyberattacks
Hacker Duo Claims Barclays and HSBC Bank Data Breach
Barclays Bank PLC and The Hong Kong and Shanghai Banking Corporation Limited (HSBC) are the primary organizations reportedly affected by this breach. With operations spanning the United Kingdom, the United States, and regions including Europe and North America, the threat actor threatens the banks' systems and probably targets customer data; however, there has been no evidence of such data being leaked.

[Image] Source: Dark Web

In a post on BreachForums, one of the threat actors, IntelBroker, shared details of the Barclays and HSBC Bank data breach, offering the compromised data for download. The post, dated May 8, 2024, outlined the nature of the breach and the types of data compromised, including database files, certificate files, source code, and more. The post also provided a sample of the leaked data, revealing a mixture of CSV data representing financial transactions across different systems or entities.

Describing the stolen data, IntelBroker stated that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".
A Closer Look at the Sample Data
A closer look at the sample data reveals three distinct datasets, each containing transaction records with detailed information about financial activities. These records range from transaction IDs and timestamps to descriptions and the account numbers involved. The datasets provide a comprehensive view of various transactions, offering valuable insights for financial analysis and tracking.

The Cyber Express has reached out to both banks to learn more about these alleged data breaches. HSBC Bank has denied the allegations, stating, "We are aware of these reports and confirm HSBC has not experienced a cybersecurity incident and no HSBC data has been compromised.” However, at the time of writing, no official statement or response has been shared by Barclays, leaving the claims of a data breach at Barclays unverified.

Moreover, the two hackers in question, IntelBroker and Sanggiero, have claimed similar attacks in the past, targeting various global organizations. In an exclusive interview with The Cyber Express, one of the hackers, IntelBroker, shed light on their hacking activities and the motivations behind their operations. IntelBroker had also praised Sanggiero of BreachForums, saying that “his exceptional intellect and understated contributions to the field are deserving of far greater recognition and respect.”

User Behavior Analytics: Why False Positives are NOT the Problem
The axiom “garbage in, garbage out” has been around since the early days of computer science and remains apropos today to the data associated with user behavior analytics and insider risk management (IRM). During a recent Conversations from the Inside (CFTI) episode, Mohan Koo, DTEX President and Co-Founder, spoke about how organizations are often quick … Continued
The post User Behavior Analytics: Why False Positives are NOT the Problem appeared first on DTEX Systems Inc.
The post User Behavior Analytics: Why False Positives are NOT the Problem appeared first on Security Boulevard.