Hawk Eye, a popular citizen-friendly crime reporting app of Telangana State Police in India, appears to have been hit by a massive data breach, a claim that sources have unofficially confirmed for The Cyber Express. The Hawk Eye app data breach was reportedly masterminded by a threat actor who goes by the name "Adm1nFr1end." The claim that the Hawk Eye app had been hacked emerged May 29 on the data leak site BreachForums. The threat actor claimed that they were revealing the stolen database, which consists of the Personally Identifiable Information (PII) of users, including the names, email addresses, phone numbers, physical addresses, IMEI numbers, and their location coordinates. To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of May 2024, while disclosing that the database includes 130,000 SOS records, 70,000 incident reports, and 20,000 travel detail records (screenshot below).

Login Data Exposes Hawk Eye App Data Breach

The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. While logging into the App, users are required to share their personal details, including name, email ID, mobile number and password for registration. The app currently has a 4.4 rating on the Google Play Store, with more than 500,000 downloads on Android alone. [caption id="attachment_73712" align="alignnone" width="720"] Source: Hawk Eye App on Android[/caption]

Hawk Eye App Data Breach Samples

A few of the samples exposed by the threat actor revealed that one woman had filed a complaint on the Hawk Eye App to share that a man had initially promised to marry her and is now facing threats from him and his family. Alarmingly, the data leak revealed her name, mobile number, location, date, and time of complaint, potentially putting her at risk. In several other cases, citizens had filed complaints of traffic violations, and their data used initially to login to the App, including name, email address, and phone numbers, were revealed in the data breach. What is noteworthy about the above examples is that all these users had filed complaints only in May 2024, which suggests that the data from the Hawk Eye App was hacked this month.

Cops Wary of Hawk Eye App Data Breach

When The Cyber Express downloaded the “Hawk Eye -Telangana Police” app on Android on May 31, the app remained non-functional after the tester entered the primary details. Surprisingly, the app did not appear when the user tried to download it from the Apple Store. Sources in the Telangana Police have confirmed to The Cyber Express that there was a failure to upgrade the app and the process for updating a patch is an ongoing exercise. Police sources in the Telangana IT wing shared that they were working with vendors to install an updated patch. This, the police officials shared, could be a reason for the app details being breached. Additional Director General of Police (Technical Services) VV Srinivasa Rao of the Telangana Police shared that the task of upgrading Hawk Eye has been given to developers and that it should be available for the latest Android versions shortly. DGP Shikha Goel, who is also the director of the Telangana State Cyber Security Bureau, was unavailable for comment. We update this story as we get more information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc.

Johnson & Johnson Data Breach Notice

On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: Name of individual, Address, Medical Information, and Date of Birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.

Link to Cencora Data Breach

The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for them. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:

• AbbVie: 54,344 Texans affected
• Acadia Pharmaceuticals: 753 Texans affected
• Bayer: 8,822 Texans affected
• Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
• Dendreon: 2,923 Texans affected
• Endo: no numbers provided
• Genentech: 5,805 Texans affected
• GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
• Incyte Corporation: 2,592 Texans affected
• Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
• Novartis Pharmaceuticals: 12,134 Texans affected
• Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
• Regeneron Pharmaceuticals: 91,514 Texans affected
• Sumitomo Pharma America, Inc.: 24,102 Texans affected
• Tolmar: 1 New Hampshire resident

Data breach notices have also been filed with California officials too. While the full extent of the damage has yet to be determined, it has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine if the incident had a material impact on its operations. In in a notice on its website, the Leash Group indicated that personal information as well as personal health information had been potentially affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Leash Group said in a statement that no personal data appears to have been exposed because of the incident:

“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”

The Leash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as being responsible for the attack, and the potential impact of the breach is still being assessed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Analyzing my text messages with my ex-boyfriend by Teresa Ibarra

Notorious data leak site BreachForums appears to be back online after it was seized by law enforcement a few weeks ago.

At least one of BreachForums domains and its dark web site are live again. However, questions have been raised over whether it is a genuine attempt to revive the forums once again or set up as a lure by law enforcement to entrap more data dealers and cybercriminals.

The administrator of the new forum posts under the handle ShinyHunters, which is a name associated with the AT&T breach and others, and believed to be the main administrator of the previous BreachForums.

Yesterday, ShinyHunters posted a new dataset for sale that allegedly stems from Live Nation/Ticketmaster.

“Live Nation / Ticketmaster

Data includes

560 million customer full details (name, address, email, phone)

Ticket sales, event information, order details

CC detail – customer last 4 of card, expiration date

Customer fraud details

Much more

Price is $500k USD. One time sale.”

But, an avatar and a handle are easily copied, and there are a few things that raised our spidey-senses that something is up.

First, the data set was offered for sale on another dark web forum by a user going by SpidermanData with the exact same text.

Second, this data set seems way too big for its nature. Live Nation and Ticketmaster are big enough to be considered a monopolist, but 560 million users seems like a stretch.

After looking at the shared evidence, security researcher CyberKnow tweeted:

“While there is some new data in the shared evidence there is also old customer information, making it possibly this is a series of data jammed together.”

Third, a new feature is that visitors need to register before they can see any content. Why would the administrators change that?

And, last but not least, would the FBI let the cybercriminals regain control over the domains that easily? That would be quite embarrassing.

So, we dare conclude that this dataset’s goal is to generate some attention and act as a lure to let old forum users know that BreachForums is alive and kicking. But who is running the show, is the question that we hope to answer soon.

Stay tuned for updates on this developing story.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Our Digital Footprint portal allows you to quickly and easily check if your personal information has been exposed online. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A cybercriminal going by the alias "SpidermanData" has claimed to breach and advertise a massive database purportedly linked to Ticketmaster Entertainment, LLC. The claim of the Ticketmaster data breach, dated May 27, 2024, was posted on the cybercrime forum Exploit and shares threatening information about the organization, including database of “560M Users + Card Details”. The threat actor has also claimed to have access to 1.3TB of stolen data and is currently selling it for $500k. The post, accompanied by sample data, suggests that the data indeed belongs to Ticketmaster Entertainment. However, the American ticket sales and distribution company has yet to share any information about this alleged Ticketmaster data breach.  Additionally, apart from the Ticketmaster data breach, the company is also facing a lawsuit from The Justice Department for anti-competitive practices, limiting venue options, and threatening financial consequences. The lawsuit follows public outcry, including ticketing issues during Taylor Swift's tour. High prices, fueled by post-pandemic demand, have intensified scrutiny. Live Nation denies monopolistic behavior, but the lawsuit contends their dominance drives up prices. The Ticketmaster data breach poses another threat to the organization since databases of this caliber are usually the hot-selling items on the dark web. 

Ticketmaster Data Breach: The Worst Time to Have a Cybersecurity Incident

SpidermanData claims to have access to a staggering 560 million records brimming with personally identifiable information (PII) of customers, including sensitive payment card details. This breach couldn't have come at a worse time for Ticketmaster, coinciding with the onset of several major music festivals scheduled between May 2024 and January 2025.  Among these highly anticipated events is the FOREIGNER concert, featuring legendary rock acts led by Mick Jones and Kelly Hansen. The musical act will begin on June 11, 2024, in the United States and will conclude on November 9, 2024. Following suit is the iconic band HEART, set to perform across the United States from July to November 2024, culminating in an international concert in Calgary, AB, Canada. Meanwhile, Allison Russell and Hozier are primed to perform from May to August 2024. Adding to this list of bands performing this year, artists like Ian Munsick, Prateek Kuhad, and Kathleen Hanna will also go on tours across North America between 2024 and 2025. However, the jubilant atmosphere surrounding these events is now overshadowed by the threat of, one of the biggest data breaches, threatening millions of users globally.  The purportedly compromised data, amounting to a staggering 1.3 terabytes, has been divided into 15 parts, with the hacker offering samples from two segments. One dataset, extracted from a 'PATRON' database, contains a plethora of personal information, including names, addresses, emails, and phone numbers. Meanwhile, the other dataset includes information about customer sales, encompassing crucial details like event IDs and payment methods.

The Aftermath and Industry Implications

SpidermanData has listed the entire dataset for sale, quoting a hefty price tag of USD 500,000, and restricting the sale to a single buyer. The gravity of this situation cannot be overstated, with the compromised data posing significant risks of identity theft, financial fraud, and other criminal activities - something we've already seen in previous data breaches like the MOVEit File Transfer incident.  Live Nation Entertainment, the parent company of Ticketmaster, stands as a global juggernaut in the live entertainment domain, organizing and promoting thousands of shows annually across more than 40 countries. Meanwhile, Ticketmaster's pivotal role in facilitating ticket sales for musical and non-musical events highlights its significance within the industry, making it a prime target for cybercriminals seeking to exploit vulnerabilities for personal gain. The current Ticketmaster data breach is not the first time that the organization has faced a cyberattack. In November 2020, the company faced a hefty £1.25 million fine from the Information Commissioner's Office (ICO) following a payment data breach in 2018. The breach, stemming from a vulnerability in a third-party chatbot, compromised the personal and payment details of over nine million customers in Europe, triggering widespread fraud and financial losses. Whether the current data breach represents a resurgence of previously compromised data or the acquisition of freshly stolen data, the premise origin of the information about the databases remains unclear. Nevertheless, The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the Ticketmaster data leak or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: securityboulevard.com – Author: Riddika Grover The digital era is constantly evolving, and businesses are rapidly migrating towards cloud-based solutions to leverage the agility, scalability, and cost-effectiveness they offer. However, this transition also introduces new security challenges. As more sensitive data and applications reside in the cloud, ensuring their security becomes paramount. This is where […]

La entrada What is Cloud Penetration Testing? – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

The digital era is constantly evolving, and businesses are rapidly migrating towards cloud-based solutions to leverage the agility, scalability, and cost-effectiveness they offer. However, this transition also introduces new security challenges. As more sensitive data and applications reside in the cloud, ensuring their security becomes paramount. This is where Cloud Penetration Testing (Cloud Pentesting) steps […]

The post What is Cloud Penetration Testing? appeared first on Kratikal Blogs.

The post What is Cloud Penetration Testing? appeared first on Security Boulevard.

Source: www.techrepublic.com – Author: Megan Crouse Because large language models operate using neuron-like structures that may link many different concepts and modalities together, it can be difficult for AI developers to adjust their models to change the models’ behavior. If you don’t know what neurons connect what concepts, you won’t know which neurons to change. […]

La entrada Anthropic’s Generative AI Research Reveals More About How LLMs Affect Security and Bias – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.techrepublic.com – Author: The European Union’s General Data Protection Regulation requires every business enterprise and public authority that collects personal data from EU customers and clients to protect that data from unauthorized access. Finding ideal candidates for the GDPR data protection compliance officer position will require thorough vetting, and potential candidates may be difficult […]

La entrada Hiring Kit: GDPR Data Protection Compliance Officer – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Privacy FAIL: Apple location service returns far more data than it should, to people who have no business knowing it, without your permission.

The post Apple API Allows Wi-Fi AP Location Tracking appeared first on Security Boulevard.

The University of Siena, a distinguished Italian academic institution established in 1240, is currently grappling with a significant cybersecurity incident. The LockBit 3.0 ransomware group has claimed responsibility for the attack that has disrupted multiple university services, leading to the temporary suspension of its systems. As one of Europe's oldest universities, Siena offers extensive programs in sciences, medicine, engineering, economics, and social sciences. In response to the crisis, the university has initiated recovery operations with the support of the Italian National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale), although the involvement of LockBit has not yet been officially confirmed.

University of Siena Data Breach and Ransom Demand

According to the new LockBit 3.0 leak site, the group has allegedly exfiltrated 514 GB of sensitive data from the university's systems. Screenshots of the stolen data were shared on both the leak site as well as the group's Telegram channel. The stolen data reportedly includes: Financial Documents including :

• Budgets detailing expenses by month from 2020 to 2024.
• Board-approved documents regarding project and tender financing from 2022 to 2026, including funding amounts.
• Documents related to extraordinary construction works, contractor appointments, and a €1.7 million budget allocation.

Confidential Information including:

• Non-disclosure agreements for the upcoming WineCraft 2024 event.
• Tender design contracts for 2023, including contract budgets.
•  Contractor's investment plan for 2022, encompassing expenses, rents, and the overall financial plan.

[caption id="attachment_69276" align="alignnone" width="803"] Source: LockBit leak site[/caption] [caption id="attachment_69277" align="alignnone" width="323"] Source: LockBit Telegram[/caption] With a looming ransom deadline set for May 28, the university is racing against limited time to deal with the consequences of the digital assault. Earlier on May 10th, the University of Siena acknowledged the cyber attack on its website, informing the public about the suspension of various of its services due to a 'massive cyber attack by an international group of hackers.'

University's Response and Restoration Efforts

The website acknowledged that several of its services including its website for international admissions, ticketing services, and payment management platforms had been affected and were taken down as a preventative measure. The notice assured users that payments made prior to the attack had been registered despite a temporary disconnect between the website's payment confirmation and application processing. [caption id="attachment_69271" align="alignnone" width="2800"] Source: www.apply.unisi.it[/caption] However, the notice also stated that the volume of assistance requests being received from international candidates following the incident was found to be overwhelming to its staff. The notice advised students to refrain from sending multiple inquiries, promising to respond as soon as possible. The notice provided separate advice to both candidates who had already paid university fees but did not submit applications and candidates who submitted admission applications but had not yet paid their application fees. The site stated in bold that students who fall in the above mentioned categories should avoid unnecessary contact with staff, while apologizing for the inconvenience caused by the issue. The attack on the University of Siena is one of the largest attacks claimed by the LockBit group following the recent disruption to its activities after its coordinated takedown by law enforcement groups. The incident underscores the group's persistent efforts to remain active in their efforts despite these operational challenges, while emphasizing their ability to still cause massive disruption to victims. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Read 34 remaining paragraphs | Comments

The SEC is tightening its focus on financial data breach response mechanisms of very specific set of financial institutions, with an update to a 24-year-old rule. The amendments announced on Thursday mandate that broker-dealers, funding portals, investment companies, registered investment advisers and transfer agents develop comprehensive plans for detecting and addressing data breaches involving customers’ financial information. Under the new rules, covered institutions are required to formulate, implement, and uphold written policies and procedures specifically tailored to identifying and mitigating breaches affecting customer data. Additionally, firms must establish protocols for promptly notifying affected customers in the event of a breach, ensuring transparency and facilitating swift remedial actions. “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” According to the amendments, organizations subject to the regulations must notify affected individuals expeditiously with a deadline of no later than 30 days following the discovery of a data breach. The notification must include comprehensive details regarding the incident, the compromised data and actionable steps for affected parties to safeguard their information. While the amendments are set to take effect two months after publication in the Federal Register, larger entities will have an 18-month grace period to achieve compliance, whereas smaller organizations will be granted a two-year window. However, the SEC has not provided explicit criteria for distinguishing between large and small entities, leaving room for further clarification.

The Debate on SEC's Tight Guidelines

The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, compelling timely disclosure of “material“ cybersecurity incidents to the SEC. Public companies in the U.S. now have four days to disclose cybersecurity breaches that could impact their financial standing. SEC’s interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of law. Several prominent companies including Hewlett Packard and Frontier, have already submitted requisite filings under these regulations, highlighting the increasing scrutiny on cybersecurity disclosures. Despite pushback from some quarters, including efforts by Rep. Andrew Garbarino to The SEC’s incident reporting rule has however received pushback from close quarters including Congressman Andrew Garbarino, Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee. Garbarino in November introduced a joint resolution with Senator Thom Tillis to disapprove SEC’s new rules. “This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino said, at the time. Senator Tillis added to it saying the SEC was doing its “best to hurt market participants by overregulating firms into oblivion.” Businesses and industry leaders across the spectrum have expressed intense opposition to the new rules but the White House has signaled its commitment to upholding the regulatory framework. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

May is mental health awareness month! In pursuing help or advice for mental health struggles (beyond just this month, of course), users may download and use mental health apps. Mental health apps are convenient and may be cost effective for many people.

However, while these apps may provide mental health resources and benefits, they may be harvesting considerable amounts of information and sharing health-related data with third parties for advertising and tracking purposes.

Disclaimer: This post is not meant to serve as legal or medical advice. This post is for informational purposes only. If you are experiencing an emergency, please contact emergency services in your jurisdiction.

Understanding HIPAA

Many people have misconceptions about the Health Insurance Portability and Accountability Act (HIPAA) and disclosure/privacy.

According to the US Department of Health and Human Services (HHS), HIPAA is a "federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge." There is a HIPAA Privacy Rule and a HIPAA Security Rule.

The Centers for Disease Control and Prevention (CDC) states the Privacy Rule standards "address the use and disclosure of individuals' health information by entities subject to the Privacy Rule." It's important to understand that the Privacy Rule covers entities subject to it.

Entities include healthcare providers, health plans, health clearing houses, and business associates (such as billing specialists or data analysts). Many mental health apps aren't classified as either; also, though there are a few subject to HIPAA, some have been documented not to actually be compliant with HIPAA rules.

What does this mean? Many mental health apps are not considered covered entities and are therefore "exempt" (for lack of better word) from HIPAA. As such, these apps appear to operate in a legal "gray area," but that doesn't mean their data practices are ethical or even follow proper basic information security principles for safeguarding data...

Even apps that collect PHI information protected by HIPAA may still share/use your information that doesn't fall under HIPAA protections.

Mental health apps collect a wealth of personal information

Naturally, data collected by apps falling under the "mental health" umbrella varies widely (as do the apps that fall under this umbrella.)

However, most have users create accounts and fill out some version of an "intake" questionnaire prior to using/enrolling in services. These questionnaires vary by service, but may collect information such as:

• name
• address
• email
• phone number
• employer information

Account creation generally and at minimum requires user email and a password, which is indeed routine.

It's important to note your email address can serve as a particularly unique identifier - especially if you use the same email address everywhere else in your digital life. If you use the same email address everywhere, it's easier to track and connect your accounts and activities across the web and your digital life.

Account creation may also request alternative contact information, such as a phone number, or supplemental personal information such as your legal name. These can and often do serve as additional data points and identifiers.

It's also important to note that on the backend (usually in a database), your account may be assigned identifiers as well. In some cases, your account may also be assigned external identifiers - especially if information is shared with third parties.

Intake questionnaires can collect particularly sensitive information, such as (but not necessarily limited to):

• past mental health experiences
• age (potentially exact date of birth)
• gender identity information
• sexual orientation information
• other demographic information
• health insurance information (if relevant)
• relationship status

Question from BetterHelp intake questionnaire found in FTC complaint against BetterHelp

These points of sensitive information are rather intimate and can easily be used to identify users - and could be disasters if disclosed in a data breach or to third party platforms.

These unique and rather intimate data points can be used to exploit users in highly targeted marketing and advertising campaigns - or perhaps even used to facilitate scams and malware via advertising tools third parties who may receive such information provide to advertisers.

Note: If providing health insurance information, many services require an image of the card. Images can contain EXIF data that could expose a user's location and device information if not scrubbed prior to upload.

Information collection extends past user disclosure

Far more often than not, information collected by mental health apps extends past information a user may disclose in processes such as account creation or completing intake forms - these apps often harvest device information, frequently sending it off the device and to their own servers.

For example, here is a screenshot of the BetterHelp app's listing on the Apple App Store in MAY 2024:

The screenshot indicates BetterHelp uses your location and app usage data to "track you across apps and websites owned by other companies." We can infer from this statement that BetterHelp shares your location information and how you use the app with third parties, likely for targeted advertising and tracking purposes.

The screenshot also indicates your contact information, location information, usage data, and other identifiers are linked to your identity.

Note: Apple Privacy Labels in the App Store are self-reported by the developers of the app.

This is all reinforced in their updated privacy policy (25 APR 2024), where BetterHelp indicates they use external and internal identifiers, collect app and platform errors, and collect usage data of the app and platform:

In February 2020, an investigation revealed BetterHelp also harvested the metadata of messages exchanged between clients and therapists, sharing them with platforms like Facebook for advertising purposes. This was despite BetterHelp "encrypting communications between client and therapist" - they may have encrypted the actual message contents, but it appears information such as when a message was went, the receiver/recipient, and location information was available to the servers... and actively used/shared.

While this may not seem like a big deal at first glance - primarily because BetterHelp is not directly accessing/reading message contents - users should be aware that message metadata can give away a lot of information.

Cerebral, a mental health app that does fall under the HIPAA rules, also collects device-related data and location data, associating them with your identity:

According to this screenshot, Cerebral shares/uses app usage data with third parties, likely for marketing and advertising purposes. Specifically, they...

The post Mental Health Apps are Likely Collecting and Sharing Your Data appeared first on Security Boulevard.

Santander, one of the largest banks in the eurozone, confirmed that an unauthorized party had gained access to a database containing customer and employee information. The Banco Santander data breach is stated to stem from the database of a third-party provider and limited to the only some of the bank's customers in specific regions where it operated, as well as some of its current and former employees. However, the bank's own operations and systems are reportedly unaffected. Banco Santander is a banking services provider founded on March 21, 1857 and headquartered in Madrid, Spain. The provider operates across Europe, North America, and South America. It's services include global payments services, online bank and digital assets.

Customer and Employee Data Compromised in Santander Data Breach

The bank reported that upon becoming aware of the data breach, it had immediately implemented measures to contain the incident, such as blocking access to its database from the compromised source as well as establishing additional fraud prevention mechanisms to protect impacted customers and affected parties. After conducting an investigation, the bank had determined that the leaked information stemmed from a thid-party database and consisted of details of customers from Santander Chile, Spain and Uruguay regions along with some data on some current and former Santander employees. Despite the third-party database breach, customer data from Santander markets and businesses operating in different regions were not affected. [caption id="attachment_68444" align="alignnone" width="2422"] Source: santander.com[/caption] The bank apologized for the incident and acknowledged concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that no transactional data, nor transaction-facilitating credentials such as banking details and passwords were contained in the database. The statement reported that neither the bank's operations nor systems were affected, and that customers could continue with secure transaction operations. Along with the official statement in response to the data breach, the bank had provided additional advice on its site on dealing with the data breach:

• Santander will never ask you for codes, OTPs or passwords.
• Always verify information your receive and contact us through official bank channels.
• If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
• Never access your online banking via links from suspicious emails or unsolicited emails.
• Never ignore security notifications or alerts from Santander related to your accounts.

Financial and Banking Sector Hit By Data Breaches

Increased cyber threats or third-party database exposure as in the Santander data breach pose serious concerns for stability within the financial and banking. The International Monetary Fund noted in a blog post last months that these incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the body had stated that it would conduct a  resilience stest on at least 109 of its directly supervised banks in 2024. The initiatives come as part of broader concern about the security of European banks. Last year, data from the Deutsche Bank AG, Commerzbank AG and ING Groep NV were compromised after the CL0P ransomware group had exploited a security vulnerability in the MOVEit file transfer tool. The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on and assess how well the banks would able to cope, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described to include the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that these test results would then be used to aid supervisors in identifying weaknesses to be discussed in dialogue with the banks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Biden Administration is moving to cybersecurity standards for hospitals, but the AHA is pushing back, saying voluntary models are enough.

The post UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security appeared first on Security Boulevard.

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.

No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.

Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.

There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.

But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.

It’s time car companies do something about it.  

In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.

But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).

As reporter Kashmir Hill wrote of the impasse:

“Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”

This was far from an isolated incident.

In 2023, Reuters reported that a San Francisco woman sued her husband in 2020 for allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.

Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.

When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:

“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”

Tesla was eventually removed from the lawsuit.

In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.

A better path

Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.

A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.

So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.

In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.

“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”

Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.

Instead, we believe that the companies that have the power to do something act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.

Fortunately, an option may already exist.

When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.

According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.

Though Reuters reported that Rivian had not heard of their company’s technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”

We agree.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Read 22 remaining paragraphs | Comments

Read 10 remaining paragraphs | Comments

Chinese crooks are running a global network of more than 75,000 fake online shops to steal credit card data and process fraudulent payments.

The post Massive Online Shopping Scam Racks Up 850,000 Victims appeared first on Security Boulevard.

Hackers IntelBroker and Sanggiero have claimed a data breach allegedly impacting HSBC Bank and Barclays Bank. The HSBC Bank data breach, along with the breach at Barclays reportedly occurred in April 2024, involving a security incident through a third-party contractor, ultimately leading to the leak of sensitive data.  The compromised data, which was being offered for sale on Breachforums, allegedly includes a wide array of files such as database files, certificate files, source code, SQL files, JSON configuration files, and compiled JAR files. Preliminary analysis suggests that the data may have been sourced from the services provided by Baton Systems Inc., a post-trade processing platform, potentially impacting both HSBC Bank and Barclays Bank. However, Baton Systems has not shared any update on this alleged attack or any connection with the sample data provided by the threat actor.

Hacker Duo Claims Barclays and HSBC Bank Data Breach

Barclays Bank PLC and The Hong Kong and Shanghai Banking Corporation Limited (HSBC) are the primary organizations reportedly affected by this breach. With operations spanning across the United Kingdom, United States, and regions including Europe and North America, the threat actor threatens the banking systems and probably targets customers' data, however, there has been no evidence of such data getting leaked.  [caption id="attachment_67347" align="alignnone" width="2084"] Source: Dark Web[/caption] In a post on Breachforums, one of the threat actors, IntelBroker, shared details of the Barclays and HSBC Bank data breach, offering the compromised data for download. The post, dated May 8, 2024, outlined the nature of the breach and the types of data compromised, including database files, certificate files, source code, and more. The post also provided a sample of the leaked data, revealing a mixture of CSV data representing financial transactions across different systems or entities.

While talking about the stolen data, IntelBroker denoted that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".

A Closer Look at the Sample Data 

A closer look at the sample data reveals three distinct datasets, each containing transaction records with detailed information about financial activities. These records encompass a range of information, from transaction IDs and timestamps to descriptions and account numbers involved. The datasets provide a comprehensive view of various transactions, offering valuable insights for financial analysis and tracking. The Cyber Express has reached out to both the banks to learn more about these alleged data breaches. HSBC Bank has denied these allegations about the breach, stating, "We are aware of these reports and confirm HSBC has not experienced a cybersecurity incident and no HSBC data has been compromised.” However, at the time of writing this, no official statement or response has been shared by Barclays, leaving the claims of the data breach related to Barclays stand unverified. Moreover, the two hackers in question, IntelBroker and Sanggiero, have claimed similar attacks in the past, targeting various global organizations. In an exclusive interview with The Cyber Express, one of the hackers, IntelBroker shed light on their hacking activities and the motivations behind their operations. IntelBroker had also praised Sanggiero from BreachForums for “his exceptional intellect and understated contributions to the field are deserving of far greater recognition and respect.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The axiom “garbage in, garbage out” has been around since the early days of computer science and remains apropos today to the data associated with user behavior analytics and insider risk management (IRM). During a recent Conversations from the Inside (CFTI) episode, Mohan Koo, DTEX President and Co-Founder, spoke about how organizations are often quick … Continued

The post User Behavior Analytics: Why False Positives are NOT the Problem appeared first on DTEX Systems Inc.

The post User Behavior Analytics: Why False Positives are NOT the Problem appeared first on Security Boulevard.

pAmerican communities are being confronted by a lot of new police technology these days, a lot of which involves surveillance or otherwise raises the question: “Are we as a community comfortable with our police deploying this new technology?” A critical question when addressing such concerns is: “Does it even work, and if so, how well?” It’s hard for communities, their political leaders, and their police departments to know what to buy if they don’t know what works and to what degree./p pOne thing I’ve learned from following new law enforcement technology for over 20 years is that there is an awful lot of snake oil out there. When a new capability arrives on the scene—whether it’s a href=https://www.aclu.org/wp-content/uploads/publications/drawing_blank.pdfface recognition/a, a href=https://www.aclu.org/blog/privacy-technology/surveillance-technologies/experts-say-emotion-recognition-lacks-scientific/emotion recognition/a, a href=https://www.aclu.org/wp-content/uploads/publications/061819-robot_surveillance.pdfvideo analytics/a, or “a href=https://www.aclu.org/news/privacy-technology/chicago-police-heat-list-renews-old-fears-aboutbig data/a” pattern analysis—some companies will rush to promote the technology long before it is good enough for deployment, which sometimes a href=https://www.aclu.org/blog/privacy-technology/surveillance-technologies/experts-say-emotion-recognition-lacks-scientific/never happens/a. That may be even more true today in the age of artificial intelligence. “AI” is a term that often amounts to no more than trendy marketing jargon./p div class=mp-md wp-link div class=wp-link__img-wrapper a href=https://www.aclu.org/news/privacy-technology/six-questions-to-ask-before-accepting-a-surveillance-technology target=_blank tabindex=-1 img width=1200 height=628 src=https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7.jpg class=attachment-original size-original alt= decoding=async loading=lazy srcset=https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7.jpg 1200w, https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7-768x402.jpg 768w, https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7-400x209.jpg 400w, https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7-600x314.jpg 600w, https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7-800x419.jpg 800w, https://www.aclu.org/wp-content/uploads/2024/03/a573aa109804db74bfef11f8a6f475e7-1000x523.jpg 1000w sizes=(max-width: 1200px) 100vw, 1200px / /a /div div class=wp-link__title a href=https://www.aclu.org/news/privacy-technology/six-questions-to-ask-before-accepting-a-surveillance-technology target=_blank Six Questions to Ask Before Accepting a Surveillance Technology /a /div div class=wp-link__description a href=https://www.aclu.org/news/privacy-technology/six-questions-to-ask-before-accepting-a-surveillance-technology target=_blank tabindex=-1 p class=is-size-7-mobile is-size-6-tabletCommunity members, policymakers, and political leaders can make better decisions about new technology by asking these questions./p /a /div div class=wp-link__source p-4 px-6-tablet a href=https://www.aclu.org/news/privacy-technology/six-questions-to-ask-before-accepting-a-surveillance-technology target=_blank tabindex=-1 p class=is-size-7Source: American Civil Liberties Union/p /a /div /div pGiven all this, communities and city councils should not adopt new technology that has not been subject to testing and evaluation by an independent, disinterested party. That’s true for all types of technology, but doubly so for technologies that have the potential to change the balance of power between the government and the governed, like surveillance equipment. After all, there’s no reason to get a href=https://www.aclu.org/news/privacy-technology/six-questions-to-ask-before-accepting-a-surveillance-technologywrapped up in big debates/a about privacy, security, and government power if the tech doesn’t even work./p pOne example of a company refusing to allow independent review of its product is the license plate recognition company Flock, which is pushing those surveillance devices into many American communities and tying them into a centralized national network. (We wrote more about this company in a 2022 a href=https://www.aclu.org/publications/fast-growing-company-flock-building-new-ai-driven-mass-surveillance-systemwhite paper/a.) Flock has steadfastly refused to allow the a href=https://www.aclu.org/news/privacy-technology/are-gun-detectors-the-answer-to-mass-shootingsindependent/a security technology reporting and testing outlet a href=https://ipvm.com/IPVM/a to obtain one of its license plate readers for testing, though IPVM has tested all of Flock’s major competitors. That doesn’t stop Flock from a href=https://ipvm.com/reports/flock-lpr-city-sued?code=lfgsdfasd543453boasting/a that “Flock Safety technology is best-in-class, consistently performing above other vendors.” Claims like these are puzzling and laughable when the company doesn’t appear to have enough confidence in its product to let IPVM test it./p div class=mp-md wp-link div class=wp-link__img-wrapper a href=https://www.aclu.org/news/privacy-technology/experts-say-emotion-recognition-lacks-scientific target=_blank tabindex=-1 img width=1160 height=768 src=https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e.jpg class=attachment-original size-original alt= decoding=async loading=lazy srcset=https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e.jpg 1160w, https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e-768x508.jpg 768w, https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e-400x265.jpg 400w, https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e-600x397.jpg 600w, https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e-800x530.jpg 800w, https://www.aclu.org/wp-content/uploads/2024/03/f0cab632e1da8a25e9a54ba8019ef74e-1000x662.jpg 1000w sizes=(max-width: 1160px) 100vw, 1160px / /a /div div class=wp-link__title a href=https://www.aclu.org/news/privacy-technology/experts-say-emotion-recognition-lacks-scientific target=_blank Experts Say 'Emotion Recognition' Lacks Scientific Foundation /a /div div class=wp-link__description a href=https://www.aclu.org/news/privacy-technology/experts-say-emotion-recognition-lacks-scientific target=_blank tabindex=-1 p class=is-size-7-mobile is-size-6-tablet/p /a /div div class=wp-link__source p-4 px-6-tablet a href=https://www.aclu.org/news/privacy-technology/experts-say-emotion-recognition-lacks-scientific target=_blank tabindex=-1 p class=is-size-7Source: American Civil Liberties Union/p /a /div /div pCommunities considering installing Flock cameras should take note. That is especially the case when errors by Flock and other companies’ license plate readers can lead to innocent drivers finding themselves with their a href=https://ipvm.com/reports/flock-lpr-city-sued?code=lfgsdfasd543453hands behind their heads/a, facing jittery police pointing guns at them. Such errors can also expose police departments and cities to lawsuits./p pEven worse is when a company pretends that its product has been subject to independent review when it hasn’t. The metal detector company Evolv, which sells — wait for it — emAI/em metal detectors, submitted its technology to testing by a supposedly independent lab operated by the University of Southern Mississippi, and publicly touted the results of the tests. But a href=https://ipvm.com/reports/bbc-evolvIPVM/a and the a href=https://www.bbc.com/news/technology-63476769BBC/a reported that the lab, the National Center for Spectator Sports Safety and Security (a href=https://ncs4.usm.edu/NCS4/a), had colluded with Evolv to manipulate the report and hide negative findings about the effectiveness of the company’s product. Like Flock, Evolv refuses to allow IPVM to obtain one of its units for testing. (We wrote about Evolv and its product a href=https://www.aclu.org/news/privacy-technology/are-gun-detectors-the-answer-to-mass-shootingshere/a.)/p pOne of the reasons these companies can prevent a tough, independent reviewer such as IPVM from obtaining their equipment is their subscription and/or cloud-based architecture. “Most companies in the industry still operate on the more traditional model of having open systems,” IPVM Government Research Director Conor Healy told me. “But there’s a rise in demand for cloud-based surveillance, where people can store things in cloud, access them on their phone, see the cameras. Cloud-based surveillance by definition involves central control by the company that’s providing the cloud services.” Cloud-based architectures can a href=https://www.aclu.org/news/civil-liberties/major-hack-of-camera-company-offers-four-key-lessons-on-surveillanceworsen the privacy risks/a created by a surveillance system. Another consequence of their centralized control is increasing the ability of a company to control who can carry out an independent review./p pWe’re living in an era where a lot of new technology is emerging, with many companies trying to be the first to put them on the market. As Healy told me, “We see a lot of claims of AI, all the time. At this point, almost every product I see out there that gets launched has some component of AI.” But like other technologies before them, these products often come in highly immature, premature, inaccurate, or outright deceptive forms, relying little more than on the use of “AI” as a buzzword./p pIt’s vital for independent reviewers to contribute to our ongoing local and national conversations about new surveillance and other police technologies. It’s unclear why a company that has faith in its product would attempt to block independent review, which is all the more reason why buyers should know this about those companies./p