Enlarge (credit: Tim Robberts | DigitalVision)

After launching Slack AI in February, Slack appears to be digging its heels in, defending its vague policy that by default sucks up customers' data—including messages, content, and files—to train Slack's global AI models.

According to Slack engineer Aaron Maurer, Slack has explained in a blog that the Salesforce-owned chat service does not train its large language models (LLMs) on customer data. But Slack's policy may need updating "to explain more carefully how these privacy principles play with Slack AI," Maurer wrote on Threads, partly because the policy "was originally written about the search/recommendation work we've been doing for years prior to Slack AI."

Maurer was responding to a Threads post from engineer and writer Gergely Orosz, who called for companies to opt out of data sharing until the policy is clarified, not by a blog, but in the actual policy language.

Read 34 remaining paragraphs | Comments

Source: www.techrepublic.com – Author: Cedric Pernet A joint cybersecurity advisory from the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human services and Multi-State Information Sharing and Analysis Center was recently released to provide more information about the Black Basta ransomware. Black Basta affiliates have targeted organizations in the U.S., […]

La entrada Black Basta Ransomware Struck More Than 500 Organizations Worldwide – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

The Debate on SEC's Tight Guidelines

May is mental health awareness month! In pursuing help or advice for mental health struggles (beyond just this month, of course), users may download and use mental health apps. Mental health apps are convenient and may be cost effective for many people.

However, while these apps may provide mental health resources and benefits, they may be harvesting considerable amounts of information and sharing health-related data with third parties for advertising and tracking purposes.

Disclaimer: This post is not meant to serve as legal or medical advice. This post is for informational purposes only. If you are experiencing an emergency, please contact emergency services in your jurisdiction.

Understanding HIPAA

Many people have misconceptions about the Health Insurance Portability and Accountability Act (HIPAA) and disclosure/privacy.

According to the US Department of Health and Human Services (HHS), HIPAA is a "federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge." There is a HIPAA Privacy Rule and a HIPAA Security Rule.

The Centers for Disease Control and Prevention (CDC) states the Privacy Rule standards "address the use and disclosure of individuals' health information by entities subject to the Privacy Rule." It's important to understand that the Privacy Rule covers entities subject to it.

Entities include healthcare providers, health plans, health clearing houses, and business associates (such as billing specialists or data analysts). Many mental health apps aren't classified as either; also, though there are a few subject to HIPAA, some have been documented not to actually be compliant with HIPAA rules.

What does this mean? Many mental health apps are not considered covered entities and are therefore "exempt" (for lack of better word) from HIPAA. As such, these apps appear to operate in a legal "gray area," but that doesn't mean their data practices are ethical or even follow proper basic information security principles for safeguarding data...

Even apps that collect PHI information protected by HIPAA may still share/use your information that doesn't fall under HIPAA protections.

Mental health apps collect a wealth of personal information

Naturally, data collected by apps falling under the "mental health" umbrella varies widely (as do the apps that fall under this umbrella.)

However, most have users create accounts and fill out some version of an "intake" questionnaire prior to using/enrolling in services. These questionnaires vary by service, but may collect information such as:

• name
• address
• email
• phone number
• employer information

Account creation generally and at minimum requires user email and a password, which is indeed routine.

It's important to note your email address can serve as a particularly unique identifier - especially if you use the same email address everywhere else in your digital life. If you use the same email address everywhere, it's easier to track and connect your accounts and activities across the web and your digital life.

Account creation may also request alternative contact information, such as a phone number, or supplemental personal information such as your legal name. These can and often do serve as additional data points and identifiers.

It's also important to note that on the backend (usually in a database), your account may be assigned identifiers as well. In some cases, your account may also be assigned external identifiers - especially if information is shared with third parties.

Intake questionnaires can collect particularly sensitive information, such as (but not necessarily limited to):

• past mental health experiences
• age (potentially exact date of birth)
• gender identity information
• sexual orientation information
• other demographic information
• health insurance information (if relevant)
• relationship status

Question from BetterHelp intake questionnaire found in FTC complaint against BetterHelp

These points of sensitive information are rather intimate and can easily be used to identify users - and could be disasters if disclosed in a data breach or to third party platforms.

These unique and rather intimate data points can be used to exploit users in highly targeted marketing and advertising campaigns - or perhaps even used to facilitate scams and malware via advertising tools third parties who may receive such information provide to advertisers.

Note: If providing health insurance information, many services require an image of the card. Images can contain EXIF data that could expose a user's location and device information if not scrubbed prior to upload.

Information collection extends past user disclosure

Far more often than not, information collected by mental health apps extends past information a user may disclose in processes such as account creation or completing intake forms - these apps often harvest device information, frequently sending it off the device and to their own servers.

For example, here is a screenshot of the BetterHelp app's listing on the Apple App Store in MAY 2024:

The screenshot indicates BetterHelp uses your location and app usage data to "track you across apps and websites owned by other companies." We can infer from this statement that BetterHelp shares your location information and how you use the app with third parties, likely for targeted advertising and tracking purposes.

The screenshot also indicates your contact information, location information, usage data, and other identifiers are linked to your identity.

Note: Apple Privacy Labels in the App Store are self-reported by the developers of the app.

This is all reinforced in their updated privacy policy (25 APR 2024), where BetterHelp indicates they use external and internal identifiers, collect app and platform errors, and collect usage data of the app and platform:

In February 2020, an investigation revealed BetterHelp also harvested the metadata of messages exchanged between clients and therapists, sharing them with platforms like Facebook for advertising purposes. This was despite BetterHelp "encrypting communications between client and therapist" - they may have encrypted the actual message contents, but it appears information such as when a message was went, the receiver/recipient, and location information was available to the servers... and actively used/shared.

While this may not seem like a big deal at first glance - primarily because BetterHelp is not directly accessing/reading message contents - users should be aware that message metadata can give away a lot of information.

Cerebral, a mental health app that does fall under the HIPAA rules, also collects device-related data and location data, associating them with your identity:

According to this screenshot, Cerebral shares/uses app usage data with third parties, likely for marketing and advertising purposes. Specifically, they...

The post Mental Health Apps are Likely Collecting and Sharing Your Data appeared first on Security Boulevard.

Customer and Employee Data Compromised in Santander Data Breach

• Santander will never ask you for codes, OTPs or passwords.
• Always verify information your receive and contact us through official bank channels.
• If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
• Never access your online banking via links from suspicious emails or unsolicited emails.
• Never ignore security notifications or alerts from Santander related to your accounts.

Financial and Banking Sector Hit By Data Breaches

The Biden Administration is moving to cybersecurity standards for hospitals, but the AHA is pushing back, saying voluntary models are enough.

The post UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security appeared first on Security Boulevard.

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.

No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.

Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.

There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.

But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.

It’s time car companies do something about it.  

In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.

But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).

As reporter Kashmir Hill wrote of the impasse:

“Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”

This was far from an isolated incident.

In 2023, Reuters reported that a San Francisco woman sued her husband in 2020 for allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.

Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.

When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:

“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”

Tesla was eventually removed from the lawsuit.

In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.

A better path

Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.

A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.

So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.

In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.

“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”

Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.

Instead, we believe that the companies that have the power to do something act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.

Fortunately, an option may already exist.

When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.

According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.

Though Reuters reported that Rivian had not heard of their company’s technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”

We agree.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source: www.techrepublic.com – Author: Fiona Jackson TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyberthreats, including zero-days, ransomware and deepfakes. Today, all businesses are at risk of cyberattack, and that risk is constantly growing. Digital transformations are resulting in more sensitive and valuable data being moved onto online systems […]

La entrada How Can Businesses Defend Themselves Against Common Cyberthreats? – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Enlarge (credit: Apu Gomes / Stringer | Getty Images News)

US District Judge William Alsup has dismissed Elon Musk's X Corp lawsuit against Bright Data, a data-scraping company accused of improperly accessing X (formerly Twitter) systems and violating both X terms and state laws when scraping and selling data.

X sued Bright Data to stop the company from scraping and selling X data to academic institutes and businesses, including Fortune 500 companies.

According to Alsup, X failed to state a claim while arguing that companies like Bright Data should have to pay X to access public data posted by X users.

Read 22 remaining paragraphs | Comments

Enlarge (credit: Verizon)

T-Mobile, Verizon, and AT&T will pay a combined $10.2 million in a settlement with US states that alleged the carriers falsely advertised wireless plans as "unlimited" and phones as "free." The deal was announced yesterday by New York Attorney General Letitia James.

"A multistate investigation found that the companies made false claims in advertisements in New York and across the nation, including misrepresentations about 'unlimited' data plans that were in fact limited and had reduced quality and speed after a certain limit was reached by the user," the announcement said.

T-Mobile and Verizon agreed to pay $4.1 million each while AT&T agreed to pay a little over $2 million. The settlement includes AT&T subsidiary Cricket Wireless and Verizon subsidiary TracFone.

Read 10 remaining paragraphs | Comments

Chinese crooks are running a global network of more than 75,000 fake online shops to steal credit card data and process fraudulent payments.

The post Massive Online Shopping Scam Racks Up 850,000 Victims appeared first on Security Boulevard.

Hacker Duo Claims Barclays and HSBC Bank Data Breach

While talking about the stolen data, IntelBroker denoted that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".

A Closer Look at the Sample Data 

The axiom “garbage in, garbage out” has been around since the early days of computer science and remains apropos today to the data associated with user behavior analytics and insider risk management (IRM). During a recent Conversations from the Inside (CFTI) episode, Mohan Koo, DTEX President and Co-Founder, spoke about how organizations are often quick … Continued

The post User Behavior Analytics: Why False Positives are NOT the Problem appeared first on DTEX Systems Inc.

The post User Behavior Analytics: Why False Positives are NOT the Problem appeared first on Security Boulevard.

Monash Health Data Breach

Microsoft warns that several OpenMetadata vulnerabilities are being exploited to deploy cryptomining malware to Kubernetes environments.

The post OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining   appeared first on SecurityWeek.