Notices by Zack Whittaker (zackwhittaker@mastodon.social)

Out for lunch and saw a guy with a t-shirt that read, "Today Satan."

New, by me: UnitedHealth has scrubbed much of its website mentioning its diversity, equity, and inclusion (DEI) policies, including pulling down blog posts and large sections of its website.

TechCrunch saw UnitedHealth take down the pages in real-time this morning because we've used a webpage monitor for the past year to keep track of Change Healthcare's data breach notice, and saw the DEI-related pages removed as it happened.

https://techcrunch.com/2025/03/26/unitedhealth-removes-mentions-of-dei-from-its-website/

Holy shit. https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/

A federal judge on Thursday blocked DOGE's access to systems at the Social Security Administration that store huge amounts of highly sensitive information on millions of America, calling the access tantamount to a "fishing expedition."

https://techcrunch.com/2025/03/20/federal-judge-blocks-doges-access-to-social-security-administrations-banks-of-personal-information/

New, by me: Marko Elez, the DOGE staffer who resigned after his racist posts resurfaced (and was rehired soon after), violated Treasury rules when he sent an unencrypted email containing personally identifiable information to two Trump administration officials.

https://techcrunch.com/2025/03/17/doge-staffer-violated-treasury-rules-by-emailing-unencrypted-personal-data/

NEW by @carlypage: CISA had another round of layoffs, per people directly affected, said to be more than a hundred CISA employees. Red team staffers and its Cyber Incident Response Team (CIRT) are affected.

More: https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-staffers-amid-ongoing-federal-cuts/

Hats off to DataBreaches.net journalist @PogoWasRight for going public and publishing details about the legal demand they received from U.K. law firm Pinsent Masons, on behalf of the hacked health firm HCRG.

You can read more about the legal demand on DataBreaches.net.

https://databreaches.net/2025/03/05/hcrg-cares-lawyers-claimed-an-injunction-issued-in-a-private-hearing-required-us-to-remove-two-posts-we-didnt-comply/

@GossiTheDog TechCrunch uses SecureDrop and we check it regularly!

https://techcrunch.com/got-a-tip/

Extremely chilling to read that @w7voa put on leave after a Trump advisor called a tweet of his — which was quoting someone — as "treasonous."

https://www.nytimes.com/2025/02/28/business/voice-of-america-trump.html

New day, new stalkerware breach. Today it's Spyzie, a little known phone surveillance operation that's still managed to amass more than half a million customers — whose email addresses are going in Have I Been Pwned.

By our count, Spyzie is the 24th(!) stalkerware operation that's been hacked or otherwise exposed victims' private phone data since 2017.

https://techcrunch.com/2025/02/27/spyzie-stalkerware-spying-on-thousands-of-android-and-iphone-users/

Signal has long said it'd "rather shut down or leave a market" than add a backdoor or weaken its encryption.

Apple also had this option when it was ordered by the UK government to build an iCloud backdoor. Apple could have said - without violating secrecy laws — why it was leaving the UK, rather than weaken the encryption of all of its UK customers.

Instead, Apple capitulated to the demand to keep operating, and prioritized its profits over its customers' security.

https://techcrunch.com/2025/02/21/apple-pulls-icloud-end-to-end-encryption-feature-for-uk-users-after-government-demanded-backdoor/

The U.K. government's secret order demanding that Apple allows access to the cloud-stored encrypted data of any of its customers anywhere in the world is an "emergency," according to critics, and would set a dangerous global precedent that would embolden authoritarian regimes to demand the same.

From @carlypage: https://techcrunch.com/2025/02/10/uks-secret-apple-icloud-backdoor-order-is-a-global-emergency-say-critics/

Hope everyone is having a peaceful weekend. Here's Toby, aka smush face.

If you work in the U.S. government and know more about DOGE and its activities, please reach out. (Anonymity granted.)

Contact me via Signal: zackwhittaker.1337

You can also share files/docs via SecureDrop (using Tor): techcrunch.securedrop.tor.onion

ICYMI from yesterday: The biggest breach of U.S. government data is under way.

"Whether DOGE staffers are bad actors misses part of the point. Acts of subterfuge, espionage, or ignorance could produce the same suboptimal outcome: exposure or loss of the nation’s sensitive datasets."

https://techcrunch.com/2025/02/05/the-biggest-breach-of-u-s-government-data-is-under-way/

New, by me: Elon Musk's DOGE has taken control of large swathes of Americans' private information held by the U.S. government, representing the widest known compromise of government-held data by a private group of individuals — and little has gotten in their way.

https://techcrunch.com/2025/02/05/the-biggest-breach-of-u-s-government-data-is-under-way/

New: Elon Musk's DOGE team was granted "full access" to sensitive Treasury payment systems that control trillions of dollars in payments to Americans, including Social Security checks and tax refunds.

Sen. Ron Wyden said Musk’s access poses a “national security risk.”

The access could also be considered a massive data breach of Americans' personal information in the hands of unelected private individuals.

https://techcrunch.com/2025/02/01/senator-warns-of-national-security-risks-after-elon-musks-doge-granted-full-access-to-sensitive-treasury-systems/

DeepSeek exposed an internal back-end database to the internet without a password. The database contained chat histories and API keys.

https://techcrunch.com/2025/01/30/deepseek-exposed-internal-database-containing-chat-histories-and-sensitive-data

It's worth noting that PowerSchool is represented by crisis communications firm FTI Consulting to handle its PR (read: media inquiries etc.) in the aftermath of its data breach, with the goal of saying as little as possible.

This isn't an uncommon strategy, per se, but it is telling that PowerSchool — which was acquired by a private equity giant for $4 billion only the year earlier — is willing to throw money at protecting its image than investing in basic cybersecurity practices to begin with.

In an updated incident FAQ on its website, PowerSchool says: "We are not sharing specifics around the number of districts and schools we believe were involved" in the data breach.

Here's what else PowerSchool isn't telling affected individuals about its breach.

https://techcrunch.com/2025/01/22/what-powerschool-isnt-saying-about-its-massive-student-data-breach/