Zack Whittaker
NEW: TechCrunch has learned of a separate security incident involving malware stealing a PowerSchool software engineer's passwords prior to its cyberattack.
While likely unrelated to the breach, it raises further doubts about the ed-tech giant's security practices.
w/ @carlypage: https://techcrunch.com/2025/01/17/malware-stole-internal-powerschool-passwords-from-engineers-hacked-computer/
Zack Whittaker
New, by me: Change Healthcare's ransomware attack last year was the largest known theft of medical data in U.S. history, affecting at least 100 million Americans.
But for months, Change Healthcare has hidden its official data breach notice from search engines, making it far more difficult for anyone searching the web to find it.
Zack Whittaker
We've also included some helpful guidance on what you can do to prevent this kind of advertising surveillance, including at the mobile device level.
“If you disable the app tracking, your data has not been shared,” security researcher Baptiste Robert told TechCrunch.
Ad-blockers are your friend!
Zack Whittaker
NEW, by me: Gravy Analytics, a location data broker, has confirmed it was hacked.
In a statement to TechCrunch, its parent company Unacast said its AWS accounts were breached. A hacker posted a huge trove of location data online containing tens of millions of location data points.
Zack Whittaker
Telegram shared thousands of users' data with authorities in the U.S. over the course of 2024, according to Telegram's latest transparency report numbers. The messaging app also reported a sharp rise in fulfilled requests from authorities in the U.K. and India.
https://techcrunch.com/2025/01/07/telegram-reports-spike-in-sharing-user-data-with-law-enforcement/
Zack Whittaker
Bloomberg's Katrina Manson has a really good story from Guam on the Volt Typhoon threat facing the island's critical infrastructure, which the U.S. military's base there relies on. Very complementary to WSJ's reporting this weekend on the wider threat faced by the U.S. from China over its anticipated future invasion of Taiwan.
Zack Whittaker
Interesting to see AT&T, Verizon, and now Lumen all say that they detect no threat activity or have no evidence of ongoing intrusions by the China-backed Salt Typhoon group, all citing a third-party forensic analysis.
If they were so confident in their assessments, they'd at least publicly name the forensic firms who allegedly cleared their networks.
Zack Whittaker
I take umbrage with headlines like this. It wasn't the employee's fault for the data breach at Ascension, a healthcare giant with over 140 hospitals across the United States. It was Ascension's leadership that failed to implement adequate cybersecurity defenses that resulted in the breach of 5.6 million patients' data.
Zack Whittaker
New, w/ @lorenzofb: Data-loss prevention startup Cyberhaven was hacked to publish a malicious update to its Chrome extension, affecting potentially thousands of users. A security researcher says other big Chrome extensions were hacked in the same campaign.
Zack Whittaker
For the past few holiday seasons, @carlypage and I have looked back at the badly handled data breaches of the year in the hope — maybe! — companies would learn from the mistakes from yesteryear.
Nope! Here's our list of security shitshows for 2024.
https://techcrunch.com/2024/12/26/badly-handled-data-breaches-2024/
Zack Whittaker
Cybersecurity experts, who work with at-risk populations like human rights defenders and journalists, agree that Apple is doing the right thing by alerting victims of government spyware — and at the same time refusing to forensically analyze the devices.
Instead, Apple recommends victims reach out to a digital security lab run by Access Now, which helps analyze victim phones to confirm spyware infections.
@lorenzofb has more: https://techcrunch.com/2024/12/20/why-apple-sends-spyware-victims-to-this-nonprofit-security-lab/
Zack Whittaker
New, by me: Hospital giant Ascension said a May ransomware attack allowed hackers to steal data on 5.6 million patients — the third-largest healthcare data breach of the year.
Zack Whittaker
UnitedHealth, which owns Change Healthcare, told us that it will "defend ourselves vigorously" in court.
The company also said that it was in the "final stages" of notifying individuals affected by the data breach — the same thing it told us in July — suggesting the number of Americans affected by the data breach will be far higher than 100 million it's disclosed so far.
Zack Whittaker
New, by @carlypage: Nebraska's attorney general has sued Change Healthcare over security failings that led to the massive data breach of at least 100 million Americans' health data.
Per the complaint, the ALPHV hackers gained access to Change Healthcare's systems using the account of a “low-level customer support employee."
Zack Whittaker
NEW, by me: UnitedHealthcare's Optum unit pulled down an internal AI chatbot after it was found exposed to the internet. The chatbot, seen by TechCrunch, allowed employees to ask it questions about how to handle patient health insurance claims and disputes.
The chatbot's exposure comes at a time when UHC faces scrutiny for its use of AI tools and algorithms to allegedly override doctors’ medical decisions and deny patient claims.
Zack Whittaker
I can't tell you what an incredible headline this is, given the decades(!) of pressure by the U.S. government advocating for technological backdoors, and all it had to take was China breaching some of America's biggest phone networks to get here.
"U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack." — @kevincollier
Zack Whittaker
By me: Data brokers could be soon blocked from selling Americans' sensitive personal data — like phone numbers and Social Security numbers — under federal law.
Zack Whittaker
We've put together an updating list of free, open-source and/or self-hosted alternatives to popular apps — like Adobe, Dropbox, Google Docs, Pocket — that can help you reclaim your data from Big Tech.
Feel free to suggest your own favorites for the list!
Zack Whittaker
With weeks to go before the bill expires at the end of Congress, this is the last chance for U.S. senators to vote on the PRESS Act, a bipartisan federal "shield" law that protects journalists from giving up their sources, and more.
It's the bill that the House *unanimously* passed in January, but yet it's been collecting dust in the Senate for a vote ever since.
More: https://techcrunch.com/2024/11/10/its-the-senates-last-chance-to-pass-the-press-act/
Zack Whittaker
The "internally screaming" edition of ~ this week in security ~ is out:
• Hacker behind Snowflake breaches arrested
• China Typhoon hacks 'more pervasive' than thought
• FBI says hacked police emails used to file fake subpoenas
• Android patches fix two zero-days under attack
• Plus: A look at the infostealer crime ecosystem
• A brand new bonus cyber cat + friend, and more.
Sign up/RSS: https://this.weekinsecurity.com
Read online: https://mailchi.mp/weekinsecurity/this-week-in-security-november-10-2024-edition
Donate/support: https://ko-fi.com/thisweekinsecurity
Security editor, TechCrunchEmail: zack.whittaker@techcrunch.comSignal: +1 646.755.8849 / zackwhittaker.1337New York, NY
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.