New, w/ @lorenzofb: Data-loss prevention startup Cyberhaven was hacked to publish a malicious update to its Chrome extension, affecting potentially thousands of users. A security researcher says other big Chrome extensions were hacked in the same campaign.
For the past few holiday seasons, @carlypage and I have looked back at the badly handled data breaches of the year in the hope — maybe! — companies would learn from the mistakes from yesteryear.
Nope! Here's our list of security shitshows for 2024.
Cybersecurity experts, who work with at-risk populations like human rights defenders and journalists, agree that Apple is doing the right thing by alerting victims of government spyware — and at the same time refusing to forensically analyze the devices.
Instead, Apple recommends victims reach out to a digital security lab run by Access Now, which helps analyze victim phones to confirm spyware infections.
New, by me: Hospital giant Ascension said a May ransomware attack allowed hackers to steal data on 5.6 million patients — the third-largest healthcare data breach of the year.
UnitedHealth, which owns Change Healthcare, told us that it will "defend ourselves vigorously" in court.
The company also said that it was in the "final stages" of notifying individuals affected by the data breach — the same thing it told us in July — suggesting the number of Americans affected by the data breach will be far higher than the 100 million it has disclosed so far.
New, by @carlypage: Nebraska's attorney general has sued Change Healthcare over security failings that led to the massive data breach of at least 100 million Americans' health data.
Per the complaint, the ALPHV hackers gained access to Change Healthcare's systems using the account of a "low-level customer support employee."
NEW, by me: UnitedHealthcare's Optum unit pulled down an internal AI chatbot after it was found exposed to the internet. The chatbot, seen by TechCrunch, allowed employees to ask it questions about how to handle patient health insurance claims and disputes.
The chatbot's exposure comes at a time when UHC faces scrutiny for its use of AI tools and algorithms to allegedly override doctors’ medical decisions and deny patient claims.
I can't tell you what an incredible headline this is, given the decades(!) of pressure by the U.S. government advocating for technological backdoors, and all it had to take was China breaching some of America's biggest phone networks to get here.
"U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack." — @kevincollier
By me: Data brokers could be soon blocked from selling Americans' sensitive personal data — like phone numbers and Social Security numbers — under federal law.
We've put together an updating list of free, open-source and/or self-hosted alternatives to popular apps — like Adobe, Dropbox, Google Docs, Pocket — that can help you reclaim your data from Big Tech.
Feel free to suggest your own favorites for the list!
With weeks to go before the bill expires at the end of Congress, this is the last chance for U.S. senators to vote on the PRESS Act, a bipartisan federal "shield" law that protects journalists from giving up their sources, and more.
It's the bill that the House *unanimously* passed in January, but yet it's been collecting dust in the Senate for a vote ever since.
The "internally screaming" edition of ~ this week in security ~ is out:
• Hacker behind Snowflake breaches arrested
• China Typhoon hacks 'more pervasive' than thought
• FBI says hacked police emails used to file fake subpoenas
• Android patches fix two zero-days under attack
• Plus: A look at the infostealer crime ecosystem
• A brand new bonus cyber cat + friend, and more.
New, by me: The FBI is warning that hackers are gaining access to law enforcement and government email addresses to file fraudulent "emergency" data requests with U.S. companies to obtain user data — which is often then used for doxing and financial fraud.
The abuse of emergency data requests is not new, and has been widely reported in recent years; but this is a rare admission from the federal government about the threat from fraudulent emergency data requests.
From me, last month, and still relevant today. I wrote about the 30-year-old internet backdoor law that came back to bite, after Chinese spies were found in the legally mandated wiretap systems of telecom and internet providers.
Meet the "advanced persistent teenagers." These are highly skilled, financially motivated hackers, like Lapsus$ and Scattered Spider, made up of mostly teenagers and young adults, and proven capable of digitally breaking into hotel chains, casinos, and tech giants.
MongoDB, which had a limited intrusion last year, said the incident matched tactics used by Scattered Spider, which broke in via phishing as if they were a legitimate employee.
2024 looks set to be another record-breaking year for ransomware. And the outcome of the upcoming U.S. election next week could have a major effect on the future of ransomware.
“I don’t think that’s something we’re prepared for — and we could see even more of an acceleration of ransomware attacks if law enforcement is less able to do their job,” said Allan Liska.
WSJ's @dustinvolz reports that DHS' Cyber Safety Review Board will investigate the Chinese "Typhoon" intrusions on several dozen U.S. telecom giants and others. The hacks have been linked to efforts to spy on prominent Americans, including a failed attempt to access an account belonging to a WSJ reporter after that reporter published articles about the group’s activities.
Fidelity filed several other data breach notices, which confirm that the unauthorized third-party "accessed and retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database that housed images of documents pertaining to Fidelity customers."
Fidelity also confirmed SSNs and driver's licenses were compromised in the data breach.