All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation. The revelation raises grave medical privacy concerns, particularly in a post-Dobbs era in which many states are working to criminalize reproductive health care. Even if people in states with restrictive laws cross state lines for care, pharmacists in massive chains, such as CVS, can access records across borders.
Apple (AAPL.O) has said it now requires a judge’s order to hand over information about its customers’ push notifications to law enforcement, putting the iPhone maker’s policy in line with rival Google and raising the hurdle officials must clear to get app data about users. The new policy was not formally announced but appeared sometime over the past few days in Apple’s publicly available law enforcement guidelines. It follows the revelation from Oregon Senator Ron Wyden that officials were requesting such data from Apple as well as from Google, the unit of Alphabet (GOOGL.O) that makes the operating system for Android phones.
In one of the coolest and most outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers, who were hired by the independent repair company to fix it.
Threat actors have opened a new underground market known as OLVX Marketplace (olvx[.]cc) that is gaining notoriety just in time for the holidays. This new marketplace claims to sell all the tools necessary to commit online fraud, manipulate the very savviest of online shoppers, and make this time of year much less merry and bright. OLVX follows a trend ZeroFox Intelligence has observed relating to multiple underground marketplaces now operating on the clear web, whereas in the past, most would only operate on the deep or dark web (DDW).
Microsoft on Wednesday announced the disruption of Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes. The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, distributed denial-of-service (DDoS), and other types of attacks.
The National Institute of Standards and Technology launched new draft guidance earlier this week focused on clarifying how organizations can adopt differential privacy — a mathematical algorithm broadly used to quantify how much privacy risk a given dataset poses to the individuals in it — as part of their security infrastructure. As NIST’s guidance notes, differential privacy can be leveraged as a scheme to evaluate an organization’s digital privacy posture through a framework that identifies the factors contributing to potential breaches in data security.