German researchers who purchased biometric capture devices on eBay found sensitive US military data stored on their memory cards, The New York Times has reported. That included fingerprints, iris scans, photographs, names and descriptions of the individuals, mostly from Iraq and Afghanistan. Many worked with the US army and could be targeted if the devices fell into the wrong hands, according to the report. A group of researchers called the Chaos Computer Club, led by Matthias Marx, bought six of the devices on eBay, most for under $200. They were spurred by a 2021 report from The Intercept that the Taliban had seized similar US military biometric devices. As such, they wanted to see if they contained identifying data on people who assisted the US Military that could put them at risk.
A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the caller’s gender and identity, and even discern private speech. Named EarSpy, the side-channel attack aims at exploring new possibilities of eavesdropping through capturing motion sensor data readings caused by reverberations from ear speakers in mobile devices. EarSpy is an academic effort of researchers from five American universities (Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University).
Hackers stole data belonging to multiple electric utilities in an October ransomware attack on a US government contractor that handles critical infrastructure projects across the country, according to a memo describing the hack obtained by CNN. Federal officials have closely monitored the incident for any potential broader impact on the US power sector while private investigators have combed the dark web for the stolen data, according to the memo sent this month to power company executives by the North American grid regulator’s cyberthreat sharing center. The previously unreported incident is a window into how ransomware attacks on critical US companies are handled behind the scenes as lawyers and federal investigators quietly spring into action to determine the extent of the damage.
Data breaches can be extremely harmful to organizations of all shapes and sizes — but it’s how these companies react to the incident that can deal their final blow. While we’ve seen some excellent examples of how companies should respond to data breaches over the past year — kudos to Red Cross and Amnesty for their transparency — 2022 has been a year-long lesson in how not to respond to a data breach. Here is a look back at this year’s badly handled data breaches.
TikTok will no longer be allowed on any device managed by the US House of Representatives. On Tuesday, the House’s Chief Administrative Office announced the ban of the popular video-sharing app, a move that comes just a week after legislation that would bar TikTok from all federal devices was introduced. Congresspersons and their staffers will not be able to download the app on managed devices, the CAO’s Office of Cybersecurity said in an email seen by Reuters. The mobile app is a “high risk to users due to a number of security risks,” the email said.
Ransomware hacking isn’t tantamount to a physical attack, the Ohio Supreme Court ruled, meaning a software developer can’t use its property insurance to cover losses. A unanimous ruling Tuesday from the court’s seven justices sided with Lansing, Michigan-based Owners Insurance Company against greater Dayton medical billing software maker EMOI. Owners Insurance Company, a property and casualty subsidiary of the Auto-Owners Insurance Group, covered the latter for “direct physical loss” to digital media. Over the course of a three-year court battle, Owners asserted that EMOI’s September 2019 ransomware attack lacked a physical dimension and accused the developer of attempting a runaround of its business property policy’s exclusion of ransomware costs. The justices agreed with the insurance company.
The U.S. Department of Justice is reportedly investigating the theft of nearly $400 million from FTX. The crypto exchange disclosed in November the day after it filed for bankruptcy that “unauthorized access” had led to the theft. The criminal investigation is separate from the fraud case Justice is pursuing against company co-founder Sam Bankman-Fried, Bloomberg reported. Attackers stole at least $372 million from the company, after which the firm’s executives moved the remaining funds under their control to cold storage wallets “to mitigate further risk,” its filing for bankruptcy states. Blockchain analytics and security firm Elliptic previously said a hacker had swapped more than $220 million for other tokens through decentralized exchanges, helping obfuscate the flow of funds on the blockchain and avoid seizure.
All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44 billion, taking the formerly public company private. Musk immediately began personally directing many of Twitter’s actions and policies, including changes in moderation and staff. Chaos ensued, and many people — including top company officers — resigned or were fired.