Nissan North America has revealed that extortionists who demanded a ransom after breaking into its external VPN and disrupting systems last year also stole the social security numbers of over 53,000 staff. The security breach occurred on November 7, 2023. Upon initial investigation, Nissan and external experts brought in by the firm found that although cybercriminals had accessed its systems without authorisation, the only data accessed had been mostly business-related.
The WebTPA Employer Services (WebTPA) data breach disclosed earlier this month is impacting close to 2.5 million individuals, the U.S. Department of Health and Human Services notes. Some of the impacted people are customers at large insurance companies such as The Hartford, Transamerica, and Gerber Life Insurance. WebTPA is a GuideWell Mutual Holding Corporation subsidiary and a third-party administrator (TPA) that provides customized administrative services to health plans and insurance companies.
The US Department of Justice has booked two brothers on allegations that they exploited open source software used in the Ethereum blockchain world to bag $25 million (£20 million). The pair - computer scientists Anton, 24, of Boston, and James Peraire-Bueno, 28, of New York - are accused of carrying out what deputy attorney general Lisa Monaco called a "technologically sophisticated, cutting-edge scheme they plotted for months."
The U.S. Justice Department charged five individuals today, a U.S. citizen woman, a Ukrainian man, and three foreign nationals, for their involvement in cyber schemes that generated revenue for North Korea's nuclear weapons program. They were allegedly involved between October 2020 and October 2023 in a campaign coordinated by the North Korean government "to infiltrate U.S. job markets through fraud in an effort to raise revenue for the North Korean government and its illicit nuclear program."
The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses.
Enterprise workplace collaboration platform Slack has sparked a privacy backlash with the revelation that it has been scraping customer data, including messages and files, to develop new AI and ML models. By default, and without requiring users to opt in, Slack said its systems have been analyzing customer data and usage information (including messages, content and files) to build AI/ML models to improve the software.
The Securities and Exchange Commission (SEC) will require some financial institutions to disclose security breaches within 30 days of learning about them. On Wednesday, the SEC adopted changes to Regulation S-P, which governs the treatment of the personal information of consumers. Under the amendments, institutions must notify individuals whose personal information was compromised "as soon as practicable, but not later than 30 days" after learning of unauthorized network access or use of customer data.
A critical vulnerability discovered recently in a Python package used by AI application developers can allow arbitrary code execution, putting systems and data at risk. The issue, discovered by researcher Patrick Peng (aka retr0reg), is tracked as CVE-2024-34359 and it has been dubbed Llama Drama. Cybersecurity firm Checkmarx on Thursday published a blog post describing the vulnerability and its impact.
The US cybersecurity agency CISA on Thursday added two D-Link product CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies to address them as soon as possible. The first CVE, CVE-2014-100005, collectively tracks decade-old security defects impacting legacy D-Link routers that reached End-Of-Life (EOL) status. On Thursday, CISA also expanded the KEV list with CVE-2024-4761, a Chrome zero-day patched earlier this week.
Sony Music is sending warning letters to more than 700 artificial intelligence developers and music streaming services globally in the latest salvo in the music industry's battle against tech groups ripping off artists. The Sony Music letter, which has been seen by the Financial Times, expressly prohibits AI developers from using its music - which includes artists such as Harry Styles, Adele, and Beyoncé - and opts out of any text and data mining of any of its content for any purposes.