About three weeks ago, Tesla found itself in the throes of a data breach when two former employees allegedly exposed the company’s confidential information to external parties. In a recent development, a former Tesla staff member has initiated legal action against the electric vehicle manufacturer, asserting that the company maintains lax access controls for safeguarding user data.

The individual behind this lawsuit is Benson Pai, who has taken legal action against Tesla’s California-based facility. He is seeking financial compensation from the automaker for its failure to adequately protect the data of both current and former employees, totaling around 75,000 individuals. This sensitive information is now accessible on the dark web due to what Pai claims are inadequate security measures. Notably, the leaked data even includes the social security number of Tesla CEO Elon Musk. The company was alerted to this breach by Handelsblatt, which claims to possess approximately 100 gigabytes of the leaked information.

The outcome of this class-action lawsuit remains uncertain, and only time will reveal its ultimate impact.

In a separate incident, Johnson & Johnson Health Care Systems, also known as Janssen, has informed its CarePath customers of a data breach that was detected in early September of this year. CarePath is an application designed to assist J&J customers with medication recommendations, discounts, prescriptions, and notifications related to drug refills and administration.

The pharmaceutical company disclosed that the data breach was a result of a security vulnerability on IBM servers, which potentially granted unauthorized access to information such as contact details, dates of birth, health insurance information, medical histories, and medical conditions of patients, along with their full names and email addresses. The breach impacts individuals who enrolled on the CarePath website prior to July 2nd, 2023. Fortunately, sensitive information such as social security numbers and financial data was stored separately and remained inaccessible to hackers.

IBM has issued an official statement reassuring the public that the leaked information has not been misused thus far. Nevertheless, they urge CarePath customers to remain vigilant and monitor their bank transactions. Additionally, all affected individuals will be provided with one year of complimentary credit monitoring services to mitigate potential risks arising from cyber fraud.

The post Tesla data breach lawsuit and Johnson and Johnson data breach details appeared first on Cybersecurity Insiders.

In a concerning cybersecurity development, it appears that hackers with potential ties to Beijing managed to compromise a cryptographic key used for Microsoft Accounts. This unauthorized access allowed them to conduct surveillance on various U.S. government agencies. Reports indicate that this breach was carried out by a hacking group known as Storm-0558 in April 2021, and they successfully monitored the online activities of approximately 25 organizations.

What makes this intrusion particularly troubling is that neither the system administrators nor the threat monitoring solutions were able to detect the attack, as it was carried out covertly.

Delving into the specifics of the attack, it originated in early 2021 when a software bug caused a system crash. This crash led to the exposure of data and applications stored in a less secure location. Seizing this opportunity, cybercriminals managed to obtain the credentials of an engineer responsible for the access-controlled production environment. With these stolen credentials, they infiltrated Microsoft’s Exchange Online and Outlook environments.

It wasn’t until a series of audits that the technology giant detected this anomaly in July 2023 and promptly took corrective measures.

On September 6th, 2023, Microsoft disclosed that Storm-0558 had gained access to the debugging environment, enabling them to forge digital authentication tokens. This breach potentially allowed them to access sensitive information from the Microsoft Outlook email accounts of government officials, including U.S. Ambassador to China Nicholas Burns, Assistant Secretary of State for East Asia Daniel Kritenbrink, and Commerce Secretary Gina Raimondo.

It’s important to note that Storm-0558 is not a weather-related storm-chasing unit, as one might assume from the name. Instead, it is a hacking group believed to have ties to Chinese intelligence. Online communities, such as Reddit users, should take note of this newly identified hacking group and refrain from associating them with storm-chasing units featured on Discovery or National Geographic Channels.

The post Hackers gain access to Microsoft Cryptographic Key to spy on US Govt Departments appeared first on Cybersecurity Insiders.

AI news is bad news, an online service to catch your cheating partner, and an IoT-enabled dick cage fails to keep a grip on its own security. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley. Plus don't miss our featured interview with Alex Lawrence, principal security architect at Sysdig.

Approximately 3 to 4 years ago, Dr. Johnny Ryan, a senior member of the Irish Council for Civil Liberties (ICCL), initiated a legal case against the Data Protection Commission (DPC) in the High Court. He alleged that the DPC had inadequately addressed a significant data breach that occurred on Google’s servers.

However, Mr. Justice Garrett Simons rejected the claim, asserting that the DPC was the appropriate entity to investigate any instances of data breach or misuse involving the servers of private American technology firms, such as Google, a subsidiary of Alphabet Inc.

Ryan, responsible for highlighting data protection concerns at ICCL, contended that Google was abusing its authority by exploiting user personal data for Real Time Bidding (RTB) analysis carried out by a third party. This practice involved targeting advertisements based on users’ web browsing activities, which contravened the 2018 Data Protection Act and the General Data Protection Regulation (GDPR). These regulations strictly prohibited web companies from sharing substantial amounts of data with third parties.

In his lawsuit, Ryan asserted that the DPC had merely observed the situation without delving into a comprehensive investigation.

Contrary to this, the DPC, represented by Joe Jeffers in the High Court, argued that an inquiry had been initiated in 2019 and was still ongoing. The watchdog, headquartered in Ireland, assured that once the 2019 inquiry concluded, it would examine Ryan’s allegations. This approach aimed to expedite and enhance the handling of data misuse concerns.

Dr. Johnny Ryan dismissed these assertions, stressing that the delay in proceedings was providing the advertising giant with extra time and fostering a misguided belief that the law favored their actions. This could potentially bolster the internet powerhouse’s confidence in the legitimacy of its existing data handling procedures.

It’s important to note that a comparable complaint lodged by Dr. Ryan gained traction with the International Advertising Bureau (IAB) Europe and is currently under review by the Belgian Data Protection Authority, also known as the Belgian DPA.

The post Court asks DPC to reinvestigate massive Google Data Breach appeared first on Cybersecurity Insiders.