2022 Cybersecurity


The baddest of the bad Black Friday scams is ready and waiting to sucker-punch consumers

New research from cybersecurity company NordVPN shows that cyber scammers have their sights on the four in five Americans who might take part in Black Friday/Cyber Monday – or what Nord’s Chief Technology Officer Marijus Briedis called a “honeypot for scammers.”

Their favorite targets are people who’ll gladly exchange some private, personal information in return for a big discount or freebie. As they say, forewarned is forearmed, so let’s get on with what the "baddest of the bunch" is and how you can protect yourself.

“Pleased to meet you – won’t you guess my name?”

Rob Shavell, the CEO of DeleteMe, an online privacy company that removes a person's data from Google, and security analysts from RedFlagDeals say that the hottest scam this shopping season might just be the “Fake Seller Scam,” which involves scammers quickly producing storefronts in 3rd party marketplaces like Amazon and Walmart where they then:

  • List legitimate popular brand name products

  • Offer these products at the cheapest price on the platform

  • Are algorithmically promoted by Amazon (or other retailers) for their great price

  • Support their listings with fake, positive reviews

  • Provide fake order tracking details to bide time to scam more people before complaints start pouring in

  • Offer one-week free shipping - more time to dupe customers before negative reviews come in

  • Present themselves as a real seller by lining their storefronts with hundreds of other products

“When you buy, you either don't receive the product, receive the wrong product, or receive a broken/used/unusable version of the product, with no real means for recourse, refunds, or support from the retailer themself,” Kate Musgrove, director of RedFlagDeals told ConsumerAffairs.

Amazon is doing what it can to throw these bad actors over the cliff, but how can the consumer spot this scam? The big clues and most common factors appear to be:

  • A low, low price. Products are typically the cheapest you can find and have anywhere from a 20-80% discount. If you are shocked by the price, then it's a good indicator that you should do some double-checking.

  • Is this a real brand? Start by checking the "ships from/sold by" information under the "Buy Buttons", where you will see the brand listed. If the brand listed isn't the brand of the product, a known, popular 3rd-party brand, or Amazon itself, you should do some investigating. Start by clicking on the 3rd party's Amazon Seller Page to see if they seem like a real business. If nothing is listed, the seller's name seems fake and contains long, nonsensical names or strings of random numbers, it could be a sign of a scammer.

  • Is this brand established? On the seller's "About Page," you can see recent feedback, the sentiment of that feedback, and how it has trended over time. A good rule of thumb is that if you plan to buy from 3rd party sellers, you want to buy from the ones with positive feedback ratios and who have lots of feedback data going back for more than a year.

How to protect yourself

Shavell says the single thing that a consumer can do to keep away from a fake merchant is to stick to trusted vendors.

“Fraud artists create fake companies promoting high-discount offers during high-volume sales periods; if you’re going to do comparison shopping looking for the best price, do so among retailers with whom you already have accounts and have successfully done business with in the past,” he told ConsumerAffairs.

The second of Shavell's smart moves is to stick to payment methods that have consumer protection features and the ability to execute chargebacks. He said that if consumers use a credit card with limits, it usually provides better security features than mobile payments, or is faster to respond to fraud claims than services like Paypal, which he said can be slow and difficult to document after the fact.

His third piece of advice is to consider using a “card masking service” to protect your account information.

“Particularly when doing business with new vendors, it may be safer to use a one-time payment service that prevents the vendor from retaining your account information beyond the individual transaction, and protects you in the event they experience any data breach,” Shavell concluded.


Hackers are targeting hospital networks. Is your patient data at risk?

CommonSpirit Health is one of the latest major hospital groups to grapple with cybersecurity issues that not only affect operations but could compromise patient privacy.

In October the hospital system reported it was the victim of a ransomware attack, interrupting operations at the Chicago-based system that operates 140 hospitals and more than 1,500 care sites in 21 states.

The cybersecurity experts we consulted said attacks on hospitals are likely to increase, posing risks to patient privacy.

Matt Mullins, senior security researcher at Cybrary, a cybersecurity training firm, says hospital networks are significantly more vulnerable than standard networks for the simple reason that healthcare has a unique focus compared to other industries. That’s because the data has to always be readily accessible for practitioners.

Not only is it easier for hackers to access that data, Mullins says the data is highly prized information.

“It can be used for blackmail or phishing, and it can be used for fraud,” Mullins told ConsumerAffairs. “This data is more useful in that it is easier to access and it allows for identity theft. Identity theft is much harder to ‘shut down’ than it is to roll a new credit card number or account!”

Valuable data

In a cyber attack, Frank Ricotta, CEO & founder at BurstIQ, a health data management company, says hackers go for patients’ personally identifiable information (PII) and personal health information (PHI) because it’s considered more valuable.

“The value of health data sold on the dark web can get upwards of 500 times more than other personal information such as Social Security numbers or credit cards,” Ricotta told us. “This data can be used to file false medical claims, get prescriptions and medical treatment, and more. And unlike a credit card breach that can be identified and resolved quickly, PII and PHI can be used long after a breach has been detected and used repeatedly.”

Irina Tsukerman, president of Scarab Rising, Inc., a media and security strategic advisory group, says networks aren’t the only area of hospital technology vulnerable to hackers. That vulnerability poses the risk of more than just compromised data.

“A recent study found that half of internet-connected devices in hospitals are vulnerable to exploitation, with IV pumps - a direct risk to patients - being a particular vulnerability,” Tsukerman said. “The Cynerio report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform. This makes hospitals one of the most desirable targets for hackers.”

Hospitals spend less on security

Sanjay Raja, vice president of Product Marketing and Solutions at Gurucul, a security analytics firm, says economic factors also play a role. He says hospitals continue to bear the financial burden of treating COVID-19 patients which reduces other, more profitable services.

“This has led to a shortfall in revenues from other services causing constrained budgets, a lack of resources, and overburdened security teams,” Raja said. “Threat actors have purposefully targeted healthcare providers knowing how overwhelmed IT and security staff already are and how catastrophic ransomware or other disruption can be in the treatment of patients.”

Is there anything hospitals can do to better protect their networks from attack? Raja says perimeter defenses and patches have proved “fairly useless” against a hacker determined to get inside. 

He recommends an accurate and more automated threat detection, investigation, and response solution that provides earlier and more accurate threat detection. 

Mullins says he believes that, up until now, hospitals haven’t approached cybersecurity with enough “seriousness.”

Tsukerman says hospitals need to train all personnel in "best industry" practices in cybersecurity and enforce and reevaluate recommended security protocols, which should include physical maintenance and strengthening of networks.


If you use a prayer app someone else could be listening in, report finds

As part of its review process on products that connect a person’s privacy and security online and with other companies, a new report from the Mozilla Foundation takes aim at apps that it says are “super creepy” when it comes to users’ privacy.

The report focuses its attention on mental health and prayer apps, saying their privacy standards are worse than any other product category.

The foundation’s analysts claim some of those apps routinely share data, permit weak passwords, bombard powerless users with personalized ads, and live off the premise of hazy and unintelligible privacy policies. 

“They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,” said Jen Caltrider, Mozilla’s *Privacy Not Included lead.

“Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

The study looked at 32 mental health and prayer apps and anointed all but four with a *Privacy Not Included warning label and said most were “exceptionally creepy.” One of those 28 offenders is the faith-based app, Pray.com.

The app serves a number of functions, including as a social media platform for religious communities. Churches and other religious organizations use the platform to engage in discussions, livestream services, and solicit and receive donations.

Individuals using the app may participate in “prayer communities” where users can ask for and answer prayer requests.

It sounds innocent enough, but the question may arise over how this highly personal data is handled. ThreatPost reported that in late 2020, Pray.com leaked private data for up to 10 million people.

Included in that data leak were lists of a church’s attendees containing information for each churchgoer such as names, home and email addresses, phone numbers, and marital status. In addition, ThreatPost reported that the information exposed in a public cloud bucket also included church-donation information, photos, and users’ contact lists.

Pray for your privacy

On a recent Freakonomics Radio podcast, author Stephen Dubner investigated the landscape of faith-based apps, of which Pray.com is only a part. Dubner expressed concern that these apps were sharing user data with Facebook. The Mozilla Foundation report said that is a real concern.

“If you use Pray.com, you'd better pray for your privacy. Because Pray.com is absolutely awful when it comes to their users' privacy and security,” the Mozilla analysts wrote. 

The primary stress point for the analysts was the figurative ton of personal information that’s spun into an asset and a healthy revenue stream. 

“Pray.com then says they can use all this data to target you with ads, share with third parties to target you with ads and share with other ‘faith-based organizations’ so they can target you too,” the report said.

“We don't mean to be, well, mean, but Pray.com really feels like it might be a data harvesting business targeting Christians for purposes that go way way way beyond helping them on their prayer journey. … It all feels kinda icky to us.” 

Mozilla Foundation’s advice? “Find another prayer app.”

ConsumerAffairs reached out to Pray.com and Facebook for comment but did not receive answers to the questions we posed regarding privacy policies, personal data that is being shared, and for what purposes personal data is shared.

Whatever the app, you still need to be careful

Are there prayer apps that the Foundation spared from being labeled “*Privacy Not Included”? Yes, one. Among those listed, the only one ConsumerAffairs found that met the criteria and that readers did not rate as “Super Creepy” was the “Hallow” app.

To Hallow’s credit, the researchers said the company was the only one who replied to all its questions and even updated its password requirement to require users to log in with a strong password when the Foundation noted that the app allowed the use of a relatively weak password like “11111.”

Alongside Pray.com, others in the category not meeting the criteria by both researchers and readers were the King James Bible Daily Verse and Audio and Abide. There was one app – Glorify – that was a split decision. Foundation researchers gave it a thumbs-up, but readers pegged it as “Super Creepy.”

So, what’s someone who wants to engage with a prayer app to do? If you do decide to find another, be careful, Harold Li, vice president at ExpressVPN, told ConsumerAffairs. 

“This is not the first time that faith-based apps are caught sharing data with third parties. Last year, ExpressVPN conducted extensive research on location trackers embedded in 450 social, messaging, and faith-based apps to measure the extent to which they intrude on location privacy for individuals around the world,” Li said, highlighting the fact that those investigated apps were downloaded by users 1.7 billion times in total.


Searching for that hard-to-find product? A scammer knows that too, and will make you pay!

The reports of phishing attacks over the holidays are starting to grow. The new wrinkle for hackers it seems is the use of artificial intelligence (AI) to improve a hacker’s ability to gather information and target a specific victim. 

Most of those targeted victims are online shoppers who, hackers have discovered, have gotten lackadaisical about what they click on and are clicking willy-nilly on anything and everything. That’s especially true in emails.

Cybercreeps are sending out offers by the ton, bombarding users' inboxes with links to deep discounts knowing that there are enough people who’ll click on links and hand over credentials.  

“E-shopping continues to be a prime target because people are pre-programmed to click on links," Phishfirewall CEO, Joshua Crumbaugh told ConsumerAffairs. "Online deals bombard users' inboxes with links to deep discounts, and this adds fuel to the fire, creating the perfect scenario to get people to click on links and hand over credentials.

“With scams getting increasingly sophisticated, it's hard to say precisely what tactics the bad guys will use, but they are only after just a few things: Stealing your account credentials, your identity/financial information, or infecting your computer with malware/ransomware.”

A new PlayStation 5 or Dyson product on your wishlist?

Crumbaugh said that his company found that phishing attacks centered on hot but scarce items, using those as bait, are paying off for hackers.

“Fake discounts on hard-to-find items such as PS5's and Dyson hair products with the goal of stealing credentials are growing," he said. "We’ve also seen fake purchase alerts that attempt to infect your computer with ransomware and fake Amazon security alerts with the intent to steal your credentials.”

How to keep the phishers away

If you think that it’s Google’s or Microsoft's or Apple’s job to keep phishing emails out of your inbox, you might want to reconsider thinking that.

Yes, Gmail or Hotmail or Apple iCloud Mail try to keep phishing emails from getting in with their email spam filters, but scammers are cunning enough to find ways around those filters.

The Federal Trade Commission (FTC) warns consumers that it would be wise to add extra layers of protection to protect themselves from phishing attacks.

One of the agency's strongest suggestions is to protect your cell phone by setting software to update automatically. These updates could give you critical protection against security threats.

Here's how to do that on an iPhone and how to do it on an Android device.

And that password of yours? How long do you think it would take a hacker to crack it?

Another smart move is getting a password manager. Because if you do...

  1. It allows you to use harder-to-crack passwords. (If you want to see how weak or strong your password is, check it here)
  2. You don’t have to remember all of them. 
  3. Plus -- and it's a huge plus -- you can have a different password for every site.

That last point is a move that Dustin Heywood, a password specialist at IBM X-Force Red, says maximizes a person's password security.

"The reason passwords should not be the same between sites is that systems get breached, and then attackers [can] reuse passwords or even get passwords out of plaintext through phishing," Heywood told ConsumerAffairs. "This makes a password manager critical."


Geico, Humana, J&J, and PBM Nutritionals agree to class action settlements

Several more major corporations have agreed to class action settlements, handing out millions of dollars. But affected consumers have no time to waste as the deadlines for filing a claim expire this month.

For starters, Humana has agreed to settle a lawsuit brought over its 2020 data breach. Settlement documents did not disclose how much the health benefits provider has agreed to pay. It affects those who were notified by Humana that their personal health information was compromised when hackers broke into the company’s network.

Hackers got access to sensitive health information as well as personal identifying information, such as Social Security Numbers. The deadline for filing a claim is Nov. 15.

Two Geico settlements

Geico is settling two class actions this month. In the first, the auto insurance company is paying $19.1 million to resolve claims that it did not pay sales tax and other fees when paying California customers who suffered a total loss.

The settlement covers California policyholders who did not get compensated for the tax and fees for total loss claims submitted between June 27, 2015, and Aug. 27, 2020. The deadline to file a claim in the settlement is Nov. 11. 

Geico has also agreed to pay an undisclosed amount to resolve a class action suit that it underpaid healthcare providers in Florida for treating covered patients. That claim deadline is Nov. 28.

Consumers who purchased the drug Remicade (infliximab) between April 5, 2016, and Feb. 28, 2022 may be eligible for a cash settlement from Johnson & Johnson and its subsidiary Janssen. The companies have agreed to a combined $25 million payment to settle claims they violated antitrust laws by suppressing generic competitors.

The suit claimed that action resulted in higher prices for Remicade, a prescription medication to treat Crohn’s disease. To be eligible for compensation, consumers must submit claim forms by Nov. 30.

Baby formula misinformation

Amidst an ongoing baby formula shortage, PBM Nutritionals has agreed to pay $2 million to settle a class action lawsuit that claimed the company’s baby formula product doesn’t produce the advertised number of servings.

Consumers who purchased Well Beginnings, Meijer Baby, Little Journey, Wesley Farms, Burt’s Bees Baby, Berkley Jensen, Parent’s Choice, Earth’s Best Organic, Comforts, Up & Up, Babies “R” Us, Member’s Mark or Bobbie Baby brand baby formula between Jan. 1, 2017, and July 21, 2022 may be eligible for compensation.

Claims in that case must be filed by Nov. 30.


Consumers can get free hamburgers to as much as $3,500 in settlements from GE, Toyota and others

In ConsumerAffairs’ latest round-up of class action settlement announcements, we found another pile of cash that companies are paying consumers to settle claims brought against them in a variety of class action lawsuits.

At TopClassActions, we found all the details of the settlement and how to apply. 

General Electric (GE): In early 2020, GE confessed that its current and former employees may have had their information stolen through a data breach of one of GE’s providers. The breach reportedly compromised sensitive information such as names, addresses, Social Security numbers, driver’s license information, bank account numbers, passport data, and birth dates.

As the terms of the settlement are spelled out, class members can receive reimbursement for lost time and out-of-pocket expenses. Depending on the time lost, money spent on things like credit freezes, etc., compensation could range from $18 to $3,500.

Applicants have until Dec 22, 2022 to file. Full details and enrollment are available on this website.

Toyota/Lexus: If you’re one of the nearly 3 million former or current Toyota or Lexus owners whose vehicle was recalled due to a faulty Denso fuel pump, the parties have reached a settlement and are ready for those affected by the situation to file for damages.

Under the terms of the settlement, class members can receive reimbursement for out-of-pocket repairs, an extended warranty, a customer support program, and loaner/towing coverage.

The only box left to check is the one for final approval on the settlement and that’s scheduled for Dec. 14, 2022. Then, the deadline to seek reimbursement is 90 days after the final judgment, estimated to be March 14, 2023. 

To find out more about the settlement and application process, go to this website or phone 1-833-512-2318.

Automotive Parts that affected a variety of cars: The latest round of settlement distributions that’s part of a massive $1.2 billion settlement resolving antitrust allegations is ready to go.

The settlement will benefit lots of consumers – everyone from A to V (Acura owners to Volvo owners) – who purchased or leased certain new vehicles in the U.S. between 2002 and 2018 – or who paid to replace one or more qualifying vehicle parts (many of them being electric or hydraulic braking systems). A full list of eligible vehicles and applicable time periods can be found on the settlement website.

Smashburger: Smashburger fans should check out the sizzle the chain has agreed to in settling claims that it falsely advertised its hamburgers as containing “double the beef.” And the good thing is that consumers do not need proof of purchase to benefit from the settlement.

The settlement benefits consumers who purchased Triple Double hamburgers, Bacon Triple Double hamburgers, French Onion Triple Double hamburgers and/or Pub Triple Double hamburgers from Smashburger anytime between July 1, 2017, and May 31, 2019.

It’s not like class members will get a giant windfall like burgers for life, but they will receive a $4 cash payment per purchased product for a maximum payment of up to $20 per household. If they’d rather get a voucher instead, the people who opt into vouchers will receive up to 10 vouchers with each voucher having a $2 cash value. 

Go here to find out more about the settlement and to apply as a class member. Applicants have until late January 2023 to get their application in.


Doing your holiday shopping early? Are you ready for package delivery humbugs?

Anyone who is doing their holiday shopping early, heads up! Two new studies show there may be trouble on the way.

One says that one in seven experience package theft; another says that shipping scams are mounting up, adding another layer of woe.

In C+R Research’s latest annual package theft report, more than a quarter of Americans said they’re concerned that they could lose their gifts to porch pirates. And those thefts can be costly, too, with the average value of stolen packages ringing up at $112.30.

Where you live apparently matters to thieves. According to C+R, thieves may be zip code snobs. The researchers said that about half (49%) of those who’ve had a package stolen live in the suburbs, 39% are city dwellers, and 12% live in rural areas.

Delivery services are on alert, too

Unfortunately for delivery services, they’ve got two problems. One is that nearly half of those surveyed don’t think retailers and delivery companies do enough to prevent package theft. The other is that scammers seem to be loving delivery scams like there’s no tomorrow.

According to its latest Brand Phishing Report, Check Point Research (CPR) says hackers are imitating one major shipper and one major retailer in attempts to lure people into giving up personal data. 

DHL places at the top of the list for most impersonated, accounting for 22% of all phishing attempts worldwide. DHL also has a make-believe affiliate named “BHL” that some scammers are using to leverage cybertheft, too.

Another major firm scammers are impersonating is Walmart, which has 5% of all phishing attacks globally.

How consumers can protect themselves and their packages

To beat porch pirates at their game the C+R researchers said there are several things consumers can do to protect their online purchases.

“If you know a package is expected to be delivered – be diligent in collecting it as soon as possible to lessen the opportunity for porch pirates to steal it,” the researchers suggested.

“That's why most people (60%) keep a close eye on delivery tracking, and 43% sign up for delivery alerts.”

Some consumers stay home when they know a package is on the way, but not everyone can afford to do that. In those situations, the researchers suggest more preventative measures, such as installing a doorbell camera, sending the package to their workplace or a relative’s home, or opting to pick up their online order in the store.

When it comes to packages being delivered, many – if not most – consumers simply don’t know if DHL, UPS, the Postal Service, Amazon, or FedEx is in charge of the delivery.

“DHL is the brand most likely to be imitated, it’s crucial that anyone expecting a delivery goes straight to the official website to check progress and/or notifications,” Omer Dembinsky, Data Research Group Manager at Check Point said in an email to ConsumerAffairs. 

“Do not trust any emails, particularly those asking for information to be shared. In [the latest quarterly analysis], we saw a dramatic reduction in the number of phishing attempts related to LinkedIn, which reminds us that cybercriminals will often switch their tactics to increase their chances of success.”


Five signs your phone may be spying on you

If your phone is acting a little sluggish, it may be because spyware has wormed its way into your phone’s system -- tracking every click you make, every step you take, and anything and everything you do. And the situation could get worse before it gets better, too. 

Like the rest of the world, malware took 2020 off, but now it’s back with a vengeance. In 2021, Malwarebytes detected 77% more malicious software than in 2020. The study said that malware threats made on consumers last year eclipsed 150 million. 

Consumers have their work cut out for them

Before you go pointing fingers at Google or Apple or your carrier, they’re doing all they can. For its part, Apple unleashed Lockdown Mode to protect iPhone owners.

Google’s been busy protecting its Play Store from Potentially Harmful Applications (PHAs), too. It’s gotten the number of PHAs down to less than 1% of the total apps installed, but spyware accounts for 48% of those. 

Still, when you look at how many apps are installed from Google Play, that sub-1% still adds up to the possibility that hundreds of millions of spyware-laden apps are winding up on people’s phones.

How do you know if spyware is on your phone? Cybersecurity experts from VPNOverview have collected the top five warning signs that could indicate that hackers are using your phone to spy on you. The study also details how you can prevent and remove spyware that hackers may have installed onto your phone.  

The Top 5 signs you’re being spied on

1. Slow performance 

The number one indication that spyware is on your phone is that your device is constantly slow – slow because it’s running rampant in the background uploading your personal data, your photos, your documents, and other files to an external server.

The VPNOverview experts say you can make sure this isn’t happening by checking your phone for any unfamiliar apps and scanning any hidden apps using an antivirus program. If you find an app that seems suspicious, deleting it may improve the performance of your device.

“Whilst some spyware is hidden by hackers, some spyware programs will appear amongst your apps," the VPNConnect cybersecurity team told ConsumerAffairs.

"These apps may show up as parental control apps intended to be used to monitor a child’s cyber safety, however, they could have been installed by a jealous ex-partner to spy on you," 

What are some apps that you should look for? The analysts singled out these: mSpy, Spyera, Flexispy, Umobix, Ikey Monitor, and Clevguard.

2. Random reboots 

Another tell-tale sign that spyware is on the loose is that your phone reboots without your authorization or because it overheated or is doing a typical system update. 

“This can indicate that someone has remote, administrator-level access to your phone. The hacker can do whatever they want with your device if this is the case,” VPNConnect analysts said. “To rule out the presence of spyware, you can update your phone’s operating system, and delete any malfunctioning apps. If neither of these solutions solves the random reboots, you may have spyware on your phone.”

3. Strange text messages 

With robocalls being throttled thanks to new rules from the Federal Communications Commission (FCC), smishing has taken its place and, with that, hackers are employing text messages to take a screenshot, detect your location or even gain control of your phone. 

“You should be not only vigilant of incoming texts but also outgoing texts as a hacker can send text messages from your phone to communicate with their own server," VPNConnect warned. 

"Any message that looks unfamiliar, sounds like gibberish, or appears outright strange should be ignored. This is especially the case for unfamiliar texts containing links; these links can allow a hacker access to your phone if clicked on.” 

4. Overheating 

Summer is pretty much gone so a phone being overheated naturally from the elements should be dwindling. However, if your phone is still overheating, it’s possible that the heat is coming from a malicious app running in the background, especially if the overheating occurs when the phone is on standby. 

How can you make sure if it’s spyware or not? First, make sure that your phone doesn’t have a hardware issue or check that the apps you have installed are not large resource consumers.

To do that, the VPNConnect folks suggest going into your phone’s settings and checking your app list to see which apps use the most resources (apps are usually presented in order of most resource use, by the way).

“Some apps will have legitimate reasons for taking up energy on your phone, but any that use more than they should (may) be the culprit and should be deleted,” the analysts said.

5. Unusually high data usage 

If you’re not a big data hog – like watching a ton of videos – but still see your data usage higher than you think it should be, it may be a cause for concern. 

“A hacker’s primary goal is to harvest your data, to sell it to the black market, or use it to blackmail you. To gather this information, a hacker will remotely access your phone and transfer your files to their server, which requires data usage on your end,” VPNConnect privacy pros said.

“Therefore, if your cellular data usage seems unusually high, this could indicate that something suspicious is going on with your phone. It is a good idea to keep track of your monthly data use to identify any unexpected spikes.”


Have a Samsung device? Guess what – the company says it’s suffered another user data breach

Samsung reports that it’s suffered another data breach – its second this year and one that exposed the names of customers and their demographic information like birth dates.

On Friday, the company announced that the breach happened in late July when an unauthorized third party acquired information from some of Samsung’s U.S. systems. When the company completed its investigation the first week of August, the probe revealed that personal information of certain customers was affected. 

“We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement,” the company said in its notice to customers about the incident.

Should you be worried?

ConsumerAffairs reached out to Samsung asking how many personal information records were involved but the company didn’t offer an answer in its response. Still, with nearly a billion consumers worldwide using a Samsung phone and another billion with a Samsung TV, the situation could be concerning for a great number of consumers.

MakeUseOf’s David Rutland says that on top of what Samsung “officially” revealed as to what data was exposed, contact details “likely” include home address, phone number, and email. Rutland thinks that it could go even deeper because the additional information Samsung collects during product registration includes gender, geolocation data, Samsung Account profile ID, username, and more.

“Even just your email address can be valuable to criminals,” he said. “Samsung's half-hearted reassurance may console some customers that the criminals aren't using their credit card details to, for instance, buy untraceable cryptocurrency. However, the amount of information which the company admits may have been taken is staggering, and not something so easily passed off as immaterial.”

Steps that should be taken

Some cybersecurity experts warn the world has reached a dangerous crossroads where companies want as much personal data as they can amass and cybercriminals want as much as they can steal. 

In an email to ConsumerAffairs, Scamicide's Steven Weisman says that the lesson every consumer needs to learn is to limit just how much private information they give to companies when they sign up for an account or register a product.

“For example, your doctor doesn't need your Social Security number for his or her records,” Weisman said.  

Until this issue is resolved completely, anyone who has any sort of Samsung device might be wise to freeze their credit at the major credit reporting agencies – Experian, Equifax, and TransUnion. If whoever laid hands on the Samsung data wants to try and leverage someone’s personal information, they’ll be blocked from credit-related records. If freezing your credit report sounds like a hassle, it’s really not. 

“This is offered through all three major credit bureaus and certain software and can conveniently be switched on and off in order to allow approved third-parties to access reports when needed,” Hari Ravichandran, founder and CEO at Aura, an online privacy safety service, told ConsumerAffairs in the recent “Pandemic to Scamdemic” report.

“If you suspect that your personal information has been compromised in a data breach or otherwise, seriously consider freezing your credit in order to prevent bad actors from opening accounts or taking out loans in your name,” Ravichandran said.


Is nothing private anymore? The FTC says apparently not as it sues a data collection company

The Federal Trade Commission (FTC) has served notice that there are limits to how far a person can be tracked. In a new lawsuit against data broker Kochava Inc., the agency claims that Kochava sold geolocation data from “hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.”

And sensitive it is. The FTC said that Kochava’s data has the potential to reveal everything from someone’s visit to reproductive health clinics to places of worship, and even deeply personal facilities like homeless and domestic violence shelters, and addiction recovery locations. 

By selling data that tracks people, the FTC considers that Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. 

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected. 

While Kochava may not be a household name, it’s a considerable force when it comes to data. The company claims it has more than 4,500 “partner integrations” and its clients are a who’s who of consumer-focused companies including Airbnb, Kroger, McDonald’s, Disney, John Hancock, Chick-fil-A, and CBS.

ConsumerAffairs reached out to Kochava, but did not receive an immediate response.

FTC wants this type of collection stopped now

The Kochava lawsuit may be the tip of the iceberg when it comes to data collection. The FTC’s not showing its hand, but it recently went on record as saying that data can be collected on almost everything a consumer touches and every place they go.

“Smartphones, connected cars, wearable fitness trackers, ‘smart home’ products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users,” the agency said. 

“These data points may pose an incalculable risk to personal privacy. Now consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now.”

How people can minimize their exposure to location tracking

Location tracking is important to not just Kochava, but lots of agencies that collect data and then offer it to advertisers and vendors who want to provide a better user experience or feed information that might be of more interest to the user, says Jon Clay, vice president of Threat Intelligence at Trend Micro. 

“While this may be a good thing as it delivers relevant information to the user as they change locations or visit areas where they've never been before, there is a potential for this to be abused by malicious actors,” Clay told ConsumerAffairs. “From scammers to criminals to worse, if this data gets into the wrong hands, these people could target the user.”

Clay says the question of risk comes down to whether the benefits outweigh the potential harm that could occur.

“The FTC suing an organization that sells this data to others is a potential game changer as it should cause other data processors to rethink their business practices and ability to secure their customer data,” he said.

If consumers are lucky, Clay said, they’re likely to see regulations start to be created that help consumers be more in charge of their data instead of “the opposite as it is now.” Until then, what can someone do? Clay offered these suggestions on how people can help manage their data now:

  • Turn off location tracking on your mobile devices. On an iPhone, go to Settings > Privacy, then select Location Services. Select an app, then turn Precise Location on or off. On an Android device, open your phone's Settings app. Under "Personal," tap Location access. At the top of the screen, turn Access to my location on or off.

  • Look to use browsers that don't gather your data or limit what your browser can track

  • Opt out of ad tracking and opt out of ads altogether. Here’s one way to do that.

  • Control what permissions you give apps on your mobile devices. Here’s how to do that on an Android device and how to do it on an Apple device.

  • Install a modern security app that can detect scams or threats in email, texts, and voice. Clay said his company's free Trend Micro Check tool can do that, as well as identify fraud and misinformation.

  • Regularly check your online accounts for suspicious activity


Many Apple devices are vulnerable to hackers, security experts say

While vigilance with cybersecurity is always of the utmost importance for consumers, experts are now urging Apple users to update their devices to run the latest version of the operating systems. This includes iPhone model 6S and later, iPod touch 7th generation, iPad Air 2 and later, iPad 5th generation and later, all of the iPad Pros, and the iPad mini 4 and later. 

The company released security updates for the devices last week after discovering that they may be susceptible to two different security flaws that could be abused by hackers. One vulnerability was in the kernel, which is the core of Apple’s operating systems, and the other was in WebKit, which powers several apps, including Safari.

The biggest risk is a hacker fully invading the device. Security experts explained that because these security flaws are based in the operating systems of the devices, it makes it easy for hackers to access users’ personal data. Additionally, because there are two vulnerabilities, it makes it easier for hackers to bypass different security measures and get into a device. 

Though many Apple devices are set to update automatically, the updates aren’t always completed immediately, and may not begin until a device is plugged in. This makes it all the more important for consumers to check for software updates and manually update their devices to the latest operating software as soon as possible. 

Another Mac security flaw

This news comes on the heels of another recent story about vulnerabilities many Mac users were facing with the Zoom app. 

Patrick Wardle, founder of the nonprofit organization Objective-See, discovered a flaw in Zoom’s automatic update tool that could allow hackers to infiltrate Mac computers. He explained that when this tool runs an update, it looks for a signing certificate – or a unique digital verification code – that matches Zoom. 

Since automatic updates do not require a password to be installed, hackers could create packages that mimic Zoom’s signing certificate to install malicious files or programs onto users’ Macs. This could allow them to completely take over the device to delete files, steal passwords, or alter documents. 

Similar to this most recent notice to update Apple devices, Mac users specifically were encouraged to update Zoom to its most recent version to protect themselves from hackers.


New Zoom bug makes Mac users more vulnerable to hackers

Zoom rapidly gained popularity during the COVID-19 pandemic as more consumers shifted to remote work. However, users have faced several security and privacy issues over the years in connection to the service. Now, one researcher says a new bug is putting Mac users at risk. 

Patrick Wardle, founder of the nonprofit organization Objective-See, stated at a recent DefCon event that a flaw in Zoom’s automatic update tool could allow hackers to infiltrate Mac computers. He explained that when this tool runs an update, it looks for a signing certificate – or a unique digital verification code – that matches Zoom. 

Since automatic updates do not require a password to be installed, Wardle says hackers could create packages that mimic Zoom’s signing certificate to install malicious files or programs onto users’ Macs. This could allow them to completely take over the device to delete files, steal passwords, or alter documents. 

Get the latest version of Zoom

Wardle initially told Zoom about his findings back in December, which prompted the company to create a fix for the issue. Unfortunately, that fix reportedly included a bug that still allowed the automatic updater vulnerability to be effective. 

Following Wardle’s DefCon presentation, Zoom issued a new patch under update 5.11.5 (9788). Mac users should download this update immediately to protect themselves from hackers.


Twitter confirms major hack that exposed personal data on millions of users

Twitter has confirmed that 5.4 million accounts were plundered in a recent data breach, with the hackers hauling away personal data such as physical locations, profile photos, email addresses, and phone numbers associated with those account profiles. 

The hackers are already trying to make money off their theft. Bleeping Computer reports that the data the hackers tapped into is being offered for close to $30,000. Two different threat actors reportedly purchased the data for less than the original selling price, and all that information will likely be released for free in the future.

The attack came about as the result of a zero-day exploit – one that targets a software vulnerability that software vendors or antivirus vendors are not yet aware of when the attack is launched. AndroidPolice reports that the Twitter hackers used a vulnerability that allowed anyone to submit a phone number or email address, check whether it was tied to an active Twitter account, and then obtain that account’s information.

Twitter responds

When it comes to zero-day exploits, Twitter is not alone. Over the last few years, Google, Apple, and Microsoft have all been hit by them. After being fined $150 million for failing to protect consumer data already this year, Twitter is trying its best to get ahead of this situation. The company said it deeply regrets the situation and fully understands the risk this poses to its users.

While the social media company is powerless to fix this current situation, it does have some recommendations that users can use to protect their personal data in the future. The first thing it suggests is making sure a Twitter account does not have a publicly known phone number or email address attached to it.

Even though passwords weren’t stolen, Twitter also strongly suggests enabling two-factor authentication by using authentication apps or hardware security keys. This can help protect a user's account if someone does steal their password.

The company says it’s also offering users access to its Office of Data Protection, where they can inquire about the safety of their account or ask questions about how it protects their personal information. Anyone who is interested in gaining access to that information can contact Twitter through this form.


Lawmakers ask FTC to examine promises made by VPN providers

The safety of Virtual Private Networks (VPN) – which are internet tools that prevent users from being tracked or interfered with – has come under scrutiny from two members of Congress.

In a letter to Federal Trade Commission (FTC) Chair Lina Khan, Congresswoman Anna Eshoo (D-CA) and Senator Ron Wyden (D-OR) are trying to persuade the agency to address deceptive practices in the VPN industry. Specifically, they point to VPN practices related to people attempting to mask their digital fingerprints in the wake of the Supreme Court’s decision to overturn Roe v. Wade.

In their letter, Eshoo and Wyden said some VPN providers are not only making false and misleading claims about their services, but they are also negating their promise of anonymity by selling personal data and providing user activity logs to law enforcement.

Consumers should do their VPN homework

To show that VPN providers are being less-than-honorable in their pitches to consumers, the lawmakers cited a study that found 75% of leading VPN providers misrepresented their products and technology or made exaggerated claims about the protection they provide users.

“It’s extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations,” Eshoo and Wyden wrote. “There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims.”

The lawmakers urge consumers not to jump into a VPN subscription without researching the services first. Reports indicate that two out of three free VPN users have experienced technical issues on their networks. In some cases, VPN providers have claimed that they have a right to share users' data with a wide array of third parties.

“The Password manager privacy policy, as written and provided at install, reads in such a way that no one in their right mind would use Kaspersky software,” Brian of Semans, Saskatchewan, claimed in a ConsumerAffairs review of Kaspersky Anti-Virus. “Their policy states they wish to have the right to share users' private info with anyone including third world countries... This is security?”


Lincoln College forced to permanently shut down following cyberattack

After more than a century and a half, Lincoln College in Illinois is no more. Over the course of its history, it was able to stave off the Great Depression, the Spanish flu, and a couple of World Wars, but the wrath of COVID-19 and a cyberattack that hindered access to all of the college’s data proved to be too much for the predominantly Black college.

“Lincoln College has been serving students from across the globe for more than 157 years,” said David Gerlach, president of Lincoln College. “The loss of history, careers, and a community of students and alumni is immense.”

Gerlach said things were looking good up until 2019, with enrollment at Lincoln at an all-time high. But when the coronavirus hit town, recruitment, fundraising, athletics, and campus life were brought to their knees.

Added to the economic burdens brought about by the pandemic that required significant investments in technology and campus safety measures, many students decided to put college on the back burner. That put an even greater crunch on the school’s finances. Supporters of the school tried their hand at a GoFundMe campaign in hopes of raising $20 million, but the effort barely raised $2,000.

Cyberattack delivers knockout punch

The knockout punch for Lincoln came in the form of a cyberattack from Iran in December 2021, one that held the college’s computer systems hostage and made all systems required for recruitment, retention, and fundraising efforts inoperable.

By the time the school paid the ransom and got everything restored four months later, the recruitment projections showed significant enrollment shortfalls that required a transformational donation or partnership to sustain Lincoln College beyond the current semester.

“The cyberattack was just another kick in the shin,” for the struggling college, Gerlach told Forbes. 

We’re likely to hear about cyberattacks and colleges again. Cybercriminals have come to love targeting colleges and universities because, by and large, they just don’t have the cyber defenses to stave off ransomware attacks. So far this year, North Carolina A&T State University, North Orange County Community College District, the Ohlone Community College District in California, and Midland University in Nebraska have also reported ransomware attacks.

Ransomware attacks like these cost colleges an average of $112,000 in ransom payments. But that ransom payment is just a drop in the bucket compared to the total cost of resolving the attack, which averages about $2.7 million per incident, according to Chester Wisniewski, a principal research scientist at security software and hardware company Sophos.

“The average cost to an organization in the private sector was $1.8 million U.S. dollars after a ransom attack,” Wisniewski told Forbes. “So it was almost a million dollars higher cost for educational institutions to recover versus a normal private sector organization.”


Massive Android hack compromises device cameras and microphones

Android users around the world are facing the threat of being attacked after a security issue was uncovered that leaves a device’s microphone and camera vulnerable to remote access.

Writing about its discovery, Check Point Software Technologies said hackers could leverage the vulnerability to snoop on users' audio/video media and even listen in on phone calls.

The phones that are most prone to danger are ones that have Qualcomm or MediaTek chips. Unfortunately, 98% of Android devices are powered by those two processors, so the impact could be enormous.

Closing the vulnerability

The Check Point researchers stated that they disclosed their findings to both chipmakers, and each company has apparently patched the security issue. However, anyone who has an Android device will need to update their system software to keep their device secure.

Failing to apply the update could be especially dangerous since all it would take is for a hacker to send someone a doctored audio file to compromise their device.

"The...issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file," the researchers explained. "RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.

"In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations."


Google sends out warning to billions of Chrome browser users

The “bigger they are, the harder they fall” axiom couldn’t be more accurate. Google has announced that the 3.2 billion people who use its Chrome browser have been left vulnerable following a series of new hacks aimed at dismantling Chrome. And no one – not Mac users, not PC users, not Linux users – is safe.

Google confirmed the hacks on its company blog, saying that nine of the 11 hacks that were discovered pose a "high level threat." The company said it’s working on a patch to close off the vulnerabilities.

What should Chrome users do?

To guard against the latest hacks, Forbes reports that Google released the Chrome 100.0.4896.88 update. Nonetheless, some patience will evidently be required. Google said the update will not be made available to everyone all at once. Instead, it will "roll out over the coming days/weeks." 

To manually check for the update, click the three dots in the top right corner of the Chrome browser and navigate to Settings > Help > About Google Chrome. An option to update your browser will be there if it is available.

For those who don't want to move away from the Chrome browser, using Enhanced Safe Browsing mode may be a viable option to keep your web surfing more secure.


Security experts encourage two-step authentication for enhanced security

More websites and business organizations are requiring two-step authentication for access as a way to increase security. Security experts say requiring a second step is highly effective at blocking intrusions, just as adding a deadbolt lock to a door is more likely to deter burglars.

Even though hackers have recently set their sights on large organizations, that doesn’t mean consumers are in the clear. Scammers are still looking for ways to take over people’s online accounts.

If your account is only protected by a username and password, you could be vulnerable, says Dominic Chorafakis, a cybersecurity expert at Akouto. Millions of usernames and passwords have been stolen in massive data breaches, so a hacker can easily access the account by purchasing the username and password on the dark web.

‘Something-you-have’

The hacker’s task gets more difficult when the consumer is employing two-factor authentication. Chorafakis calls this the “something you know” authentication method.

“Two-factor authentication requires two different types of information to be used by the authentication process, something-you-know and something-you-have,” Chorafakis told ConsumerAffairs. “The something-you-know factor is usually the familiar username and password combination. The something-you-have factor can be many different things, the most common being your mobile phone.”

After entering the username and password, a one-time code is sent via text to the mobile number registered with the account. Even if a hacker has your username and password, they can’t access the account because they don’t have your smartphone. It’s a way to significantly increase security, but it isn’t foolproof.

“Unfortunately, hackers have found ways around this,” Chorafakis said. “One of the most common techniques is to trick people into installing mobile apps disguised as games that are actually malware able to steal login information including one-time-passwords. If you unknowingly install one of these malicious apps and then use your mobile phone to log into a service, hackers can get all the information they need to take over your account.”

Security keys offer more protection

The point is to be very careful and selective about the apps you install on your smartphone, even if they appear to be legitimate. To add an even higher level of security, some people are using hardware security keys instead of their smartphones. 

“These are physical USB sticks that plug into your computer and act as the second factor of something-you-have,” Chorafakis said. “You can think of them as physical keys that you need to insert into a lock, in addition to providing your username and password, to gain access to your accounts.”

Many large tech companies have made these hardware keys a routine part of security. Chorafakis says companies that have taken this additional step for their employee logins have virtually eliminated account breaches caused by password theft.


Okta suffers data breach affecting thousands of businesses and agencies

Okta, an authentication services provider, announced that it has suffered a data breach. The company told Reuters that hackers have already gone as far as posting screenshots of parts of Okta’s internal company environment.

If the hack is real, the snowball effect could be large. Okta claims to serve more than 15,000 brands by securing their digital interactions with consumers and employees. T-Mobile, Albertsons, FedEx, Sonos, and Nasdaq are all clients of the company – and those companies are potentially loaded with a cornucopia of personal data.

The hackers appear to be from a group called Lapsus$ – the same extortion group that took responsibility for the Samsung Galaxy breach earlier this month. The group claims that it has had “Superuser/Admin” access to Okta’s systems for more than a month; however, the hackers said their focus was “only on Okta customers.”

In a statement, Chris Hollis, a Senior Manager of Security and Crisis Communications at Okta, said the breach might be related to a previous incident in January that the company previously addressed.

"We believe the screenshots shared online are connected to this January event," he said. "Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Putting consumers’ data security on heightened alert

With the possibility of the Russia-Ukraine conflict spilling over into a cyberattack on Americans and U.S. businesses, President Biden is not leaving anything to chance. In a roundtable discussion with CEOs on Monday, he said one of the tools Russia is most likely to use is cyberattacks. 

“The private sector, all of you, largely decides the protections that we will or will not take in order to protect your sources,” the president warned.

“But let me be absolutely clear about something: It’s not just in your interests that are at stake with their potential use of cybersecurity … the national interest is at stake.”

How do consumers protect their data?

Mark Kapczynski of OneRep – a company that assists the public in removing their private data from the web –  says many people use careless internet habits and run the risk of compromising their own privacy.

“Remember that cool site with a giveaway that you gave your personal information to? Well, more than likely they sold it to a larger data aggregator like TransUnion, which pulls in millions of consumer data points and then sells all of our consumer personal information in bulk to these people search sites,” he said.

Kapczynski says consumers should take advantage of different privacy tools to ensure that their personal information stays secure.

“If you are going to share your information online with various sites, use some of the new email and phone number hiding tools within your iPhone, and/or get an email address and phone number that is dedicated only for your online activities and can easily be deleted or discarded. Most importantly, never give out personal data to online sites unless you know them to be trustworthy and respect consumer privacy,” he suggested.


Consumers would be impacted if Russia launches a cyberattack on the U.S., experts say

While Russia and Ukraine are duking it out on the ground, there’s growing concern that Russia might take to the digital sphere to pay back the U.S. for the economic sanctions imposed against it.

Russia has long been associated with trying to cripple the U.S. via cyberattacks. The country is thought to have been associated with the attacks on the world’s largest meat producer JBS and the global supply chain. Just last week, the Senate passed the Strengthening American Cybersecurity Act of 2022 to shore up the U.S.' cybersecurity.

Fearing that Russia-backed hackers might have their sights set on banks, the Financial Crimes Enforcement Network (FinCEN) issued an alert on Monday that advises all financial institutions to be vigilant against potential Russian efforts to evade the U.S.’ expansive sanctions. FinCEN put financial institutions that deal in cryptocurrency on the highest alert because gaining access to cryptocurrencies might be an easy target that could help Russia replenish its coffers after the U.S. placed economic pressure on the country.

Experts weigh in on the overall issue

Watching the Russia-Ukraine conflict unfold on TV is one thing, but if Russia decided to punish the U.S. for its role, what would the stateside effect be? ConsumerAffairs asked Dr. Aaron Brantly, Director of the Tech4Humanity Lab at Virginia Tech, to comment on the situation. 

“I would say that the threat of Russian cyber attacks against US infrastructure is high. But that such attacks have been defined by the administration as an escalatory red-line that could possibly involve the US and by extension NATO into the war in Ukraine,” Brantly told us. “Regarding individual consumer attacks, the current financial constraints on the Russian Federation make such attacks less attractive as the money laundering routes are increasingly closed.”

As for what the FinCEN alert and the American Cybersecurity Act were designed to do, Brantly thinks it’s a good start.

“Each act and move towards more robust cybersecurity is a step in the right direction. Yet any notion that any system or country will be largely invulnerable to cyber-attacks in the future does not pair up with the technical reality of software and hardware development.”

Consumers can protect themselves

How much could a cyberattack against the U.S. impact consumers? Therese Schachner, a cybersecurity consultant at VPNBrains, says the average person would likely feel some of the fallout.

“Organizations providing critical infrastructure are prime targets for cyberattacks since these organizations provide services that are essential for consumers," Schachner told ConsumerAffairs. "When the public loses access to power, healthcare, or other key services due to system outages caused by cyberattacks, massive disruptions are caused in the economy and in consumers' everyday lives.”

She added that government agencies – like the Social Security Administration and the Veterans Administration – are also at risk because they provide key services and have access to confidential information that adversaries can use to gain a political or military advantage.

Schachner says consumers who are concerned about a major cybersecurity incursion can make some proactive efforts that may lessen the impact of an attack if it happens. For one thing, she suggests consumers keep their software up to date with the latest security fixes. 

“Older versions of software often have security vulnerabilities that attackers can leverage as initial entry points to computer systems to damage or disable them or gain access to confidential data,” she said.

“Strong passwords are harder to crack, and two-factor authentication adds an extra layer of security into the user authentication process, allowing users to provide additional proof that they are the true owners of their accounts.”

Schachner’s last suggestion to consumers is to keep an eye on their bank and credit card accounts. 

“Monitor accounts for unusual activity, such as suspicious purchases and logins from unrecognized locations and devices, then report and address potentially malicious activity in a timely manner before it escalates into more serious problems,” she suggested.

Dozens of U.S. critical infrastructure organizations breached by ransomware group

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning to organizations that operate in critical infrastructure sectors that there’s a heightened possibility of new ransomware attacks.

In the warning, the agencies state that the Ragnar Locker ransomware group has launched 52 attacks in 2022 that focused on the manufacturing, energy, financial services, government, and information technology sectors.

"Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the agencies said. 

Officials say Ragnar Locker has encrypted files on systems and apps that include Windows software, Mozilla Firefox, Internet Explorer, Recycle Bin, Google software, and Opera software.

FBI seeks help from ransomware victims

The FBI says organizations that are targeted with ransomware by Ragnar Locker should not pay the group's ransom to get their files back.

“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities. Paying the ransom also does not guarantee a victim’s files will be recovered,” the Bureau said. 

Although it believes that companies shouldn't pay ransom demands, FBI officials admit that some businesses may need to pay a ransom if they cannot function without certain files. They say company executives should evaluate all options to protect their shareholders, employees, and customers. 

“Regardless of whether you or your organization decides to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks,” the agency stated.

Samsung reports major hack of Galaxy phones

Samsung has announced that a data extortion gang named Lapsus$ has breached the company’s internal data and stolen confidential source code related to its Galaxy-branded devices (smartphones, tablets, smartwatches, etc.). The company did not disclose exactly what information was hacked, but it did note that it does not foresee any impact on its end-user products or private customer data.

Lapsus$ is certainly making the rounds. It recently released what it claimed to be data and employee passwords stolen from Nvidia, a company that designs graphics processing units (GPUs) for the gaming and professional markets. BleepingComputer reports that it is unclear if Lapsus$ contacted Samsung for a ransom, as it claimed in the case of Nvidia. 

“We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” a Samsung spokesperson told CNBC.

“According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees.”

This is just the latest setback that Samsung has faced in recent weeks. Last week, Samsung made the news when phone owners reportedly experienced a slowdown of more than 10,000 apps.

Senate passes bill to require reporting of cyberattacks and ransomware

The U.S. Senate has taken a proactive approach to combat possible cybersecurity threats in the face of the Russia-Ukraine situation.

In a package authored by U.S. Senator Gary Peters (D-MI), the Senate has passed the Strengthening American Cybersecurity Act of 2022. The legislation would require infrastructure entities and federal agencies to report cyberattacks to the government within 72 hours; ransomware threats would also need to be reported within 24 hours. The bill awaits passage in the House of Representatives.

“The legislation is urgently needed in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine,” Peters stated.

“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government. As we have seen repeatedly, these online attacks can significantly disrupt our economy – including by driving up the price of gasoline and threatening our most essential supply chains – as well as the safety and security of our communities.”

Guaranteeing online security in the U.S.

Peters said he will continue his efforts to make the bill a law. He's urging his colleagues in the House to “urgently” pass the legislation to ensure that the nation's online security is kept safe.

Danielle Jablanski, an operational technology cybersecurity strategist at Nozomi Networks, told CNN that the reporting deadlines written into the legislation may be difficult for some companies to handle because information sharing may not be the top priority in a crisis.

Tight or not, the potential consumer impact could be monumental, as the U.S. found out when the Colonial pipeline was hacked. The breach led to increased gas prices and gas shortages. Meat producer JBS was also hit by a cyberattack that prompted shutdowns at company plants and threatened meat supplies all across the nation.

Stolen T-Mobile data found for sale on the dark web

Florida Attorney General Ashley Moody says her office has learned that personal information stolen during last year’s T-Mobile data breach has begun showing up for sale on the dark web.

Hackers stole the data last August, obtaining consumers’ names, dates of birth, Social Security numbers, and driver’s license information. It’s estimated that the thieves hauled in personal information on as many as 53 million people.

“It is extremely important that consumers who had their personal information exposed during last year’s T-Mobile data breach take immediate action to secure and protect their identities,” Moody said. “A large subset of the information is being sold on the dark web, increasing the likelihood that the data breach victims could have their identities stolen and personal finances compromised.”

Credit monitoring

Some affected consumers have obtained the services of one of the credit monitoring companies to alert them to fraudulent activity.

Paul, of Reynoldsburg, Ohio, opened an account with Identity Guard and was initially unimpressed with the company's service. However, he improved his rating for the company after a representative reached out and offered to provide personal assistance.

"We appreciate the feedback as we always make sure to review and research all issues and concerns. We will have a specialist from our Alerts and Restoration department reach out to you to obtain more details and to offer assistance," the company told Paul.

Unfortunately, that kind of turnaround doesn't happen for everyone. Richard, of Boulder, Colo., signed up with AllClear ID and hasn’t found that service to be that useful, even though the company informs him when his data is found on the dark web.

“They'll also say ‘password found,’ but ‘For your security, we do not display your password in an effort to stop further exposure.’ Because there's not even a hint of which password it was, and there's also not an indication of which site(s) it was associated with, there is literally nothing to do with this notification except feel bad -- unless you want to change your passwords across every single site you use,” Richard wrote.

Actually, security experts say that isn’t a bad idea. They say all passwords should be changed on a regular basis.

Credit Freeze offers the best protection

Moody says there are other proactive steps consumers can take to protect their identities. She suggests placing a credit freeze on credit reports. That will block identity thieves from opening credit accounts in the victim’s name.

To place a credit freeze, consumers must contact each of the three credit bureaus to request it. Here’s the contact information:

Equifax: Visit: Equifax.com/Personal/Credit-Report-Services/Credit-Freeze/ or call 1(888) 766-0008.

Experian: Visit: Experian.com/Freeze/Center or call 1(888) 397-3742.

TransUnion: Visit: TransUnion.com/Credit-Freeze or call 1(800) 680-7289.

A less extreme step is to place a “fraud alert” on all three credit reports. A fraud alert tells lenders and creditors to take extra steps to verify a consumer’s identity before issuing credit. Fraud alerts can be placed by contacting any one of the three major credit bureaus.

Toyota suspends all factory operations in Japan after suspected cyberattack

A suspected cyberattack hit one of Toyota’s suppliers of electronic components and plastic parts at one of its plants in Japan, wiping out 13,000 cars' worth of output. The automaker said it is suspending all Japanese operations until the company has an opportunity to investigate the situation and restore factory operations to normal.

CNBC reports that it’s unknown who was responsible for the attack or what their reason was, but NikkeiAsia reports that malware was involved. Russia has been implicated due to Japan joining Western allies and blocking Russian banks’ access to the SWIFT international payment network in response to Russia’s invasion of Ukraine.

Fumio Kishida, Japan’s Prime Minister, said the government would launch a probe into the incident to determine whether Russia was involved or not.

“It is difficult to say whether this has anything to do with Russia before making thorough checks,” he told reporters. As for Toyota’s official stance on the matter, a spokesperson for the company described it as a “supplier system failure.” 

The effect on production

All told, 28 lines at 14 Toyota plants – plus some plants operated by Toyota’s affiliates Hino Motors and Daihatsu – were shut down because of the incident.

Toyota has not said exactly how long the shutdown will last, but the spokesperson said it will last for more than a day.

Toyota has experienced cyberattacks in the past in Japan and Australia. This time around, though, the company also has to contend with supply chain issues that have been exacerbated by the pandemic. Those conditions were made worse when protesters prevented trucks from passing through U.S.-Canadian borders to deliver parts to North American Toyota factories.

Telecoms ask FCC for $5.6 billion to replace ZTE and Huawei equipment

Several U.S. telecoms are asking the Federal Communications Commission (FCC) to pay them $5.6 billion for “reasonable expenses” they incurred after removing ZTE and Huawei from their networks.

Previously, officials designated Huawei and ZTE as “national security threats” and voted in concert to ban U.S. carriers from offering service from either company and demanded that their equipment be replaced. The FCC originally thought it would cost carriers more than $1.8 billion to satisfy the order, so it set aside $1.9 billion. However, the telecom companies say that number only covers about a quarter of what they need.

“Last year Congress created a first-of-its-kind program for the FCC to reimburse service providers for their efforts to increase the security of our nation's communications networks,” said FCC Chairwoman Jessica Rosenworcel.  

“We’ve received over 181 applications from carriers who have developed plans to remove and replace equipment in their networks that pose a national security threat. While we have more work to do to review these applications, I look forward to working with Congress to ensure that there is enough funding available for this program to advance Congress’s security goals and ensure that the U.S. will continue to lead the way on 5G security.”

Consumers beware

Since the FCC has banned ZTE and Huawei, people who own one of those brands' devices would be smart to start shopping for a replacement.

Raymond, from Danville, Penn., told ConsumerAffairs that he recently purchased a ZTE device and had trouble activating it. Eventually, he took it to a Verizon store for assistance.

"The person there attempted to activate it took my prepaid card and after 45 minutes told me he could not activate it and handed it back to me. I tried returning it without luck," Raymond wrote in a ConsumerAffairs review. "I'm out over 100 dollars and still have nothing."

Venmo and other financial app users to get $58 million in settlement

If you’re one of the tens of millions of consumers who use Venmo, American Express, Robinhood, Ally Financial, Capital One, Citi, Rocket Loans, TD Ameritrade, or Wells Fargo apps to make banking transactions, you may be in for a pleasant surprise.

Plaid – a California-based data transfer network that powers fintech and digital finance products – will be paying $58 million to users to settle charges that it took more financial data than was needed by a user’s app. 

On top of getting more personal financial data than necessary, the company is alleged to have obtained log-in credentials through the app’s “Plaid Link” interface. Regulators say the interface mimicked the look and feel of users' own bank account login screen, leading people to believe that the data they were sharing was really with the bank and not a third-party source. The plaintiffs in the class action suit alleged that Plaid then used that information to access and sell transaction histories. 

Major settlement in the fintech market

Consumers flocked to digital banking during the pandemic, and federal regulators started raising concerns. Early last year, the Justice Department stepped in to oppose Visa's efforts to acquire Plaid, saying that the deal was anti-competitive. This latest settlement could be monumentally important when it comes to policing the fintech market.

"This is a major settlement in the fintech privacy area, as the collection and use of consumer data has become more scrutinized in the past few years, especially amidst the wave of fintech and money transfer apps that have become popular with consumers," said attorney Jeffrey D. Neuburger, co-head of Proskauer’s Technology, Media & Telecommunications Group. 

Plaid might be out $58 million, but it’s remaining steadfast about its innocence. 

“We don’t share your personal information without your permission,” the company stated on its website. It also denies any wrongdoing and claims that it adequately disclosed and maintained transparency about its practices to consumers.

This is real, not a hoax

Snopes reports that earlier this month, Google users went on the hunt to find out if an email for Plaid’s class action settlement was a “scam or legit,” as people frequently do after receiving such notices. But this is real, and consumers have already started to receive a Notice of Settlement either by postal mail or email.

However, anyone who's due some money as part of this settlement might want to hold off on making any big plans with their check. The suit likely includes "tens of millions" of plaintiffs, so the payouts may not wind up being that big. 

Nonetheless, if you want to find out if you're eligible for some part of the settlement money, the settlement website has a complete searchable list of the companies linked to the Plaid app. You can also call the settlement administrator toll-free at 855-645-1115 to find out whether or not you are a class member.

Anyone who feels their data was misappropriated by Plaid has until April 28, 2022, to file a claim. Full settlement details and the consumer’s legal rights are available here.

Major cryptocurrency exchange suffers multi-million dollar hack

Crypto.com – a cryptocurrency exchange app company – says it was the victim of a hack totaling $15 million in stolen funds.

In a statement, a Crypto spokesperson told ConsumerAffairs that the incident affected 483 customers and that the company prevented unauthorized withdrawals in the majority of cases. In all other cases, customers were fully reimbursed.

Breaking those 483 instances down into values, the company said the unsanctioned withdrawals totaled 4,836.26 ether, 443.93 bitcoins (BTC), and approximately $66,200 in other currencies.

To ensure a hack like this doesn’t affect users the next time one happens, the company said it has “hardened” its security systems and is introducing a program to offer additional protection and security for up to $250,000 in funds held in the Crypto.com app and exchange.

The company appears to be in solid enough financial shape to withstand the losses claimed by the hack. Crypto.com CEO Kris Marszalek recently told Fortune that the company's revenue surged 2,000% in the last 12 months. 

Security firm says not all funds are safe

Peckshield, a China-based blockchain security firm, questioned Crypto.com’s stance that only $66,000 USD was stolen, claiming that its analysis shows that the unauthorized withdrawals amounted to $33 million.

"I’m sorry, but all funds are not safe. I had BTC withdrawn from my account that I did not authorize," tweeted J8Arnold, one of Crypto’s customers. "These funds have yet to be returned to me… I have always had passcode & 2FA [two-factor authentication, a method for protecting identity theft] enabled. I have reached out to Customer Support using every channel possible with no response."

ConsumerAffairs asked Crypto to speak directly to Peckshield’s claims, but the company has not yet replied.

Shaky ground?

While protections are improving for cryptocurrency investors, the digital money world is still in its "Wild West" phase and is not yet completely under the same regulations that the Securities and Exchange Commission (SEC) requires other trading sectors to follow. That allows some wiggle room for hackers to continue trying to break into cryptocurrency exchanges whenever they can, forcing many investors into "buyer beware" mode.

Roger Aliaga-Díaz, Vanguard America’s Chief Economist, cautions investors that while cryptocurrency may seem attractive, it’s no substitute for stocks and bonds.

"The biggest risk for all investors would be to assume that demand growth will continue just because their prices have recently gone up," he said. "That's speculation, not investment."

Goodwill suffers another customer data hack

Goodwill has reportedly become the victim of a data breach that is directly impacting the users of its ShopGoodwill.com e-commerce platform. 

TechRadar reports that hackers made their way into the company’s platform via an exploitable vulnerability that allowed them access to customer names, phone numbers, email addresses, and postal addresses. The larger unanswered question is how many customers the breach actually affected. 

Goodwill responds

Goodwill stated that it patched the vulnerability that led to the exposure. In a letter sent to customers affected by the hack, company Vice President Ryan Smith said the silver lining in this attack is that no customer financial data was stolen. 

"We were recently alerted to an issue on our website which resulted in the exposure of some of your personal contact information to an unauthorized third party,” Smith said. “No payment card information was exposed; ShopGoodwill does not store payment card information. While the third party accessed buyer contact information, they did not access your ShopGoodwill account."

Still, this is not a good look for the donation-driven company. In 2014, an estimated 868,000 credit and debit cards were compromised when the company’s computer network was infected with malware that gave hackers access to customer credit card data. 

Stolen data could lead to more trouble

Although financial information wasn't included in this hack, the information that was stolen could still lead to future problems for consumers.

Hackers have been known to use stolen personal information for identity theft, which was on the rise in 2021. They could also combine the information with stolen passwords from other hacks in password spraying attacks to compromise other important accounts. 

For more information on identity theft trends and statistics, check out ConsumerAffairs' guide here.

Health care system hack exposes private details of 1.3 million customers

A hack of one of the largest health care systems in the U.S. has compromised the personal and private data of more than a million people.

A recent filing showed that 1,357,879 people were impacted by the breach in October 2021. In a letter to customers, Broward Health stated that the stolen information may have included names, dates of birth, addresses, phone numbers, financial or bank account information, Social Security numbers, insurance information, driver’s license numbers, email addresses, and various medical information.

Ransomware is the new hot hospital hack

In ConsumerAffairs' review of identity theft in 2021, Rob Douglas – a leading authority on cybersecurity – said the pandemic helped create an “easier and more lucrative path” for attackers to launch ransomware.

Mandiant, an enterprise-scale threat intelligence company, agrees. In its tracking of foreign hackers, it stated that a group dubbed FIN12 has taken a shine to companies that provide critical care functions. The company said nearly 20% of FIN12 victims were in the health care industry and were warned that they were more likely to be targeted during the COVID-19 pandemic.

Mandiant says the hackers are primarily focused on finding financial data, particularly annual income, because of the perception that it justifies proportionally large ransom demands.

Customers urged to take preventive action

In response to the incident, Broward Health said it is taking steps to prevent similar incidents from happening down the line, including adding password resets and multifactor authentication for all users of its systems.

While that may help going forward, Broward customers have a lot to do on their end to protect any of their personal information that may have been hacked. The company suggests that its customers do the following:

  • Regularly review the explanation of benefits statements that you receive from your health plan. Broward asks that if anyone sees a service that they did not receive, to contact the health plan at the number on the statement.

  • Monitor your financial accounts. If you see any unauthorized activity, promptly contact your financial institution. Broward stated that it would be a good idea to also take a look at your credit report for any discrepancies.