Privacy Concerns and Violations

While artificial intelligence (AI) has made it easy for consumers to find recipes, write thank-you cards, or even do homework assignments, some chatbots have been designed for people to build relationships. 

These sites serve as a platform for consumers to build any kind of relationship – platonic, romantic, professional, etc. – with a chatbot. 

Though it may seem harmless at the outset to have an outlet to vent or share things, Mozilla’s *Privacy Not Included guide has done some deep diving, discovering that these platforms can actually be dangerous when it comes to consumers’ privacy and safety. 

The company analyzed data from 11 of the most popular relationship chatbots and determined that none provided adequate levels of privacy, security, and safety for users. 

“Today, we’re in the wild west of AI relationship chatbots,” said Jen Caltrider, director of *Privacy Not Included. “Their growth is exploding and the amount of personal information they need to pull from you to build romances, friendships, and sexy interactions is enormous. 

“And yet, we have little insight into how these AI relationship models work. Users have almost zero control over them. And the app developers behind them can’t even build a website or draft a comprehensive privacy policy. That tells us they don’t put much emphasis on protecting and respecting their users’ privacy. This is creepy on a new AI-charged scale.” 

Privacy and security are at risk

The data from this analysis will be in *Privacy Not Included’s 2024 Valentine’s Day buyer’s guide. The goal is to help open consumers’ eyes to the security and privacy risks that come with utilizing these services. 

For starters, Mozilla identified over 24,000 data trackers after using the Romantic AI app for just one minute. Once the app collects users’ data, they can share it with marketing companies, advertisers, social media platforms, and more. 

Another security flaw that Mozilla discovered: 10 of the 11 chatbots didn’t require users to make strong passwords. This makes users’ accounts even easier for hackers or scammers. 

It’s also important to note that consumers have no control over how their data or personal information is used by these platforms. This opens the door for these chatbots to utilize and manipulate users’ personal information as they please, which comes with several privacy and security risks. 

“One of the scariest things about the AI relationship chatbot is the potential for manipulation of their users, “Caltrider said. “What is to stop bad actors from creating chatbots designed to get to know their soulmates and then using that relationship to manipulate those people to do terrible things, embrace frightening ideologies, or harm themselves or others? This is why we desperately need more transparency and user control in these AI apps.” 

In its yearly review of the identity landscape, the Identity Theft Resource Center (ITRC) suggests that, as others have hinted at, the walls really are crumbling when it comes to your identity’s safety.

As this reporter experienced, last summer, the possibility that your Personal Identity Information (PII) will wind up on the dark web is a Vegas-worthy, bet-the-house possibility.

Last year witnessed a record-breaking spike in data breaches, marking a worrying trend for cybersecurity. The ITRC’s tracking saw a 78% increase in 2023 compared to 2022.

However, a disturbing trend emerged: more than 1,400 public breach notices lacked crucial information about how the attack happened, representing a significant drop from the 100% transparency rate seen just five years ago. How did that Comcast hack happen? Who knows? The one involving T-Mobile? Your guess is as good as ours.

Companies are embarrassed by these thefts

The report suggests that even though nearly 11% of publicly traded companies faced compromises in 2023 — a worrying statistic on its own – transparency remained elusive.

Companies withheld attack details in 47% of cases compared to 46% for other organizations. This lack of openness makes it difficult to assess threats and hold entities accountable. 

It’s also a reputational concern. Case-in-point is Norton Healthcare, which waited nearly six months before admitting to its patients that it had been the victim of a cyberattack.

Even though the company said that information that may have been impacted included names, contact information, Social Security numbers, birth dates, health information, insurance information, medical identification numbers, driver's license numbers or other government IDs, financial account numbers, and digital signatures, it opted to couch its breach to its customers as “We regret any inconvenience this incident may cause you.”

One reason why 2024 will be worse

The snowball effect of this is that more and more of us will see our PII on sale to anyone who wants to buy it. 

It’s a safe bet, too, that Generative AI will also contribute to a rise in the sophistication of phishing attacks and other forms of identity fraud and scams using personal information stolen in data breaches, Eva Velasquez, executive director of ITRC, said.

While other "techsperts" think that AI will enable cybercrooks to leverage a person’s data in ways like voice cloning or deep fake videos, Velasquez thinks the opposite. That the sheer volume of personal data available via the dark web, coupled with the ability of hackers to employ AI to send out phishing emails and texts, is a much larger issue.

And, if 2024 repeats what the ITRC saw in 2023, consumers need to pay extra attention to four categories: healthcare, financial services, transportation, and utility companies – which, despite having fewer breaches – topped the list for estimated victims in 2023.

“Therefore, the probability of being hacked is unpredictable but on the rise unless you take measures to protect yourself,” suggests Miklos Zoltan, founder & CEO Privacy Affairs, a company that monitors personal data available on the dark web.

“By adopting a few straightforward rules and habits, you can make it more difficult for hackers to access your data and remove yourself from their line of sight.”

Telling the real from the fake

While AI can create convincing messages, there’s one way you can figure out which are real and which are not – one that seldom gets mentioned: take a quick look at the “who” and “what.”

Let’s look at the email below that a member of the ConsumerAffairs team received.

The email says:

1. It’s from “T-Mobile,” yet the “via” says it’s from “susd12.org” which happens to be the Sunnyside School District in Arizona. Not exactly “T-Mobile,” is it?

2. There's an attachment – a document that says “Translate to English.” Ask yourself why.

3. When you click on the triangle next to your name (“me”), it brings up the full details of the sender. The “reply to” doesn’t go to “T-Mobile” or the Sunnyside Schools, but rather to a website in Russia. A real T-Mobile email would come from a .com in the U.S.

As John Fahd, founder and CEO of ITegrators, explained, “If a scam email needs a reply from you, you'll see that the ‘Reply To’ field has a different email address than the one that actually sent you the email.”

“Scammers use this technique to get replies by enticing you to read and respond to the emails they send using the names of reputed brands, companies, governmental organizations, and so on.”

And you can’t beat common sense either. Ask “why” T-Mobile is sending you an invoice when you’re actually an AT&T customer. If a truly legit company really needs to get in touch with you and you don’t respond, trust us, they’ll find a way, probably by sending you a letter with a real request and a real phone number to contact. 

The Federal Trade Commission (FTC) has issued a five-year ban on facial recognition technology to Rite Aid after the store mishandled its uses for over a decade. 

While the surveillance technology was implemented in Rite Aid stores for safety reasons, the agency found that Rite Aid was using it in ways that are harmful to consumers, including falsely accusing customers of shoplifting. According to the FTC’s complaint, women and people of color were primarily targeted for shoplifting. 

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations puts consumers’ sensitive information at risk,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. 

“Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”  

Shoppers were profiled

Rite Aid had been using the facial recognition technology in its stores from 2010 through 2020, and it was originally implemented to help stores identify potential shoplifters or other problematic behaviors. 

The FTC learned that not only did Rite Aid not disclose to shoppers that they were being surveilled, but employees were also told to keep the surveillance system under wraps. Additionally, there were no systems in place to protect shoppers, which ultimately led to a great deal of chaos and harm for Rite Aid shoppers. 

“Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove customers, and publicly accused them, sometimes in front of friends or family, of shoplifting or other wrongdoing, according to the complaint,” the FTC wrote. “In addition, the FTC says Rite Aid’s actions disproportionately impacted people of color.” 

In one such instance, an 11-year-old girl was falsely accused of shoplifting based on images that had been generated from the facial recognition system. 

Rite Aid had contracted with two companies that created a database of people that were believed to be shoplifters or a general harm to the store. The database ended up being full of inaccurate information, low-quality images, and customers’ personal information. 

Protecting consumers moving forward

In addition to the five-year ban, the FTC has also required Rite Aid take further action to protect consumers. 

The company has been mandated to delete all pictures and videos that have been collected while this technology was implemented, and ensure all third-party entities do the same. In addition, should this technology be utilized again after five years, Rite Aid is required to clearly display notices in their stores, implement a data security system, and delete any data within five years. 

"Rite Aid’s mission has always been and will continue to be to safely and conveniently serve the communities in which we operate,” the company said in a statement. “The safety of our associates and customers is paramount. As part of the agreement with the FTC, we will continue to enhance and formalize the practices and policies of our comprehensive and information security program.” 

Since there are so many connected products on the market today, consumers have a difficult time distinguishing those that take care of their personal data from those that don't.

And, if you’re a parent and not as careful as you should be, tech gifts could be roasting on an open fire of your child’s privacy this year. 

The new Mozilla *Privacy Not Included holiday buyers’ guide shows that there’s a sleighful of children’s connected toys and apps that collect and repurpose hoards of data, and compared to adult-connected tech, many of the kids’ tech products are actually worse in the data leakage department. 

Mozilla researchers pointed to Embodied Inc’s Black Mirror-esque AI Moxie Robot as a prime example. They found that the toy records and shares its “conversations” with kids with Google and ChatGPT-maker OpenAI. But, in their opinion, Embodied Inc’s – and others’ – privacy policies are also getting more opaque and dishonest. 

“Embodied Inc’s privacy policy tells parents to teach their kids not to share personal information with their Moxie learning robot — yet the product’s marketing simultaneously encourages kids to hone skills like emotional regulation and self-confidence,” Mozilla said. 

“Other companies also often market smartwatches to parents of children too young for first phones. Researchers found many privacy concerns here, including one, the Angel Watch for Kids, that doesn't even seem to have a privacy policy that covers the smartwatch or app at all.”

But, what chapped the researchers even more was that many companies they previously rated positively — including Bose, Eufy, and Sonos — seemed to fall shot in the privacy department and earned new privacy warning labels this year.

Plus, companies like Amazon, Samsung, Wyze and Microsoft Xbox which had already earned warning labels, got even worse on data collection, use, sharing and security. 

“Wyze had serious security vulnerabilities that it was slow to respond to over the past couple of years, and Bose now says it can possibly sell data on users’ head movements while using headphones,” the researchers noted, adding that federal charges and fines against Amazon and Microsoft have confirmed their suspicions about those products’ privacy infringements, particularly when it comes to children’s uses. 

Who made the list – both naughty and nice?

The 2023 holiday edition of *Privacy Not Included reviews over 150 popular tech products across six categories, including Smart Home, Toys & Games and Wearables.

The list of reviews is quite a lineup, too: Microsoft Xbox, Sonos, Garmin Fitness Trackers, Apple Watches, Fitbit, Peloton Bikes, Amazon Ring, iRobot vacuums, Tile Trackers, Bose headphones, and the Tamagotchi Uni.

Mozilla researchers said they invested an average of eight hours researching every product in their guide, going as far as scouring companies’ track records, pouring over privacy policies and regulatory filings, and contacting each company looking for answers as to why some of what they found was going on.

The researchers said that there are some trustworthy products – some. And also acknowledged that some good products got even better.

An example the researchers shared was Garmin, the maker of GPS navigators and smartwatches. After *Privacy Not Included alerted the company last year that it had not made certain that all users had the equal right to delete their personal/private data, Garmin amended its privacy policy to explicitly state that all users have the same data deletion rights.

Researchers were also pleased with the virtual pet Tamagotchi Uni, which earned a big thumbs-up for not collecting much personal information at all — as good as good can get when it comes to ensuring privacy. 

Says Jen Caltrider, lead researcher for *Privacy Not Included: “The privacy and security of our favorite apps and gadgets has gotten worse across the board, but especially among children’s products. The companies that are good at privacy do it by not collecting any data in the first place. Alexa, did you catch that?

“All in all, if you're looking to give gifts that protect and respect the privacy of your loved ones this holiday season, maybe stick to good old-fashioned books.” 

It’s natural for a credit card company to know where you shop, how much you spend, and on what days. But, then, if it turns around and sells that information to any company that wants to buy it, some might say that may be going a little too far. 

According to an investigation from US PIRG, Mastercard has increasingly monetized an “immense” amount of transaction data that it has access to over the past several years – enabling companies to improve marketing that can predict your buying behavior prospect for new high-spending customers. 

“It’s like if you hired a babysitter and while watching your kids, they took photos of everything in your house to sell online later,” said R.J. Cross, director of PIRG’s Don’t Sell My Data campaign. 

And, Cross told ConsumerAffairs this isn’t just your straightforward “Mastercard” that’s branded as their own, but also includes other partner-branded “Mastercard" -- like the ones that airlines offer, for example.

Run, but you can’t hide

To show some examples, PIRG pointed ConsumerAffairs to Mastercard’s listing on Amazon Web Services Data Exchange, where we found trough after trough of data that companies can access address listings for:

• Online Food & Meal Delivery – Frequent Buyers

• Online Shoppers – High Spenders

• Likely to Be a Small Business – In Market

• Luxury Retailers – High Spenders

• Fast Fashion Apparel Buyers – High Spenders

• Big Ticket Shoppers (Online) – Frequent Buyers

• Affluent Shoppers

• Brick and Mortar Shoppers

• Luxury Travelers & Tourists

As well as “built-to-order audiences” that a client can spec out to work with their own marketing strategies. Those specs can include an advertiser's choice of: 

• Transactions (e.g., amount, frequency, offline vs. online)

• Date and Time (e.g., date range, time of day, weekend vs. weekday)

• Geography (e.g., country, state/province, DMA, city, region)

• Industry / Merchants (e.g., Merchant Category Codes (MCCs), custom aggregate set of industry merchants)

“Mastercard creates categories of consumers based on this transaction history, like identifying ‘high spenders’ on fast fashion or ‘frequent buyers' of big-ticket items online, and sells these groupings, called ‘audiences,’ to other entities," the report said.

These groups can be targeted at the micro-geographic level, and even be based on AI-driven scores Mastercard assigns to consumers predicting how likely they are to spend money in certain ways within the next three months.”

But Mastercard isn’t alone

PIRG’s Cross were quick to point out that Mastercard is not the lone wolf in spinning data accumulation into gold. 

“Nor is it necessarily the worst actor," she told ConsumerAffairs. “But in its position as a global payments technology company, Mastercard has access to enormous amounts of information derived from the financial lives of millions, and its monetization strategies tell a broader story of the data economy that’s gone too far.”

Who else is in on this? PIRG said lots of companies – almost every company that can collect and sell data is in the business.

“The big tech companies are the worst offenders, like Meta and Amazon. But also see Mozilla Foundation's report earlier this month that most car companies sell data they collect about consumers – particularly Ford and Toyota. Another report from 2021 found Uber Eats and Grubhub are big sellers, too," Cross noted.

"And the telephone companies, too! T-Mobile in particular has gotten big in this world in the last couple of years."

Does this mean you should cancel your Mastercard credit card?

Now that you know what PIRG found, how far should you go in protecting yourself?

“It's hard to escape credit card companies monetizing your data without your knowledge. Canceling is likely unrealistic for many people,” a spokesperson for PIRG told ConsumerAffairs.

“Right now the best option is to take advantage of the options the payment networks do offer.”

PIRG offers a complete "tips guide" for the Mastercard issue, but here are the highlights:

• Filling out this form on Mastercard’s website to opt-out of analytics, which will cut down on your data being used for extra purposes.

• Sign up for its data portal to request it delete your data.

• If you're a California or Virginia resident, take advantage of your consumer rights, thanks to state consumer privacy laws. 

• Use this form to delete the data Mastercard uses in its "identity graph" product, which gathers even more personal info. Residents of other states cannot opt out of this program at the time.

How much do you trust the Meta family of fine apps? The company certainly has had a rough few years, starting with the Cambridge Analytica faux pax, but now there may be a new verse in the book of "Instagram" in its privacy bible: “We giveth and we taketh away.” 

Lia Habereman, who teaches Social and Influencer Marketing at UCLA, picked up the scent of that addition and posted it on X (formerly known as Twitter), saying that the addition of a “Close Friends'' option could be coming to Instagram. 

“This would be one way to get people off Stories and out of DMs — create a Close Friends feed experience,”  she wrote. One that would likely allow Instagram’ers to only show certain posts to those a person deems close and trustworthy as opposed to posting to their “regular/normal” profile for the world to see.

Andrew Hutchinson, content and social media manager, at SocialMediaToday, likes where this is going. He thinks this new option is a smart move that matches up with how many people are using Instagram these days. 

“Sharing posts with close friends only is another step along this path, which could help users feel more comfortable about sharing more often if they know that only a few trusted people will see that update,” Hutchinson said.

“It’s not a major change, and functionally, it’s not a big shift either. But it would provide another option to facilitate more enclosed group discussion, which could help IG lean into the latest behavioral trends.”

The whole family is in on the dance, it appears

One might think that if Meta’s new Twitter (er, X) killer “Threads” is an official part of Instagram, there would be some privacy-forward movement there, too. But no such luck according to a new study by HomeSecurityHeroes – one that claims Threads is the “worst social media platform for protecting user privacy,” collecting 50% more personal data than X.

In fact, Meta’s entire family – Instagram, Threads, Facebook, and Messenger – is extremely notorious for collecting the most user data for advertising and marketing purposes. As a unit, they track an astonishing 86% of personal information.

So, should you move to X?

If you want a social media app that’s part of the elite, then your best bet was X. The survey said X only collects 50% of available data, but that was then and this is now and “now” means X’s new sheriff – Elon Musk – is changing things up in regards to privacy.

Mashable’s research team recently went over the company’s new Privacy Policy word by word and their takeaway was this: “There are some interesting bits, and some slightly worrying bits, though deciphering what exactly they mean is not entirely straightforward.”

Compared to Twitter’s old privacy policy, X is now collecting some new types of data, including employment history, educational history, and biometric data. “The company also plans to use that data in new ways, most importantly to train AI,” said Mashable’s Caitlin Welsh and Stan Schroeder. “Have this in mind before you hand over your data to X.”

If the Eighties were part of your life, you saw this coming. Not the polyester, tight, v-neck shirts, but a foretelling of where we’ve come to communicating with each other. “It’s so funny – we don’t talk anymore.” Thanks, Cliff Richard.

Technology has pretty much ruined interpersonal communication. We can’t communicate with most of the people in our lives these days without it.

E-mail was our first crutch. Then, texting. Now, a new trend that’s on the rise when talking to loved ones is voice notes. It’s a big rise, too – WhatsApp said last year that over 7 billion voice messages were sent via its app.

To find out why, Preply surveyed Americans to get their reasons. The top finding is that a majority – two in every three – send voice notes. 

“Americans say voice notes are convenient while they are on the go” Melissa Stephenson, media relations associate with North Star Inbound told ConsumerAffairs. “The study showed that 44% said they use voice notes while driving and another 44% use them when they are in a hurry, showing an easier way to multitask and communicate.”

The debate continues

Once you get past the convenience aspect, do the upsides of voice notes outweigh the downside? 

“Forty percent of Americans who use voice notes say they are good enough to replace phone calls, and one in four prefer using voice notes to keep in touch with those they don’t see often,"  Stephenson said. "These findings show people are building and keeping personal connections with voice notes.”

Other research shows that voice notes allow people to have more expressive conversations than texting or an emoji provides. 

The hellish side

Still, people are divided on voice notes. Some think voice note’rs are poison. Others are worried about their confidentiality.

“While people are sending and receiving voice notes, one aspect has them worried. Forty-one percent of Americans say they think it’s easier to eavesdrop on voice notes, putting privacy at risk. Using headphones or waiting to listen to a voice note while in private may help with this issue,” Stephenson said.”

“Another downside of voice notes is the effort they take. Forty-eight percent believe voice notes require more effort than a traditional typed text and a large majority say that they often need to listen to a voice note more than once to fully understand and respond appropriately, which might explain why they feel extra effort is needed for them.”

Tech experts' two-cents worth

The debate over voice notes gets a little more contentious when you ask tech and privacy professionals. Their sermons include concerns about data being shared with third parties, leading to cyberpiracy and other issues.

As ConsumerAffairs recently found out, a meager three seconds of a person’s voice in the wrong hands could lead to them being hounded for the rest of their lives by AI-using cyber creeps.

When someone uses voice-related information, they cross a line they probably don’t realize they’re crossing: biometric data. Dr. Dani Cherkassky, CEO, Co-founder of Kardome, says that biometric data stored locally on a person’s phone may not pose a risk to user privacy, but that abuses can occur when the tech companies that offer voice recognition devices store this data in the cloud.

Cherkassky reminds consumers that the biometrics-capturing cat is out of the bag. Google and Amazon have caught heat for capturing biometrics, but they aren't the only ones doing it.

There’s no uniformity in how those data collections are regulated, either. Some states have wiretapping laws, some don’t, and the EU takes the subject more seriously than the U.S. does.

Concerned about the danger of biometrics?

Raj Ananthanpillai, founder and CEO of Trua, a company that provides identity protection in digital environments, says anyone who bristles at the thought of their voice recordings coming back to haunt them has all the triggers they need to prevent that from happening.

“Many smartphones and tablets incorporate biometric authentication, such as fingerprint or facial recognition, to unlock the device or authorize transactions,” he told ConsumerAffairs.

He suggests the first thing everyone should do is look at the permissions they’re granting to apps or services that use biometrics on their devices. For example, Apple gives its users all of the keys necessary to do that within their iPhones.

Ananthanpillai’s second ace is to limit data sharing. “Be cautious about sharing biometric data with third-party apps or services and evaluate the trustworthiness of the entities requesting access to biometric information,” he said.

His third? Regularly review permissions. Every time you download or update an app, take a look at what permissions you’re granting for the use of biometrics. If you’re the least bit uncomfortable, one click will revoke access if necessary and remove unnecessary biometric data stored on devices or apps.

The next time you check into a hotel, you might find a cybercriminal hiding under your bed.

Figuratively, of course, but cybersecurity experts say hotels are becoming one of the riskiest places for travelers, and many threats await them right in their rooms. 

"It's crucial to understand that the willingness of cybercriminals to intrude on your privacy or steal your data does not depend on your presence in the office or your holiday plans,”  says NordVPN's cybersecurity expert Adrianus Warmenhoven.

“Hackers can use a hotel's cybersecurity vulnerabilities in several ways to reach you even in your room. So while you’re on vacation and using the internet connection of where you’re staying, you should be cautious and manage cybersecurity risks.”

Wi-Fi’nagling

Warmenhoven says those vulnerabilities start with the hotel’s free Wi-Fi. There are two ways in which hackers can steal travelers' passwords and personal information through a hotel's Wi-Fi.

One is where a guest connects to the hotel's Wi-Fi and malicious malware is downloaded to their device. The second is where hackers create sort of an "evil twin" – a fake, unsecured Wi-Fi hotspot with an unsuspicious name like "Guest Wi-Fi" or "Free Hotel Wi-Fi" – and steal private information that way.

"To avoid being hacked through hotel Wi-Fi, travelers must take a few steps. First, ask the person at the reception desk to give the exact name and password for the provided Wi-Fi to avoid connecting to an ‘evil twin’ network.

"Second, use a VPN service to encrypt your data and prevent third parties from intercepting it. Finally, it is always a good idea to enable a firewall while using public Wi-Fi," Warmenhoven said.

Another Wi-Fi-related issue could come from a guest using their device’s automatic connection function because hotels are frequently surrounded by public and insecure internet connections.

Disabling that option helps to mitigate cybersecurity risks on a trip, but Warmenhoven warns that if a traveler leaves their smartphone in their hotel room with the phone disconnected from Wi-Fi, the connection can automatically be turned on if, by chance, the hotel staff moves it while cleaning a room. 

USB chargers can be trouble, too

Some hotels provide USB charging ports in their rooms for the convenience of their guests, an easy way to charge a device, especially if the traveler is coming from a location with a different kind of plug.

However, cybercriminals may have already beaten the guest to that charging port, installing malware on phones to perform an attack called juice jacking. When this type of attack happens, hackers can steal users' passwords, credit card information, address, name, and all sorts of data. 

"Safe device charging on your way to your vacation spot might be challenging because you must carry a power bank or USB data blocker, but hotel rooms always have a socket. Usually, it's the safest way to charge your devices," says Warmenhoven.

Cyberstalking via smart TVs

The most unique hack these days comes from smart TVs. Depending on a hacker’s aim, they could cyberstalk travelers with built-in microphones or cameras, steal personal credentials used to log in to apps on smart TV and sell them on the dark web.

Experts recommend unplugging the smart TV when not in use. By covering the webcam and avoiding logging in with personal credentials, you can also mitigate cyber risks.

If you’re tired of being tracked, tired of website algorithms feeding you things you don’t have an ounce of interest in, or tired of fighting spam, there is now a browser that fights all those annoyances for everyone.

A year after rolling out its nuisance-fighting browser for Mac users, DuckDuckGo (DDG) has released a version for Windows users.

The company claims its alternative to Google search and Chrome won’t track you for a minute, plus it can block other companies from tracking you, too. “Just a fast, lightweight browser that makes the Internet less creepy and less cluttered,” the company calls it.

DuckDuckGo isn’t exactly a household name, but it has proved to be the little search engine that could. Since it first launched in 2008, its daily searches have moved from the hundreds of thousands to the hundreds of millions.

Is privacy important to you?

Privacy is at the heart of DDG’s browser update, a fact the company’s CEO doesn’t want to be lost on anyone.

“Search alone doesn’t actually solve the privacy harms people are concerned with,” Gabriel Weinberg said. “Like ads following you around, unsettling targeting, or people grabbing up your personal information. Search is part of that, but there are lots of trackers hiding behind websites.” 

That privacy crusade begins with DDG’s Duck Player, a YouTube player that lets you watch YouTube videos without privacy-invading ads and keeps video views from impacting the recommendations pushed your way.‌‌

Another plus is tracker blocking which the company claims goes way past what’s available from Chrome and other browsers. For example, its Tracker Loading Protection is designed to block hidden trackers from companies like Google and Facebook that may be lurking on other websites before they ever get a chance to load. ‌‌‌‌

There’s also…

• Smarter Encryption to guarantee that more of the websites you visit and the links you click on are encrypted and secure – at least relative to other browsers.

• For those who don’t like leaving any trace of where they’ve been on the internet, DuckDuckGo is introducing the Fire Button, which supposedly burns recent browsing data in one click. On the flip side, there’s also a handy “Fireproof” option for any sites you want to stay logged into.

• Another privacy perk is Email Protection, which has the ability to disguise your email address with unique @duck.com email addresses so when you’re signing up for things online, your Gmail or other regular inboxes don’t get spammed with spew.

Users like what they see, but there’s room for improvement

In the reviews ConsumerAffairs saw of DuckDuckGo, it’s hard to find any naysayers. Out of the 1.81M reviews on Google Play Store, the app averages a 4.7-star rating.

The only thing pundits say is a concern is that DDG’s competitors like Microsoft and Google have tied their services tightly to their apps and it’s making it tougher for someone to make the switch. For example, Google Docs is tied to Chrome.

“DuckDuckGo’s hope is that it can get people to do the one download to get into the browser, and then the company can provide all kinds of services,” said The Verge’s David Pierce.

And both Weinberg and the company’s product director, Peter Dolanjski, said Pierce is speaking to the choir when it comes to features. Weinberg cited DuckDuckGo’s email protection as one example. “Ideally, these are features that protect you, that we can also make more visible,” he said.

A fraudster’s best friend may be sitting right on your wrist. Cybercriminals are taking advantage of a new breed of scam via fitness trackers and health apps, according to cybersecurity company NordVPN.

And like many other data thieves, they’re feasting on what consumers have allowed social media networks to glean from gadgets like Fitbit and popular exercise apps.

All it takes is craftily befriending users to share their exercise goals. Once that box is checked, then it’s off to mining personal information or manipulating them into sending over money. 

“The trend in fitness tracker fraud shows it’s no longer enough just keeping an eye out for scammers while on your mobile or laptop — now they could be targeting you on the treadmill,” Marijus Briedis, cybersecurity expert at NordVPN, said.

“Once a scammer has you in their sights, what begins as bonding over a recent workout can quickly turn into a form of social engineering where they seek to mine as many personal details as possible while your guard is down. This can ultimately lead to attempts to manipulate you with fake personal stories, investment ‘opportunities’ or even identity theft.”

Stopping the scammers in their tracks

This is such a new wrinkle that there's no single switch to flip to stop these fraudsters, yet, there are individual app permissions you can turn off to protect what’s most important to you. 

Note: iOS and Android app permissions may be named differently, depending on the version of your operating system, so it may take a bit of extra digging to determine what’s what.

When it comes to fitness apps, the first line of defense is to avoid sharing any personally identifying information and keeping a basic ‘vanilla’ profile on your online groups, using an avatar or no picture at all.

“As with romance scams, beware of any requests from strangers, chats that veer away from fitness topics, or attempts to move the conversation onto another website or app,” Briedis added.

But, don’t stop there.

"While some running or cycling apps will request special access to your location settings to track your favorite routes, there’s no excuse for a blood pressure checker getting hold of your call history or being able to see your photos. As a minimum, make sure that any fitness apps you add allow you to delete your data,” he said.

The phone camera

If you give an app access to your camera, you’ve made the app developer very happy. With that permission, an app can take pictures and record videos as you might expect, but the Nord VPN researchers caution that some apps may misuse this permission to access your camera without your knowledge. When that happens, all bets are off and a fraudster can invade your privacy.

If you don’t want that to happen, you should only grant access to your camera to trusted apps that actually require camera functionality, such as your camera app.

“Sometimes camera requests make sense for other apps too. For example, social media apps may need it for video calls or posts, while other apps may require it to scan QR codes,” the researchers said. “But if you need help determining whether you trust the app enough, you can always grant access to your camera only when the app is in use.”

Microphone

Another entry point for someone who wants to invade your life and plunder your personal privacy is your phone’s microphone. Just like the camera, you should inspect which apps can access it, too. Some make perfect sense – like Google Assistant or texting via voice – but if you don’t see a significant reason for an app to access your microphone, stay on the safe side and deny the request.

Files and media

Apps with access to your files and media can read, modify, or delete the content on your device, including your sensitive files, photos, and videos. Some of the more notorious ones are apps that claim to clean junk files and save battery life.

Trusted brand apps that truly need access to your photos, such as Google Photos, or security software that needs to scan your files for malware, such as Norton, should be safe, but any off-brand apps should be chosen carefully.

Location

One line that apps like to wave their foot over hoping to cross into a person’s every move is the one with location settings. Google Maps? No problem. But, do you want Facebook to know where you are at all times?

Online services and websites that collect information from children under 13 must notify their parents directly and obtain their permission before they collect that child's information.

Microsoft's Xbox Live failed to do so, violating the Children’s Online Privacy Protection Act (COPPA), according to the Federal Trade Commission (FTC).

To settle those charges, Microsoft has agreed to obtain parental consent before collecting personal information from children's accounts created before May 2021. As part of its efforts to protect children, Microsoft will also inform adult Xbox Live users about its privacy settings.

"As the next generation enters the digital age, their personal data becomes a valuable asset to organizations looking to capitalize on it,” Nicky Watson, co-founder and chief architect of Cassie, a data privacy management company, told ConsumerAffairs.

“The FTC settlement with Xbox Live is keeping organizations accountable for collecting information about minors and increasing transparency about how that information will be used.”

Does your family have an Xbox Live account?

The agency says that any family who subscribes to Xbox Live can create a special account for their children that will give them privacy protections that adults don’t receive.

For example, with a child account, Microsoft is limited in how it shares your child’s information and your child may only communicate with friends that you approve. To review and adjust your child’s privacy settings, go to your Microsoft Privacy Dashboard.

Watson drove home the point that in this case with Xbox Live, both parents and children should be aware of their data privacy rights and how to better understand their preferences, and the FTC is shoulder-to-shoulder with that perspective. The agency says that before a website or online service collects personal information from any child, it has to notify you and get the parent’s permission. The notice must tell the parent:

• What information the site will collect about your child

• How it will use the information

• How to give — or withhold — your consent.

It must also include a link to the privacy policy with more details.

If a parent gives consent, their rights don’t end there. They have the right to review the information that the website or service collects about their child and delete it if they choose. They also have the right to rescind their consent at any time.

To learn more, check out the FTC’s advice about protecting your child’s information online.

The Federal Trade Commission (FTC) and Facebook are squaring off… again. The agency claims that Facebook failed to fully comply with its 2020 privacy order.

That order accused the social media giant of misleading parents about their ability to control who their children communicated with through Facebook’s Messenger Kids app. The agency said the company also misrepresented the access it allowed app developers to private user data.

Because of those indiscretions, the FTC wants the original order rewritten to take away any wiggle room Facebook has been using to its advantage.

Facebook -- now known as Meta -- has now been on the FTC's wrong side three times for allegedly failing to protect users’ privacy. The Commission first filed a complaint against Facebook in 2011 and secured an order in 2012 barring the company from misrepresenting its privacy practices. 

“Facebook has repeatedly violated its privacy promises,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”

What the FTC wants

If the FTC gets sign-off on the proposed changes, Facebook – and Meta’s other services such as Instagram, WhatsApp, and Oculus – would be prohibited from making any money off the back of the data it collects. This would include its virtual reality products and any user under age 18.

In addition, the social media company would have to walk the straight and narrow on its use of facial recognition technology. It would also be required to provide additional user protections. Those include:

• Blanket prohibition against monetizing the data of children under 18. Plus any data it collects on someone under 18 cannot be used for commercial gain even after those users turn 18.

• Pause the launch of new products and services until those products and privacyprotections are fully vetted by an assessor. 

• Limits on future uses of facial recognition technology

In the meantime, what parents can do

Readers of the Mozilla Foundation’s “Privacy: Not Included” series have slapped both Facebook Messenger and Messenger for Kids with a “Super Creepy” label.

“With Facebook-owned apps, we always worry there is a good deal that could go wrong,” the Mozilla Foundation wrote in its review of Messenger for Kids. 

“There are no ads served to kids in Facebook Messenger and Facebook claims they don’t use data from the Messenger Kids app for ads in their other apps. It does still collect children’s data though, so be wary. If you do decide to use Facebook Messenger, it’s probably best to assume nothing you say or do is actually private.”

Yaron Litwin, chief marketing officer at Canopy, a platform designed to keep kids safe online and give parents some peace of mind, told ConsumerAffairs that parents should talk with their children and provide examples of online communication and behavior that could be a concern. 

“In addition, having clear family rules in place regarding online responsibility and the sharing of personal photos is crucial,” he suggested.

Since the beginning of 2023 artificial intelligence (AI), in the form of ChatGPT, has been the rage. The platform is being used to write poetry, compose essays and answer obscure questions.

Now there are dozens of ChatGPT apps that you can download to your device. But some privacy experts see trouble ahead.

In fact, the European Data Protection Board (EDPB), the group coordinating Europe’s various privacy agencies, has established a ChatGPT task force is determine if privacy regulations are needed.

Sarah Hospelhorn, CMO at BigID, says consumers should be cautious about how they use these apps until they get a firm handle on privacy policies.

“Users’ privacy can be compromised if they're using an ungoverned set of data,” Hospelhorn told ConsumerAffairs. “It could be personal data, employee or consumer data, secrets and passwords, even seemingly benign data like your mother's maiden name or shopping history.”

Aaron Rafferty, CEO of Standard DAO, says users’ privacy can be compromised in several ways when using ChatGPT and other AI platforms. 

The threats

“The most concerning issues include the potential for data breaches, exposing sensitive user conversations, and unauthorized access to personal information,” he told us. “The scenario of Samsung employees using ChatGPT and ultimately compromising proprietary Samsung information that is now owned by OpenAI and its users is just one example of many. There's also the risk of AI-generated misinformation that could inadvertently violate user privacy or manipulate public opinion.”

Sameer Ahmed Khan is the co-founder & CEO of Social Champ, a MarTech start-up backed by Techstars. Khan says these new AI apps present new privacy concerns that haven't been factors with other forms of technology.

"A determined hacker team can infiltrate and exploit cybersecurity gaps to steal all data or inputs without alerting the target or their safeguards,” Khan told us. “ChatGPT is no different, and the exploits around its security measures are continuously being penetration tested by malicious actors.”

Privacy concerns limit business uses

Khan thinks there are limited business uses for ChatGPT because of privacy issues. He notes that Microsoft has developed a fix, and “it's just a matter of using Microsoft 365 Copilot, which was launched to uplevel business users with AI.”

The growing number of ChatGPT apps all have different privacy policies which you should review carefully before downloading. Ai Chat - GPT Chat Bot, an app available at the Apple app store, carries a note that it does not collect any user data. However, not all are like that.

Because of that, Rafferty believes U.S. regulators will eventually address privacy issues with new policies and will likely strike a balance between fostering innovation and ensuring user privacy.

Can someone hack your phone through a QR code? Can a scammer steal your personal and financial information via a QR code? Can a bad actor encrypt your device until you pay a ransom? Yes, yes, and yes.

A year ago, the FBI raised fears that those possibilities were real and now security and privacy experts are raising the ceiling on those fears even higher. They pose questions about how the general public can protect themselves when they’re scanning QR codes to view confirm package deliveries, add time to a parking meter, or in an advertisement.

“Unfortunately as the popularity of QR codes has increased with the public, its popularity has also increased with scammers who are setting up phony QR codes to lure you to their bogus website where they solicit personal information used for identity theft or persuade you to make a payment with a credit card,” attorney Steven Weisman, wrote for Scamicide. 

“Or even in some instances, merely by scanning the phony QR code, you will download harmful malware such as ransomware or even malware that will enable the scammer to take over your email account.” 

And the possibilities are infinite. When ConsumerAffairs dug into all the ways that QR codes could be clandestinely turned into digital weapons, we found everything from digital business cards, menus, social media links, getting an app, opening a PDF, showing a location, to sending a text message, making a phone call, making payments, getting rewards and discounts and starting a WhatsApp conversation.

How bad can a fake QR code mess up your life?

As Yaniv Masjedi at Aura points out, there’s “technically” no such thing as a “fake” QR code. “The codes themselves aren’t dangerous — it’s how they’re used that can become problematic,” he says.

The real trouble is a rabbit hole that the scammers have built, and once they get a victim inside, there are few ways to burrow out. Here’s everything that could go wrong:

• You could be redirected to a phishing website. With things like Photoshop and website builders in their treasure box, a scammer can easily make you believe that you’ve landed on a real big brand website – one that most people will never detect as fake. Once you’ve taken that bait, they then ask for your sensitive information. “But anything you enter — name, contact information, credit card number — goes to the scammer and can be used to steal your identity,” Masjedi said.

• Your device could be infected by malware. Masjedi continued – “QR codes can also download malicious software onto your device such as malware, ransomware, and trojans. These viruses can spy on you, steal your sensitive information or files (like photos and videos), or even encrypt your device until you pay a ransom.”

• If the scammer is good at their game, a QR code could send an email from your account. On top of designing QR codes to send people to websites, scammers can also program the codes to open payment sites (think PayPal or Venmo), follow social media accounts, and send pre-written emails. 

Is there a solution?

The good news is that there are ways people can protect themselves. The bad news is that most of them are very granular and take extra work.  

“The first step to protecting yourself is to always check the URL of any website the QR code takes you to that requests a payment or personal information,” Weisman said. “If the URL does not begin with https, but only begins with http, you know it is a scam.”

When it comes to updates on orders from places like Amazon or deliveries from UPS or FedEx, Weisman suggests refraining from using the QR code and going directly to your account rather than through the QR code. 

“If you receive an unordered package with a QR code to scan for instructions to return it, go directly to your account at a legitimate company, such as Amazon rather than use the QR code.  And just like you shouldn't click on links in social media posts unless you have absolutely confirmed they are legitimate, the same holds true for QR codes in social media.  Trust me, you can't trust anyone.”

If you have a recent smartphone – ones with iOS 13 and above and Android 9 and above – Beaconstac says that those come equipped with advanced QR Code readers. So you really don’t need to download any third-party app.

But if you have an older phone – or simply want to add another level of security – ConsumerAffairs found these two apps as the best-rated possible solutions:

• Kaspersky’s QR Code Reader and Scanner: GooglePlay 4.4*; Apple App Store 4.6*

• QR & Barcode Reader by Gamma Play: GooglePlay 4.5*; Apple App Store 4.3*

If you’re a former AT&T customer who may have been bit by an unlimited data plan and haven’t cashed a check from the carrier to settle claims made by the Federal Trade Commission (FTC), time is wasting. To help out, the FTC has announced a new claims process to return money to thousands of former AT&T customers who had those plans in place anytime between October 2011 and June 2015.

However, what if you are a current AT&T customer who had an unlimited data plan during this time? No need to file a claim — you should have gotten a bill credit from AT&T in early 2020.

The settlement goes back to the FTC’s claim that AT&T throttled their data, slowing down their internet speed after they used a certain amount of data in a billing cycle. The limits on this “unlimited” plan made it hard — and, in some cases, impossible — to browse the internet or stream videos. And, before people signed a long-term contract, AT&T didn’t adequately disclose to customers that it would slow down their internet.

Throttling has been a thorn in the side of the FTC for years now. In addition to AT&T, it also went after TracFone for the same thing.

AT&T's response? "While we continue to dispute the allegations in this lawsuit from 2014, we elected to settle in 2019 rather than continue with drawn-out litigation," the company said in an email to ConsumerAffairs.

Here’s what to know

If you think you meet the AT&T settlement criteria and want to move forward with a claim, here’s what you need to do:

• Determine if you’re eligible and file your claim at ftc.gov/ATT.

• You have until May 18, 2023, to file a claim.

• Questions about filing a claim? Call the refund administrator at 1-877-654-1982 or email info@ATTDataThrottling.com.

We’ve all – yes, probably all – have taken some sort of online quiz. What Hollywood star would be a perfect partner for you? What was your first car? Where did you go to high school?

Guess what – these things have a lot in common: they’re trying to sucker you in so they can get their grubby little hands on your personally identifiable information (PII).

So, before you take a quiz to find out which Marvel character you’re most like, ask yourself: Do I know who’s gathering this information about me — or what they plan to do with it?

The Federal Trade Commission (FTC) says that all those cute little quizzes and surveys are carefully crafted to get innocent people to spill the beans on the answers to security questions that they can turn around and use those answers to try and reset your accounts, then steal your bank and other account information.

The agency says that some scammers go even further, by hacking social media accounts and sending malware links to friends of the hacked account holder under the guise of sharing a quiz.

It’s ok to lie!

Even though they’re tempting, Terri Miller, a consumer education specialist at the FTC, says don’t take the bait.

“One major way to protect your personal information — in addition to maintaining strong passwords and using multi-factor authentication — is to steer clear of online quizzes -- or just don’t answer them truthfully,” she said.

Miller had some interesting advice on how to outsmart the tricksters. “As for accounts that require actual security questions, treat them like additional passwords and use random answers, preferably long ones, for those too. Asked to enter your mother’s maiden name? Say it’s something else: Parmesan or another word you’ll remember.

Or use a password manager to store a unique answer. This way, scammers won’t be able to use the information they find to steal your identity,” she said.

Anyone who’s more concerned about their overall data privacy than their short term New Year’s resolutions should be very careful about what exercise, weight loss, or quitting smoking apps they load on their phones.

A new study from Incogni, a data privacy platform, took a hard look at resolution-oriented apps and found privacy risks associated with 344 such apps. Here’s a rundown of what its researchers found:

Way too much TMI: Eighty-four percent of all apps Incogni analyzed requested 10.7 permissions on average. The most-requested dangerous permissions are read (74.4%) and modify or delete (66.3%) the contents of your USB storage.

Let’s play cat and mouse: Almost half the apps want to know exactly where you are. An estimated 40% of all apps request dangerous location-related permissions, with precise location requested slightly more often (38.4% of all apps) than approximate location (37.2%).

“Do I look fat?”: Losing weight apps are the least private and have the worst privacy score. They may argue that they have to analyze and evaluate issues relating to nutrition, etc. so they need a lot of ongoing data to provide that customization.

And the best: Quitting smoking apps perform the best in terms of privacy, with the category’s average score of 23.3 being 38.4% lower than the overall average.

Other resolution-driven apps that scored above the reasonable limit in collecting personal data are:

• Remodeling/renovating home

• Exercising more

• Spending less time on social media

• Traveling more

• Reducing stress

What privacy things you should consider when downloading an app

Incogni’s basic rule of thumb is “the more popular the app, the less private it is.” 

“If you’re planning on downloading an app to help you keep track of your New Year’s resolutions, we recommend caution,” the researchers said, and pointed to three things a consumer should consider:

1. Choose an app with a lower privacy risk score.

2. Stay away from popular apps with 500k or more downloads.

3. Consider the categories. If choosing from a high privacy risk category, check the data safety section of the app in the Google Play or Apple app store. Below are step-by-step instructions for both Android and iPhone.

Apple

Android

Twitter will pay the U.S. government $150 million after federal officials sued the platform for misleading users about how it protects their data. Regulators accused the company of violating a previous Federal Trade Commission (FTC) privacy settlement by using contact information that it collected to help marketers with targeted advertising. 

Officials said Twitter disclosed to users that phone numbers and email addresses would be used for account security, but the platform apparently did not shed enough light on how that same information would be used for other purposes. The suit claims that these practices affected over 140 million Twitter users who submitted contact information to the platform. 

“From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services,” the lawsuit stated.

In a company blog post, Twitter Chief Privacy Officer Damien Kieran pointed out that the platform addressed this problem in 2019. He also reaffirmed that Twitter is committed to protecting the privacy of its users.

“In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected,” Kieran said.

In addition to paying a financial penalty, Twitter has agreed to implement a comprehensive privacy and data security program and disclose why and how it collects, shares, and uses personal information that it collects. Twitter users will also now have access to a multi-factor authentication option that does not use their phone number.

FTC advises consumers about data protection

The FTC says consumers should take away several important lessons from this suit so that they can protect their personal information in the future. Those lessons include:

• Use multi-factor authentication whenever possible. The FTC says this type of protection makes it harder for scammers to log in to consumers’ accounts, even if they’re able to steal usernames and passwords.

• Choose forms of multi-factor authentication that don’t involve personal information. The FTC says consumers should opt for authentication apps that use physical tokens instead of software that requires them to input personal data. Physical tokens require consumers to be in physical possession of a real-world object that acts as an authentication device. Some examples include a phone, USB drive, or keycard. 

• Be careful when selecting security questions. The FTC says consumers should only select security questions that they know the answers to. For added security, you could even select random answers to questions; just be sure to remember your nonsensical answers.

• Check your privacy settings. Some platforms allow users to opt out of targeted advertisements in an app’s privacy settings. 

Four years after details of the Facebook-Cambridge Analytica scandal came to light, Washington, D.C. Attorney General Carl Racine has sued Facebook – now Meta – CEO Mark Zuckerberg for his alleged role. 

Racine’s complaint accuses Zuckerberg of directly participating in decision-making that allowed the British data company to make unauthorized use of the company’s data for political purposes. Meta has declined to comment on the lawsuit.

In 2018, it was revealed that Cambridge Analytica, a political marketing firm, had accessed data on Facebook users to target 2016 political ads on behalf of the campaign to remove the U.K. from the European Union and on behalf of Donald Trump’s presidential campaign. Facebook paid a $645,000 fine in connection with the breach in 2019.

In his complaint, Racine points to evidence that he says implicates Zuckerberg in Facebook’s “lax oversight of user data and implementation of misleading privacy agreements.” The result, he contends, was that third parties like Cambridge Analytica were able to obtain personal data on 87 million Americans, including over half of the residents of the District of Columbia.

“Since filing our landmark lawsuit against Facebook, my office has fought tooth and nail against the company's characteristic efforts to resist producing documents and otherwise thwart our suit. We continue to persist and have followed the evidence right to Mr. Zuckerberg,” Racine said. 

Unauthorized access

Facebook has always maintained that Cambridge Analytica made use of information that it was not entitled to receive. Racine said the evidence shows that Zuckerberg was personally involved in the lapses that led to the breach. 

“The evidence shows Mr. Zuckerberg was personally involved in Facebook’s failure to protect the privacy and data of its users, leading directly to the Cambridge Analytica incident,” Racine said. “This unprecedented security breach exposed tens of millions of Americans’ personal information, and Mr. Zuckerberg’s policies enabled a multi-year effort to mislead users about the extent of Facebook's wrongful conduct.”

Racine attempted to name Zuckerberg as a defendant in a previous lawsuit against Facebook, but the judge disallowed it. That lawsuit, which has not yet been resolved, claims that Facebook violated the District of Columbia’s consumer protection law by misleading users and failing to protect their data in the months before the 2016 U.S. presidential election. 

The Federal Trade Commission (FTC) is taking a giant leap forward in the protection of children's privacy. The agency announced on Monday that it will strengthen the Children’s Online Privacy Protection Act (COPPA) by cracking down on any education technology company that monitors children illegally.

The FTC’s new policy statement reinforces that it is illegal for companies to force parents and schools to surrender their children’s privacy rights in order to do schoolwork online or attend class remotely. The agency says companies also cannot deny children access to educational technologies when their parents or school refuse to sign up for commercial surveillance.  

“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

“Parents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”

Protecting children's privacy

The specific modifications that the FTC added to COPPA include:

Prohibitions Against Mandatory Collection: Companies cannot require children to provide more information than is reasonably needed for participation in an activity.

Use Prohibitions: Ed tech providers that collect personal information from a child with the school’s authorization are prohibited from using the information for any other commercial purpose including marketing or advertising. 

COPPA was first launched in 2000, and the FTC has used it to protect children's privacy since then. The agency previously imposed a fine on Toysmart.com for collecting and selling children's personal data. It also began a probe of YouTube and accused the platform of not doing enough to protect children who use the service.

This Thursday is World Password Day, and leading the celebration are Apple, Google, and Microsoft. Starting sometime within the next year, all three companies will embark on a joint effort and expand support for passwordless sign-ins across all devices and platforms.

If two heads are better than one, then the three-headed effort by the tech giants should be really powerful. For one thing, the trio promises users the ability to sign in through a single action that requires a device PIN or fingerprint verification. The new approach is designed to protect against phishing, and officials say the move will make sign-ins "radically more secure."

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President of Identity Program Management at Microsoft.

“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

Consumers need to protect themselves for now

Until the day when all our passwordless hopes come true, anyone who uses a digital device controls much of their own destiny when it comes to privacy and security.

What are some things that the public can do to honor World Password Day? ConsumerAffairs found five tips that various security analysts say could make their cyber use even more secure:

Stop using your pet’s name as your password. Aura, which deals in intelligent safety for consumers, found that more than 39% of American pet parents have used their pet's name as part of their password for an online account. That stat rises to 1 in 2 (50%) among pet parents between the ages of 35 and 44.

"Pet names are often widely known and easily searchable on social media or online,” Aura says. 

Is your password something a family member can guess? In a survey of 1,000 Americans, ExpressVPN uncovered several distressing findings about password security. It found that 44% of people admitted to using personally identifiable information like their date of birth; that the average person uses the same password for six websites and/or platforms; that 43% of people say their loved ones would likely be able to guess their online passwords; and that 2 in 5 people admit to using a variation of their first and/or last name in online passwords they create.

The longer, the stronger. “It’s true that the longer a combination is, the harder it is to remember. But it is one of the best ways to keep information safe so make sure to use at least 8 digits to tighten up security levels,” says CheckPoint. 

Chris Brooks, the founder of CryptoAssetRecovery, agrees and even suggests more firepower.

“People often think that adding symbols to a password makes it more secure. Given the firepower that hackers have at their disposal today, that isn't necessarily true," Brooks suggests. "Short complex passwords can be cracked in fractions of seconds. Complexity + Length is what makes passwords secure."

Check out the strength of your current password. Kaspersky, the anti-virus company, offers a password checker that can tell consumers how strong their passwords are. Before you commit to a password that you think no one on earth would ever figure out, it might be wise to test it out.

Netflix users should use caution. Netflix's recent move to crack down on password sharing has a silver lining for consumers. 

"Keeping the use of a single account and password to a single user means fewer opportunities for identity theft, fraud, or other potential damages to the primary user," Nathan Wenzler, chief security strategist at Tenable, told ConsumerAffairs.

How bad could things get for password-lazy Netflix subscribers?

"As our online presence is increasingly tied to our financial services, shopping and delivery services and our reputations, it's becoming more important that we all take the credentials we use seriously and protect them as much as we can," Wenzler said.

To help shield people from having too much of their personal information online, Google is going to allow the public to request that the tech giant remove certain pieces of personal information from its search results. Now, just by making a simple request, anyone could ask that Google remove contact information like phone numbers, email addresses, physical addresses, and even login credentials from search queries. 

The company has offered this in the past, but it was in limited, special circumstances, such as when information fraudsters steal bank and credit card details or across-the-line situations like non-consensual intimate personal images. 

The company is taking the same precautions now that it’s broadening those requests, but it’s not doing it willy-nilly or by machine. It will still review each request to ensure that it's real, and the company said it won’t delete references that are contained in a news article or are a matter of public record, like a mayor asking to have their office telephone number at city hall removed.

“The internet is always evolving – with information popping up in unexpected places and being used in new ways — so our policies and protections need to evolve, too,” Google said in a blog post. “Open access to information is a key goal of Search, but so is empowering people with the tools they need to protect themselves and keep their sensitive, personally identifiable information private. That’s why we’re updating our policies to help people take more control of their online presence in Search.”

How to request Google remove personal information

For Google to even consider a request to remove content, it first has to pertain to the following types of information:

• Confidential government identification (ID) numbers like a U.S. Social Security number.

• Bank account numbers

• Credit card numbers

• Images of handwritten signatures

• Images of ID docs

• Highly personal, restricted, and official records, like medical records

• Personal contact information (physical addresses, phone numbers, and email addresses)

• Confidential login credentials

If someone is being “doxxed” -- the term for a type of cyber harassment in which someone is using a computer or a phone to purposely cause another person to fear for their well-being -- Google is willing to help remove any content that might lead to that.

For Google to consider the content for removal, it must meet both of these requirements:

• Your contact info is present.

• There’s the presence of explicit threats, implicit threats, or explicit or implicit calls to action for others to harm or harass.

Google reminds people that it will do its part to remove information upon request, but consumers' data may still be available in other ways online.

“It’s important to remember that removing content from Google Search won’t remove it from the internet, which is why you may wish to contact the hosting site directly, if you're comfortable doing so,” the company said.

Less than six months after banishing China Telecom from the U.S. over privacy concerns, the Federal Communications Commission (FCC) has revoked the authority of two other companies that are state-owned entities of China.

ComNet, along with its parent company Pacific Networks, will no longer be able to offer service in the U.S. due to similar privacy concerns. After a thorough review of the companies' practices, the FCC concluded that they had the potential to threaten U.S. security via its telecommunications infrastructure.

Both ComNet and Pacific Networks have 60 days to discontinue all domestic and international services emanating from within the U.S.

Despite the companies' efforts to defend themselves, an FCC investigation concluded that they were "subject to exploitation, influence and control by the Chinese government" and "highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.”

Officials feared that the companies were in a position to monitor, store, disrupt, or misroute communications in the U.S., which could allow them to engage in espionage and other harmful activities against the U.S.

Network security equals national security

China may have been the country in the FCC’s crosshairs for this investigation, but it's not the only country that's being examined in light of the war between Russia and Ukraine.

“Our network security has never been more important. As events in Ukraine continue to unfold, reports indicate that hackers acting on behalf of Russia are seeking to sabotage Ukraine’s networks – utilizing new ways of attacking critical infrastructure, financial, and governmental networks, both in cooperation with other hackers and on their own,” FCC Commissioner Geoffrey Starks commented. 

“While we have yet to see a coordinated attack on American networks, we cannot ignore the capabilities of Russian state actors, which one technology company estimates are responsible for nearly 60 percent of all state-sponsored cyberattacks.”

Speaking directly to consumers, Starks equated network security with national security. 

“Today’s action is another positive step towards protecting our national security, but clearly we must continue to rise to the challenges of the day,” he stated.

Ireland’s Data Protection Commission has hit Meta (formerly known as Facebook) with a fine worth $18.6 million for a series of data breach notifications in the European Union (EU).

The commission said Meta failed to have appropriate technical and organizational safeguards in place to protect its users’ data. That left users vulnerable in 12 breaches over a six-month period during 2018.

When the breaches were first revealed, the commission’s investigation revealed that as many as 50 million Facebook accounts were impacted, some allowing hackers access to Facebook users’ photos. 

Meta calls the fine unfair

Facebook should be relieved that the fine wasn't any larger. Under the EU’s data protection law, member blocs like Ireland can levy penalties as high as 4% of a company’s annual revenue for the most egregious violations. In Meta's case, that would have equated to a fine of more than $4 billion.

Last year, Ireland fined another Meta product – WhatsApp – $246 million. Amazon was also slapped with a record $746 million by the country of Luxembourg’s privacy custodian.

Nonetheless, Meta still contends that the fine is unfair because it took the commission nearly four years to make its decision. Company officials say they were still making adjustments to privacy settings at that time.

“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” Meta told Bloomberg News.

Two members of the Senate Intelligence Committee -- Ron Wyden (D-Ore.), and Sen. Martin Heinrich (D-N.M.) -- are asking for more transparency about an allegedly immense surveillance effort conducted by the Central Intelligence Agency (CIA).

Wyden and Heinrich want to know what kind of records the CIA collected about American citizens and the legal framework for the collection. They originally requested the declassification of a report by the Privacy and Civil Liberties Oversight Board on a CIA bulk collection program last April, but the letter was not made public until Thursday.

The senators say “the CIA has secretly conducted its own bulk program,” authorized under Executive Order 12333, rather than the laws passed by Congress.

The letter notes that the program was “entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes from [Foreign Intelligence Surveillance Act] (FISA) collection.” 

“These documents demonstrate that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law,” said Senators Wyden and Heinrich. “In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context. … The public deserves to know more about the collection of this information.”

CIA says it takes privacy seriously

The CIA has been down this road before. In 2017, the Electronic Privacy Information Center (EPIC) warned the Senate Select Committee on Intelligence that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." It noted that the CIA has "a long history of unlawful surveillance" and pointed to a Freedom of Information Act case pursued by EPIC which revealed that the CIA spied on staff members of the U.S. Senate.

This time around, the CIA is getting out in front of Wyden and Heinrich’s claims by firmly disagreeing with the senators’ interpretation of the situation. Kristi Scott, the agency’s privacy and civil liberties officer, said the CIA takes its responsibility to safeguard the privacy and personal liberties of Americans seriously.

“CIA is committed to transparency consistent with our obligation to protect intelligence sources and methods,” Scott stated.

Zoom has agreed to pay $85 million to settle a lawsuit claiming that it violated user privacy by sharing personal data with several social networking sites and allowing hackers to disrupt virtual meetings through a practice called “Zoombombing.” 

The settlement money will go toward funding refunds to Zoom users who used the service between March 30, 2016, and the date of the settlement. 

Participants in the proposed suit would be eligible for 15% refunds on their subscriptions or $25, whichever is larger. Those who used the free version of Zoom without a subscription may be able to claim up to $15. The settlement filed on Saturday still requires approval by U.S. District Judge Lucy Koh in San Jose, California. 

Boosting security

In addition to agreeing to pay the fine, Zoom has agreed to enhance its security measures through changes "designed to improve meeting security, bolster privacy disclosures, and safeguard consumer data.” 

In the suit, Zoom was accused of sharing user data without permission with companies including Facebook, Google, and LinkedIn. While Zoom agreed to settle, it has not admitted any wrongdoing. 

“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” the company said in a statement. 

TikTok has agreed to pay $92 million to settle lawsuits claiming that it collected users’ personal data without their knowledge or permission, and then sold that data to advertisers. 

NPR reports that the proposed settlement includes 89 million U.S. users, some as young as six years old. The settlement combines 21 privacy-centered class action lawsuits against TikTok. 

TikTok was accused in the suits of violating users’ privacy in several ways, including by analyzing their faces to determine their ethnicity, gender, and age. The company was also accused of violating the Computer Fraud and Abuse Act, as well as privacy laws in Illinois and California. 

The settlement, which would include nearly all U.S. users, is being described as one of the “largest privacy-related payouts in history.” 

TikTok denies allegations 

In a statement to various media outlets, TikTok said it disagreed with the allegations but has decided to settle the case anyway. 

"We'd like to focus our efforts on building a safe and joyful experience for the TikTok community," a company spokesperson said.

As part of the settlement, TikTok has agreed to stop tracking biometric information and to stop transmitting user data overseas. It’s also agreed to stop collecting data from users’ draft videos.  

“This is one of the largest settlements ever achieved in a consumer BIPA case, and one of the largest privacy class action settlements,” Ekwan Rhow, a co-lead counsel for the lawsuit, said in a statement. “It serves as a reminder to corporations that privacy matters, and they will be held accountable for violating consumers’ rights.”

The settlement is still awaiting approval by the court system. 

TikTok has announced that it will soon be changing its privacy settings to keep its youngest users safe. 

For users between 13 and 15, accounts will soon be set to “private” by default. Going forward, users will also have to approve their followers. 

The short-form video platform is also changing the default setting for comments. The accounts of young users will now have the option to set the comments to “friends” or “no one.” Previously, accounts of younger users may have been set to “public.” 

TikTok is also launching a few changes geared toward older teens between the ages 16 and 17. The company said it will still allow these users to remix their videos with the app’s Duet and Stitch feature; however, the default setting for the feature will be changed to friends only. 

Videos made by users under 15 can no longer be downloaded or remixed by other users. 

Getting young users to think about privacy

In a blog post, the company said the new restrictions are intended to enable youth users to “make more deliberate decisions about their online privacy.” 

“As young people start their digital journey, we believe it's important to provide them with age-appropriate privacy settings and controls,” wrote TikTok's Head of U.S. Safety Eric Han. “Today we're announcing changes for users under age 18 aimed at driving higher default standards for user privacy and safety.” 

“We want our younger users to be able to make informed choices about what and with whom they choose to share, which includes whether they want to open their account to public views.” 

TikTok noted that it allows users under 13 to use the app “in a limited experience.” Kids under 13 can browse a “curated library of age-appropriate videos,” the company said. TikTok says it’s continuing to focus on keeping its youngest users safe through a new partnership with Common Sense Networks. 

“Through our partnership, Common Sense Networks will provide additional guidance on the appropriateness of content for children under 13 as we work to create an enjoyable and safe viewing experience,” Han said. 

Instagram is being investigated by Europe’s lead regulator over the way it handles children’s personal information, the BBC reported Monday. 

The probe, which is being carried out by Ireland's Data Protection Commissioner (DPC), was launched in response to reports that Instagram offered business accounts to kids as young as 13 years old. Regulators are concerned that children’s email addresses and phone numbers may have been displayed publicly.

“Instagram is a social media platform which is used widely by children in Ireland and across Europe,” said DPC deputy commissioner Graham Doyle. “The DPC has been actively monitoring reports of issues received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination.”

The DBC is looking into whether Instagram sufficiently protects personal data of children and whether it has restrictions in place to prevent exposure of that data. Facebook, Instagram’s owner, could face a fine of as much as four percent of its annual worldwide revenue if the app is found to have broken privacy laws. 

Privacy concerns

The probe stems from a 2019 report from David Stier, a data scientist who claimed that his analysis showed that Instagram offered “millions” of minors the option to change their profiles into business accounts in exchange for analytics information. 

The offer raises privacy concerns because switching to a business account requires the owner to display their phone numbers and email addresses publicly in the app. The information was also contained in the HTML source code of web pages, meaning it could be “scraped” by hackers.

In a Medium blog post, Stier accused Instagram of refusing to mask users’ email addresses and of not assigning an anonymized phone number, which “runs counter to the practice of nearly every website and app today.” 

Facebook rejects claims

A Facebook spokesperson told the BBC on Monday that it’s cooperating with the DBC, but it stated that Stier’s claims are based on a misunderstanding of its systems. 

"We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That's very different to exposing people's information.” 

Facebook said it no longer embeds contact information in the source code of Instagram pages and that it has since added the option for users to opt out of including their contact information. 

"We've also made several updates to business accounts since the time of Mr Stier's mischaracterisation in 2019, and people can now opt out of including their contact information entirely."

Following an investigation brought about by a legal challenge from Amazon, the U.S. Department of Defense (DOD) announced that it is standing firm on its original decision to award a $10 billion JEDI (Joint Enterprise Defense Infrastructure) cloud computing contract to Microsoft. 

The cloud contract’s purpose was to provide AI processing, data storage, machine learning, and other elements that could help update the United States military. Microsoft, Amazon, IBM, and Oracle all placed bids on the project. Both Amazon and Oracle challenged the DOD’s decision, but an appeals court refuted Oracle’s claim. 

Amazon’s luck with the court system was a little more fortuitous, scoring an injunction after it had challenged the fairness of the bidding process. The company argued that the U.S. was “prejudicial” and that Microsoft’s proposal was marked with deficiencies. 

“Screw Amazon”

Amazon certainly didn’t mince words about the decision. It took to the web to throw some big-time shade at the Trump administration, saying that, “On JEDI, President Trump reportedly ordered former Secretary Mattis to ‘screw’ Amazon, blatantly interfered in an active procurement, directed his subordinate to conduct an unorthodox ‘review’ prior to a contract award.”

“Others have raised similar concerns around a growing trend where defense officials act based on a desire to please the President, rather than do what’s right,” wrote Amazon Web Services Public Sector Team.

As you might expect, Microsoft’s comments were just the opposite. “We appreciate that after careful review, the DOD confirmed that we offered the right technology and the best value,” the company told TechCrunch in a statement. “We’re ready to get to work and make sure that those who serve our country have access to this much needed technology.”

The DOD’s affirmation doesn’t mean that the legal tussle is over. The Pentagon acknowledged as much in a press release, saying that it “determined that Microsoft’s proposal continues to represent the best value to the government.” However, it added that the contract “will not begin immediately” because of the temporary injunction Amazon secured.

Tesla and its founder Elon Musk are on the front burner again. Less than a year after the Securities and Exchange Commission (SEC) went after Musk for contempt, the agency is headed his way with a subpoena “seeking information concerning certain financial data and contracts including Tesla’s regular financing arrangements,” the company wrote in its latest SEC filing. 

Ironically, the SEC’s requisition came on the very same day that it finalized an inspection of forecasts and public comments Musk had made regarding the production of Tesla’s mass-market Model 3 electric vehicle. 

Musk, as he is inclined to do, found his way into hot water after tweeting that Tesla was expected to produce a half-million vehicles in 2019 when its actual estimate was somewhere between 360,000 and 400,000. The SEC considered the tweet misleading and a violation of the deal it struck with Musk to get any messaging that might have market implications approved in advance. Separately, the U.S. Department of Justice had also asked Tesla to voluntarily turn over any information related to production rates.

Cooperation over consternation

When a company gets crossways with the SEC, it really doesn’t have much wiggle room. As Musk will attest, when he tweeted out that he was thinking about taking the company private, the SEC slapped him with a civil penalty of $20 million, forced him to appoint an independent director as the Chair of the Board (as well as two additional independent directors to our board of directors), and said the company must improve its disclosure controls and other corporate governance-related matters. 

This time around, it looks like Musk has learned his lesson. 

“We are cooperating with certain government investigations,” Tesla’s SEC filing said. “To our knowledge, no government agency in any such ongoing investigation has concluded that any wrongdoing occurred.”

Where will this go? It’s anybody’s guess -- especially Musk’s. 

“We cannot predict the outcome or impact of any such ongoing matters, and there exists the possibility that we could be subject to liability, penalties and other restrictive sanctions and adverse consequences if the SEC, the DOJ, or any other government agency were to pursue legal action in the future,” the filing stated.

The Federal Trade Commission (FTC) has handed Congress its latest National Do Not Call (DNC) Registry report, which focuses on how consumers and businesses alike have been impacted by unwanted sales pitches and robocalls. 

If you guessed that there are more and more people who want to be added to the list, you’d be right. There was an uptick of more than 4.1 million registrations from the previous fiscal year, bringing the DNC Registry close to 239 million consumer registrations.

Making companies put their money where their mouth is

Many consumers might be surprised to know that businesses and other entities pay to access the registry. The reason is that any U.S. telemarketing company that wants to call a consumer is required to download the phone numbers on the National Do Not Call Registry every single year to ensure they do not call consumers who have registered their phone numbers. 

The telemarketers are given access to five area codes for free, but they have to pay up to get the other 330 area codes. Some charitable organizations get the list for free.

Consumer complaints about telemarketing calls aren’t going away any time soon, but with the new TRACED Act hopefully putting a lid on runaway robocalls, there’s a little bit of hope. Nonetheless, the FTC figures that there’ll always be some company somewhere that is going to try and find a new way to get consumers on the phone without playing by the rules.

“As new technology provides new challenges, the FTC actively seeks to address and confront them by, among other things, encouraging private industry, other government agencies, academia, and other interested parties to create and develop new strategies to help consumers avoid unwanted telemarketing calls,” the Commission wrote in its Registry update.

The company that runs the popular video app TikTok has been hit with a class-action lawsuit alleging that it transfers users’ data to servers in China. 

TikTok has amassed roughly half a billion U.S. users worldwide in recent years, with the surge in users fueled mainly by its popularity among teenagers. However, the social media platform has found itself at the center of lawmaker scrutiny over the way it handles user data. 

Now, a class-action suit filed Wednesday by a college student in California accuses TikTok and its Chinese parent company ByteDance of stealing user information without consent and transferring the data to Chinese servers. 

“TikTok clandestinely has vacuumed up and transferred to servers in China vast quantities of private and personally identifiable user data that can be employed to identify, profile and track the location and activities of users in the United States now and in the future,” the suit alleges.

Data collection concerns

The suit was filed by student Misty Hong and seeks class-action status. Hong’s lawyers claim that TikTok stored and sent large quantities of users’ personal data to servers in China as recently as April. The harvested data was then allegedly used for ad targeting purposes. 

User information taken and dispatched to China included facial scans, birthdays, phone and social network contacts, browsing history, and more, according to the suit.

“These apps infiltrate users’ devices and extract a remarkably broad array of private and personally-identifiable information that Defendants use to track and profile users for the purpose of, among other things, targeting them with advertisements from which Defendants unjustly profit,” the lawsuit claims.

Hong said she downloaded the app earlier this year but never actually created an account. Months later, she claims she discovered that the app had created an account for her without her consent. She claims the app stole a handful of videos she had made but never posted and then sent those videos to servers in China. 

Lawmaker scrutiny

Last month, the U.S. Army announced that it would be launching a security assessment of TikTok with the aim of allaying concerns raised by Sen. Chuck Schumer (D - NY) and other officials.

"National security experts have raised concerns about TikTok's collection and handling of user data, including user content and communications, IP addresses, location-related data, metadata, and other sensitive personal information," Schumer wrote in a November 7 letter to Army Secretary Ryan McCarthy.

TikTok has claimed it doesn’t store user data in Chinese servers; it has said it stores all U.S. user data in the U.S., with backups in Singapore. 

Researchers from Tokyo and the University of Michigan have found that laser pointers are capable of “hijacking” smart speakers. 

In a paper titled “Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems,” the researchers said they found that voice-enabled devices could be tricked into following voice commands by beaming a laser at them. 

The team tested the effect of laser pointers on smart speakers that included Google Assistant, Apple Siri, and Amazon Alexa. They found that these devices interpreted the light of the laser as sound. 

“We have identified a semantic gap between the physics and specifications of MEMS (microelectro-mechanical systems) microphones, where such microphones unintentionally respond to light as if it was sound,” they wrote. “Exploiting this effect, we can inject sound into microphones by simply modulating the amplitude of a laser light.” 

Privacy threat

The effect produced “an attack that is capable of covertly injecting commands into voice-controllable systems” at distances of 230 to 350 away. In one instance, the team successfully commanded a Google Home device that was in a room in another building to open a garage door simply by shining a light that had the “OK Google” command encoded in it. 

The list of devices that were tested and found to be vulnerable to light commands includes Google Home; Google Nest Cam IQ; multiple Amazon Echo, Echo Dot, and Echo Show devices; Facebook's Portal Mini; the iPhone XR; and the sixth-generation iPad.

The researchers said they have already notified Tesla, Ford, Amazon, Apple, and Google about the weakness. They said that mitigating the flaw would require a redesign of most microphones. Lead author Takeshi Sugawara said one possible way to get rid of the vulnerability in microphones would be to create an obstacle that would block a line of sight to the microphone's diaphragm.

If you’re doing anything online that you don’t want anyone to know about, you’re probably out of luck.

The Washington Post reports a number of websites, from mainstream news outlets to porn sites, are using a hidden code to run a check to find out who you are. Accessing or deploying browsing features like “private browsing” may make no difference at all. In fact, because you’ve turned on a feature like “do not track” may make you more likely to be tracked, security experts say.

Some of these programs that track you online don’t appear to be that intrusive at first glance. The programs extract mostly innocent-looking data about your computer, such as your screen resolution or the version of the operating system your device is running.

It’s called “fingerprinting,” with the web taking a photograph of your browsing habits. With this information, a program can know what sites you’ve accessed in the past and create profiles of your behavior. It’s one of the reasons that ads seem to follow you around on the internet.

The Post report says most of the sites it contacted said “fingerprinting” web users is now  industry standard practice. But one analyst told the Post that “fingerprinting” is user-hostile, with the fact that web users who ask not to be tracked become even more valuable tracking commodities.

‘Growing threat’

According to the Post, Google, Apple, and Mozilla have all agreed that “fingerprinting” is a growing threat to consumers.

It’s not that websites you’ve visited have your name, address, or any other personal information about you in a database. It’s all a matter of putting information into a pattern.

As internet users access a website, the site’s code begins asking your computer for things that aren’t part of the usual process of pulling up a page. Knowing what operating system you’re running, what fonts you have installed or what your address is on your internal network distinguishing characteristics.

If you have turned on “do not track” the site may take a special interest in you. Different websites use different data points to assemble your fingerprint, which is part of what makes it so hard to control. 

Some websites say they use fingerprinting to protect their customers. They contend that fingerprinting lets them improve online security, such as fighting attempts to use stolen credit cards or passwords.

Without admitting any wrongdoing, Facebook has agreed to pay a fine of about $645,000 imposed by the UK Information Commissioner’s Office (ICO) over its role in the Cambridge Analytica data sharing scandal. 

The ICO concluded that Facebook failed to adequately protect user data, leading to the improper exposure and use of a large trove of consumer information by app developers. 

Facebook emphasized that it has “made major changes” to the site in the wake of the Cambridge Analytica scandal and that it has “significantly” restricted the information which app developers can access. Facebook noted that the ICO did not find that the data had actually been transferred to Cambridge Analytica, a political consulting firm.

“We are pleased to hear that Facebook has taken, and will continue to take significant steps to comply with the fundamental principles of data protection,” said James Dipple-Johnstone, the ICO’s Deputy Commissioner. “With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case."

The ICO said in a statement that Facebook “made no admission of liability.” 

Settling with regulators

The ICO hit Facebook with a smaller fine in July of 2018, but Facebook appealed the ruling on the grounds that the agency should be required to share the documents that led to its decision. The ICO appealed Facebook’s appeal a few months later. A year later, a new settlement has been agreed upon. 

Several months ago, Facebook agreed to pay a $5 billion fine to the Federal Trade Commission over its handling of user data. The fine levied this week by the ICO is the maximum possible penalty allowed under the UK data protection law. 

Facebook's Director and Associate General Counsel Harry Kinmonth said in a statement that the company is “pleased to have reached a settlement with the ICO.” 

Consumers who previously used Lifelock for identity protection services may soon be receiving a refund check in the mail.

The Federal Trade Commission (FTC) announced that it would be sending checks to customers who used the company’s services between 2012 and 2014. The move follows a 2015 settlement in which Lifelock was accused of not securing customers’ personal data. Regulators said that the company also falsely advertised that its safeguards were on par with financial institutions and that it provided 24/7 alerts to consumers “as soon as” their identity was being used by a third-party.

“This settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data,” former FTC Chairwoman Edith Ramirez said at the time. “The fact that consumers paid Lifelock for help in protecting their sensitive personal information makes the charges in this case particularly troubling.”

Claiming a refund

The FTC noted that it will be sending one million checks to eligible consumers, with the average payout coming in at around $29. The agency asks that recipients deposit or cash the checks within 60 days of receiving them. 

The agency also reminds consumers that they are NOT required to pay money or provide account information in order to cash a check. If they are asked to do so, then it’s likely that they are being manipulated by a scammer. 

Those who have questions about the refund process are urged to contact Rust Consulting, Inc. -- the FTC’s refund administrator -- at 1-866-898-5106. More information about FTC refunds can be found on the agency’s website here.

Federal regulators have slapped Google’s YouTube platform with a $170 million penalty for pulling in millions of advertising dollars through the improper collection of children’s personal information. 

The settlement announced Wednesday requires that Google and YouTube pay $136 million to the Federal Trade Commission (FTC) and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA). 

“YouTube touted its popularity with children to prospective corporate clients,” wrote FTC Chairman Joe Simons. “Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”

New York Attorney General Letitia James said that the companies “put children at risk and abused their power” through illegally monitoring and tracking kids’ behaviors in order to serve them targeted ads. James noted that the settlement is “one of the largest settlements for a privacy matter in U.S. history.”

Settlement also requires reform

Under the settlement, Google and YouTube are also required to “develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform” in order to ensure compliance with COPPA.

Additionally, YouTube must “obtain verifiable parental consent” before collecting personal information from children.

YouTube said in a blog post that it’s working on developing ways to address the privacy concerns that have cropped up in conjunction with “a boom in family content and the rise of shared devices.” 

In the coming months, YouTube said it will be restricting data collection on videos likely to be watched by children and treating data from anyone watching children’s content on the platform as “coming from a child, regardless of the age of the user.” 

YouTube said it will also cease its practice of serving targeted ads on videos aimed at young audiences and turn off comments and notifications for those videos. The company has recommended that parents use its YouTube Kids app when letting children under 13 watch videos without adult supervision. 

YouTube is considering putting an end to its practice of allowing “targeted” ads on videos that are more likely to be viewed by children, Bloomberg reports, citing people “familiar with the discussion.”

The video streaming platform was recently hit with a multimillion dollar fine after the FTC found that it had violated children’s privacy laws by collecting data on children under the age of 13. It’s not clear if YouTube’s changes -- which, at this point, may or may not be implemented -- are a direct result of the settlement, Bloomberg noted. 

Doing away with targeted ads on videos aimed at children could have a significant impact on YouTube’s ad revenues. An industry analyst cited in the report said the platform could lose as much as 10 percent of its overall intake from kids’ videos, which works out to about $50 million annually. 

However, this solution would be much smaller in scale than other proposed ways of complying with regulators. Last year, a coalition of advocacy groups suggested that the FTC require YouTube to migrate all of its kids’ content to its YouTube Kids app. FTC chairman Joseph Simons has suggested the possibility of disabling ads on videos likely to be watched by children. 

Tracking still an issue

Google hasn’t commented on YouTube’s reported decision to stop serving targeted ads on kids’ videos, and it’s still unclear how YouTube would determine which videos would count as kids’ videos. 

Complainants have argued that the move would be hard to enforce. Josh Golin, from the Campaign for Commercial-Free Childhood, noted that shutting off the ad-targeting feature for select kids’ videos doesn’t mean YouTube will stop tracking their web habits. 

“Is Google still going to be collecting all the data and creating marketing profiles?” he asked Bloomberg. “That wouldn’t be satisfactory either.”

A bill introduced Tuesday would make it illegal for cell phone and app companies to sell the location data of users in New York City, the New York Times reports. 

Companies that break the law would be subject to a steep fine. Additionally, users within city limits would be legally allowed to sue companies that share their data without permission. 

The Times notes that the bill is likely to face resistance from telecommunications companies because selling location data generates billions of dollars annually. But proponents of the bill say its passage would represent a small step toward mitigating the privacy concerns that stem from the practice of location data sharing.

Reining in data sharing

Currently, no law prohibits U.S. companies from selling location data. Earlier this year, FCC Commissioner Geoffrey Starks called for federal action to put an end to the practice. In an op-ed for the New York Times, Starks expressed frustration over the fact that the FCC has yet to use its authority to crack down on the practice of data sharing. 

If passed, the bill proposed Tuesday would make New York City the first to establish its own set of location data rules. 

Calling the behavior of selling location data a “dangerous breach of privacy,” Democratic City Council member Justin Brannan said New York City can “lead the way” in banning the practice.

“Big telecom companies are making millions $$ by selling our location data without our knowledge -- forget about even asking our permission,” he said on Twitter. “It's time to put an end to Big Brother Big Business. And if the federal gov won't do it, NYC will.” 

The National Security Agency (NSA) improperly collected phone call data just a few months after assuring the public that the glitch that had previously caused it to do so had been fixed, according to documents obtained by the American Civil Liberties Union (ACLU). 

The agency’s first erroneous record-collection incident happened last May. Upon realizing its mistake, the NSA said it deleted more than 600 million of the call records it had collected from phone companies in error. Now, the ACLU has found that another over-collection incident occured in October 2018. 

In its report, the ACLU said the NSA obtained information about U.S. consumers’ phone calls in a manner not authorized under section 215 of the Patriot Act. 

The report said the agency unlawfully collected call record data three times in total: in November 2017, February 2018, and October 2018. The third violation suggests the underlying problem wasn’t mitigated in the first place, or perhaps that the NSA faced new problems that caused the issue to happen again.

“These documents further confirm that this surveillance program is beyond redemption and a privacy and civil liberties disaster,” Patrick Toomey, staff attorney with the ACLU’s National Security Project, said in a statement. “The NSA’s collection of Americans’ call records is too sweeping, the compliance problems too many, and evidence of the program’s value all but nonexistent. There is no justification for leaving this surveillance power in the NSA’s hands.”

NSA responds

In a statement acknowledging its persistent over-collection problem, the NSA said the technical issues to blame for the earlier incidents were fixed. However, it found additional “data integrity and compliance concerns caused by the unique complexities of using company-generated business records for intelligence purposes.”

“Those data integrity and compliance concerns have also been addressed and reported to NSA’s overseers, including the congressional oversight committees and the Foreign Intelligence Surveillance Court,” the agency added.

The NSA is now considering shutting down its call data collection system because it “is now viewed by many within the intelligence community as more of a burden than a useful tool, in part due to the compliance issues,” the Wall Street Journal reported. 

Facebook says its discontinued research app collected data from about 187,000 users who were paid $20 a month to allow the social media company observe how they used their phones.

The app made news earlier this year when Apple blocked Facebook from offering the app to iPhone users. At the time, Facebook said it users were paid for their participation, it never tried to hide the program, and none of the information was shared.

In a letter to members of Congress, Facebook disclosed it had collected data from 31,000 users in the U.S., 4,300 of whom were teenagers. The rest were consumers who lived in India.

At the time, Facebook said the app was part of an effort to help the company better serve its users.

“Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate,” a spokesperson said at the time.

The information may or may not be relevant to the current debate about Facebook’s size and scale, and whether it is a monopoly in need of regulation. The company has defended its discontinued research app as transparent and non-intrusive.

New research app

This week, Facebook released a new Android app, available to users who are at least 18 years-old. Facebook says users who download the app will agree to let Facebook analyze the apps on the phone, looking at how much they are used and the device or network that is being used.

The company says users who agree to participate will still receive compensation for sharing their data and can leave the program at any time.

As for the new research app, at least one lawmaker thinks it is an ill-conceived move. Sen. Richard Bloomenthan (D-Conn.) told CNET he thinks Facebook should be emphasizing consumer privacy.

"At a time when the company is under investigation for its data practices and anti-competitive actions, the Facebook Study app is at best tone-deaf and ill-considered," Bloomenthal told CNET.

Facebook and other tech giants have come under closer government scrutiny in recent weeks and could face antitrust action. For its part, Facebook is attempting to settle a Federal Trade Commission action over its handling of user data.

Federal Communications Commission (FCC) Chairman Ajit Pai was grilled this week about the alleged sale of phone-location data to entities with no clear rights to possess it.

Appearing before a House committee, the FCC chairman got a scolding and a warning that “lying to Congress is a federal crime.” Rep. Anna Eshoo (D-Calif.) warned Pai that what he told the panel was at odds with what she had heard elsewhere.

Eshoo aimed pointed questions at Pai asking for details about what she had heard was an FCC probe into the apparently illegal sale of phone-location data to third-party individuals and organizations.

The Congressional inquiry appeared to expose an intensely partisan divide within the FCC, where Republicans hold three seats and the Democrats control two. Democrats on the FCC board contend there is a “black market” in data that is being used to erode consumers’ privacy protections.

Democratic lawmakers accused Pai of withholding information from their party members. During the hearing, Pai was noncommittal about whether he would share basic information about the investigation with the FCC’s two Democratic commissioners, Jessica Rosenworcel and Geoffrey Starks.

Not aware of requests for information

Pai said he had never withheld information from Democratic FCC commissioners. He said he was not aware of requests for information made by the Democratic commissioners.

Pai said that in February, just after Starks had joined the FCC, he had offered the new commissioner control of the investigation into how location data was being used. He said the Democrat had turned down the offer.

Consumers’ location data is extremely valuable knowledge. Advertisers pay handsomely for it because they have found if they can target an advertisement to a consumer who is close to the client’s location, that person is much more likely to become a customer.

But critics say location information, in the wrong hands, could be dangerous. The technology site Motherboard reports it gave a bounty hunter $300 to track someone’s cell phone and he was able to pinpoint their location within a quarter-mile.

If a law enforcement agency wants to track the location of a criminal suspect, it must get legal authorization. Last year the Supreme Court ruled 5-4 that law enforcement must obtain a search warrant to get access to cell phone location information.

The Federal Emergency Management Agency (FEMA) inappropriately shared the personal information of more than 2 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.

The agency said it “provided more information than was necessary” while transferring survivor information to a third-party contractor that helps provide temporary housing to people affected by disasters under the Transitional Sheltering Assistance program.

“We believe this oversharing has impacted approximately 2.5 million disaster survivors,” an unnamed Department of Homeland Security official told the Washington Post.

Vulnerable to identity theft and fraud

The error was recently discovered by the Department of Homeland Security’s Office of Inspector General and detailed in a report dated March 15. Individuals who had personal data shared could be vulnerable to identity theft and fraud, the Inspector General report said.

However, FEMA has said that it’s “found no indicators to suggest survivor data has been compromised” and that it has taken “aggressive measures”  to correct the error.

“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” FEMA Press Secretary Lizzie Litzow said in a statement.

The name of the contractor who wrongly received the information hasn’t been released, but the agency said it "worked with the contractor to remove the unnecessary data from the system."

“FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters,” Litzow said.

Among health-related apps, the practice of sharing user data is “routine” and legal -- however, the lack of transparency about the practice puts consumers’ privacy at risk, the authors of a new study claim.

The study looked at 24 popular, interactive medicine-related apps for Android devices. Of the apps sampled, 19 (or 79 percent) shared user data with third parties, which then shared it with "fourth parties."

"Most health apps fail to provide privacy assurances or transparency around data sharing practices," said lead author Quinn Grundy.

Lack of informed consent

First and third parties shared the most user information with Amazon and Alphabet (the parent company of Google), with 24 unique transmissions.

“Fourth parties” -- which included multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency -- received the most unique user data. Only three of the 216 fourth parties were identified as belonging to the health sector.

The researchers point out that the identify of a user could be uncovered by looking at certain pieces of data, such as their device’s unique address.

"The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user," the study authors wrote.

The findings suggest a need on the part of privacy regulators to “consider that loss of privacy is not a fair cost for the use of digital health services," Grundy said.

Health professionals "should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” the researchers concluded.

The full study has been published online in the BMJ.

Whether you’re at home or cruising at 30,000 feet you could be in the range of a microphone or camera. Even if someone isn’t watching or listening, they could be.

The latest potential encroachment on consumers’ privacy is contained in a new entertainment system being installed on major airlines. At least three major carriers -- American, United, and Singapore Airlines -- have installed new seatback entertainment systems that contain a camera.

The camera was discovered by an observant passenger on a Singapore Airlines flight who tweeted: “Just found this interesting sensor looking at me from the seat back on board of Singapore Airlines. Any expert opinion of whether this a camera? Perhaps @SingaporeAir could clarify how it is used?”

It turned out to be a camera. But why would an entertainment system on an airliner be equipped with a camera?

According to American Airlines, there’s an innocent explanation. The manufacturer of the equipment has included the capability for passengers in different parts of the plane to video chat with each other.

Cameras aren’t turned on

All three airlines told the British newspaper The Independent they’ve never activated the seatback cameras and don’t plan to in the future. Even so, travelers on those three airlines might feel a little better if they carry a piece of tape on board the flight and place it over the lens.

Consumers who have purchased smart speakers for their homes have gotten used to the idea that the speaker also has ears and is always listening. As we reported in 2017, hackers have found a way to exploit a vulnerability in the Amazon Echo that can turn it into a live microphone.

Researcher Mark Barnes said at the time that the attack is limited because it requires physical access to the device. However, he pointed out that product developers shouldn’t take it for granted that customers won’t expose their devices to uncontrolled environments.

Just forgot to mention

Just last week, Google Nest Secure users were surprised to learn that the home security system has a built-in microphone which had not been disclosed in any of the product literature. The company said that it was not trying to keep the microphone a secret, it just neglected to mention it.

As for the cameras on airplanes, it is possible that more carriers will have the seatback cameras if they install the new entertainment system on their aircraft. You can locate the camera lens by looking directly below the video screen. It is a small circular lens in the middle of a larger circle.

Google Nest is a system of smart home products that can control thermostats, smoke detectors, and security systems. But it turns out the Nest Secure product has a built-in microphone, which was news to the consumers who had purchased it.

That information came to light earlier this month when the company announced an update for Nest Secure that would allow users to enable its virtual-assistant Google Assistant by using voice commands.

But Nest users were surprised to learn they could do that since they didn’t know there was a microphone connected to Nest Secure. Various technology publications scanned the product’s technical specs and found no mention of a microphone.

Omission made in error

In statements to the media, Google officials said the omission was made in error. The company said there was never any attempt to keep the microphone a secret.

It also said that the microphone comes from the factory in the off position. It can only be turned on if the user enables it, and if the user was unaware of its existence, the microphone was not listening to private conversations.

Why even have a microphone? Google says it was originally included on the Nest Guard to enable future updates, like the ability to listen for an intrusion into an otherwise unoccupied home.

“Security systems often use microphones to provide features that rely on sound sensing,” Google said in a statement. “We included the mic on the device so that we can potentially offer additional features to our users in the future, such as the ability to detect broken glass.”

Scrutiny over privacy

Even if it’s an innocent omission, the news that Google failed to mention that one of its security devices has a built-in microphone is sure to ruffle privacy feathers. Google, along with other major tech companies, has come under increasing scrutiny for how it manages consumers’ private data.

For its part, Google has long maintained that the internet is all about transparency. CEO Eric Schmidt famously remarked in 2009 that people who have things they don’t want people to know probably shouldn’t be doing them in the first place.

Writing in Fortune in 2017, Joseph Turow, a professor at the University of Pennsylvania’s Annenberg School for Communication, maintained that “Google still doesn’t care about your privacy.”

Turow said the bargain whereby consumers agree to give up personal information in exchange for seeing only relevant ads is a one-sided deal, suggesting that consumers have little understanding of what they’re giving up.

Facebook is defending an app that allows it to access user’s smartphone data, saying people were paid for that access and that none of the data was shared.

A report by technology site TechCrunch says Facebook pays users between the ages of 13 and 35 up to $20 a month to install the app, called Facebook Research. The report said the app is similar to the social media giant’s Onavo Protect app that was discontinued in August after Apple declared it violated its privacy policy.

The TechCrunch report maintains that the app gives Facebook a massive amount of information about the participating users’ online lives, including social media messages, emails, and what they looked at online.

Facebook has not issued a formal statement, but it has defended the program and declared it was not trying to keep it a secret in various comments to media outlets. The company says it invites people to take part in research so that it can do things better.

“Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate,” a spokesperson told CNBC.

No longer available on the iPhone

Because of potential issues with Apple’s privacy policy, Facebook is withdrawing the app from iOS phones, but it will continue to be available for Android users.

Privacy has been a thorn in Facebook’s side for the last 10 months. In March, the government opened an investigation into Facebook privacy issues after the company revealed that a political marketing firm, Cambridge Analytica, had gained unauthorized access to Facebook user data and used it for political advertising in 2016.

That revelation highlighted the issue of what data big tech collects and how it is used, and it garnered the attention of both U.S. and European regulators.

In May, Europe enacted stringent privacy protections, called the General Data Protection Regulation (GDPR), and Facebook was among the early U.S. tech companies that announced plans to comply with the new set of privacy rules.

You check your phone for the weather forecast. You search for a good Thai restaurant. When you do, you give up small pieces of data about your location. It’s data that helps the apps give you the requested information, but it is also collected by the apps and sold to marketers.

Consumers who make repeated use of apps are giving up a lot of information warns Ying Cai, an associate professor of computer science at Iowa State University. He’s been thinking about the issue for years, noting that it’s only gotten worse with time.

Many of these apps are useful tools, but is the price of using them giving up even more of our privacy? Cai doesn’t think so; he has developed a cloaking technology that he says will allow consumers to continue using these popular apps without providing so much data.

Working through his university, Cai has received two patents for his location-cloaking technology. He says the technology will let consumers use mobile apps and stay relatively anonymous.

Not yet available to consumers

So far, cellular providers haven’t offered the technology to their customers, but Cai is hoping consumer demand will lead to his first sale as privacy becomes a growing concern.

“Privacy is a big issue. We can all agree on this,” Cai said. “If customers ask about cloaking technology and service providers realize location privacy is critical to customers, providers may see the value and offer this service.”

Here’s how it works: the technology walks that fine line between providing a location to the app that is as precise as possible, but just short of being too precise. For example, the app won’t know you are at the intersection of 3rd and Main Street, only that you’re in a big box store in the 300 block of Main.

Cai says the size or traffic of a particular revealed location will vary based on the user’s comfort level. He compares it to being treated by a doctor and selecting a pain threshold on a scale of one to five.

Making it difficult to track you

The big box store has a certain traffic volume that makes it difficult to track a single individual at any given time. Whenever a user wants to report their location, their service provider will select  an appropriate region to report.

“That way, every time you report your location, you make sure it cannot be linked to people who were there at the time when the location was reported,” Cai said. “This gives you protection from the time dimension, which is important.”

It’s not as cloak-and-dagger as it sounds. When you repeatedly use current location-tracking apps, you’re giving the apps a trajectory that makes it possible to identify you as an individual.

That’s a problem, Cai says, because it allows people you don’t know to learn too much about you -- not just your location, but what your location says about you.

Millions of consumers use the Weather Channel’s app to keep up with their local weather conditions, but a suit filed by the City of Los Angeles claims the app is keeping up with you.

In a suit filed late last week, the City of Los Angeles claims the company that owns the Weather Channel is manipulating users into activating location tracking by suggesting the information would only be used to provide specific weather forecasts. The suit charges that information is also used to help advertisers better target consumers.

As it turns out, knowing where individuals are at any given moment is very valuable. For example, advertisers use that information to target a consumer when he or she is near their place of business.

The City of Los Angeles lawsuit claims the Weather Channel has sold data collected from its app to companies that mine this sort of data. Citing an article in the New York Times the city said at least 75 companies collected precise location data using information obtained through the app.

The suit charges that consumers weren’t adequately informed of this arrangement. It said the notices supplied by the app failed to provide complete details about how their data would be shared and used. The suit claims  incomplete messages like that are “fraudulent and deceptive” and violate California’s Unfair Competition Law.

Tech industry crisis

The suit strikes at the heart of a crisis the technology industry is now facing. Since Facebook revealed in March that user data had been unlawfully used by a political marketing firm, big tech firms have been in a defensive posture and under increasing regulatory pressure.

As the annual Consumer Electronics Show (CES) gets underway this week in Las Vegas, Apple addressed the issue head-on in a billboard, declaring “What happens on your iPhone stays on your iPhone.”

“If the price of getting a weather report is going to be the sacrifice of your most personal information about where you spend your time day and night, you sure as heck ought to be told clearly in advance,” Michael Feuer, the Los Angeles city attorney, told the Times.

A spokesman for IBM, who owns the Weather Channel app, said the company has always been transparent in its use of personal data. It said the company will vigorously defend the lawsuit.

Facebook finds itself once again in the crosshairs as a British parliamentary group released company documents showing the social media giant used member data to help friends and punish rivals.

A British parliamentary committee released emails that focus on how Facebook operated during the period of its most rapid growth, from roughly 2012 to 2015. The documents show that Facebook executives considered member data to be their most prized commodity and used it to profit from its accumulation.

The documents also show that CEO Mark Zuckerberg and COO Sheryl Sandberg were intensely involved in decisions that had the objective of keeping members as engaged on the site as possible.

In one series of emails, Zuckerberg raised the prospect of charging developers for access to user data in an agreement to obtain user data from the developers.

“It’s not good for us unless people also share back to Facebook and that content increases the value of our network, he wrote. "So ultimately, I think the purpose of (the) platform — even the read side — is to increase sharing back into Facebook.”

User data issues

Facebook has been wrestling with user data issues since March when it revealed that user data was unlawfully transferred to a political marketing firm, which used it in the 2016 U.S. presidential election. Facebook has said it was slow to respond to that issue but has since increased user data safeguards.

Facebook had taken steps to keep the documents private. Those materials have been under a court-ordered seal as part of a lawsuit in California involving Facebook and an app developer.

In a statement Wednesday, Facebook said the documents were selectively leaked to "suggest things that are false." The company says the documents don't tell the full story.

Congressional response

Sen. Edward Markey (D-Mass.), a frequent Facebook critic, said it should not be up to Zuckerberg and other Facebook executives to decide who has access to user information.

"When he testified before Congress, Mark Zuckerberg repeatedly insisted that Facebook does not sell its users’ data," Markey said. "We now know, however, that Facebook executives discussed requiring companies to buy digital advertisements in order to access users’ personal information."

Markey says if there is any evidence of a pay-for-data model it would "fly in the face" of the statements Facebook has made to Congress and the public.

Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users’ profiles without them knowing about it.

The bug was first discovered in May by Ron Masas, a security researcher at Imperva. Masas found that Facebook search results were not sufficiently protected from cross-site request forgery attacks, meaning bad actors could have used an iFrame to extract data from a logged-in Facebook profile in another tab.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” Masas told SiliconANGLE.

Masas said the bug allowed websites to see the user’s interests as well as their friends' interests, even if their privacy settings were set to allow only friends to see their interests.

One of many security issues

Facebook said it fixed the bug within days of being alerted to it. The company says it hasn’t seen the vulnerability be exploited for malicious purposes.

“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

The data vulnerability is among several others to have affected Facebook recently. It follows the Cambridge Analytica scandal, in which a political data firm improperly harvested information on 87 million users to use for election profiling.

More recently, Facebook admitted that millions of user account tokens had been stolen by hackers who breached its system.

During a speech given at a privacy conference in Brussels on Wednesday, Apple’s chief executive Tim Cook called for stricter digital privacy laws, saying consumers’ personal information is being "weaponized against us with military efficiency."

Cook, who didn’t specifically call out any major tech companies, said technology and the business of selling ads targeting to users has created a "data industrial complex” that is affecting individuals and entire societies.

"We shouldn't sugarcoat the consequences. This is surveillance,” Cook said in an impassioned keynote address at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC). “And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us very uncomfortable. It should unsettle us."

Companies hoarding personal data

Although Cook didn’t mention Facebook or Google by name, his comments come on the heels of several massive data breaches like the Cambridge Analytica scandal, in which the information of 87 million users was “improperly shared” to profile voters.

"Every day, billions of dollars change hands, and countless decisions are made, on the basis of our likes and dislikes, our friends and families, our relationships and conversations. Our wishes and fears, our hopes and dreams," Cook said. "These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded, and sold."

"Your profile is then run through algorithms that can serve up increasingly extreme content, pounding our harmless preferences into hardened convictions," Cook said.

Called for new privacy laws

Apple’s CEO praised the "successful implementation" of the EU’s new data privacy law, GDPR. He said U.S.-based companies should consider implementing similarly stringent privacy regulation laws.

“This crisis is real. It is not imagined, or exaggerated, or crazy,” he said during the keynote, which can be viewed below. “And those of us who believe in technology's potential for good must not shrink from this moment.”

He said Apple would fully support the introduction of a “comprehensive federal privacy law in the United States.”

“There, and everywhere, it should be rooted in four essential rights," Cook added. Consumers should have the right to have personal data minimized, the right to knowledge, the right to access, and the right to security, he said.

In the wake of a series of highly publicized data breaches, Facebook is reportedly looking to beef up its security defenses by acquiring a major cybersecurity firm.

Sources with knowledge of the matter told The Information that the company has already offered deals to “several” security firms, but the sources stopped short of naming which companies Facebook has expressed an interest in acquiring.

Facebook wants to close the deal by the end of this year, according to the report.

Preventing another hack

The purchase would enable the company to buy software that could be integrated with Facebook’s existing services. The software could give it access to security tools, such as tools for automatically detecting hacking attempts or securing users’ accounts.

A large acquisition like this would also help increase the company’s trustworthiness in the eyes of consumers, investors, and government regulators by showing that it’s taking the issue of data security seriously.

Word of Facebook’s goal of acquiring a cybersecurity firm comes nearly a month after the company announced that hackers had stolen access tokens for 30 million accounts.

Earlier this year, CEO Mark Zuckerberg was called upon to testify before Congress following the Cambridge Analytica scandal in which the information of 87 million users was “improperly shared” to profile voters. At the hearing, Zuckerberg answered questions related to the privacy policies of the social networking platform.

“We were too slow to spot and respond to Russian interference, and we’re working hard to get better,” Zuckerberg said in a statement at the time.

“Our sophistication in handling these threats is growing and improving quickly. We will continue working with the government to understand the full extent of Russian interference, and we will do our part not only to ensure the integrity of free and fair elections around the world, but also to give everyone a voice and to be a force for good in democracy everywhere.”

Facebook now says 30 million users -- not the 50 million, as originally reported -- had their login tokens compromised in a breach discovered last month.

The tokens for those 50 million users, plus an additional 40 million, were reset as a precaution.

In a security update, Facebook said its investigation found that unknown hackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The flaw that allowed the attackers to get in involved Facebook's "View As" feature, which allows users to see what their profile looks like to other members.

The interaction of three different software bugs allowed the hackers to steal access tokens, in effect allowing them to access the corresponding accounts. The tokens work like digital keys that keep users logged in to Facebook so they don't have to repeatedly enter their username and passwords.

Spike in activity

In the security update, Facebook reported that the attack was revealed when engineers saw an unusual spike in activity that started on September 14.

"On September 25, we determined this was actually an attack and identified the vulnerability," the company said. "Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed."

As a precaution, Facebook turned off “View As” and said it is working with the FBI to determine the parties that might be responsible for the attack.

While fewer Facebook users were affected than first reported, Facebook has revealed the extent of compromised information was greater for some than for others.

Exposed data

Attackers accessed two sets of information on about 15 million users. It included name and contact details such as email and phone number.

For another 14 million users, the attackers accessed additional information that was included in their profiles, such as username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in.

For 1 million users, Facebook has determined that the attackers did not access any information. Facebook users concerned about this breach can determine whether they were affected by visiting the Facebook help center.

Facebook's update follows criticism from Ireland's Data Protection Commission (DPC), which enforces privacy regulations for the European Union (EU). At the time, the agency complained that Facebook's initial disclosure of the breach was light on details.

Facebook's data breach, disclosed last week, will likely be costly for the social media giant as European privacy regulators demand answers.

On Friday, Facebook announced that a security breach compromised about 50 million login credentials but said the issue had been resolved. But Europe has the world's toughest privacy rules and the European Union could impose fines that – by some estimates – could be in excess of $1 billion.

Ireland's Data Protection Commission (DPC) complained that Facebook's initial disclosure of the breach was light on details. The DPC said Facebook appears unable to tell users the extent of the risk they face.

The DPC said it wants answers from Facebook and those replies will determine whether there will be fines and how much they are. Later, the commission tweeted that Facebook had begun to fill in some blanks.

“Facebook issued a blog on Friday last indicating that 50 million accounts were potentially affected by a security issue,” the agency wrote. “We understand that the number of EU accounts potentially affected is less than 10 percent of that. Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”

General Data Protection Regulation

The EU's General Data Protection Regulation took effect in May and imposes heavy penalties on companies found to be in violation of it. Offenders can be required to pay $23 million or 4 percent of the previous year's international revenue. Under that formula, Facebook could face a fine in excess of $1 billion.

This isn't the first time Facebook has had to deal with a privacy issue. It faced a harsh backlash in March, when it revealed that personal information on millions of users had fallen into the hands of a political marketing firm.

In that case, there was no breach of its system. A third-party app developer had been granted access to the data but was not allowed to give it to anyone else. Facebook said the developer then sold the data to Cambridge Analytica, a political marketing firm.

At its developer conference in May, Facebook reaffirmed its commitment to protecting user data. CEO Mark Zuckerberg said the company would take a “broader view” of its responsibility to protect users' privacy.

Another 40 million accounts reset as a precaution

Consumers who made purchases at Newegg between August 14 and September 18 may have a compromised credit card in their wallet.

The popular online electronics retailer was compromised by hackers who were able to insert "skimming" code into the site's checkout page, capturing consumers' credit card information.

The incident response firm Volexcity found the code and reported it to Newegg, which removed it from the page on Tuesday. The company has not made a formal statement on the breach but TechCrunch has reported customers have received emails from the company saying it hasn't been determined how many credit cards may have been compromised.

Magecart strikes again

Volexcity attributes the attack to the Magecart group -- hackers accused of carrying out a similar breach of British Airways' online payment system.

"As it turns out, a nearly identical data theft campaign was being carried out against Newegg at the same time," Volexcity said in a report. "In fact, it appears the Newegg compromise may have started nearly a week earlier."

That also raises the frightening possibility that other ecommerce sites have also been compromised by the same group, but have not yet been discovered.

Volexcity reports the hackers have also become more efficient, using just eight lines of code to carry out the Newegg attack, down from 21 lines in the British Airways attack.

What to do

Consumers who made purchases at Newegg between August 14 and September 18 should immediately check their credit or debit card statements for unauthorized charges.

Even if none are detected, it is prudent to contact the card issuer's customer service representative and inform them the card may have been compromised. Most likely, the card issuer will cancel the old card and issue a new one.

If unauthorized charges have been made to a compromised credit card, the cardholder's liability under federal law is limited to $50. If the cardholder reports the card has been compromised before any fraudulent charges are made, they bear no liability for any subsequent fraudulent charges.

Different banks have different policies regarding fraudulent charges made to debit cards, which is why it is always advisable to use a credit card, not a debit card, when making online purchases.

In May 2014, the European Court of Justice implemented the “right to be forgotten” rule for internet users, allowing consumers to request that any information about themselves be de-listed from search results.

Four years later, the ruling has resurfaced as Google finds itself in a battle with France’s data protection agency -- the Commission nationale de l'informatique et des libertés (CNIL). CNIL is arguing that the right to be forgotten rule be expanded to cover more than just the European Union; it says the rule should give users the option to have things de-listed from search engines globally.

While CNIL acknowledged that Google does delete some search results from Europeans when requested, the main issue is that the results aren’t deleted everywhere. According to CNIL’s complaint, some non-EU versions of Google still displayed the de-listed information.

A censorship issue

At a hearing in front of 15 European Union judges, Google was strong in its stance that expanding the right to be forgotten rule would in fact infringe on some users’ freedom of expression.

Other media outlets -- including Reuters, The New York Times, Buzzfeed, and several nonprofit organizations -- agree with Google’s stance that expanding the current rule would be censorship.

“This case could see the right to be forgotten threatening global free speech,” said Thomas Hughes, the executive director of the freedom-of-expression group Article 19. “European data regulators should not be allowed to decide what internet users around the world find when they use a search engine.”

“The [Court of Justice of the European Union] must limit the scope of the right to be forgotten in order to protect the right of internet users around the world to access information online,” Hughes said.

What’s been removed

Earlier this year, Google provided an update on its efforts in the last four years since the right to be forgotten rule was put into effect.

Google reported it made good on requests covering 2.4 million URLs.

In a February report, Google noted that deciding what to de-list can become problematic, and those that have been deleted thus far comprise only 43.3 percent of requests.

“Search engines like Google must consider if the information in question is ‘inaccurate, inadequate, irrelevant or excessive’—and whether there is a public interest in the information remaining available in search results,” said Michee Smith, Google’s product lead on the project.

In the four years since right to be forgotten was enacted, the main request from consumers is tied to social media and directory services containing personal information. The second highest request is linked to news outlets and government websites.

The operators who defraud American consumers and businesses hardly ever face justice, mainly because they operate offshore.

But U.S. officials say they have a Russian national in custody who they accuse of carrying out one of the biggest hacks in history.

Federal officials report that Andrei Tyurin, a Russian who was accused of being a key player in a hack of JPMorgan Chase and other large companies, is now in their hands after he was extradited from the Republic of Georgia.

U.S. officials charge that Tyurin has been the mastermind behind a number of high-profile cyber attacks against U.S. financial firms while also engaging in credit card fraud and money laundering.

Single biggest hack

“Tyurin’s alleged hacking activities were so prolific they lay claim to the largest theft of U.S. customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims," said Manhattan U.S. Attorney Geoffrey Berman. "As Americans increasingly turn to online banking, theft of online personal information can cause devastating effects on their financial well being, sometimes taking years to recover."

Berman and other law enforcement officials who have had their sights on Tyurin for years, call his extradition a significant milestone. In most cases, they have been powerless to apprehend people outside the U.S. who are scamming consumers.

Tyurin appeared in court in Manhattan with his attorney and entered a not guilty plea to charges conspiracy, computer hacking, identity theft, and wire fraud.

Could cut a deal

Legal experts say Tyurin may be in a good position to cut a deal with prosecutors since he most likely has a lot of information about others who are involved in international hacking and scams. It's not unreasonable to think his knowledge could be useful to prosecutors who are conducting investigations into a number of different areas, including interference in the 2016 presidential election.

The case at hand centers on the 2014 JP Morgan hack, which investigators said appeared to center on alleged efforts to manipulate stock prices. JP Morgan security personnel brought these concerns to public attention, fearing they might be part of an intrusion by Russian intelligence agents.

U.S. officials accuse Tyurin of working with other hackers in a coordinated attack on financial services firms' networks. Officials say they believe the hackers were able to gather sensitive information on more than 100 million people who were the firms' clients.

Prosecutors allege that stolen information was used in wide-ranging schemes, from stock manipulation to bitcoin money laundering.

Yahoo Mail is still scanning the inboxes of its users for commercial emails in order to help advertisers target ads based on users’ interests, the Wall Street Journal reported on Tuesday.

The emails that are scanned typically include order confirmations and other messages from online retailers. Oath, Yahoo’s owner, uses the information to put users into interest groups. Advertisers then show ads based on those interests.

Oath uses algorithms to identify commercial emails, then scans those emails for keywords that could provide insights into a user’s purchasing habits.

“Yahoo mined users’ emails in part to discover products they bought through receipts from e-commerce companies such as Amazon.com,” said the Journal. “In 2015, Amazon stopped including full itemized receipts in the emails it sends customers, partly because the company didn’t want Yahoo and others gathering that data for their own use.”

The company allows users to opt out of receiving targeted ads based on email scanning, but the page through which users can do so is difficult to find. Users have to navigate into the Ad Interest Manager and select “opt out” under both 'Your Advertising Choices' and the 'On Yahoo' tabs.

Yahoo’s rivals don’t scan emails

Users first noticed that Oath gave itself permission to read users’ emails when it updated its privacy policy back in April. However, the fact that the company is still pitching this ability to advertisers goes against the policies of most of its competitors.

Last year, Google confirmed that it would stop scanning users’ consumer email accounts in order to serve up targeted ads. Microsoft says it has never engaged in the practice, nor has Apple.

Oath says that scanning retail emails is part of the trade-off consumers make in exchange for free online services.

"Email is an expensive system. I think it's reasonable and ethical to expect the value exchange, if you've got this mail service and there is advertising going on," Doug Sharp, Oath's Vice President of Data, Measurements & Insights, told the Journal.

On Thursday, T-Mobile announced that it was hit with a data breach on August 20 that may have allowed hackers to gain access to the personal information of around 2 million of its customers.

“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile said in a statement disclosing the breach.

T-Mobile said its cyber-security team “discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities.”

Information comprised included the name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid) of users.

Financial data not compromised

“None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised,” T-Mobile said.

The company said anyone whose data has been stolen has been or will shortly be contacted via text message.

T-Mobile didn’t say how many customers were affected by the breach. However, a T-Mobile spokesperson noted in a statement to Motherboard that the breach affected “about” or “slightly less than” 3 percent of the carrier’s 77 million customers, which would be around 2 million users.

T-Mobile says consumers with questions or concerns about the incident can contact Customer Care.

“If you are a T-Mobile customer, you can dial 611, use two-way messaging on MyT-Mobile.com, the T-Mobile App, or iMessage through Apple Business Chat,” the carrier said. “You can also request a call back or schedule a time for your Team of Experts to call you through both the T-Mobile App and MyT-Mobile.com. If you are a T-Mobile For Business or Metro PCS customer, just dial 611 from your mobile phone.”

Facebook says it has removed 652 pages and accounts from its platform after determining their owners aren’t real, but groups based in Russian and Iran.

The purpose of the posts on those pages, Facebook said, was to spread misinformation and sow discord ahead of the U.S. midterm elections. The company said the owners of the accounts were engaging in "coordinated inauthentic behavior."

The company said the owners of the accounts were carrying out distinct campaigns and so far, it has not established any kind of direct link between the groups. But it was clear they were using the same or similar tactics and were trying to mislead others about who they were and what they were doing.

Determined and well-funded

"We ban this kind of behavior because we want people to be able to trust the connections they make on Facebook," the company said in a blog post. "And while we’re making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well funded."

Facebook said it is investing in people and technology and working more closely with law enforcement. It announced those steps earlier this year when it revealed that Cambridge Analytica, a political marketing firm, made unauthorized use of Facebook data to target ads during the 2016 presidential election.

Facebook said it received a tip last month from FireEye, a cybersecurity firm, warning that it identified a group called Liberty Front Press as a potential bad actor. Facebook says a subsequent investigation was able to link the account to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same administrators.

One part of the network, a Facebook group called Quest 4 Truth, identified itself as an independent Iranian media organization. But Facebook said its investigation showed it was connected to Press TV, an English-language news network affiliated with Iranian state media.

Not who they say they are

The overarching theme, says Facebook, is that the account owners portray themselves as independent media organizations when they are not.

Earlier this week Microsoft reported that it had taken control of six domains owned by the Russian hacker group APT28, which was using the domains to spoof government and conservative websites.

Facebook CEO Mark Zuckerberg says his company has moved from a reactive stance to a proactive one. In a conference call with reporters, Zuckerberg said it's the only way to stay one step ahead of groups trying to use social media platforms to spread discord among Americans.

That tracker app you installed on your family members' smartphones may be providing more information than you think, and not just to you.

German researchers at the Fraunhofer Institute analyzed 19 legal tracker apps available in the Google Play Store. The researchers closely examined how the apps collect information and how they protect highly sensitive user data.

They concluded that all 19 apps revealed 37 major vulnerabilities, with none of the apps programmed with default security features in place.

The research team stresses that tracker apps have legitimate uses. Parents often use them to monitor their children's location and to see messages and pictures they post online. They're perfectly legal so long as the person being monitored is aware of it and agrees to it.

Data stored in plain text

The researchers take issue with these apps' security features, or rather the lack of them. They found that most apps store highly sensitive data on a server in plain text, without any type of encryption.

"We only had to open up a certain website and guess or enter a user name into the URL to retrieve an individual's movement profile," said Siegfried Rasthofer, who headed the project.

The researchers said they were able to read out complete movement profiles for all app users, not just the ones being monitored. They suggest this security flaw could allow thousands of people to be tracked in real time.

"It enables total surveillance," said Stephan Huber, a member of the research team.

Lack of proper encryption

The researchers said they were also able to read the app users' login information because the developers either used improper encryption or no encryption at all. In one app, the team was able to easily access 1.7 million login credentials.

The Fraunhofer researchers said they informed the app developers and the Google Play Store team of their findings. They say Google has removed 12 of the 19 apps from its store.

If you're still using a fax machine, you're not only old fashioned, you're probably vulnerable to cyber attacks.

Researchers at Check Point, a cyber security firm, have uncovered vulnerabilities in the communication protocols used in tens of millions of fax devices. If the attacker has the fax number, that’s all they need to exploit the flaws and potentially seize control of a computer network.

Specifically, the Check Point researchers focused on the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers. Its protocols are also used by other manufacturers' faxes and multi-function printers.

Check Point says the protocols are also employed in online fax services such as fax2email, and researchers say it is likely that these are also vulnerable to attack by the same method.

HP has already issued a patch

Once informed of the findings, Check Point says HP quickly developed a software patch for its printers, which is available here.

There are a reported 45 million fax machines still in use, both in homes and offices. The '80s technology is especially prevalent in healthcare, law offices, banking, and real estate, and these networks often contain vast amounts of sensitive data.

“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers,” said Yaniv Balmas, Group Manager, Security Research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations."

Here's how it works

It's a fairly simple hack. Once the attacker obtains a fax number, they send an image file to the machine. Embedded within the image is a code that the machine recognizes, decodes, and uploads into its memory.

Check Point says this process gives the attacker the ability to break into any device that is connected to the fax's computer network.

Dom Chorafakis, founder of the cyber security consultancy Akouto, says the simplicity of the attack is what makes it so dangerous.

"The malware is embedded within a specially crafted [message] and delivered over the phone line via standard fax, so there are no defensive measures like firewalls or antivirus that can be put into place to prevent this attack," Chorafakis told ConsumerAffairs. "End users have to rely on equipment vendors to check their firmware and provide updates.

While these attacks can be hard to stop, there are a couple of ways to protect yourself before being targeted. First, check your machine's manufacturer for available firmware updates and apply them.

For businesses and organizations, the fax machine should be on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.

Staffers at the nonprofit PGA of America are locked out of their own computer servers and unable to access critical files that they were planning to use for the upcoming Ryder Cup in France, GolfWeek is reporting.

On Tuesday morning, staffers received a message on their computers and were unable to access their own files. “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm,” the message read.

The files, which include promotional banners, logos, and signage, will be destroyed if employees attempt to go around the hackers to get them back, the message warned.

Instead, the hackers have invited employees to use a decryption software that they claim has been made “exclusively” for PGA. That, of course, will cost money.

The message also includes a Bitcoin wallet number but no specific amount requested. Officials told GolfWeek that they have no intention of paying the ransom. The magazine reports that many of the files were created over a year ago and “cannot be easily replicated.”

Hacks tied to demands for a ransom paid in cryptocurrency have become increasingly common, affecting random people whose data had been stolen in previous hacks or the city of Atlanta, to name a few instances.

PGA of America is a nonprofit that is separate entity from PGA tours. In addition to the Ryder Cup, it also operates events that include the PGA Championship.

Healthcare

As medical records move online, it’s becoming clear that healthcare workers are in over their heads when it comes to data security. According to industry publications, hospitals and clinics have been suffering a record number of data breaches this year.

From April to June, the industry reported 142 data breach incidents affecting 3.14 million patient records. The figures are “nearly three times the number reported in the first part of the year,” Health IT News is reporting.

In July, another 860,000 patient records were compromised, according to an analysis of government data conducted by Healthcare Analytics News.

The attacks come following a report last year which found that 70 percent of healthcare workers lack cybersecurity awareness.

WhatsApp

The messaging app that has taken off with world travelers, people who work in tourism, or others who want a data-free method to contact overseas numbers could get users in major trouble.

Security researchers say that they have have warned WhatsApp about a flaw they discovered in the site that allows attackers to impersonate users and alter their text messages. The attackers can do so by taking advantage of the “quote” feature used in group chats.

“We believe these vulnerabilities to be of the utmost importance and require attention,” Checkpoint Research said. WhatsApp has not made clear whether it is working to fix the flaw.

“We encourage you to think before sharing messages that were forwarded,” the company said in a blogpost. “As a reminder, you can report spam or block a contact in one tap and can always reach out to WhatsApp directly for help.”

Airplanes

A security researcher says that he was able to use weaknesses in satellite equipment to hack commercial aircraft. Ruben Santamarta recently told Forbes that he was able to view the workings of hundreds of passenger and commercial aircraft and says he is the first person make the discovery.

Vulnerable airlines included Southwest, which says it already fixed the issue in December after being notified by a government agency. Other airlines that were named by Santamarta either didn’t respond or claimed that they had also already fixed the issue as well, Forbes reports.

Facebook is asking large banks to share their customers’ credit card transaction data, shopping habits, and checking account balances to help it launch a new financial services initiative, according to a report from The Wall Street Journal.

Now, Facebook is speaking up in an effort to make clear that it’s not asking banks for its users’ financial transaction data or shopping habits.

In a statement to TechCrunch, Facebook spokesperson Elisabeth Diana said the social networking platform is working with banks to increase its chatbot capabilities. However, the company denies that it’s seeking access to its users’ financial data in order to serve up targeted ads or use that information for other purposes.

Facebook says it won’t collect information

“A recent Wall Street Journal story implies incorrectly that we are actively asking financial services companies for financial transaction data – this is not true,” Diana said.

The company says it’s looking to partner with banks and credit card companies to offer customer service through a chatbot in Messenger or help users manage their accounts within the app.

“Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management,” Diana continued. “Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates.”

Bank integration with Facebook

Facebook said it is considering a new initiative that would let users see their checking account balances from within Messenger.

“The idea is that messaging with a bank can be better than waiting on hold over the phone – and it’s completely opt-in,” Diana said.

“We’re not using this information beyond enabling these types of experiences – not for advertising or anything else. A critical part of these partnerships is keeping people’s information safe and secure.”

Anonymous sources told the Journal that Facebook has talked to large banks including JPMorgan Chase, Citigroup, Wells Fargo, and US Bancorp about what types of banking services Facebook Messenger could provide for customers.

The FBI has three Ukrainian nationals in custody who are leaders of an “international crime supergroup” called FIN7, the Department of Justice said Wednesday.

The group allegedly hacked the servers of Chipotle, Arby’s, Chili’s, and nearly 100 other United States companies in order to access consumer data and sell it on the dark web.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia,” federal authorities said. The group allegedly stole more than 15 million customer credit card records in the breaches.

Chipotle and Arby’s both admitted last year that customer credit card data was targeted via a malware attack, while Chili’s said last May that customer credit card data may have been “compromised.”

According to the Department of Justice, the attacks were part of a prolific hacking campaign “that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information.”

Authorities say that the hackers posed as a security firm called Combi Security to recruit members in Israel and Eastern Europe. They launched their attacks by sending emails to employees of the companies that they were targeting. The emails were apparently so legitimate-looking that the recipients subsequently downloaded attachments containing malware -- yet another reminder to never download attachments from an unfamiliar source.

The defendants -- Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kolpakov, 30 -- were arrested by foreign authorities. They now face 26 felony counts in a U.S. District Court in Seattle.

The Ivy Leagues

Yale University is offering one free year of identity theft monitoring, corporate America’s favorite way to apologize for a data breach, after university officials discovered that hackers stole 119,000 records affecting alumni, faculty, and staff nearly a decade ago.

“I am writing, with regret, to inform you that, between April 2008 and January 2009, intruders gained electronic access to a Yale database and extracted names and Social Security numbers, including yours,” says a letter that the University recently sent out to affected people.

As Yale News reports, the prestigious university has repeatedly fallen victim to hackers. Even their computer science department is not immune. A 2012 data breach in the department was blamed on a former employee with a weak password.

Reddit

Reddit  said Wednesday that a hacker stole some users’ email addresses, as well as a 2007 database containing encrypted passwords.

The “security incident,” as Reddit describes it, occurred between June 14 and 18.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company said.

Hewlett-Packard (HP) is offering hackers a bounty of up to $10,000 if they can find vulnerabilities in the company’s printers.

CNET is reporting that HP quietly started a hacking bounty program in May. A total of 34 researchers have joined, including one who already earned $10,000 for detecting a flaw.

Printers are one of many consumer products that are vulnerable to hacking. Like other unexpected hacking targets, they can fall to the wayside when it comes to the attention of security researchers, who may be more interested in protecting webcams and other obvious targets.

"As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up," said Shivaun Albright, HP's chief technologist of print security, in a statement.

Taking a proactive approach

With nearly every industry proven to be vulnerable to hackers, researchers have said that businesses need to be more proactive in patching security holes.

As a result, hacking corporate clients in exchange for a “bounty”or fee has grown into a full-time career for some researchers. Recently, the automaker BMW honored the Keen Research group for their findings that hackers could remotely access its cars and wreak terror on drivers.

The tablets being provided to inmates in prisons all over the country come with special strings attached. Emails, for instance, can take up to 48 hours to reach their intended destination due to security screenings. The email costs a minimum of 35 cents to send and attaching pictures or exceeding word limits costs extra. Apps and other features designed to appeal to bored inmates all come with their own charges.

The telecommunications giant JPay in recent years has distributed free tablets to tens of thousands inmates with the anticipation that they will spend enormous amounts of money to access the features to make the tablets worthwhile. In New York alone, JPay has predicted that it will earn $8.8 million within two years by giving free tablets to 52,000 inmates in the state.

One enterprising group of inmates in Idaho is now facing punishment for hacking a piece of that pie for themselves. JPay and the Idaho Department of Corrections announced Friday that prison inmates found a vulnerability in their tablets and used it to add $225,000 worth of credits to their own JPay accounts. Most inmates loaded $1,000 or less into their accounts, though one took nearly $10,000. In all, a total of 364 inmates allegedly benefited from the scheme, but only briefly.

After the alleged hack was discovered, JPay announced that it has since recovered $65,000 worth of the credits. Apparently, however, the company needs the inmates’ help to get the rest of its own money back. The firm announced that it is suspending almost all service on the tablets -- everything but email -- until the rest of its money is refunded from the inmates involved in the scheme.

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” an Idaho Department of Corrections spokesman told the Associated Press.

Using a fee-based model to bring the comforts of home to prisoners, the jail communications firm JPay is part of an industry that profits enormously off of inmates, or more likely, their families. The firm also handles prison phone calls that used to cost as much as $14 per minute (until the FCC capped prison phone fees under the Obama administration) and commissary accounts in which family members have been charged fees as high as 45 percent of whatever amount they were sending to the inmate.

JPay also handles many of the debit cards that inmates are given upon release from prison to help pay for getting home. But the money in those cards often becomes inaccessible without explanation or is whittled away by various fees, one lawsuit contends.

JPay was purchased by Securus several years ago, another jail telecommunications giant that profits from high fees. Securus in recent years has successfully lobbied some counties to replace in-person jail visits with costly video visitation systems. Securus, which reportedly lets cops track phone calls in real time, has also proven to be vulnerable to hackers.

Even if the money is not returned, JPay will probably come through this theft just fine. Numerous advocacy groups have described the jail communications industry as one that benefits from having a monopoly in whatever facility in which they are operating.

Jail communications “often do not result in stronger lines of communication at all,” the Electronic Frontier Foundation has said. “Many communications services are offered under unfair terms and with artificially inflated fees that are only possible because the services operate monopolies at each prison or jail.”

Voting machine vendor admits vulnerability

In other hacking news, the nation’s largest provider of electronic voting machines recently admitted in a letter to a Senator that it installed remote-access software on some of its machines. Experts agree that such software is known to be widely vulnerable to hacking.

Voting machines in particular were expected to be completely disconnected from the internet or any remote internet activity.

What’s more, the firm, called Election Systems and Software, previously denied using such technology. The company reportedly now claims that it stopped using the remote software in 2007.  

The women who stepped into Jason Gargac's Chevy had no idea that strangers were publicly rating their appearance from behind the comfort of a computer screen.

Gargac, an aspiring police officer in St. Louis, said he initially took a job driving for Uber to make ends meet. But not long after, he became a television host of sorts.

On Twitch, a live streaming platform, Gargac played to the camera between rides, thanking people for tuning in and sharing his own critiques of his passengers’ looks. The passengers, on the other hand, appeared to have no idea that they were being recorded as they stepped into his car and began talking.

In the approximately 700 rides that Gargac filmed, his passengers often embarrassed themselves -- or worse. The passengers would reveal their last names, addresses, crushes, family problems, and gripes with bosses, all while strangers mocked them online.

Uber and Lyft eventually cut ties with driver

Uber and Lyft initially downplayed the news that one of their drivers was making entertainment out of peoples lower moments, a discovery that was revealed by the St. Louis Post-Dispatch newspaper.

Gargac admitted to the newspaper that he purposely worked weekend nights because passengers were more likely to be intoxicated then.

Passengers who discovered that they had been filmed and complained to Uber about it said they were only offered a $5 credit and a promise to not be paired with Gargac again.

Both companies initially told the Post-Dispatch that Gargac was not breaking any laws because Missouri is a one-party consent state when it comes to recordings.

But after the local newspaper published an investigative report about Gargac’s livestream channel this past weekend, both companies changed course and said that they had cut ties with him completely.

Gargac, whom the Post reported did not want his own last name printed in their newspaper, was also kicked off Twitch. Until his channel went offline, it had amassed over four thousand followers, a figure that made Gargac feel “forever grateful,” according to a Tweet he sent out to his fans in June.

Meanwhile, passengers interviewed by the paper said they they felt deeply violated.

Recordings all too common

Ethics aside, secret recordings in Uber and Lyft cars are legally murky territory because it’s unclear whether they count as a private space, experts say.

But common sense dictates that passengers and drivers alike should expect to be filmed, as many Uber and Lyft users film rides for their own protection.

Still, drivers typically don’t air the footage unless the passengers become violent, as the infamous Miami doctor Anjali Ramkissoon did two years ago. Nearly three million people reveled in footage showing Ramkissoon attempting to hit her Uber driver and throw his possessions out of the window.

The footage elevated Ramkissoon, a neurologist, to the status of internet celebrity that the public loved to hate. Ramkissoon was fired shortly after the incident and said that she had to change her cell phone number because strangers would not stop calling to yell at her.

Drivers and passengers have also been captured engaging in sex acts in the car, using racist language, or simply behaving rudely. Uber’s own former CEO Travis Kalanick even proved that he wasn’t immune to the trap.

Last year, an Uber driver who realized he was transporting the company’s then-CEO confronted Kalanick about low wages and other problems that Uber drivers face. Kalanick dismissed the concerns as people not taking responsibility “for their own shit.”

Like other passengers caught in embarrassing moments, Kalanick later said he was ashamed of his behavior.

Facebook has suspended the Boston-based analytics firm Crimson Hexagon after reports indicated that the company’s contracts with other countries -- including the United States and Russia -- violated Facebook’s surveillance rules.

“We don’t allow developers to build surveillance tools using information from Twitter or Facebook or Instagram,” a Facebook spokesperson said. “We take these allegations seriously, and we have suspended these apps while we investigate.”

Though no evidence has been found thus far indicating that any user data has been obtained, Facebook plans to investigate “whether the analytic firm’s contracts with the U.S. government and a Russian nonprofit tied to the Kremlin violate the platform’s policies.” Crimson Hexagon has also completed work for the Turkish government.

Though it isn’t against Facebook policy to use data from users for general insights, according to BBC,  “where Crimson would fall foul of Facebook’s rules is if the data was used to create tools for surveillance, though Facebook has never clarified how its policy works in practice.”

According to Crimson Hexagon’s Chief Technology Officer Chris Bingham, the company “only collects publicly available social media data that anyone can access” and “does not collect private social media data.”

Trying to right the ship

Facebook received a ton of backlash following news of the Cambridge Analytica scandal in March. The company is now being investigated by the Securities and Exchange Commission (SEC), the Justice Department, and the FBI for its treatment of the scandal.

Questioning in the investigation is focused primarily on how much Facebook knew in 2015 -- when it initially learned that Cambridge Analytica had improperly accessed the data of tens of millions of users. At the time, Facebook did not alert any shareholders or any of its users.

In an effort to prove to users that their privacy and security is of the utmost importance, Facebook then launched a series of privacy updates. The company has not only audited thousands of apps that had access to users’ data, but it also suspended 200 apps in the process. Facebook also drastically upgraded users’ privacy settings, putting control back in the hands of social media users.  

An unknown person or group that apparently collects Bitcoin is exploiting consumers’ longstanding concerns about the outside monitoring of users’ internet activity.

In what security researcher Brian Krebs is describing as a “sextortion” scam, consumers have reported receiving emails claiming that malware was secretly installed on pornography sites they visited.

That malware allowed a hacker to secretly record both the online content they viewed as well as the visitor in a so-called  “double-video,” the emails claim.

The emails demand a ransom that must be paid in Bitcoin -- otherwise, the scammers claim that every person on the victims’ contact list will be sent the video. Krebs says that this is an old scam and assures consumers that hackers do not really have the recordings that they claim to possess.

The amounts that the scammers demand vary from victim to victim. Blogger Julie Neidlinger posted a screenshot of one such email she received from an account named “Octavius Guss” demanding $2900 in Bitcoin.

“If I don’t get the Bitcoins, I will definitely send out your video to all of your contacts including relatives, coworkers, etc.,” the email says.  

This particular scam has a new twist that’s not just the Bitcoin payment. “The email now references a real password previously tied to the recipient’s email address,” Krebs writes.

In her case, Neidlinger responded that the old password that the hacker uncovered is over a decade old and adds that “you’re some little two-bit momma’s boy in a basement who stumbled into Hacking for Dummies on Reddit.” She also contacted the FBI.

Gas station thieves elude police

For over an hour and a half, a line of ten vehicles pulled up to one gas pump in Detroit. One after another, the drivers loaded up without paying.

Gas station clerk Aziz Awadh noticed something was awry, but when he went to his own computer screen, he found that his remote access to the pumps had been hijacked. "I tried to stop it here from the screen, but the screen isn't working,” he told a local news station.

Police now believe that hackers broke into the gas station pumps and stole about $1,800 worth of gas. Police say it’s unclear if all 10 vehicles were involved in the hack. Perhaps people stumbled upon the security breach by chance and just couldn’t resist the opportunity to load up on free gas.

Military, airplane and medical secrets

The security firm Recorded Future published a report on Tuesday claiming it uncovered evidence that hackers are trying to sell “highly sensitive” documents belonging to the U.S. Air Force.

“Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle,” the firm says.

The hacker’s asking price? A grand total of $200. The firm describes such a hack as incredibly unusual as well as a “disturbing preview” of better-orchestrated hacks that could occur in the future.

As it turns out, that future may not be so far off. In a separate report published yesterday by a different group, the firm McAffee describes its own discovery that hackers are selling information about airports and trying to sell it on the Dark Web. In that case, cyber criminals were caught selling passwords to access the online security systems of airports for only $10.

Not to be outdone, another group of hackers is apparently selling dead people’s medical histories on the Dark Web. That report comes courtesy of the security firm Cynerio, which says it has seen a rapid number of patient medical records breached online.

But this particular breach has an “interesting new wrinkle,” Cynerio writes. “Our research team found a post from a vendor on the dark web offering the medical records of the deceased."

Despite the concern, medical offices increasingly rely on electronic patient records. In fact, the government of Australia is encouraging its entire population to put their health records online. While doctors say this measure could give consumers more information about their health histories, online researchers worry that careless doctors or receptionists will leave patients vulnerable to both cyber criminals or insurance companies.

Australia, by the way, also requires all real estate transactions to be done through an online portal, which recently led one woman to lose $250,000 she earned on a house due to a cyber theft, she told local newspapers.  

Timehop

The app that encourages you to share your “memories”  of past social media posts you authored and pictures you took has temporarily deauthorized the accounts of all 21 million of its users to temporarily fix an apparent hack.

Still, Timehop claims no sensitive information or even social media posts were actually hacked and says that it is simply handling the situation proactively.

Macy’s

Another popular retailer, another hack. Macy’s is warning customers that anyone who shopped online via Macys.com or Bloomingdales.com may have had their passwords and credit card information stolen by hackers.

The retailer told Bloomberg it has taken new steps to prevent such hacks in the future, though it did not specify what those steps would be.

Facebook is currently under investigation from the Securities and Exchange Commission (SEC), the Justice Department, and the FBI, as authorities from these agencies are working to uncover how much the social media giant knew about the misuse and improper gathering of users’ data during last March’s Cambridge Analytica scandal. Specifically, the investigation is focusing on whether Facebook gave investors enough advance notice of what was going on.

Questioning is primarily focused on what Facebook knew in 2015 -- when it initially learned that Cambridge Analytica had improperly accessed the data of tens of millions of Facebook users -- and why the company didn’t share that information with its users or investors at the time. The news didn’t become public until March 2018. Investigators will also look into the words and actions from Facebook executives -- including CEO Mark Zuckerberg.

Facebook confirmed having received questions from federal agencies and reported that the company and its representatives will be cooperating with the investigation.

“We are cooperating with officials in the U.S., U.K., and beyond,” said Facebook spokesperson Matt Steinfeld. “We’ve provided public testimony, answered questions, and pledged to continue our assistance as their work continues.”

Facebook’s recent scandal

The Cambridge Analytica data breach first became public last March, when it was revealed that a professor used Facebook login credentials to ask users to sign up for what was said to be a personality analytics tool that would be used for academic research.

According to Facebook, the professor then violated the terms of service by selling the data of millions of Facebook users to the political marketing company Cambridge Analytica -- a company using the data to target potential voters.

In the U.K., the company allegedly targeted Facebook users inclined to vote for Britain leaving the European Union, whereas in the U.S., it was targeting users to support the Trump campaign.

Facebook reportedly removed the app -- called “This is Your Digital Life” -- as soon as the company became aware of the data breach, though it learned that not all of the data was deleted, as was required. Facebook then moved to suspend Cambridge Analytica’s account.

“We are constantly working to improve the safety and experience of everyone on Facebook,” Facebook said in a statement. “In the past five years, we have made significant improvements in our ability to detect and prevent violations by app developers.”

Changes in privacy

Since the scandal, Facebook has taken measures to protect users’ privacy moving forward.

The platform has audited thousands of apps that had access to users’ data, and it has suspended 200 apps in the process. The company has also restricted access to data for all developers using Facebook and Instagram.

The social media platform also drastically changed its privacy settings, condensing much of the settings into one easy to navigate screen.

“People have also told us that information about privacy, security, and ads should be much easier to find,” said Erin Egan, Facebook’s chief privacy officer. “Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place.”

Facebook also modified the way users see and access advertisements, as they gave users more control over the ads they view.

Timehop announced today that the company suffered a major data security breach on July 4. The app reminds social media users of posts from their past, and according to the company, 21 million users have had some form of personal data stolen as part of the incident.

The app’s attackers allegedly obtained access tokens that allowed them to view users’ Facebook, Instagram, Twitter, and Foursquare posts.

According to a technical report from Timehop, the initial attack took place on December 19, 2017 when an authorized administrator’s credentials were used by an unauthorized user. However, the attacker waited until 2:04 PM on July 4th to “attack against the production database and transfer data.”

Timehop’s report also noted that the attackers created a new administrative account and “began conducting reconnaissance activities within [the] Cloud Computing Environment.” The unauthorized user then performed reconnaissance activities for two days after the initial attack, in addition to one day in March 2018 and one day in June 2018.

Timehop’s cloud servers were not protected by a multi-factor authentication -- a security protocol that many consider to be standard for most companies.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service,” Timehop said in a statement. “Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content -- and we delete our copies of your ‘Memories’ after you’ve seen them.”

A look into the breach

The names and email addresses of 21 million users were stolen, with 4.7 million of those accounts having phone numbers attached to them. Additionally, because the attackers garnered control of Timehop’s access tokens, they were able to pull information from users’ social media accounts.

Timehop reported that the tokens were deactivated quickly so the attackers’ couldn’t view the posts or take any of the information from them, and there is no evidence that any accounts were accessed.

Following the breach, Timehop announced that it was conducting an investigation with the help of an outside cybersecurity incident response company. This will involve an audit of Timehop’s system, contact with law enforcement, and coordination with social media partners to prevent any future breaches.

“No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached,” Timehop reported.

“There is no such thing as perfect when it comes to cyber security, but we are committed to protecting user data,” the company report said. “As soon as the incident was recognized we began a program of security upgrades.”

Notifying users

Users are being asked to log back into all social media accounts upon reopening the Timehop app, and are being notified of the breach.

“An email to the entire user base is in the works for today,” a Timehop spokesperson told TechCrunch. “[It] took some time to get our second grid account ready for that many emails, as we are not a big email sender in general.”

Timehop users who are concerned about their “Streak” -- the number that Timehop displays of how many consecutive days users have opened the app -- are being reassured by the company that it will “ensure all Streaks remain unaffected by this event.”

Businesses and government agencies across the world now suffer data breaches on a weekly basis, but they often leave out specific details about the scope of the hack, or, in some cases, fail to alert consumers about the hack at all.

In comes HaveIBeenPwned, a website developed by former Microsoft employee Troy Hunt. The service, which has actually been around since 2013 but has proven to be more useful as hacks grow more common in recent years, invites consumers to submit their email addresses into an online database, which then promises to uncover any data breaches linked  to the account in question.

Travel booking sites, flush with credit card information and other consumer data, have proven to be popular targets to hackers, and HaveIBeenPwned is now reporting that one such site appears to have been a major target.

Over five million accounts on Yatra, a travel-booking site based in India and available across the globe, had user data compromised, according to the service.

HaveIBeenPwned tweeted on Wednesday that the breach dates back to 2013 and includes phone numbers, passwords and PIN numbers. But Yatra never disclosed the apparent breach to consumers, according to the Huffington Post.

In a recent interview, Hunt explained that consumers are growing used to data breaches as a normal part of online life and that they are more concerned with how companies handle such breaches rather than whether or not they simply occurred. It would seem, then, that Yatra joins the ranks of Equifax and others accused of failing this important litmus test.

A single computer in Alaska

A state agency in rural Alaska says that 500 people may have had their data exposed in a hack that was possibly linked to Russian cyber criminals.

The Alaska Department of Health and Social Services announced that a computer in northern Alaska was found to be infected with a virus. That same computer also had unauthorized software installed onto it, and according to the state’s investigation, had accessed websites in Russia.

It’s unknown how or why that computer was targeted, but according to the agency, it contained documents “including information on pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, criminal justice, health billing, social security numbers, driver’s license numbers, first and last names, birthdates, phone numbers, and other confidential data.”

Alaskans are invited to call the agency to see if they were affected.

Many smartphone users are paranoid that their phone is secretly listening to their conversations in order to serve up targeted ads. To find out whether that popular theory is true, researchers at Northeastern University recently conducted a study of more than 17,000 apps to find out if any of them actively overhear or record user activity.

The researchers found no instance of any app unexpectedly activating the microphone or dispatching audio files without a user’s permission. Of the 17,260 Android apps included in the year-long study, over 9,000 had permission to access the camera and microphone. The researchers used an automated program to interact with each app and then analyzed the traffic generated.

Although the researchers did not find any evidence of apps secretly recording their user to serve up targeted ads, the team found at least one instance in which an app sent screen recordings and screenshots to a third-party mobile analytics company.

Recorded what users were doing within the app

The researchers found that a popular food delivery app called GoPuff recorded and sent screen recordings to a mobile analytics company called AppSee. The app recorded footage of a screen where users had to enter their zip code.

After being contacted by the researchers, GoPuff added disclosure of this policy to its privacy policy and removed the AppSee SDK. AppSee also claims it deleted the recordings it had obtained.

“In this case it appears that Appsee’s technology was misused by the customer and that our Terms of Service were violated,” AppSee's CEO told Gizmodo. “Once this issue was brought to our attention we’ve immediately disabled tracking capabilities for the mentioned app and purged all recordings data from our servers.”

The researchers didn’t definitively conclude that smartphones never record users without permission. They only said that they did not find find any evidence of the practice in their study. The study had its limitations, including the fact that the automated systems might have missed some audio files processed locally on the device.

On Thursday, California legislators passed the California Consumer Privacy Act of 2018. Under the new law, the data-harvesting practices of Amazon, Facebook, Google, and Uber will be restricted and consumers will have control over their personal data.

The new law gives consumers the right to know what information these big tech companies are collecting, as well as why they’re collecting it and where it’s being shared. Under the new law, consumers can also choose to bar tech companies from selling their data to third parties, including advertisers.

The new privacy rules are set to take effect in 2020, but only in the state of California.

"The state that pioneered the tech revolution is now, rightly, a pioneer in consumer privacy safeguards, and we expect many additional states to follow suit," James P. Steyer, CEO and founder of Common Sense Media, said in a statement.

"Today was a huge win and gives consumer privacy advocates a blueprint for success. We look forward to working together with lawmakers across the nation to ensure robust data privacy protections for all Americans,” Steyer added.

Online privacy protection

News of the new legislation comes about a month after the European Union implemented strict new privacy rules known as General Data Protection Regulation, or GDPR.

However, the Norwegian Consumer Council recently stepped forward with claims that tech firms such as Google, Facebook, and Microsoft instituted changes to their user controls that only give consumers “the illusion” of privacy.

The California Consumer Privacy Act has gotten the support of most privacy advocates, but some have pointed out that there are a few loopholes in the law that could cause problems. For example, the law would allow tech companies or ISPs to charge higher prices to consumers who opt out of having their data sold to third parties.

"For the first time California is explicitly allowing 'pay for privacy' deals that are in direct contradiction to our privacy rights," Emily Rusch, executive director of the nonprofit California Public Interest Research Group, said in a statement.

State Senator Hannah-Beth Jackson (D), who supported the law, said paying for online privacy is a “dangerous and slippery slope.”

California’s new law provides some of the toughest online protections in the country.

“I think it’s going to set the standard across the country that legislatures across the country will look to adopt in their own states,” said state Sen. Bob Hertzberg (D).

On Thursday, Adidas reached out to millions of customers in the United States to warn them about a potential data breach that occurred within the company’s U.S. website. According to a company statement, Adidas is referring to the situation as a “potential data security incident.”

“On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas customers,” the company said.

Based on a preliminary investigation conducted by outside data security firms, the leaked data was limited in nature.

“The limited data includes contact information, usernames, and encrypted passwords,” the statement said. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Cause for concern

Adidas found out about the possible data breach on June 26, and though it informed customers right away, the company is still uncertain when the breach took place.

“We are alerting certain customers who purchased on adidas.com/US about a potential data security incident,” a company spokeswoman told Bloomberg. “At this time, this is a few million consumers.”

A data breach -- though not uncommon for major brands as of late -- does have the ability to tarnish the reputation of a company. Based on a recent study by KPMG, 55 percent of global consumers have decided against purchasing something from companies that have had issues with online privacy.

Moreover, since 2017, several major brands have had issues with matters of data privacy, including Sears, Best Buy, Saks Fifth Avenue, Lord & Taylor, and Under Armour -- among countless others. Most recently, Delta Airlines reported a cyber attack that released the payment information for thousands of customers.

Despite this most recent incident, Adidas is looking to rectify the issue for consumers and is continuing to work to prevent future attacks on data privacy.

“Adidas is committed to the privacy and security of its consumers’ personal data,” the statement said. “Adidas immediately began taking steps to determine the scope of the issue and to alert relevant customers.”

A database controlled by a Florida-based marketing and data aggregation company may have been compromised, exposing individual records on nearly 340 million people and businesses.

Security researcher Vinny Troia found that nearly 2 terabytes of data were exposed, which includes records of 230 million consumers and 110 million businesses.

"It seems like this is a database with pretty much every US citizen in it," Troia, founder of the New York-based security firm Night Lion Security, told Wired. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”

If these estimates are accurate, the leak would be even larger than the Equifax data breach of 2017, which exposed the personal data of around 145 million people.

Highly personal information

Although credit card information and Social Security numbers don’t appear to have been leaked, the alleged breach reportedly exposed highly personal information, including phone numbers, home addresses, email addresses.

It also exposed more than 400 personal characteristics, including interests, habits, if the person owns a dog or cat, and the age and gender of the person’s children. Wired noted that in some cases, the information may have been inaccurate or outdated.  

Despite the fact that no financial information was included, experts say that the wide range of personal data revealed could still make it possible for bad actors to create a more complete profile of individuals or help scammers steal identities.

Troia said he informed Exactis and the FBI that he was able to access the database on the internet earlier this month. The data is no longer publicly accessible. Exactis has not yet confirmed the leak.

Australia is currently in the process of rolling out a new law that requires all real estate transactions -- from mortgage payments to home sales -- to go paperless.

The online-only property exchange and payment system is run by a company called Property Exchange Australia (PEXA), which is either a government-sponsored monopoly or an important disrupter and leader of the digital revolution, depending on who you talk to.

But like other digital “disruptors,” the PEXA platform may not be as secure as the company would like the public to believe. Dani Venn, an Australian woman and a former contestant on the reality show MasterChef, recently lost $250,000 after hackers stole the funds she had earned from selling her home.

Venn had planned to use the proceeds to purchase a new house. Instead, hackers somehow intercepted the payment, leaving the family homeless for the time being.

PEXA is reportedly trying to help the family, but the company is also denying that it bears any responsibility or liability in relation to the theft. In an interview with a local newspaper, the company claimed that the hacker had gained access to the victim’s money because of a hack on her email account rather than attacking the PEXA system itself.

But Venn does not buy that story. “I feel I want to pull out all my money from the bank. I don’t trust these big corporations. They don’t care about ordinary Australians,” she told the Sydney-Morning Herald.

The theft comes just several weeks after another homeowner reported losing more than $1 million from the PEXA system. Independent property brokers in Australia told the paper that the PEXA system does not require users to verify their identity thoroughly enough.

South Korean cryptocurrency market

Repeated hacks are taking their toll on the cryptocurrency market. Less than two weeks after a multimillion dollar cryptocurrency theft in South Korea sent the value of Bitcoin tumbling worldwide, a different trading platform in South Korea reported falling victim to a similar attack.

The South Korean cryptocurrency exchange Bithumb on Wednesday announced that about $31.5 million worth of its virtual coins had been stolen. Bithumb, which is the world’s sixth largest cryptocurrency trading platform, promised to compensate all affected customers.

Still, a refund for victims doesn’t address the underlying security problem facing crypto-traders. “No security measures or regulations can 100% guarantee safety of virtual coins,” a security expert told the Guardian. “It is held anonymously and in lightly secured systems, which makes them an irresistible target.”

Bitcoin’s value has so far remained steady following the more recent hack, hovering above $6,000.  

Military contractors

A group of hackers based in China are going after military contractors in the United States and Southeast Asia, according to the security firm Symantec. The hackers appeared to be interested in learning how affected companies operate.

Symantec's report follows a Washington Post story last week detailing how a group of hackers backed by the Chinese government accessed 600 gigabytes worth of data that belonged to a United States Navy contractor. The hackers collected declassified but sensitive data, including information on a supersonic missile project, according to the FBI, which is now investigating the breach.

Though troubling, this has hardly been the worst hack on a government contractor. The news once again highlights security holes that even companies that do military business are apparently not patching.

The Supreme Court ruled on Friday that law enforcement must obtain a search warrant to get access to cell phone location information.

The 5-4 decision was written by Chief Justice John Roberts, who sided with the court’s four other liberal judges.

The decision is seen as a victory by advocates of increased privacy rights, who argued that protections were needed when the government gets involved with a third party -- like a phone provider -- to obtain information.

This is seen as a loss by the Justice Department, which argued that an individual’s privacy rights are diminished when it comes to information that has been voluntarily shared with others.

The background

The ruling follows a contentious ruling regarding a series of armed robberies that occurred in 2010 and 2011.

The police got a court order to get access to 127 days of cell phone tracking for a suspect named Timothy Carpenter. The location information found on Carpenter’s phone matched the robbery locations, and that information was used to convict him.

However, Carpenter appealed his conviction to the Supreme Court on the grounds that the police need to first obtain a warrant before getting his location from a cell-phone provider, as is stated in the Constitution.

Rather than obtain a warrant, which would have required the police to prove to a judge there was probable cause to believe the phone records contained evidence, the police opted to obtain a court order under the Stored Communications Act.

“The government’s position fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location, but also everyone else’s, not for a short period of time, but for years and years,” Chief Justice Roberts wrote.

Present day

Because of limited technologies seven years ago, the information used at Carpenter’s trial wasn’t as precise as location information taken off phones today. It didn’t log where he was when his phone wasn’t in use or where he was when he sent texts. Police personnel were able to see his location where he made phone calls within a mile to two miles, which worked in their favor in terms of the robberies.

Last November when this case made its way to the Supreme Court, justices were conflicted on whether they wanted to break with the third-party doctrine, which states that there is no reasonable expectation of privacy when an individual shares information with a third party (phone provider). Under this doctrine, police wouldn’t need a search warrant to obtain the pertinent information.

However, many justices have noted the stark differences in technology from when these laws were written to the present day. Chief Justice Roberts noted that allowing government access to historical GPS data represented an infringement of Carpenter’s Fourth Amendment Rights.  

“This is a groundbreaking victory for Americans’ privacy rights in the digital age,” said ACLU attorney Nathan Freed Wessler. “The Supreme Court has given privacy law an update that it has badly needed for many years, finally bringing it in line with the realities of modern life. The government can no longer claim that the mere act of using technology eliminates the Fourth Amendment’s protections.”

On the heels of an investigation by Sen. Ron Wyden (D-Ore.) that uncovered a security leak exposing the location of cell phone users, Verizon and AT&T have pledged to stop selling their mobile customers’ location details to third-party data brokers -- or, as Wyden called them, "shady middlemen."

Both mobile phone companies made their pro-consumer protection move swiftly upon news that prison phone company Securus gave law enforcement agencies the all-clear to track phone calls.

Securus was buying its geolocation data from data aggregator LocationSmart, which turned out to be the source of the data leak.

It was computer security watcher Brian Krebs (KrebsOnSecurity) who reported that a "buggy component" on LocationSmart’s site allowed anyone to access the location of any AT&T, Sprint, T-Mobile, or Verizon phone without requiring a password or any other authentication. After Krebs alerted LocationSmart about the vulnerability, the company shut down the service.

What about Sprint and T-Mobile

Wyden praised Verizon and AT&T’s move, saying the companies did the "responsible" thing and "deserve credit for taking quick action to protect its customers’ privacy and security." However, the senator called out Sprint and T-Mobile for seeming "content to keep selling customers’ private information, American’s privacy be damned."

In responding to Wyden’s inquiry regarding data collection, both Sprint and T-Mobile went to great lengths to defend their position on purchasing location data, asserting they were doing everything necessary to protect the users’ data from being exploited.

Sprint reasoned that geolocation data could help everything from child safety to roadside assistance and workforce applications that allowed employees to check in and check out at job sites.

T-Mobile affirmed that its contracts with data brokers "have important provisions that serve to protect our customers’ information, including requiring service providers, via a location aggregator, to seek approval from T-Mobile for each data use, and requiring customer consent before location data is shared."

What can you do to protect your geolocation data?

A 2017 study by TheConversation illuminated the codependency mobile carriers and apps have on a user’s geolocation data, estimating that 70 percent of apps share a user’s data with a third-party source. While location is an important function of a maps app, most location-based data is designed to leverage sales and marketing opportunities.

With consumers increasingly using their mobile devices for all electronic transactions, including banking, there is growing concern about the security of mobile devices. Nonetheless, the most direct method to protect your location data from being shared across the internet is to simply block it.

To disable location reporting on an Android device, the steps are:

1. Open the App Drawer and go to Settings.

2. Scroll down and tap Location.

3. Scroll down and tap Google Location Settings.

4. Tap Location Reporting and Location History, and switch the slider to off for each one.

To disable location services on an Apple device, do the following:

1. Open the Settings App.

2. Scroll down to Privacy, and select Location Services.

3. Disable all Location Services by swiping the slider at the top, or scroll down to disable location services for specific apps, including Google and Google Maps.

4. Select System Services to deny location data from specific features, like location-based advertisements, turn off Frequent Locations, or disable the "Popular Near Me" feature.

Services that claim to help consumers discover their ancestry have taken off in recent years, but is it wise to trust an online service with your DNA? The genealogy website MyHeritage admitted on Monday that data from more than 92 million user accounts was accessed.

MyHeritage is characterizing what happened as a “cyber security incident,” the term that has become the corporate world’s phrasing-of-choice to describe an apparent hack.

The stolen information included email addresses and encrypted passwords, though MyHeritage is downplaying the impact that the hack could have on consumer privacy. “There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday.

“We believe the intrusion is limited to the user email addresses...Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security,” the company added.

The breach took place in October 2017 but was not caught until January 4, according to the company.

MyHeritage, much like competitors 23andme and Ancestry.com, offers a service in which users can submit a saliva sample for DNA analysis. 

Whether such services can be trusted with saliva samples and DNA information became a concern after police in California captured the so-called Golden State Killer earlier this year. Suspect Joseph James DeAngelo Jr. was arrested in April thanks in part to the genealogy site GEDMatch, authorities said. Police submitted a DNA sample from a crime scene to the site and said that it had matched the suspect’s DNA that they had already taken.

Ticketfly

The online ticketing site Ticketfly announced on Thursday that hackers stole the names, addresses, email addresses, and phone numbers of 27 million customers, though Ticketfly said that users’ credit card information was safe.

Ticketfly’s site went briefly offline after it detected the hack. But with the site up and running again, the company is requiring all users to change their passwords as a precaution.

“Upon first learning about this incident we took swift action to secure the data of our clients and fans,” a company spokesperson told Variety.

Canadian Banks

Several weeks ago, Mexico’s biggest banks lost millions of dollars to cyber criminals, and now America’s neighbor north of the border is dealing with its own bank hacking woes.

Canada’s fourth and fifth largest banks have released statements admitting that so-called “fraudsters” stole personal and financial information belonging to bank customers.

A spokesman for the Bank of Montreal told Reuters that less than 50,000 customers had their data accessed. Simplii Financial, the other bank that was hacked, said that 40,000 clients had “certain personal and account information” accessed. The banks’ handling of the breach is now being scrutinized by lawmakers.

“When will the Liberals take action to protect Canadian consumers with a digital bill of rights and stop letting these companies off the hook?,” Canadian Member of Parliament Brian Masse said, pointing to a similar measures that currently protects consumers in the European Union.

The EU’s data protection laws are generally stricter and more consumer-friendly than those implemented in the rest of the world.

Booking.com

Travel site Booking.com wasn’t actually hacked, but hackers are telling the site’s partner properties that attempts were being made to steal hotel cash and data on guests.

Scammers reportedly sent out emails and texts warning that Booking.com had been hacked. The emails directed recipients to change their password by clicking on a link, which actually exposed all information that customers with hotel reservations had submitted through the site.

”...in this case, there has been no compromise on Booking.com systems,” a Booking.com spokesman told the Daily Mail. “This property has been targeted by phishing emails sent by cyber criminals and by clicking on those emails, the property compromised its account.”

Nevertheless, Booking.com promised to compensate affected customers and hotels.

Cryptocurrency

The cybersecurity firm Carbon Black has a new report detailing the full scope of cryptocurrency hacks that have become regular news stories.

According to company’s new research, cybercriminals stole a total of $1.1 billion in cryptocurrency over the past six months. Their method of choice is the “dark web,” or sections of the internet that are untraceable and only accessible via special software and above-average tech skills.

In an interview with CNBC, a Carbon Black strategist warns that it is “surprisingly easy” for hackers to steal cryptocurrency.  

Alexander Nix, the former CEO of Cambridge Analytica, allegedly embezzled $8 million from the company before it shut down and filed for bankruptcy last month.

Nix is accused of stealing the money after British journalists began reporting on the company’s involvement in the Facebook data sharing scandal, but before the company collapsed, according to the Financial Times.

Investors who want to rebrand and relaunch the political ad consulting firm are currently trying to get the money back, and Nix has said he intends to repay part of the money.

Sources say the money was supposedly intended to help get potential successor data firm, Emerdata, off the ground, with one person adding that Nix said the withdrawal was made in exchange for “unbooked services.” 

Nix appeared before British lawmakers for a second time on Wednesday to testify about his role in the data sharing scandal that exposed the information of millions of Facebook users without their consent. At the session, Nix denied that he had withdrawn the money.

"The allegation made in that article is false, the facts in that article are not correct," he said.

Walmart, Target, and Amazon have pulled CloudPets’ connected teddy bears from their online stores over security concerns.

The decision comes a year after researchers first uncovered security flaws in the toys, which allow children to send and receive audio messages with the help of the cloud and an iOS or Android app.

In a blog post published last February, Troy Hunt said that the toys had leaked the voice recordings of more than 2 million children and parents, as well as email addresses and password information associated with more than 800,000 accounts.

Researchers recently discovered that the security issues in CloudPets still have not been fixed, prompting the Electronic Frontier Foundation (EFF) to pen a letter to Walmart, Target, and Amazon voicing concern that the smart toys were still available for purchase.

Insecure online database

In 2017, CloudPets’ database was accessed multiple times by hackers; the information stored in CloudPets’ database was held for ransom by cybercriminals at least twice.

"What we see with CloudPets is a breach of trust with its users. We understand that connected devices can be complex and that sometimes, mistakes happen. However the issues with the CloudPets toy demonstrate a track record of failing to protect consumers,” the EFF wrote in their letter.

“Despite the fact that security risks have been known publicly for over a year and that technical solutions are available, Spiral Toys has not rectified these problems. Security audits, instituting a vulnerability policy and also ensuring that their Bluetooth uses authentication are some of the key steps we’d like to see Spiral Toys take to help rectify this breach of trust,” the group said.

Removed from online marketplaces

Last week, Walmart and Target stopped selling the internet-connected toys. Amazon followed suit on Tuesday morning after being contacted by Mozilla, which offered research highlighting the vulnerabilities of CloudPets.

“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.

Working with cybersecurity research firm Cure53, Mozilla found that the Bluetooth vulnerabilities found in CloudPets toys back in 2017 are still present.

"The company clearly does not care about their users' security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users," the researchers said.

If cryptocurrency companies want to replace big banks, they’ll have to get better at stopping hackers from attacking their trading platforms. This time, a hacker made off with nearly $20 million worth of cryptocurrency, affecting people who trade in Bitcoin Gold, Verge, and Monacoin.

The breach, Futurism reports, is classified as a 51 percent attack. This rare, complicated kind of hack allows hackers to take over the computer networks that cryptocurrencies are both traded and mined through. Bitcoin Gold bared the brunt of the attack but says that most traders are not at risk.

“The only parties at risk are those currently accepting large payments directly from the attacker. Exchanges are the primary targets,” Bitcoin Gold said in a statement.

The company that services companies

The blandly-titled Corporation Service Company, a Delaware company that provides domain registration and other services to Fortune 500 companies, has published a notice that they “detected that an unauthorized third party accessed its network and certain systems.”

In appropriate corporate hacking fashion, the Corporation Service Company does not specify much about what was hacked. The company says that 5,678 customers were affected and that they were based in California. Coincidentally or not, California’s state law, as CyberScoop points out, requires companies that were hacked to send notices directly to all affected consumers.

The notice does not specify or make clear if people who reside outside of California were also hacked.

The Corporation Service Company says in a letter addressed to the state’s attorney general that it “took immediate steps to stop the activity” by informing the proper authorities and hiring cyber security firms.

“While the investigation into this event is ongoing, the data stored with the exfiltrated database table included a combination of the individuals’ names and Social Security numbers or credit card/debit card information,” the company's letter says.

Oxnard

Municipalities also seem to be a regular, popular hacking target. The town of Oxnard, California is reportedly investigating a data breach into their utility system.

The breach may have exposed the personal data of residents who were just trying to pay their bills. Officials alerted their software vendor and the police, who are looking into the matter.

There's no delicate way to announce that cybercriminals have stolen sensitive information about half of the United States population, but Equifax at least deserves points for trying.

Equifax, one of “big three” agencies that control the shadowy credit reporting industry, first announced its discovery of an unfortunate “cyber security incident” in early September.

The incident potentially impacted 143 million consumers, then-chairman and CEO Richard Smith said, adding that the firm “acted immediately to stop the intrusion.” An Equifax-led investigation into the matter would be complete in several weeks, the company said.

That turned out to be an extremely optimistic assessment. Another eight months passed until, finally, in a May 8 filing to the SEC, Equifax quietly said its investigation into the breach was complete, at least where the hack of government-issued identification is concerned.

“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators,” the credit reporting behemoth wrote in the filings. “It does not anticipate identifying further impacted consumers.”

The filing, Equifax seems to hope, will finally bring this dark chapter in its history to a close. Over those previous eight months, the Equifax breach evolved from a “clearly disappointing event” that Equifax said would soon be resolved to an ongoing international scandal and criminal case.

From a small sale to insider trading

Though Equifax said it “acted immediately” upon discovering that consumer information was accessed on July 29 of last year, some people questioned why the official announcement about the incident did not arrive until September 7.

It didn’t take much digging for financial journalists to find a potential answer. Later that day, Bloomberg News was reporting on its discovery that three Equifax executives sold $1.8 million worth of their shares in the company on August 1, one day after Equifax had said the breach was discovered.

John Gamble, the company’s Chief Financial Officer, sold a reported $946,374 worth of stock. Joseph Loughran, the president of U.S. information solutions, and Rodolfo Ploder, president of workforce solutions, sold a respective half a million and quarter million worth of options.

In a statement to Bloomberg, an Equifax spokesperson initially described the $1.8 million sale as “a small percentage of their Equifax shares” and added that the executives “had no knowledge that an intrusion had occurred at the time.”

By November, Equifax had backtracked slightly, saying that it had agreed to launch an investigation into the sale. Luckily for the executives, the Equifax-led investigation found that the suspicious-looking stock dumping was perfectly legal.

But by March, a former Equifax executive was facing federal insider trading charges -- only this executive was a different one from the three that were cleared in the company investigation.

Jun Ying, a former information officer, "used confidential information to conclude that his company had suffered a massive data breach” and “dumped his stock before the news went public,” federal prosecutors said.

It remains unclear why Ying knew about the breach while other executives did not. Equifax says it is cooperating with authorities, explaining to the press in March that "we take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”

John Gamble, the Chief Financial Officer who sold nearly a $1 million worth of his stock on August 1, remains at the company and is “responsible for all financial functions” at Equifax, according to his Equifax bio.

Monitoring credit and giving away rights

One potential way to keep people from panicking or getting angry about their data being stolen is to frame the unpleasant announcement as a chance to get something for free.  

“Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers,” the first Equifax press release revealing the breach said in big, bold letters.

Shortly after, Equifax had its new crediting monitoring website live and ready to go.

At the unfortunately titled page equifaxsecurity2017.com, users were instructed to enter the last four digits of their social security numbers and their last names. From there, they could find out if they were impacted by the breach and enroll in credit monitoring.

But some consumers reported being told that their data was impacted, regardless of whether they put in a correct name and matching social security number. And after reading through the terms and conditions, advocacy groups warned that consumers may be walking into a trap. By agreeing to the terms on the website, consumers were agreeing to waive their rights to sue the company, according to a vague arbitration clause included in the fine print.

The National Consumer Law Center was among the advocacy groups warning consumers that the open-ended language in the clause would prevent consumers from taking Equifax to court.

“Consumers and media have raised legitimate concerns about the services we offered and the operations of our call center and website,” CEO Rick Smith responded in an editorial in USA Today. “We accept the criticism and are working to address a range of issues.”

Former New York Attorney General Eric Schneiderman, Sen. Elizabeth Warren, and other prominent Democratic lawmakers pressed Equifax about the arbitration clause. Equifax subsequently agreed to reword the agreement, explaining in the new fine print that the arbitration measure only applied to the credit monitoring service itself, not “the cyber security incident” in question.

Meanwhile, as that controversy played out, the official Equifax Twitter account continued to urge consumers to visit their security page and sign up for free credit monitoring. It took several weeks for people to notice that Equifax had been sending people to the wrong page.

Instead of sending consumers to equifaxsecurity2017.com, the Equifax Twitter account instead directed consumers to securityequifax2017.com, a fake phishing site that someone had created for the express purpose of ridiculing Equifax for creating “an easily impersonated domain.”

Equifax eventually apologized for the confusion, admitted that it had shared the wrong link, and removed the offending posts.

Credit locking, and more of the same

Several months later, in February 2018, Equifax rolled out Lock & Alert, a service offering a credit “lock,” marketed as a step below a credit freeze. While locks are not as secure as credit freezes, they are also cheaper and easier to implement.

In fact, Equifax said that its lock service was completely free. And, responding to the previous criticism about arbitration agreements, Equifax explicitly said that consumers who signed up for Lock & Alert were not agreeing to any arbitration provision.

“The consumer-empowerment approach that is offered through Lock & Alert is what people have come to expect,” Equifax said in promotional materials.

Not long after, consumers discovered that the experience of locking one’s credit might not be as empowering as they were led to believe.

It turned out that consumers who signed up for the service were unknowingly agreeing to let Equifax use their information for marketing purposes, according to advocacy group US PIRG, which reviewed the site’s fine print. And a reporter at NBC News found that the service didn’t work; an error message repeatedly appeared on the screen saying that “we are experiencing technical issues.”

“I think it's fair to say as with any service we did have some initial operational issues shortly after the launch,” Equifax spokeswoman Nancy Bistritz-Balkan told NBC News. “But our team has been working around the clock to document the issues and address it appropriately.”

Equifax goes abroad

Equifax focused its breach investigation on United States consumers, giving only a brief mention to impacted people in Canada in the UK. “Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” is all the firm had to say about the matter in September.

When people questioned what “limited personal information” for “certain UK and Canadian residents” actually meant, Equifax clarified that 400,000 people in the UK and 100,000 Canadians were affected.

That might sound like a figure a little too significant to describe as “limited,” but Equifax said that the breach was related to something else, an apparent “process failure,” as the company called it, that occurred a year earlier.

“This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016,” Equifax told the British press.

Several weeks later, Equifax revised the number yet again. The company announced that 700,000 UK residents would receive notices about their data being hacked.

An additional 14 million records in the UK were also stolen,  Equifax clarified, but the cases were not considered serious enough to warrant direct notifications to those consumers.

An Equifax spokesman later offered this explanation about the many discrepancies affecting British Equifax victims to the BBC: "This information does not change the number of consumers affected or any of the UK figures/statements already provided.”

More people exposed

In March, Equifax said that an additional 2.4 million consumers in the United States had their information hacked, bringing the original figure of 143 million Americans that Equifax had tallied closer to 145.5 million. Though the announcement seemed like new information, Equifax insisted that it was not.

“This is not about newly discovered stolen data,” interim CEO Paulino do Rego Barros Jr. said. In what has become a familiar talking point, he said a new analysis of the stolen data had simply provided Equifax more clarity.   

“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals,” Barros explained.

Exposed phone numbers and passports

In February, Equifax submitted a document to the Senate Banking Committee saying that hackers also accessed phone numbers, email addresses, and the expiration dates for credit cards. That appeared to be worse than the “ birth dates, addresses, and, in some instances, driver’s license numbers” and “credit card numbers” that Equifax said had been stolen to the public.

An Equifax spokesman explained to Wall Street Journal that "in no way did we intend to mislead consumers." Rather, she said that the list given to Congress only reflected “minimal portion” of consumers affected.

Based on the statements from Equifax, the public seemed to have the impression that their passport data at least was safe.

“And some data — like passport numbers — were not stolen,” the Associated Press confidently reported in February.

However, Sen. Elizabeth Warren published an independent report not long after claiming that passport information was, in fact, stolen. Equifax said that the senator’s characterization of what was stolen was not accurate.

“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” an Equifax spokeswoman told the New York Post in February.

But in an SEC filing in early May, Equifax indicated that scanned images of passports were stolen from thousands of consumers who had used the agency’s dispute portal.

In a statement, Equifax said it hadn’t been trying to hide that information. The passport information that it said wasn’t hacked came from a different data set than the stolen passport data it had discovered more recently.

“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” an Equifax spokeswoman told ConsumerAffairs in a statement.  

“In response to a request from Congress to provide quantities of each data element impacted, in the interest of completeness, we manually reviewed the images stolen from the dispute portal in order to include the numbers of government-issued identifications contained within those images,” she added.

No unauthorized activity on core services

Throughout its repeated “updates” and disclosures about what was hacked, Equifax has maintained that it found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

What that statement actually means is up for debate. Senators and consumer groups have complained that the definition of “core consumer or commercial credit reporting databases” is overly broad.

From a consumer standpoint, identity theft crimes possibly related to the hack already seem to be taking place, affecting “core” business at least where victims are concerned.

Earlier this year, an accountant and several consumers went public with stories about identity thieves collecting government benefits on their behalf. Experts said the crimes could have been made possible thanks to the Equifax hack, as well as vulnerabilities on the social security website itself.

“While I’m not entirely sure how the thief obtained my personal information, it’s likely that the Equifax data breach...contributed to the identity theft,” accountant Jim Shambo, one such identity theft victim, wrote in a blog post.

Luckily for Equifax, such scenarios could turn out to be beneficial for the credit reporting agency. Or as Equifax CEO Rick Smith told a conference  in August;  “Fraud is a huge opportunity for us. It is a massive growing business for us.”

Equifax has not yet returned an inquiry from ConsumerAffairs asking, among other questions, whether there is any truth to the allegations leveled by Warren and others that it has profited off its own breach.

But, in the grand tradition of Equifax disclosures, Smith also appears to have changed his story and updated his perspective on the matter.  A month after saying fraud was a “huge opportunity” for Equifax, the CEO published an editorial in USA Today clarifying that the Equifax hack had been “humbling” and bad for the company.

“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith wrote. “We will make changes and continue to strengthen our defenses against cyber crimes.”

Two weeks after making that promise, Smith suddenly decided to retire. He left with a compensation package worth $90 million.

Nothing matters and Arby’s wants your money, according to the regular, depressing message delivered by the parody Twitter account Nihilist Arby’s. Or, in the Nihilist account’s own words: “Do drugs. Punch a stranger. Make love to your cousin. Enjoy Arby's. Arby's doesn't judge. Arby's doesn't care.”

Punk bassist and humor-writer Brendan Kelly amassed 345,000 followers with his weekly Tweets parodying Arby’s and life itself. But for a page that regularly reminds fans that they will one day die and nothing is permanent, it’s somewhat poetic that every single Tweet on the Nihilist Arby’s account was recently deleted by a teenager trying to extort Kelly for a grand total of $130.

Kelly told PR Week on Thursday that he could no longer access his account after hackers logged on and changed his password. He later learned that his account information had been sold on a message board.

With his entire portfolio offline, Kelly got some unexpected help from the real Arby’s.

The fast-food chain, which has 827,000 followers on Twitter, offered to contact a Twitter representative to help Kelly get his account back, explaining in an interview with PR Week that people had mistakenly assumed Arby’s was behind the attack.

"We never want to be a brand that comes in and sends a cease and desist and tears it down because it has such a big fan base,” an Arby’s spokesman said. Twitter reportedly went to work on the case, and the Nihilist Arby’s page now appears to be restored, with the satirical Tweets back online.

“Did I die? Whatever. it was pretty much the same, honestly,” Nihilist Arby's told fans yesterday.

It’s not the first time that Nihilist Arby’s has received help from the non-Nihilist one. The chain several years ago surprised Kelly with a delivery of free sandwiches and a therapy puppy.

Grades and lunch money

Speaking of teenage hackers, high school students in Michigan were caught hacking the school district's computer system in an attempt to change their grades and give themselves more lunch money.

In a message to parents, the school district said that its investigation into the matter was still ongoing and that it would be working with forensic data experts to understand the full extent of the hack.

“Though we encourage our students to take responsible action, sometimes they make choices that do not reflect our guiding principles,” a message reads on the school’s website.

Law enforcement’s phone-tracking company of choice

Those who have served time, or have a loved one currently serving time, have probably heard of Securus Technologies, one of the few companies that controls phone communications and sometimes even in-person visitations between inmates and the outside world.

What Securus does with all that phone data has remained somewhat unclear until recently. It turns out that the company also offers law enforcement a service that allows them to surreptitiously track the location of nearly every cell phone in the country, according to data recently uncovered by the New York Times.

As Securus now faces a potential Senate investigation for helping police spy on phone locations without a court order, an independent hacker took it upon himself to show just how unstable Securus’ own cybersecurity is.

The site Motherboard is reporting that a hacker showed them stolen data -- such as usernames, passwords, and internal company files -- that they obtained by breaking into the Securus servers.

BMWs

Security researchers recently found flaws in the software of BMWs that could allow hackers to remotely gain access to the automaker’s luxury vehicles.

The findings by the Keen Research Group come at a time when consumer groups and safety researchers have expressed concerns about the security of the software that powers cars, both self-driving vehicles and normal ones. Experts and the industry itself have repeatedly described modern cars as “computers on wheels,” with Blackberry estimating that more than 100 million lines of code powers the average sedan.

Researchers at the Keen Research Group studied BMWs, they wrote in their report, because its vehicles are now often “equipped with the new generation of ‘Internet-Connected’ Infotainment systems.”

“While these components have significantly improved the convenience and performance of customers’ experience, they have also introduced the opportunity for new attacks,” the researchers explain.

After publishing their technical report describing over a dozen vulnerabilities related to the technology, BMW announced it would use a software “patch” to fix the problem, which was also developed by the Keen Research Group. Consumers are invited to visit the dealership so they can receive the software upgrade.

Rather than try to hide the findings, BMW announced that it is honoring the Keen Research Group for their work and plans more partnerships in the future.

"In response to what has become a race between technological progress and new, presently unknown attack scenarios, the BMW Group has launched a comprehensive cybersecurity action plan, which includes tests conducted both internally by the BMW Group and with the help of independent institutions," the company said.

An unknown group of hackers stole the equivalent of $15.3 million from Mexico’s central bank, the Bank of Mexico, the institution admitted on Wednesday.

The bank assured reporters that no individual accounts were harmed, but the hack raises further questions about the online security of financial institutions worldwide. The hackers had targeted interbank payment systems, or online transfer systems that allow banks to transfer money to each other in real time.

Meanwhile, people who use Citibanamex, the country’s second largest bank, were unable to withdraw cash from ATMs or conduct transfers this week, but the bank denied that its systems were compromised.

The Bank of Mexico, meanwhile, said that it switched to a slower, more secure online system after the hack to avoid any more breaches.

Chili’s

Brinker International, the restaurant conglomerate that owns Chili's Grill & Bar, says that any customers who dined at the restaurant in March or April may have had their credit card data accessed in a hack.

Brinker says that credit card or debit card numbers, as well as cardholder names, were stolen in an attack currently under investigation. The restaurant cautions against canceling cards unless users notice suspicious activity, but in the meantime, it is offering free credit monitoring to all affected consumers

Signal

Tech experts have recommended that people who are concerned about their cybersecurity or who need to conduct sensitive conversations over the phone should use the messaging app Signal.

The SMS app boasts fully encrypted messaging, which prevents even seasoned hackers or government officials from cracking the app’s code. But even Signal isn’t perfect.

Security researchers this week identified a potential vulnerability in the app, in which they said that a malicious attacker could send an unprompted message to a stranger.

Researchers reported the vulnerability to Signal’s developers, who promptly created a patch to fix the problem.

The Electronic Frontier Foundation says people using secure email servers should find a new way to send and receive sensitive information.

The group cites new research warning of “serious vulnerabilities” in PGP, including GPG and S/MIME, the most popular email encryption standards.

The researchers say the flaw can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim.

“EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now,” the group said in a statement.

A few mitigating factors

Dominic Chorafakis, principal consultant at cybersecurity consulting firm Akouto, says it's a serious issue for people who depend on encrypted email.

“There are, however, a few mitigating factors that significantly limit the scope of the issue, as far as the average consumer is concerned,” Chorafakis told ConsumerAffairs. “For one thing, the vast majority of consumers don’t use email encryption at all. The main reason is that it can be complicated to set up and isn’t supported by all email clients.”

Chorafakis says the attack is also fairly complex. The attacker must already have the encrypted message in their possession and then send a modified version back to the victim to trick their email client into exposing the encrypted information.

“Theoretically, encrypted email messages can be intercepted as they travel across the internet, but in reality that is not easy for the average hacker to do,” he said. “The most likely method an attacker might use to get their hands on a person’s encrypted email message is by hacking into their account. As a result, carrying out this attack requires a degree of tailoring and targeting, which is not something often seen on a large scale that impacts the average email user.”

What to do

That said, the issue isn't one consumers should ignore. It's prudent to check to see if your email uses PGP or S/MIME. Chorafakis says setting up either one isn't exactly simple, so if you don't remember doing it, chances are you aren't using it, and therefore have nothing to be concerned about.

If someone else set up your email client, it might be wise to ask them if your system is vulnerable.

“For individuals who are using PGP or S/MIME, the safest thing to do for now is to disable decryption in the email client until the vendor has provided a patch to mitigate the issue, and use an external program to do the encryption and decryption,” Chorafakis said.

Chorafakis is not a fan of sending sensitive data by email, no matter how secure the system is. If email has to be used, he suggests using a file encryption tool to encrypt the information, then sending it as an attachment.

Facebook has suspended 200 apps from its platform amid an investigation into companies that had access to large amounts of data on Facebook users.

Company CEO Mark Zuckerberg announced in late March that Facebook would restrict the amount of data apps have access to while investigating how these apps used the data before the restrictions were enacted.

Zuckerberg acted in response to the revelation that an app had sold vast amounts of user data to Cambridge Analytica, a political marketing firm. The data was used to target ads in support of Donald Trump's presidential campaign and the campaign in support of Britain leaving the European Union.

Ime Archibong, vice president of Product Partnerships at Facebook, says “thousands” of apps have been investigated so far, with 200 suspended from the Facebook platform. In a blog posting, Archibong says the suspensions do not mean the apps misused data, only that there are grounds for a further audit.

“Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website,” Archibong writes. “It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.”

Rocked to its core

The Cambridge Analytica scandal rocked Facebook to its core, resulting in Zuckerberg making numerous apologies and testifying before House and Senate committees. It also focused attention on major technology companies and what they do with users' data.

Facebook stressed that the app developer who sold data to Cambridge Analytica did not have the right to do so, adding that the move was in violation of Facebook's terms of service agreement. But the social network giant came under criticism for a nearly two-year delay in disclosing to users what had happened.

Facebook users who took part in the app developer's quiz, entitled “This is Your Digital Life,” gave the app developer access to their Facebook data, and the data belonging to their Facebook friends, most of whom were unaware of that fact.

Earlier this month Zuckerberg appeared at a developers conference and reaffirmed his company's commitment to privacy. Among the changes Zuckerberg announced was a new tool that allows users to delete any personal information about them that Facebook has collected.

On Saturday, Chili’s parent company Brinker International announced that its payment systems had been infected with malware, potentially exposing customers’ credit and debit card information.

The company confirmed that personal data such as social security numbers, birthdates, or federal or state identification numbers are still secure, as Chili’s doesn’t request that information from their customers. However, credit or debit card numbers and cardholder names are at risk, though the incident was limited to only some restaurants.

In a company news release, Brinker said it believes the timeline of the breach was limited to March-April 2018, but the company is continuing to investigate the scope of the issue.

“We are working diligently to address this issue and our priority will continue to be doing what is right for our Guests,” Brinker said in the release. “We are committed to sharing additional information on this ongoing investigation with our Guests to learn more.”

What this means for Chili’s

News of the data breach adds Chili’s to a long list of retailers that have been impacted by similar issues just this year, including Sears, Whole Foods, Under Armour, and Kmart. The news is particularly bad for Chili’s because the chain has been suffering from a rather significant sales decrease for nearly a decade.

Additionally, data breaches like this one often result in customers losing trust in brands. A recent KPMG study found that 19 percent of consumers would no longer shop at a retailer that has experienced a breach, while 33 percent would take a long break.

One positive in these circumstances is Brinker’s near immediate response to the situation. The company’s response came just one day after the breach was discovered, which differs greatly from how Facebook’s recent data breach wasn’t made public until it was discovered by reporters.

What this means for consumers

Following the breach, Brinker said it will be working with third-party forensic experts to determine its severity and potential impact. The company stated that it would provide fraud resolution and credit monitoring services for guests, and it will continue to update its website as more information is made available.

Company officials reiterated that the breach only impacted customers at certain Chili’s locations between March and April and that it was safe for consumers to use debit and credit cards at store locations going forward.

Consumers who used their cards at Chili’s locations during that time period are urged to closely monitor their accounts for any suspicious activity. In its statement, Brinker recommended that customers contact a credit reporting agency and their bank or credit provider to enable additional protections.

“We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this issue,” the company said in a news release.

For this year’s annual high school science competition sponsored by NASA, many people paid attention to one invention in particular: a water filter designed to bring cleaner drinking water to public schools.

Public health researchers have for years warned that the water from fountains in public schools is contaminated with lead, bromide, and other chemicals corroding from old pipes.

Mikayla Sharrieff, India Skinner, and Bria Snell, all in the 11th grade at Benjamin Banneker Academic High School in Washington, D.C, had  engineered a filter designed to detect contaminants in public school water fountains.

The girls had reached the finals of the NASA competition last month. They were the only black, female group of high school scientists to make the final rounds this year. Winners were to be decided by online voting.

This apparently caught the attention of 4chan, an online message board that experts warn has attracted increasingly hateful and racist users in recent years. A recent attack in Toronto was linked to a 4chan message board.

NASA said in a statement that it was ending voting early to prevent people from hacking the vote, showing how even NASA is apparently not immune to online trolls.

“Some members of the public used social media,” NASA said in a statement, “to attack a particular student team based on their race and encouraged others to disrupt the contest and manipulate the vote.”

NASA claimed that it closed the competition before the votes were compromised. The winners will be announced later this month.

But reporters found some evidence suggesting that a voting hack could have already taken place.  An analysis by CNN found several threads on 4chan boards in which users directed each other to an anonymous privacy software to help “hack the voting system” and send votes to a group of boy high school scientists in the competition.

“...users posted racist insults and urged members to spread the campaign to other 4chan boards,” CNN reported.

Credit card chips

Those frustratingly slow readers for credit cards equipped with chips were supposed to be a small price to pay in exchange for safer credit cards. That is, until hackers figured out how to hack the chip readers.

The Better Business Bureau says that scammers are inserting thin microchips into the chip reader slot, allowing them to steal credit card information.

Other than catching someone in the act of putting a microchip into the credit card machine, a job that would likely fall on the cashier, there is no easy way to detect that the machines have been hacked.

“If you insert the card and it’s very tight, that could be a sign,” a Better Business Bureau spokesman told a Fox affiliate, “so make sure that you report it to the merchant.”

Small businesses

Major corporations that do not encrypt their data have proven to be vulnerable to hackers again and again. But it turns out that smaller businesses, with fewer resources to protect themselves from a hack, may also be a popular and easier target. Small local businesses in New Jersey make just as ripe targets as big business, the New Jersey Business Journal recently reported.

Sure enough, hacks targeting local businesses have been reported across the world this week. A salon in the United Kingdom said Friday that it was targeted with ransomware, or a type of malware that shuts down a computer system until owners hand over money.

In this case, information about all of the salon’s appointments had been deleted. In their place was a message demanding 30,000 pounds and a warning that more records would be deleted if the salon did not comply. The salon was warned by an IT support worker not to hand over the money.

The city of Atlanta was targeted with a similar type of ransomware attack earlier this year, and lawmakers in the state of Georgia are now mulling over a bill to make “unauthorized computer access “ a crime in the state.

But a group of so-called ethical hackers, who say they hack for moral and ethical reasons, say that the law would only serve to criminalize their work. To protest the bill, the hackers targeted local restaurants and a church, changing their websites to add clips of pop songs.

The hackers have threatened to retaliate further if the law passes, a local newspaper reported.

Earlier this year, Senator Elizabeth Warren published a report charging that the Equifax hack was worse than the company initially disclosed, in part because hackers had accessed consumer passport information.

“Equifax failed to disclose the fact that the hackers gained access to consumers’ passport numbers,” says the report published by Warren’s office in February.

A passport breach poses obvious identity theft concerns, but it is also a national security risk. Security experts have previously identified passport theft as a terrorism threat.

At the time, Equifax denied that any passport data was stolen. Instead, the company claimed that hackers were unsuccessful in their attempt to hack passport data.

“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” Meredith Griffanti, an Equifax spokeswoman, told the New York Post in February.

But Equifax is now saying that passport data was stolen from several thousand consumers. The company made the admission in filings it submitted to the Securities and Exchange Commission (SEC) in response to an ongoing congressional investigation.

Hackers steal information on thousands of passports

The passport breach affected consumers who were trying to challenge information on their credit reports, according to the SEC filings. Equifax directed such consumers to submit complaints to an online dispute portal. The customers were then required by Equifax to submit scans of their ID cards to verify their identity in some cases -- information that was subsequently accessed in the 2017 hack.

Equifax says in the recent SEC filings that hackers accessed information uploaded to that dispute resolution center and made off with scans of 3,200 passports or passport cards. “As part of the dispute process, some consumers may have uploaded government-issued identifications through the portal,” Equifax explains in the SEC filing.

Though this particular aspect of the 2017 hack had not previously been disclosed to the public, Equifax says that it has already notified each affected customer individually. The company claims it had no legal duty to disclose the passport information being stolen to the rest of the general public.

“Because the company directly notified each impacted consumer, the company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal,” the filing says, adding that the “government-issued identifications that were uploaded by consumers to Equifax’s online dispute portal” were “stolen by the attackers.”

Stolen information and harder repercussions

Hackers also managed to steal scans of 38,000 driver’s licenses, 12,000 social security cards, and 3,000 forms of other ID from the same online portal.

Asked about why Equifax appeared to be giving inconsistent answers about whether passport data had been stolen, the company responded that it had been discussing a different aspect of the hack in the earlier answers it gave this year.

“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,”  spokeswoman Meredith Griffanti tells ConsumerAffairs via email. “The analysis conducted on the data elements stolen from those tables found that there were no passport numbers within the passport field accessed by the attacker.”

Warren’s office is continuing to push for harsher repercussions for Equifax. Last month, she and two other lawmakers found that consumers had filed more than 20,000 complaints to Consumer Financial Protection Bureau (CFPB) following the cyber attack.

Twitter is urging its 330 million users to change their passwords right away after it accidentally “unmasked” user passwords by storing them in an unencrypted format in an internal log file.

The company says it has since resolved the mistake and that an internal investigation revealed no indication that passwords were stolen or misused. However, users are still being urged to change their password as a precaution.

"We recently found a bug that stored passwords unmasked in an internal log," stated a tweet from the official Twitter Support account. "We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password."

Issue in the hashing process

The platform explained in a blog post that Twitter “hashes” passwords using the Bcrypt hashing algorithm, but the glitch caused passwords to be written on an internal computer log before the scrambling process was completed.

"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Twitter said.

Users are advised to change their passwords on Twitter and anywhere else they use their Twitter passwords, including third-party apps like TweetDeck or Tweeterrific. The replacement password should be strong and unique. The company also recommends enabling two factor authentication and using a password manager.

Twitter didn’t say how many user passwords may have been exposed or how long the bug lasted. However, a person familiar with the company’s response told Reuters the number was “substantial” and that passwords were exposed for “several months."

Cambridge Analytica, the political consulting firm embroiled in the Facebook privacy scandal, announced on Wednesday that it is ceasing operations and filing for bankruptcy.

The decision comes two months after the London-based company -- which was originally hired by President Trump’s election campaign -- was accused of improperly harvesting data from up to 87 million Facebook users through a personality quiz. It was later revealed that the data was used for targeted political advertising.

In a statement posted to its website, Cambridge Analytica blamed negative media coverage for the data scandal. It said it lost virtually all of its customers and suppliers as a result of the controversy and was forced to file for bankruptcy in both the U.S. and in the U.K.  

Severely damaged reputation

A former Cambridge Analytica employee revealed that Julian Wheatland, the company’s chief executive, said the damage to the company’s reputation was too severe to continue operating and it was “futile” to try to rebrand the company’s offerings.

“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by [a third-party audit], the siege of media coverage has driven away virtually all of the Company’s customers and suppliers,” the company said in a press release.

“As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.”

The firm maintains that its business practices are common to other online advertisers and that Cambridge Analytica has been “vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.”

At its annual developer conference -- dubbed F8 -- Facebook chief Mark Zuckerberg heralded changes to the social media platform.

The most important change involved giving its users the power to delete any personal information Facebook has collected. Also announced were a new dating tool, a virtual reality (VR) headset, and video chats for its Instagram app.

In his best business-like tone, Zuckerberg reaffirmed Facebook’s commitment to rebuilding the trust of its 2+ billion users. At the top of that list are personal privacy and building community.

"We are all here because we are optimistic about the future," said Zuckerberg. "We have real challenges to address but we have to keep that sense of optimism too. What I learned this year is we have to take a broader view of our responsibility."

Clear History

Facebook’s Chief Privacy Officer Erin Egan doubled down on Zuckerberg’s pledge in announcing the company’s plans for a feature called Clear History.

“This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward,” Egan said.

When a user clears out their history via the new setting, Facebook will delete any and all information that identifies who the user is. However, the company isn’t giving up its dependency on user data or taking away its ability to collect and repurpose demographic information for advertisers. It’s simply taking out all the dots that might connect the identity of the user.

Showing its good side

Facebook is holding true to the promise for privacy Zuckerberg made to Congress, but it also added a couple of other features to Facebook’s new collection of manners.

One of those is Crisis Response, a centralized section of Facebook where people can get real-time updates about recent crises as well as connect with people on ways to help or donate.

Another show of compassion is a blood donation feature for people in India, Bangladesh, and Pakistan where they can register as blood donors. The goal for Blood Donations on Facebook is to make it easier for people who want to donate to find opportunities nearby. People in those countries will be able to view nearby blood donation camps, requests for blood donations, and blood banks from a single place on Facebook.

What else is in store?

Goodness and mercy weren’t the only things in play at the conference. There were also some tidbits for the Facebook faithful and lures for the geeks.

New bells and whistles include:

• A Groups tab designed to help users more easily connect to their existing groups and interact with content from all their groups.

• A Video Chat add-on in Instagram. This new Skype-like wrinkle gives people a way to video chat in real-time, even when they all can’t be in the same place.

• Oculus Go -- a virtual reality headset that gives gamers and curious techies the full-on spatial VR experience. The price point for Oculus Go starts at $199 for the 32 GB version.

• Facebook Dating. While bringing a private information-oriented add-on might seem a little risky given the company’s recent scolding, Facebook says it’s actually been working on the idea for a dating feature for years.

“People already use Facebook to meet new people, and we want to make that experience better,” said Zuckerberg. “People will be able to create a dating profile that is separate from their Facebook profile — and potential matches will be recommended based on dating preferences, things in common, and mutual friends. They’ll have the option to discover others with similar interests through their Groups or Events.”

Facebook’s safety net for the dating feature is that whatever people do within that section is sacred territory and will not be shown to their friends.

Tens of thousands of dollars worth of cryptocurrency have been stolen by hackers, once again raising concerns about the security of blockchain technology.

MyEtherWallet.com is a free site that allows consumers to trade Ethereum, or Ether, a cryptocurrency currently valued in the ballpark of $650. The site warns all visitors that it doesn't consider itself responsible should hackers access users’ Ether accounts.  

“We cannot recover your funds or freeze your account if you visit a phishing site or lose your private key,” a notice on the site says. “You and only you are responsible for your security.”

That’s bad news for MyEtherWallet users who recently fell victim to a DNS hijacking scam. Hackers apparently redirected people who visited MyEtherWallet.com to a fake look-alike site. When users logged into the spoof site, the hackers were able to access their passwords and subsequently empty their accounts.

In all, the hackers reportedly made off with 215 Ether -- or the equivalent of $160,000.

According to a statement that MyEtherWallet published on Reddit, the hack was no fault of their own. Instead, the site blames vulnerabilities in Google’s DNS servers for the theft.

“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system,” MyEtherWallet  said. “It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

It’s unclear if affected traders will get their funds back. MyEtherWallet adds in its statement that “we are currently in the process of verifying which servers were targeted to help resolve this issue as soon possible.”

Uber’s Dubai competitor

Careem, a Dubai-based ride-hailing app that is Uber’s largest competitor in the Middle East, admitted that it discovered a security breach that exposed consumer data back in January.

The company did not disclose the breach until Monday because “Cybercrime investigations are immensely complicated and take time.”

“We wanted to make sure we had the most accurate information before notifying people,” a statement published by Careem added. Now that the breach has been disclosed, Careem is advising users to change their passwords and to monitor their bank accounts for any suspicious activity.

Phone numbers

Law enforcement in Colorado are asking for the public's help in finding suspects accused of taking part in a popular and relatively easy phone hijacking scam.

Using online services that identify the carriers of any phone number, identify thieves took information to a mobile phone store, where they impersonated the carrier to get a new phone without paying for it. Instead the cost of the phone showed up as an unpleasant surprise on consumers’ monthly bill.

According to the Federal Trade Commission, reports of this crime doubled since 2013, with 2,658 complaints submitted in 2016.

Yahoo rises from the grave

The company Yahoo may be no more after getting sold to Verizon in 2016, but it still owes the government some money -- $35 million to be exact. The SEC is fining Yahoo for failing to alert investors and consumers about a massive security breach that happened back in 2014.

The SEC alleges that Yahoo’s information security team learned that “Rusian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels’” several days after the attack took place in 2014.

To be more specific, the security team that stolen information included “usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.”

Yahoo eventually did disclose the breach two years later, shortly before it closed the deal with Verizon. Altaba, the company behind the Yahoo brand, has now agreed to pay a  $35 million penalty for the cover-up.

Shipping companies

Forget pirates. A group of hackers based in Nigeria have figured out how to steal money from shipping companies via the internet, according to a report by a cybersecurity firm.  

The hacking group, which goes by the name Gold Galleon, attempted to steal at least $3.9 million from maritime shipping businesses and their customers, the researchers said.

Researchers at F-Secure, a Finnish cybersecurity company, discovered that a hotel lock system known as Vision by Vingcard can be hacked by combining a card reader that can be purchased online with custom software.

Security consultants Tomi Tuominen and Timo Hirvonen said they used old cards from hotels and generated a master key that gave them access to all the rooms using the lock.

“We found out that by using any key card to a hotel ... you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen told Reuters.

Untraceable master keys

The researchers said they’ve been trying to get to the bottom of key card problems for more than a decade, ever since a colleague’s laptop was mysteriously stolen from a locked hotel room.

“Intriguingly, there were no signs of forced entry,” the researchers wrote. Hotel staff ultimately dismissed their complaint because there wasn’t a single indication of unauthorized room access.

The researchers then decided to investigate whether it’s possible to enter a locked hotel room without the key, and years later, they figured out how to do exactly that with the Vision by Vingcard hotel lock system.

A $300 card reader can extract data from a discarded room key and crack the code to unlock all doors at a particular hotel, Wired reported.

"Basically it blinks red a few times, and then it blinks green," Tuominen told Wired. "Then we have a master key for the whole facility."

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen wrote.

Solution developed

Once the security flaws were discovered, the researchers alerted Assa Abloy, the lock’s manufacturer, and set out to develop a software fix.

That fix was issued earlier this year. However, hotel chains need to apply the fix to their systems. Several hundred thousand hotel rooms worldwide still haven’t updated their hotel key card system, Assa Abloy noted.

“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”

The risk of a security breach remains relatively low since the tools and methods by which the researchers made their discovery will not be published.

In a statement, F-Secure thanked Assa Abloy for helping them fix the flaw.

“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” Tuominen said.

Altaba, formerly known as Yahoo, has agreed to pay a $35 million fine to settle charges that it failed to promptly disclose a massive data breach relating to hundreds of millions of user accounts.

The Securities and Exchange Commission (SEC) ruled that the company essentially misled investors because the stock price plunged after the breach was finally revealed.

The SEC found that within days of the breach, Yahoo knew that Russian hackers had broken into the network and made off with usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.

The regulator says the information was reported to Yahoo's senior management, but the company failed to properly investigate the circumstances and adequately consider whether the public should be notified.

Delayed for two years

The SEC says Yahoo waited two years, until it was in the process of selling its operating business to Verizon in 2016, before revealing the data breach.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, Co-Director of the SEC Enforcement Division. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

Last year, Yahoo executives were pressed by members of a Senate committee to answer questions about the breach. Then-CEO Marissa Mayer was asked to describe Yahoo's efforts to notify affected users and what steps the company had taken to mitigate consumer harm.

Last month a federal judge ruled that affected Yahoo users can move forward with a lawsuit against the company. The judge turned aside Verizon's objections, saying affected users might have behaved differently had they known their data had been compromised.

Harm to investors

The SEC settlement specifically addresses investors – people who had purchased Yahoo stock without knowing the company faced a potentially expensive liability. The order found that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications.

The SEC also said Yahoo failed to reveal information about the breach to its auditors or outside counsel to learn what it was obligated to disclose.

Facebook published 27 pages of previously secret rules today on how the site’s moderators decide which photos, videos, and posts should be removed and which can stay online.

The company said it spots potentially problematic content by using either artificial intelligence or reports from other users. That information is then passed on to its 7,500+ human content reviewers who work around the clock in over 40 languages.

Detailed policies

Facebook said it does not allow hate speech about “protected characteristics,” including race, ethnicity, national origin, religious affiliation, sexual orientation, sex, gender, gender identity, serious disability, or disease.

It said there are “some protections” around immigration status and three “tiers of severity” by which posts are judged. Here are a few of the site’s rules:

• The sale of marijuana is not allowed (even in states where it’s legal)

• Sexual activity in general is banned unless “posted in a satirical or humorous context”

• Photos of breasts are allowed if they depict an act of protest

• Guns can only be shown to adults aged 21 or older, and sales between individual people are not allowed

• Bullying rules don’t apply to comments made about public figures

Providing clarity

A shorter version of the guidelines had leaked before, but the full guidelines had not been released to the public until today.

In releasing the detailed guidelines (which include specific examples), Facebook hopes to provide transparency about its content-policing process, which has in the past been criticized for appearing to be inconsistent at times.

“We decided to publish these internal guidelines for two reasons,” said Monika Bickert, Vice President of Global Policy Management at Facebook, in a statement.

“First, the guidelines will help people understand where we draw the line on nuanced issues. Second, providing these details makes it easier for everyone, including experts in different fields, to give us feedback so that we can improve the guidelines – and the decisions we make – over time.”

"We want people to know about these standards, we want to give them clarity," Bickert said.

Getting user feedback

The company admits that its enforcement “isn't perfect.”

“We make mistakes because our processes involve people, and people are not infallible," Bickert said. For this reason, Facebook is also adding a way for users to appeal when one of their posts gets taken down because of sexual content, hate speech, or violence.

Users will get a message explaining why the post was taken down and can follow a link to request a review, which will be handled by a team member “typically within 24 hours.”

“We are working to extend this process further, by supporting more violation types, giving people the opportunity to provide more context that could help us make the right decision, and making appeals available not just for content that was taken down, but also for content that was reported and left up,” Bickert said.

A number of Gmail users have reported finding messages in their “Sent” folders that appeared to have been sent from themselves. Users said they discovered messages for things like “growth supplements” delivered to email addresses they didn’t recognize.

“My email account has sent out 3 spam emails in the past hour to a list of about 10 addresses that I don’t recognize,” a user posted on Gmail’s Help Forum.

“I changed my password immediately after the first one, but then it happened again 2 more times. The subject of the emails is weight loss and growth supplements for men advertisements,” the user continued.

Forged email headers

The messages contained forged email headers to make them appear to have been sent “via telus.com,” a Canadian telecommunications company.

The forged email headers allowed the messages to slip past spam filters. The fact that they appeared to have been sent by the affected user is what caused them to end up in the Sent folder.

Many users were concerned that the messages were an indication that their account had been hacked. However, Google assured users that their accounts were secure and that the issue had been fixed.

“We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it,” Google confirmed to Mashable. “This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.”

“We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident,” the company said.

Report as spam

Google encouraged Gmail users to report any suspicious email as spam, noting that more information on how to report spam can be found by visiting the site’s Help Center.

TELUS, meanwhile, confirmed that its servers aren’t generating the emails.

“We have identified spam emails being circulated that are disguised to appear as if they are coming from http://telus.com. We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server,” a spokesman for the carrier said in a statement.

“We are working with our 3rd party vendors to resolve the issue, and are advising our customers not to respond to any suspicious emails.”

A new white paper -- "Understanding and Improving Privacy ‘Audits’ under FTC Orders’" -- calls the Federal Trade Commission (FTC) on the carpet for its lenient approach to privacy audits required of tech companies like Facebook and Google.

"These audits, as a practical matter, are often the only ‘tooth’ in FTC orders to protect consumer privacy," wrote Megan Gray, an FTC attorney and non-residential fellow at Stanford Law School. "They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security."

While the FTC’s privacy audits are regarded as an efficient way of keeping tech companies in line with privacy commitments made to consumers, Gray urges the agency to improve its privacy standards if it intends on being serious about protecting consumers.

The paper illuminates how privacy audits are not actually audits as most understand them to be.  Rather, because the FTC’s language only requires third-party "assessments," tech companies get away with submitting reports that are essentially a confirmation that they did all that was required.

Take Facebook for instance

A contemporary example would be Facebook’s run-in with its users’ privacy. Under the social media company’s agreement with the FTC, all it’s required to do is undergo twice-yearly privacy audits to show it isn’t misinforming its users about their privacy.

However, none of Facebook’s audits brought Cambridge Analytica’s data mining into question. Despite Facebook knowing about the misuse as far back as 2015, Congressional leaders implied that Facebook wasn’t following the FTC’s instructions as rigorously as it should have been.

In the FTC’s complaint against Facebook, the agency harped on the word "deceptive" in questioning Facebook on how it handled users’ private information in areas like profile and app settings.

As an example, the FTC brought up the fact that in November 2009, approximately 586,241 users had used their Friends’ App Settings to "block" Platform Applications that their Friends used from accessing any of their profile information, including their Name, Profile Picture, Gender, Friend List, Pages, and Networks.

Yet, in Facebook’s December 2009 Privacy Changes, its users could no longer restrict access to their "publicly available information," and all prior user choices to do that were overridden. Although Facebook reinstated those settings soon thereafter, the FTC found that the settings weren’t stored to a user’s Profile Privacy restrictions and instead were essentially hidden.

Better protection of consumers’ privacy is needed

Gray offers several ways the FTC could improve its privacy audits. At the top of her list would be requiring the FTC to end its reliance on a company’s simple confirmation that its privacy protection is up to snuff.

Gray suggests that the current method could be greatly improved if the FTC detailed its expectations in what it wants privacy auditors to examine and have assessors report directly to the FTC instead of the company being audited.

"Simply ‘staying the course’ puts consumers...in an untenable situation, with real-world consequences," concludes Gray. "It’s time to dive deeply into understanding these third-party privacy assessments and consider meaningful proposals for their improvement. The FTC is an extraordinary agency, and it is more than capable of rising to this challenge."

In an email to ConsumerAffairs, the FTC stated that Gray currently has no involvement with current privacy or data security investigations and that the comments made in her paper do not reflect the agency's views.

Facebook has been dealing with a number of privacy-related issues in recent months, and now it has another one to worry about.

The company has confirmed to TechCrunch that it is investigating a research report which shows  that Facebook user data can be compromised by third-party JavaScript trackers embedded on websites using Login With Facebook.  

Trackers are able to harvest a user’s data -- including name, email address, age range, gender, location, and profile photo -- depending on what users initially provided to the website, according to the research report.

The security researchers found that “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”

“Surreptitious data collection”

Researchers say the unintended exposure of Facebook data to third party JavaScript trackers isn’t due to a flaw in Facebook’s Login feature.

“Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” said the report prepared by Steven Englehardt and two of his colleagues at Freedom to Tinker -- a digital initiative by Princeton University’s Center for Information Technology Policy.

The research revealed that seven third parties are abusing websites’ access to Facebook user data and one third party using its own Facebook “application” to track users around the web.

Not yet widespread

The scripts were found on more than 400 of the top one million websites, including BandsInTown and MongoDB.

"We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down," MongoDB told TechCrunch.

This report authors pointed out that this is another example of an exploit that could have been avoided if Facebook had done a better job of auditing how third parties use tools like Login to stop trackers from extracting more information than necessary.

Facebook is already doing damage control on a number of data issues, including the revelation that data of up to 87 million users may have been improperly shared with Cambridge Analytica.

When questioned by Congress, CEO Mark Zuckerberg admitted that Facebook collects “data of people who have not signed up for Facebook.” He claimed the practice was done for security purposes.

Consumers must give consent

A new study by the Privacy Enhancing Technologies Symposium (PETS) has uncovered an alarming statistic: a majority of the most popular and free children’s Android apps collect private data in violation of the Children’s Online Privacy Protection Act (COPPA).

Out of nearly 6,000 apps that it analyzed, the group said that over 1,100 collected personally identifiable information (PII). Additionally, nearly 3,500 shared identification information with advertisers, and roughly 2,300 collected other types of data.

The researchers say the data these apps collect runs the gamut from phone numbers and e-mail addresses to geolocation information. Of these, geolocation data may present the biggest concern because it not only pinpoints where someone lives; it also can make way for interpretations about socioeconomic classes, every day habits, health conditions, and other information -- data that could have life-long implications for children.

Follow the money

There’s a domino effect in all of this, as well. According to the study, the data collected has cookie crumbs trailing back to mobile marketers and app developers who make their money off the data they collect. The five most popular data destinations were mobile app monetization platforms: mopub.com (85 apps), aerserv.com (84 apps), skydeo.com (80 apps), youapp.com (80 apps), and inner-active.mobi (76 apps).

“Although we cannot know the true number of children’s apps in the Play Store, we believe that our results are representative, given that the apps that we examined represent the most popular free ones,” PETS said in a statement.

With the number of apps released each year, one can only imagine how daunting a task it would be to police every corner of every app’s code -- even for a company like Google.

“While child-directed apps may use some Google services, developers are responsible for using these services according to their obligations under the law,” Google stated in a directive to app developers. “Please review the FTC’s guidance on COPPA and consult with your own legal counsel.”

It was only last week when Google’s place in a child’s data food chain came into question. The Campaign for a Commercial-Free Childhood asked the Federal Trade Commission to investigate YouTube for violating COPPA. Specifically, the organization alleged that YouTube illegally collects data about underage viewers, then leverages that data to advertise to that demographic.

What apps are the biggest culprits?

One particularly flagrant example, according to the study, is app developer TinyLab. PETS observed that 81 of the company’s 82 apps shared GPS coordinates with advertisers. Especially popular apps included:

• Fun Kid Racing (10-50 million installations)

• Motocross Kids–Winter Sports (5-10 million installations)

• Fun Kid Racing–Motocross (10-50 million installations)

PETS’ deep dive also came up with a determination that human-readable network names (SSIDs) also allow some inferences about users’ locations, especially when collected over time and across locations. PETS found 148 apps engaging in this behavior, including Disney’s “Where’s My Water? Free” app (100–500 million installations).

If this raises concerns...

So-called “free” apps have to make money somewhere, and it’s usually on the backs of the data it collects and spins into advertising revenue.

Short of a parent poring over the fine print in an app’s terms of service and making a conscious decision based on what they find, it’s a smart idea to ask the app’s developer exactly what information it collects and repurposes.

COPPA also offers FAQs for parents and developers alike, as well as an e-mail address where users can ask questions. That e-mail address is CoppaHotLine@ftc.gov.

People watching the music video “Despacito” this week may have been slightly confused by the cover photograph and description displayed on their screens. Before the music video started, a photograph of masked men pointing their guns at the camera — a clip from a Spanish Netflix show — appeared in the video display.

Underneath, the title of the video was changed to say, “x – hacked by prosox & kuroi’sh @OpIsrael ???? FreePalestine ft. Maluma.”

Videos uploaded by Taylor Swift, Selena Gomez, Drake, and Shakira were also altered by the same group.

In several posts on Twitter, the hacker who identifies themself as Prosox told YouTube and Vevo that it was a harmless prank and that they did not remove the actual music videos.

@YouTube Its just for fun i just use script "youtube-change-title-video" and i write "hacked" don t judge me i love youtube <3

— Prosox (@ProsoxW3b) April 10, 2018

But the breach was apparently not amusing to YouTube and Vevo, as both sites temporarily took down “Despacito” and the other affected videos in response.

“I did not delete despacito must believe me,” Prosox added, in a post ridiculing Vevo’s security.

Virgin Island nation

Hackers have targeted the government of Sint Maarten, a small Caribbean nation located within the island nation of Saint Martin.

It’s unclear what the hackers did exactly. On its website, the Sint Maarten government only admits that some sort of cyber-attack took place and that they are now recovering from it.

“The Ministry of General Affairs hereby informs the public that the recovery process of the Government of Sint Maarten ICT Network is progressing steadily,” a local newspaper reported on April 6.

Hacking gaps found in power chords

Researchers in Israel identified a new method that hackers would be able to use to launch a hypothetical cyber-attack: hacking computer power chords.

“In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel,” write researchers at the Ben-Gurion University of the Negev. Preventing such an attack would require installing special filters in power outlets, they say.

Researchers this week have also identified a method in which hackers would be able to use data from shared word documents in “Rich Text Format” (as opposed to Doc format) to steal data from consumers’ Microsoft Outlook accounts. The research is yet another reminder to never open attachments sent from strangers.

Mark Zuckerberg’s “I’m Sorry 2018” tour played to an SRO crowd on Capitol Hill on Tuesday with the Facebook honcho taking all the punches he could withstand and promising all the privacy changes he could muster up.

Zuckerberg’s nearly four-hour Q&A match with 42 Senators focused on his company’s repeated privacy missteps and its breakdown in detecting the Russia-led crusade to influence U.S. voters.

“We were too slow to spot and respond to Russian interference, and we’re working hard to get better,” said Zuckerberg in a prepared statement.

“Our sophistication in handling these threats is growing and improving quickly. We will continue working with the government to understand the full extent of Russian interference, and we will do our part not only to ensure the integrity of free and fair elections around the world, but also to give everyone a voice and to be a force for good in democracy everywhere.”

Not so fast, Facebook

However, despite Zuckerberg vowing transparency and verification rules to protect its business and its flock, there were two Senators already loaded for bear, introducing a privacy bill of rights to protect the personal information of all American consumers, not just Facebook’s.

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) put into play a bill -- tagged CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) -- that would make “opt-in” the default option for whether users want their information collected or repurposed in any shape, form, or fashion.

While Facebook has offered its users the option to “opt-out” on the data it collects since 2010, it’s likely that most consumers never really paid attention to what information they were giving away until now.

“The startling consumer abuses by Facebook and other tech giants necessitate swift legislative action rather than overdue apologies and hand-wringing,” said Senator Blumenthal. “Our privacy bill of rights is built on a simple philosophy that will return autonomy to consumers: affirmative informed consent. Consumers deserve the opportunity to opt in to services that might mine and sell their data – not to find out their personal information has been exploited years later.”

Making privacy the king

In hopes of reversing a platform such as Facebook’s power over a user’s personal info, the CONSENT Act:

• Requires edge providers to obtain opt-in consent from users to use, share, or sell users’ personal information

• Requires edge providers to develop reasonable data security practices

• Requires edge providers to notify users about all collection, use, and sharing of users’ personal information

• Requires edge providers to notify users in the event of a breach

• Ensures that requirements are enforced by the FTC

This bill covers every conceivable corner of a user’s potentially sensitive information, too. Included are restrictions on:

• financial information

• health information

• information pertaining to children

• Social Security numbers

• precise geolocation information

• content of communications

• call detail information

• web browsing history

• application usage history

To prove their seriousness, Blumenthal and Markey built some legal weight into their proposal by treating any violations of the measure as an infraction of the Federal Trade Commission Act. That act was created with the sole objective of "protect[ing] the process of competition for the benefit of consumers, making sure there are strong incentives for businesses to operate efficiently, keep prices down, and keep quality up.”

The Federal Trade Commission Act also has the power to protect privacy, giving the FTC the permission to penalize companies that violate their own policies through false advertising and other actions that can harm consumers.

In a complaint filed Monday, a group of child, consumer, and privacy advocates claim YouTube illegally collects data about underage viewers and uses that data to advertise to its youngest users.

The group of advocates, led by the Campaign for a Commercial-Free Childhood, said it wants the Federal Trade Commission to investigate Google -- which owns YouTube -- for violating the Children’s Online Privacy Protection Act (COPPA), which sets strict rules for how companies can collect data about children under the age of 13.

Per COPPA regulations, companies that run websites targeted at children must notify parents and obtain their consent before collecting any personal data.

“Acted duplicitously”

The group says YouTube avoided COPPA requirements by saying in its terms of service that YouTube is only intended to be used by those over 13, even though Google knows YouTube is widely used among kids in the 6-12 age range.

The site even caters to young viewers, the group said, citing content that is specifically aimed at children under 13.

“Google has acted duplicitously by falsely claiming in its terms of service that YouTube is only for those who are age 13 or older, while it deliberately lured young people into an ad-filled digital playground,” said Jeff Chester of the Center for Digital Democracy. “Just like Facebook, Google has focused its huge resources on generating profits instead of protecting privacy.”

Calls for a fine

The group wants YouTube to change how it deals with content for children, pay a fine for allegedly profiting off young viewers, and “assess civil penalties that demonstrate that the FTC will not permit violations of COPPA.”

"Google has made substantial profits from the collection and use of personal data from children on YouTube. Its illegal collection has been going on for many years and involves tens of millions of US children," the complaint reads.

YouTube issued a statement saying that it “will read the complaint thoroughly and evaluate if there are things we can do to improve. Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.”

This isn’t the first time a complaint has been filed against YouTube for the way it handles children’s privacy. In 2015, advocacy groups said the site was violating FCC laws about advertising to children.

Best buy customers who used a payment card for purchases should monitor their accounts closely. The company reports a data breach has compromised some customer payment information.

But this data breach is a little different. Hackers didn't penetrate Best Buy's system; they broke into a company that manages Best Buy's customer chat platform.

The company in question is [24]7.ai. Between September 27 and October 12 of last year, it suffered a breach of its network system. Hackers were able to access all kinds of company data, including Best Buy customers' payment card information.

“Since we were notified by [24]7.ai, we have been working to determine the extent to which Best Buy online customers’ information was affected,” the company said in a statement. “We have done that in collaboration with our third-party vendor and have notified law enforcement.”

Best Buy says only “a small fraction” of the company's online customers have been affected. However, it says customers didn't have to use the chat function to be compromised.

Best Buy customers who think they could have been affected are encouraged to visit this website for more information about the breach.

“We will contact any affected customers directly and want to assure them that they will not be liable for fraudulent charges that result from this issue,” the company said. “Additionally, free credit monitoring services will be available if needed.”

What to do

Consumers who learn their payment card information was compromised should contact the card's issuer and report it. The institution will likely issue a new card.

It is also important to carefully monitor accounts and look for fraudulent charges. By law, consumers' liability for fraudulent credit card charges is limited to $50 if the charge is reported promptly. In this case, Best Buy says affected customers will not be liable for any fraudulent charges.

Best Buy customers who see fraudulent charges on their credit or debit card accounts should also inform Best Buy at 247incident@bestbuy.com.

In the face of everything else it’s trying to remedy, Facebook is doubling down on how it deals with what it calls political “issue ads.”

It’s a new layer of approval for anyone who wants to pay to have their political voice heard on Facebook. On top of the existing authorization process, advertisers will have to confirm their identity and location before they’re cleared to advertise.

As Facebook continues to fend off the voodoo stemming from its Cambridge Analytica misstep, with CEO Mark Zuckerberg coming to Capitol Hill today to answer to lawmakers, the company wants the world to know that it’s serious about changing how it deals with political ads and pages.

“We know we were slow to pick up foreign interference in the 2016 US elections,” wrote Facebook’s Rob Goldman, VP of Ads and Alex Himel, VP of Local & Pages. “Today’s updates are designed to prevent future abuse in elections — and to help ensure you have the information that you need to assess political and issue ads, as well as content on Pages.”

And, hoping to make this move perfectly clear, Facebook CEO Mark Zuckerberg stressed that these steps “won't stop all people trying to game the system. But they will make it a lot harder for anyone to do what the Russians did during the 2016 election and use fake accounts and pages to run ads.”

How will these changes appear?

Going forward, political ads on Facebook will be clearly marked as “Political Ad” and will feature information about who the ad is “paid for by.” The full rollout of the new identifiers is expected later this spring.

At the center of Facebook’s political ad target are “issue ads,” the type that advocate for controversial matters. The social media platform says it’s working with third parties to craft a list of political hot potatoes which will vary depending on voter climate.

Facebook is also upping its ante on artificial intelligence and bringing in more people to help pinpoint political advertisers that should have gone through the authorization process but somehow got past its filters.

“We realize we won’t catch every ad that should be labeled, and we encourage anyone who sees an unlabeled political ad to report it. People can do this by tapping the three dots at the top right corner of the ad and selecting ‘Report Ad,’” Goldman and Himel went on to say.

As if to cover all the transparency bases, Facebook is also implementing a tool that will give its users the option to see all of the ads a page is running. That add-on is currently being tested in Canada with the intention of taking it worldwide if all goes according to plan.

Police in Virginia are now investigating a hacking attempt to change grades at a local high school. Back in November, police say, an email purporting to be from the Oaktown High School’s Honor Council,  the school panel dedicated to “honor and integrity,” directed recipients to a link that they said had news about the school.

But users who opened the link were then targeted by malware that recorded their keystrokes and other data, allowing hackers to access log-in information to the school’s computer system. Shortly after the emails circulated, the school found multiple cases of grade changes being requested.

It’s unclear who was behind the hacking attempt, but it wouldn’t be the first time that students have hacked into a public school system to change grades, as the Washington Post reports.

While it may seem like a harmless crime to students, prosecutors have gone after such cases aggressively. One University of Iowa wrestler who attempted such a stunt now faces charges from the FBI.

Every Facebook user

Facebook admitted Wednesday that nearly every one of its users has had their data collected by “malicious actors.”

In response to the ongoing Cambridge Analytica scandal, Facebook published a blog post Wednesday updating people on changes they are making to privacy settings.

Buried in that blog post, Facebook announced that they are disabling a popular search feature that had let users search for each other by phone number and email. According to Facebook’s Chief Technology Officer Mike Schroepfer, the feature posed a security risk for nearly every one of Facebook’s users.

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them,” Schroepfer wrote. Hackers figured out how to “abuse” this feature, as well as the the account recovery feature, to scrape data from “most” Facebook users.

Pipelines

Environmentalists have long warned that the aging, cheap pipes that deliver oil and natural gas are ill-equipped at preventing natural gas explosions or leaks. As oil and gas companies have become more dependent on digital technology, it turns out that even these supposedly modern safety improvements also put people at risk.

Hackers reportedly launched a cyber attack on Latitude Technologies, a Texas-based firm that handles computer communications for the oil, gas, and utility industries. The hack forced four major natural gas pipeline companies, including Energy Transfer Partners, to temporarily shut down their computer systems.

It’s unclear what the motives of the hackers would have been, but a security expert told the New York Times that the energy industry’s increasing dependence on technology  poses an environmental and safety hazard. The systems may allow attackers to remotely cause “explosions, spills, or fires, which easily will threaten human life, property and the environment,” the expert said

In updated estimates, Facebook says it’s possible that up to 87 million people had their data repurposed by Cambridge Analytica.

However, that metric comes with a precautionary warning.

“We wanted to take a broad view that is a conservative estimate,” said Facebook CEO Mark Zuckerberg in an interview. “I am quite confident that given our analysis that it is not more than 87 million. It very well could be less, but we wanted to put out the maximum we felt that it could be as that analysis says.”

In response, Cambridge Analytica argued that figure loudly and defiantly.

“Cambridge Analytica licensed data for no more than 30 million people from GSR (Global Science Research), as is clearly stated in our contract with the research company,” the company wrote in a press release. “We did not receive more data than this.”

Cambridge wants its name cleared, too

Cambridge Analytica wants its name expunged from the list of entities behind any manipulation of data regarding Trump’s bid for the White House.

“We did not use any GSR data in the work we did in the 2016 US presidential election,” claims Cambridge Analytica in an attempt to define its position..

“When Facebook contacted us to let us know the data had been improperly obtained, we immediately deleted the raw data from our file server. We carried out an internal audit to make sure that all the data, all derivatives, and all backups had been deleted, and gave Facebook a certificate to this effect.”

Where do we begin?

The “millions” figures quoted by Facebook and Cambridge Analytica started out as 270,000 -- the number of respondents that used GSR’s “thisisyourdigitallife” app.

However, in addition to harvesting metrics on Facebook users who used the app, it has also been revealed that information was collected on those users’ “friends” on Facebook. That, in turn, raised the number of affected individuals exponentially.

Cambridge Analytica used the statistics it collected to build user profiles. The company credited the use of those profiles in helping the Trump ‘16 campaign take advantage of key biases and demographic changes.

All finger pointing aside, how does this get fixed?

Whether this is a matter of misdirection or re-direction, the PR battle between Facebook and Cambridge Analytica probably isn’t going away soon. But for Facebook users, it appears that CEO Mark Zuckerberg is being proactive, and things are getting better.

“So, now we have to go through every part of our relationship with people and make sure that we’re taking a broad enough view of our responsibility,” assured Zuckerberg. “And it’s not enough to give people tools to sign into apps, we have to ensure that all of those developers protect people’s information too. It’s not enough to have rules requiring they protect information, it’s not enough to believe them when they tell us they’re protecting information — we actually have to ensure that everyone in our ecosystem protects people’s information.”

At the top of Facebook’s list of new promises is a rather adamant pledge: “We’re not asking for new rights to collect, use or share your data on Facebook. We’re also not changing any of the privacy choices you’ve made in the past.”

Lining up right behind that pledge are more plums for any concerned Facebook user:

• Personalized experience: Everyone’s experience on Facebook is unique, and we’re providing more information on how this works. We explain how we use data and why it’s needed to customize the posts and ads you see, as well as the Groups, friends and Pages we suggest.

• What we share: We will never sell your information to anyone. We have a responsibility to keep people’s information safe and secure, and we impose strict restrictions on how our partners can use and disclose data. We explain all of the circumstances where we share information and make our commitments to people more clear.

• Advertising: You have control over the ads you see, and we don’t share your information with advertisers. Our data policy explains more about how we decide which ads to show you.

• One company: Facebook is part of the same company as WhatsApp and Oculus, and we explain how we share services, infrastructure and information. We also make clear that Facebook is the corporate entity that provides the Messenger and Instagram services, which now all use the same data policy. Your experience isn’t changing with any of these products.

• Device information: People have asked to see all the information we collect from the devices they use and whether we respect the settings on your mobile device (the short answer: we do). We’ve also added more specific information about the information we collect when you sync your contacts from some of our products, including call and SMS history, which people have recently asked about.

• Addressing harmful behavior: We better explain how we combat abuse and investigate suspicious activity, including by analyzing the content people share.

When will Facebook users see these changes?

Facebook can quickly make shifts in controls users can click on or off and start its path towards cleaning up its act, but that’s only a start.

“I wish I could snap my fingers and in three to six months solve all these issues,” Zuckerberg said. “I think the reality is complex. I think this is a multiyear effort.”

Facebook CEO Mark Zuckerberg will testify before the House Energy and Commerce Committee next week, the committee has announced.

Zuckerberg has been in the eye of the Facebook storm over privacy issues since it was revealed that user data had been illegally obtained and used by a political marketing firm.

In a joint statement, committee chairman Greg Walden (R-OR) and ranking member Frank Pallone, Jr. (D-NJ) said the hearing will be an opportunity to shed light on critical consumer data privacy issues.

They said that as a result, all Americans may better understand what happens to their personal information online. The hearing is scheduled for 10 a.m. ET on April 11.

Zuckerberg declined an invitation to appear before a British Parliamentary committee investigating the same issue. Officials in both nations say they want to learn more about what data Facebook collects from users and who has access to it.

The scandal

In March, the New York Times reported that Cambridge Analytica, a political marketing firm, used Facebook user data to target ads on behalf of the British campaign to leave the European Union and the U.S. presidential campaign of Donald Trump.

Facebook said Cambridge Analytica was never authorized to receive the data, and obtained it from an app developer who had conducted a survey on Facebook. People who took the survey were informed that the developer would have access to their Facebook profiles -- as well as the profiles of all their Facebook friends. However, the friends were never informed their data was being accessed by a third party.

Since the revelation, Facebook has made a number of changes in the way it handles and safeguards user data, including severing ties with a major data broker and giving users more control over privacy settings.

Facebook is currently under investigation by the Federal Trade Commission (FTC) and several state attorneys general

Facebook is not done with Russia… yet.

The social media leader is still uncovering accounts linked to the Internet Research Agency (IRA), the Russian company bent on turning Facebook into a propaganda fest.

And as soon as Facebook finds them, they’re axed from the platform. On Tuesday, the company announced that it had removed 70 Facebook and 65 Instagram accounts, plus another 138 Facebook Pages that were controlled by the IRA. Many of the offending Pages were also sneaking in Russia-favored advertisements and those, too, have been removed.

Facebook has a serious dog in this fight and not afraid to give up the large number of users who visit these sites. An estimated 1.08 million unique users follow those suspect Facebook Pages and 493,000 unique users follow a minimum of one of the Instagram accounts.

Those users are mostly eastern European (Russia, Ukraine, Georgia, Kyrgyzstan, et al), but also include 42,000 Brazilian users.

‘We’ll keep fighting’

Losing money doesn’t seem to be an issue for Facebook, either — especially when it comes to losing face. On the income side of the Russian-influence equation, a related $167,000 was spent on Facebook and Instagram ads since 2015.

“The IRA has consistently used inauthentic accounts to deceive and manipulate people,” wrote Alex Stamos, Facebook’s Chief Security Officer. It’s why we remove every account we find that is linked to the organization — whether linked to activity in the US, Russia or elsewhere.”

“We know that the IRA — and other bad actors seeking to abuse Facebook — are always changing their tactics to hide from our security team. We expect we will find more, and if we do we will take them down too. But we’ll keep fighting and we’re investing heavily in more people and better technology to constantly improve safety on Facebook.”

While the IRA’s most heralded invasion is the one surrounding the 2016 Presidential election, the new dearly departed are accounts that were “targeting people living in Russia,” Facebook CEO Mark Zuckerberg said in a post.

Increased investment in security

Zuckerberg seems determined to wipe every bit of mud thrown on his company’s face -- mud that was first slung when it was discovered that Cambridge Analytica plucked profile data from Facebook users to slant advertising to benefit Donald Trump’s presidential campaign and other right-wing candidates.

And the Facebook CEO is putting his money where his mouth is. “We have also significantly increased our investment in security. We now have about 15,000 people working on security and content review. We'll have more than 20,000 by the end of this year,” Zuckerberg said in a post.

He goes on to remind the world that Facebook found and took down 30,000 fake accounts leading up to France’s 2017 presidential election; worked in tandem with Germany’s Federal Office for Information to examine the threats it was was seeing relating to its 2017 elections; and Facebook’s deployment of Artificial Intelligence tools that “proactively detected and removed fake accounts from Macedonia trying to spread misinformation.”

Zuckerberg closed his post with this promise: “Security isn't a problem you ever fully solve. Organizations like the IRA are sophisticated adversaries who are constantly evolving, but we'll keep improving our techniques to stay ahead -- especially when it comes to protecting the integrity of elections.”

Consumers who ordered food online from the bakery-cafe chain Panera Bread via the company’s website could potentially have had their payment information exposed.

Panerabread.com leaked eight months’ worth of customer records from its website, according to a report by KrebsOnSecurity.

The data leak included customer names, email and home addresses, birthdays, and the last four digits of credit card numbers. The beach affected "millions" of customers who ordered food on the company's website, panerabread.com, the blog post said.

Issue has been resolved

Panera claims that fewer than 10,000 consumers had potentially been affected by the breach and stated that the issue has since been resolved.

Although their investigation is ongoing, Panera maintains that there is no evidence of payment records or other large amounts of personal information being accessed or retrieved.

“Panera takes data security very seriously and this issue is resolved,” the company said in a statement. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.”

“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.”

Hudson’s Bay Co. says customer payment card information may have been stolen from shoppers at certain Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores in North America.

The retailer said in a statement that it has identified the issue and taken steps to contain it, but it has stopped short of disclosing how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

Five million records taken

However, one cybersecurity firm analyzed the available data and found that five million credit card and debit card numbers had been compromised in the breach.

Gemini Advisory LLC said in a report that the information was stolen from 83 Saks Fifth Avenue or Saks Off Fifth stores, and from all Lord & Taylor locations. Approximately 125,000 of the five million records compromised have been released for sale on the “dark web,” the firm said.

“Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present,” Gemini Advisory said.

Hudson Bay says it is “working rapidly with leading data security investigators to get customers the information they need, and the investigation is ongoing.” The company is coordinating with law enforcement authorities and the payment card companies for the investigation.

Consumers affected by the breach will not be liable for fraudulent charges, the company said.

Welcome to the future. Hackers are currently holding a major American city for ransom and are demanding that they be paid in Bitcoin.

Atlanta officials confirmed on Monday that a ransomware attack had kicked much of its computer system offline. Without the system functioning, Atlanta is unable to collect online bills from residents, which perhaps isn’t such a bad thing for people who are behind on their water bills or traffic ticket payments.

But the attack has frightening implications for government agencies. "This is much bigger than a ransomware attack, this really is an attack on our government," Mayor Keisha Lance Bottoms told a news conference. "We are dealing with a hostage situation."

The attackers have indicated that it will not restore Atlanta’s websites or computer system until they are paid $51,000 in Bitcoin.

Ransomware, as its name suggests, freezes or infects computers and then provides a message asking for a ransom if users want their systems unlocked. Like other malware, it works by sending an email to unsuspecting users with a “phishing” link.

Atlanta officials have not yet indicated whether they will pay the ransom.

As of Friday afternoon, Atlanta’s page for allowing residents to pay their water and sewer bill was still not loading. The municipal court online payment webpage says; “City of Atlanta is currently experiencing technical issues which is impacting the ability to take payments at this time.”

Under Armour

Under Armour warned a whopping 150 million people on Thursday to change their password. The company owns a popular application called MyFitnessPal that tracks nutritional intake and workout routines. Hackers gained access to all 150 million users’ passwords, names, and email addresses.

The company denies that credit card information was accessed but says they are getting law enforcement involved.  

“We do not know the identity of the unauthorized party. Our investigation into this matter is ongoing,” the company announced.

Italian soccer (football) team

It happens to the best of us. The Italian newspaper Il Tempo is reporting that SS Lazio, a football team in Italy, was tricked into paying the final portion of a player’s contract to hackers.

A Dutch soccer club had traded their star defender, 26-year-old De Vrij, to SS Lazio in 2014. A hacker impersonating the Dutch team recently sent SS Lazio an email asking for the final installment of his contract, or two million Euros.

The Dutch team says they never sent that email and never received the final payment. Authorities are reportedly investigating the issue.

Under Armour has disclosed that 150 million MyFitnessPal diet and fitness app accounts were affected by a security breach. The number of records compromised make this the largest data breach this year and one of the top five in history.

The company said it became aware of the hack on March 25, but it believes that an unauthorized party had access to the accounts since late February. Information made vulnerable to cyber criminals in the breach includes users’ email addresses, usernames, and hashed passwords.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users,” Under Armour said in a statement.

“Payment card data was also not affected because it is collected and processed separately. The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

Users urged to change passwords

Four days after discovering the breach, Under Armour notified MyFitnessPal users via app and email notifications. The company said users could safeguard their account and information by taking the following measures:

• Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.

• Review your accounts for suspicious activity.

• Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.

• Avoid clicking on links or downloading attachments from suspicious emails.

Under Armour said it doesn’t know the identity of the unauthorized party and is currently working with data security firms to assist in its investigation. It did not provide details on how the hackers got into its network in the first place.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” Under Armour informed its customers. “We continue to make enhancements to our systems to detect and prevent unauthorized access to user information."

The U.S. State Department wants to widen its scrutiny of U.S. visa applicants by asking them to unveil their social media handles.

According to a Bloomberg report, the new visa applications will ask applicants to “provide any identifiers used by applicants for those platforms during the five years preceding the date of application.”

This move broadens the Department’s vetting of visa applicants. It’s possible the new information could uncover any possible ties to groups, sympathies, posts, or messages that warrant concern.

What information will be asked for

If this request is approved, additional questions will ask for five years of previously used telephone numbers, email addresses, and international travel information; whether the applicant has been deported or removed from any country; and whether specified family members have been involved in terrorist activities.

Prior to this, email addresses, phone numbers, and social media identities were asked for from applicants who the Department thought should be more closely examined. Last year, about 65,000 people fit that profile.

Visa processing is a heavy burden for the State Department. There are an estimated 14 million visa applications a year that take 21 million annual hours to process.

A diligent and thorough process

In the aftermath of the 2015 terrorist attack in San Bernardino, California, Congress raised concerns about the use of social media by terrorist groups and requested that the Department of Homeland Security (DHS) broaden its social media background checks.

In turn, DHS established a task force for using social media to screen immigration applicants. Additionally, the U.S. Citizenship and Immigration Services (USCIS) and the Immigration and Customs Enforcement (ICE) tested programs that expanded social media screening of those applicants.

Last December, DHS got the approval to put those supplemental background checks in place.

The State Department provides a full list of FAQs for anyone considering applying for a visa. Also available are updated answers to questions regarding the Trump administration’s immigration restrictions.

On a day when Facebook took additional steps to tamp down the furor over its handling of user data, company CEO Mark Zuckerberg was forced to explain an internal Facebook memo that surfaced in the media.

BuzzFeed published a 2016 Facebook memo to employees in which company vice president Andrew "Boz" Bosworth argued that Facebook should be prepared to do whatever is necessary to increase user growth.

“We connect people. Period," Bosworth told Facebook employees. "That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.”

Fuel for critics

Facebook critics were quick to pounce on the memo, calling it further evidence that the company plays fast and loose with user privacy. Facebook has been pilloried since it revealed that an app developer obtained Facebook user data, then sold it to a political marketing group.

Zuckerberg released a statement strongly disavowing the contents of the Bosworth memo. However, he pointed out that Bosworth was often purposely provocative in an effort to bring critical issues into the open for debate.

"Boz is a talented leader who says many provocative things. This was one that most people at Facebook including myself disagreed with strongly," Zuckerberg said. "We've never believed the ends justify the means."

Bad timing

The memo's release comes at a bad time for Facebook, which has spent much of this week taking steps to reassure lawmakers, regulators, and users. On Thursday, Facebook's vice president for product management, Guy Rosen, participated in a conference call with reporters to discuss steps Facebook is taking to protect election security for the upcoming midterms.

Rosen identified four main election security areas that Facebook is working on:

• Combating foreign interference

• Removing fake accounts

• Increasing ads transparency

• Reducing the spread of false news

"This is a comprehensive approach we deploy in elections around the world, and we’re here today to share our thinking about what we are doing so that you can better understand our approach," Rosen said.

Also this week, Facebook announced tweaks to the site that will cause all Facebook users to see more local news in their news feeds. Previously, the change was made only for U.S. users.

Facebook also moved this week to exclude third-party data providers from its advertising platform, limiting what marketers know about users' shopping habits. According to industry insiders who spoke with CNBC about the move, it makes data brokers less effective while giving Facebook more control over the data used to target ads.

Boeing Company’s computer system was struck by the WannaCry computer virus on Wednesday. The company’s worst fear was that crucial aircraft production equipment might be crippled, but Boeing’s IT team came to the rescue and averted the crisis.

“All hands on deck” was the message the airline builder fired off to its leadership team. In an internal memo, Mike VanderWel, Boeing’s chief engineer of commercial airplane production, said the attack was “metastasizing” and he worried it could spread to Boeing’s production systems and airline software.

A virus that lives up to its billing

Boeing became the latest to find out just how serious the WannaCry virus can be and how important up-to-date security settings are.

Simply put, WannaCry makes you, well, wanna cry. The virus is what’s called a “ransomware cryptoworm.” It targets computers running Microsoft Windows and holds users hostage until they make a ransom payment in Bitcoin or another untraceable cryptocurrency.

Even though Microsoft had released patches to fight off the virus, WannaCry is still able to paralyze computers where the patches haven’t been applied or older Windows systems that Microsoft no longer supports.

When WannaCry first hit the scene in May, 2017, it brought more than 230,000 computers to their knees worldwide. No one was spared, either. The ransomware attack hit universities, governments, hospitals, utilities, and others including Nissan, FedEx, Honda, and even the Russian railway system.

WannaCry’s victims were held up for between $300-$600 in ransom money before the virus’ masterminds would unlock the files the malware was holding hostage.

In December 2017, the United States, United Kingdom, and Australia formally alleged that North Korea had masterminded the attack. That assertion was backed by both Microsoft and the UK's National Cyber Security Centre. North Korea denied any involvement.

How to protect yourself from WannaCry

If you haven’t updated your virus protection or system software since last May, you might be still be vulnerable to WannaCry. When the virus first hit the scene, ConsumerAffairs produced an in-depth guide on the essential steps consumers should take to secure their Windows-driven computers -- where to find the patches and what to do if you’re unable to download Microsoft’s updates.

WannaCry isn’t the only bad actor out there in the virus world. Microsoft has identified 16 ransomware bandits that go after everything from documents to media files. In a list of FAQs, the Windows support team gives consumers a complete rundown of how to protect themselves from a costly attack.

Facebook is making major changes to its privacy settings to make it easier for users to find and change them.

The company has been under fire because one of its app developers misappropriated Facebook data, allegedly selling it to a political marketing firm.

"We’ve redesigned our entire settings menu on mobile devices from top to bottom to make things easier to find," said Erin Egan, Facebook's chief privacy officer, in a company blog. "Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place."

Other modifications include "cleaning up" outdated settings so users have a better understanding of what information can and can’t be shared with apps.

Privacy shortcuts

"People have also told us that information about privacy, security, and ads should be much easier to find," Egan writes. "The new privacy shortcuts is a menu where you can control your data in just a few taps, with clearer explanations of how our controls work. The experience is now clearer, more visual, and easy to find."

Using the new privacy shortcuts menu, expected to go live later today, Facebook users can make their accounts more secure with added layers of protection. Users will be able to review information that has been shared and delete it. The data includes posts that have been shared or commented upon, friend requests, and Facebook searches.

Controlling ad placement

Facebook is also giving users more control over the ads they view by managing the information Facebook uses to decide ad placement. Users will be able to manage who sees their posts and profile information.

"Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data," Egan said. "We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed."

Facebook has faced intense media criticism after it was revealed that an app developer that had permission to access Facebook user data reportedly sold the data, in violation of Facebook's rules, to a third party.

That third party, a political marketing company called Cambridge Analytica, reportedly used the data to target political ads and information in support of Donald Trump during the 2016 presidential campaign.

The Federal Trade Commission has confirmed it has opened an investigation into Facebook's privacy practices.

The announcement from Acting Director Tom Pahl said the agency responds when any company does not live up to its promises to protect privacy.

"Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements," Pahl said in a statement.

"Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Facebook once again in FTC crosshairs

Facebook has dealt with the FTC on privacy issues in the past. It signed a consent decree with the FTC in 2011 after a privacy issue arose. The agreement required Facebook to notify users and get permission before sharing personal data beyond the user's privacy settings.

Rob Sherman, deputy chief privacy officer for Facebook, released a statement saying the company appreciates the opportunity to answer any questions the FTC might have.

Facebook found itself at the center of a media firestorm over a week ago when it was revealed that an app developer who legally accessed Facebook user data, with user's permission, then sold the data to a political consulting firm, in violation of Facebook's terms of service.

New reports suggest that Facebook has been logging Android users’ call and SMS (text) history without their permission. The company says that’s not exactly the case, but text history logging is something the user can choose as an opt-in feature.

According to an Ars Technica report, a New Zealander was poring through an archive of his personal data that he had downloaded from Facebook. What he found was not only the typical photos, posts, and contacts, but nearly two years worth of data including names, phone numbers, and the length of each call he made from his Android phone.

After last week’s PR bloodbath, Facebook was quick to step up and clear its name the best it could.

“People have to expressly agree to use this feature,” the company said in their response to the story. “If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.”

Contact importing is commonplace in social apps. FourSquare, Cloze, Brewster, and others all use some form of contact collection. Not wanting to be left out on a good idea, Facebook also introduced a version in their Messenger app in 2015, then followed up with a “lightweight version” of it in its Facebook for Android app.

How it works

Many people gloss over things like fine print, opt-ins, and opt-outs, and this latest development seems to fall under that category. The way Facebook has this option set up is that when a user signs up for or logs into Messenger or Facebook Lite on an Android device, they’re given the option to have a running upload of contacts as well as call and text history.

In the Messenger app, users can either turn it on or off, or click on the “learn more” or “not now” options. On the Facebook Lite app, the choices are to turn it on or select “skip.” For users who decide to turn the feature on, Facebook logs that info as it happens.

Curious Facebook users who do their social networking on an Android device can see what information has been gathered by using Facebook’s “Download Your Information” tool.

How you can change the info Facebook collects

If a user no longer wants their calls and texts tracked, all they have to do is turn the feature off in their settings. For added security, users can also go here to see which contacts they have uploaded from Messenger and delete any uploaded contact information they want to.

Given all that’s erupted out of Facebook’s data collection dust-up, it’s smart for users to double-check what information they’ve given Facebook and others access to.. The company offers a laundry list of ways to update a user’s settings and enhance the security of their data. In a few simple steps, users can decide what apps and games they want to grant permission to collect personal data.

News that the firm Cambridge Analytica harvested profile data from Facebook users to advertise for Donald Trump’s presidential campaign and other right-wing candidates sparked a major backlash against the social media giant this weekend.

Facebook denies that it was a hack, however, explaining to the New York Times that “no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

In fact, Facebook may have a point. As many have noted, Facebook's own policies didn’t block third parties from accessing user data until 2015, after Cambridge Analytica had already obtained information on an estimated 50 million users.

Facebook’s COO Sheryl Sandberg and CEO Mark Zuckerberg responded to the revelations publicly Wednesday with promises to review their policies. The site has approximately two billion users, or a quarter of the planet.

Universities, companies, and governments

In what the US Attorney’s office says is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” the DOJ said today that cyber-criminals in Iran stole $3.4 billion worth of data from 144 American universities. They also allegedly targeted 176 foreign universities, 30 private companies and five government agencies over a four-year period.

The DOJ formally indicted the alleged hackers today, though they were not arrested because they are still in Iran. Prosecutors say they could face detention if they ever try to leave the country.

More than 8,000 American professors were targeted in the attack as part of an effort to steal their research, the government says. The hackers allegedly have links to the Mabna Institute, a tech firm that the DOJ says works on behalf of the Iranian government and Iranian universities.

Orbitz customers

Orbitz, the third-party travel booking site owned by Expedia, announced this week that hackers accessed information on approximately 880,000 credit cards used by customers.

Over a period of several months last year, hackers managed to mine credit information as well as names, birth dates, and addresses on customers who used the site anywhere from from January 2016 to December 2017.

"We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available,” Orbitz said in a statement.

Canadian credit card users

Thieves made off with the rewards points earned by Canadian consumers participating in a grocery store loyalty program.

PC Optimum is a new but popular program in Canada that allows consumers to earn reward points when they shop at certain grocery stores and other retailers.

They may just be points, but they have real value; one victim said she lost more than one million points, allowing hackers to purchase over $1,000 worth of goods with her account. A total of more than 100,000 people had their points stolen.

Physical therapy patients and employees

ATI Physical Therapy, a chain of physical rehabilitation centers across the country, alerted over 35,000 customers yesterday that their data may have been accessed by hackers who were targeting direct deposit data of company employees.

As is becoming the standard when these breaches occur, the company is offering consumers free credit monitoring.

Facebook CEO Mark Zuckerburg has made a public statement in response to the controversy over one of its partner's illegal sale of Facebook data to a third party.

The data, which includes profiles for an estimated 50 million Facebook users, was allegedly used to target political ads in support of Republican presidential nominee Donald Trump during the 2016 election.

"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you," Zukerberg wrote in a nearly 1,000 word post on Facebook. "I've been working to understand exactly what happened and how to make sure this doesn't happen again."

Facebook actually did nothing illegal. It had a partnership with a third party app -- This Is Your Digital Life -- that allowed the app developer to access data about people who downloaded the app, and their friends. People who downloaded the app were informed of the terms.

Violations of terms of service

What happened next is where it gets sticky. Facebook alleges that the owners of the app sold the data to a political marketing firm, Cambridge Analytica, in violation of Facebook's terms of service. Cambridge Analytica then allegedly used the data to target voters on behalf of the Trump campaign.

In his statement, Zuckerberg said Facebook made a number of policy changes in 2014 that would have prevented the unauthorized distribution of Facebook data had they been adopted earlier.

Among the changes:

• Limits were placed on the data that apps could access

• Apps could not access users' friends' data without permission from the friends

• Developers must receive Facebook permission before they can ask for users' data

Learned of the data sale in 2015

Zuckerberg says it was not until 2015 that Facebook learned from journalists that the app developer had sold the data to Cambridge Analytica. It then demanded the data be deleted, and Zuckerberg says Facebook received certifications that the data had, in fact, been destroyed.

"Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified," Zuckerberg wrote in his post. "We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We're also working with regulators as they investigate what happened."

So far, Zuckerberg's public statement has done little to quell the controversy. An appearance on CNN Wednesday night didn't seem to help either.

Critics say Facebook should have informed its users in 2015 that their data may have been sold to a political marketing firm. A Twitter campaign called #deletefacebook is urging angry Facebook users to abandon the social media platform.

But writing on Engadget, technology journalist Nicole Lee says deleting Facebook is easier said than done. She notes that the site has become too important to too many people who depend on it to stay connected to family and friends.

Members of Congress are calling for more oversight of Facebook after information about an estimated 50 million users was allegedly used to influence elections.

Sen. Edward J. Markey (D-Mass.), a member of the Commerce, Science, and Transportation Committee, wrote a letter to the committee leadership asking it to hold hearings and solicit testimony from top Facebook executives.

Markey and others are asking for an explanation of how Cambridge Analytica, a political marketing firm, acquired private data on Facebook users that was allegedly then used in the successful Brexit and Trump campaigns.

In his letter, Markey cited published reports suggesting only a small number of Facebook users had agreed to their information being shared with a third party.

“In light of these allegations, and the ongoing Federal Trade Commission (FTC) consent decree that requires Facebook to obtain explicit permission before sharing data about its users, the Committee should move quickly to hold a hearing on this incident, which has allegedly violated the privacy of tens of millions of Americans,” Markey wrote.

Request for details

Sen. Ron Wyden, (D-Ore.), is asking the social media company to detail the extent that private information was misused. He also suggested a review of how Facebook collects, stores, and shares information.

In a letter to Facebook CEO Mark Zuckerberg, Wyden said the ease with which the site's default privacy settings were exploited for profit and political gain raises questions about the company's business model.

"It also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information,” Wyden wrote. “With little oversight—and no meaningful intervention from Facebook—Cambridge Analytica was able to use Facebook-developed and marketed tools to weaponize detailed psychological profiles against tens of millions of Americans.”

Highly-targeted ads

Facebook has been successful because of the power of its targeted advertising. Commercial enterprises can buy ads that appear in the timelines of consumers of a specific age and gender who have certain interests.

The fact that politicians would also take advantage of this power should not come as a surprise. In the wake of the 2016 U.S. election that sent Donald Trump to the White House, Facebook got a lot of unwelcome attention for the information that appeared in users' timelines -- information that looked like news stories but may or may not have been true.

Facebook spent much of 2017 making adjustments -- such as downgrading links from certain sites and adding "related stories" to broaden the scope of coverage.

However, part of the problem stems from the fact that for a significant number of consumers, Facebook is their primary source of news. The Pew Research Center reports that during the height of the 2016 presidential campaign, 62 percent of adults said they got news from social media sites.

Facebook finds itself under fire after a weekend revelation that data on millions of its users was used in an unauthorized manner.

It's being called a data breach, but the data wasn't used to steal your identity or empty your bank account. Instead, Facebook critics charge it was used to influence voters in the successful Brexit and Trump campaigns.

The news has raised the issue of what data big tech collects and how it is used, and it has garnered the attention of both U.S. and European regulators. In recent months, Facebook has moved to address how political operatives have used its platform to spread misleading or one-sided information under the guise of "news."

Personality quiz

According to Facebook, a professor used Facebook's log-in credentials to ask users to sign up for what was said to be a personality analytics tool that was to be used for academic research. A total of 270,000 Facebook users downloaded the app, and in doing so gave it permission to access Facebook data on themselves and all of their friends. The New York Times estimates the total number of files to be around 50 million.

Facebook says the professor then violated its terms of service by selling the data to an obscure political marketing company called Cambridge Analytica. That company reportedly used the data to target potential voters.

In the UK, it reportedly targeted Facebook users inclined to vote for Britain leaving the European Union. In the U.S., it reportedly targeted users on behalf of the Trump campaign.

The app was called “This Is Your Digital Life.” If you downloaded it, you and all your Facebook friends may have received political posts, depending on your political leanings, as gauged by the personality test.

New revelation

Facebook says it learned of the violation of its rules nearly three years ago and removed the app from Facebook. But the company said it learned only last week that not all of the collected data was deleted, as required. It has moved to suspend Cambridge Analytica's account.

"We are constantly working to improve the safety and experience of everyone on Facebook," Facebook said in a statement. "In the past five years, we have made significant improvements in our ability to detect and prevent violations by app developers."

Cambridge Analytica has issued a statement of its own, saying it complies with Facebooks terms of service and said it deleted all data that was not gathered in compliance with the rules.

It should be noted that a major part of Facebook's business is using analytics data to help advertisers specifically target ads. However, Facebook does not allow this information to be downloaded and sold to third parties.

The Trump administration said Thursday that the Russian government tried to hack the United States power grid two years ago.

The announcement coincided with sanctions that the US treasury imposed on 19 Russians for what they described as meddling in the 2016 presidential elections. Russian officials denied their involvement with either attack and vowed to retaliate for the sanctions.

According to the Department of Homeland Security and the FBI, Russian “government cyber actors” targeted “energy sector networks,” but the agency did not name who was affected.

Russia has also been accused of hacking Ukraine’s energy infrastructure and causing widespread blackouts several years ago. It’s unclear if hackers were trying to cause power outages here, security experts told CNBC, but they said disrupting the power grid was a likely motive.

United States officials also have a long record of spying on infrastructure in other countries, they added, which is why the United States is typically reluctant to name attackers who do the same here. In fact, they say this is the first time that the United States government has publicly accused another country of such a massive breach.

"I have never seen anything like this," Amit Yoran, a former U.S. official who now heads a cyber security firm, told the station.

Pentagon employees

Hackers successfully guessed the usernames and passwords of 318 people who work in the Pentagon and use Citigroup credit cards.

Citigroup says that the hackers could not get past the second layer of authentication, however, and said no money or other data was stolen.

Citigroup, which runs the a travel charge card program for the  Department of Defense, described the hacker or hackers as a “malicious actor.”

Florida “virtual” students

Florida boasts the largest virtual school system in the nation, with an internet-based elementary school and high school that offers 150 courses. But a new report raises concerns about the cyber-security of students who take them.

The Florida Department of Education recently admitted that a massive data breach in its Florida Virtual School impacted more than 368,000 current and former students and as many as 2,000 teachers.

The hack, which occurred sometime between May 2016 and February 2018, allowed thieves to access names, birth dates, and school account numbers of students and teachers. One security expert describes schools as prime targets for cyber-attackers because of the critical information they hold.  

Florida administrators added that they had contacted law enforcement and offered students free identity protection services.

Equifax accused of insider trading

Need another reason to be mad at Equifax? How about one million?

Equifax’s former chief information officer Jun Ying is facing insider trading charges for dumping his company stock shortly before the company had admitted that a massive amount of consumers’ data was stolen last year. The Securities and Exchange Commission (SEC) says that Ying made over $1 million from the sale.

“Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public," Richard R. Best, director of the SEC's Atlanta regional office, said in a press release. "Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit."

A former Equifax executive has been charged by the Securities and Exchange Commission (SEC) with selling nearly $1 million worth of shares before the company announced last year’s massive data breach.

Jun Ying, the former chief information officer of Equifax's U.S. Information Solutions, was allegedly entrusted with non-public information about the company’s breach before the news was disclosed to the public, the SEC said in a statement.

“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta regional office.

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit,” Best said.

Ying avoided more than $117,000 in losses by selling his shares before the stock price plunged after news of the breach was publicly announced. The US Attorney’s Office for the Northern District of Georgia is also filing criminal charges against Ying, the SEC said.

Largest breach in history

Nearly 150 million Americans were impacted by Equifax's data breach, making it the largest breach in history.

News of the breach was made public Sept. 7, but authorities say Equifax discovered suspicious activity on its network on July 29.

On Aug. 28, Ying allegedly used his confidential information to sell his shares before the news broke. He exercised all his available stock options and received 6,815 shares of Equifax stock, which he sold for more than $950,000 -- a total gain of more than $480,000, prosecutors said.

A federal judge has ruled that most of a lawsuit concerning Yahoo’s data breach, which exposed the personal information of all of its 3 billion users, can proceed.

Yahoo’s parent company Verizon Communications made an effort to get the claims tossed out by arguing that it had been the target of “relentless criminal attacks”, and the plaintiffs’ “20/20 hindsight” had not affected its efforts to eliminate “constantly evolving security threats.”

However, Judge Lucy Koh ruled against the argument.

“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” Koh wrote in her decision.

Slow to alert customers

The case centers around accusations that Yahoo took too long to notify users of the breaches. Koh said customers may have “taken measures to protect themselves” against identity theft and fraud had they known about the breaches sooner.

Three major data breaches hit the company between 2013 and 2016, but they were not disclosed until 2016.

Yahoo initially said one billion users were exposed by one hack and 500 million were exposed by another. Later, the company said it believed that all of its three billion users were affected by the data breaches.

By the time the breaches came to light, several customers had data stolen by criminals who  used it to file fraudulent tax returns or credit card charges. Scores of other customers had to freeze their credit and spend money on monitoring and protection services.

Claims made against Yahoo in the lawsuit include negligence and breach of contract.

People who dined at certain Applebee’s franchises sometime between November 2017 and January 2018 should pay extra attention to any suspicious activity on their credit cards.

RMH Franchise Holdings announced today that the computer system used by its Applebee’s stores was infected with malware, allowing hackers to access the names and credit card information of customers.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves,” RMH alerted customers in a press release.

RMH said it initially discovered the security breach on February 13. The company owns 167 Applebee’s restaurants across the country.

Cryptocurrency

Hacks involving Bitcoin or one of its many imitators are becoming a regular part of the news cycle. Financial regulators in Japan are now responding by cracking down on seven platforms where people trade cryptocurrency, including the popular application Coincheck, which is based in Japan but used by cryptocurrency traders worldwide.

Coincheck consumers lost an estimated $530 million to hackers in late January in what experts said was the largest cryptocurrency theft to date. The company’s CEO Yusuke Otsuka has promised that affected victims will be compensated.

In the United States, the SEC also released a warning on Wednesday about the security risks that online trading platforms pose.

Meanwhile, users of another cryptocurrency exchange called Binance recently became suspicious that they were being targeted by hackers. Affected individuals reported seeing bizarre discrepancies on their accounts via Reddit, which prompted a response from CEO Changpeng Zhao.. On Wednesday, he took to Twitter to say that “All funds are safe” and promised an investigation.

The announcement didn’t come soon enough for Bitcoin traders. Value of Bitcoin dipped below $10,000 this week, which Mashable reports is likely due to the Binance hack rumors and the SEC warning.