
Privacy

Recent Articles


Laser pointers can trick smart speakers into following voice commands

A team of researchers has found a vulnerability in the microphones of many popular smart speakers

Researchers from Tokyo and the University of Michigan have found that laser pointers are capable of “hijacking” smart speakers. 

In a paper titled “Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems,” the researchers said they found that voice-enabled devices could be tricked into following voice commands by beaming a laser at them. 

The team tested the effect of laser pointers on smart speakers that included Google Assistant, Apple Siri, and Amazon Alexa. They found that these devices interpreted the light of the laser as sound. 

“We have identified a semantic gap between the physics and specifications of MEMS (microelectro-mechanical systems) microphones, where such microphones unintentionally respond to light as if it was sound,” they wrote. “Exploiting this effect, we can inject sound into microphones by simply modulating the amplitude of a laser light.” 

Privacy threat

The effect produced “an attack that is capable of covertly injecting commands into voice-controllable systems” at distances of 230 to 350 away. In one instance, the team successfully commanded a Google Home device that was in a room in another building to open a garage door simply by shining a light that had the “OK Google” command encoded in it. 

The list of devices that were tested and found to be vulnerable to light commands includes Google Home; Google Nest Cam IQ; multiple Amazon Echo, Echo Dot, and Echo Show devices; Facebook's Portal Mini; the iPhone XR; and the sixth-generation iPad.

The researchers said they have already notified Tesla, Ford, Amazon, Apple, and Google about the weakness. They said that mitigating the flaw would require a redesign of most microphones. Lead author Takeshi Sugawara said one possible way to get rid of the vulnerability in microphones would be to create an obstacle that would block a line of sight to the microphone's diaphragm.


Report finds very little anonymity on the internet

Most websites track your browsing habits

If you’re doing anything online that you don’t want anyone to know about, you’re probably out of luck.

The Washington Post reports that a number of websites, from mainstream news outlets to porn sites, are using hidden code to run a check that finds out who you are. Turning on browsing features like “private browsing” may make no difference at all. In fact, having turned on a feature like “do not track” may make you more likely to be tracked, security experts say.

Some of these programs that track you online don’t appear to be that intrusive at first glance. The programs extract mostly innocent-looking data about your computer, such as your screen resolution or the version of the operating system your device is running.

It’s called “fingerprinting”: the web takes a snapshot of your browser and device. With this information, a program can know what sites you’ve accessed in the past and create profiles of your behavior. It’s one of the reasons that ads seem to follow you around on the internet.

The Post report says most of the sites it contacted said “fingerprinting” web users is now industry standard practice. But one analyst told the Post that “fingerprinting” is user-hostile, because web users who ask not to be tracked become even more valuable tracking commodities.

‘Growing threat’

According to the Post, Google, Apple, and Mozilla have all agreed that “fingerprinting” is a growing threat to consumers.

It’s not that websites you’ve visited have your name, address, or any other personal information about you in a database. It’s all a matter of putting information into a pattern.

As internet users access a website, the site’s code begins asking your computer for things that aren’t part of the usual process of pulling up a page. What operating system you’re running, what fonts you have installed, or what your address is on your internal network are all distinguishing characteristics.

If you have turned on “do not track” the site may take a special interest in you. Different websites use different data points to assemble your fingerprint, which is part of what makes it so hard to control. 

Some websites say they use fingerprinting to protect their customers. They contend that fingerprinting lets them improve online security, such as fighting attempts to use stolen credit cards or passwords.
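To make the “pattern” idea concrete, here is an added illustration (not code from the Post report or from any of the companies named) of how a few innocent-looking attributes combine into a near-unique identifier, and why an uncommon setting such as “do not track” shrinks the crowd a visitor hides in. The visitor records, attribute names and hash truncation are constructed for the example.

```python
"""Browser fingerprint uniqueness on a constructed population.

Added illustration: shows how screen size, OS, installed fonts and the
do-not-track flag combine into one identifier, and measures how many
visitors share each identifier (the "anonymity set"). All visitor records
below are constructed sample data, not real browser captures.
"""
import hashlib
import math
from collections import Counter

# Constructed population: each record is what a fingerprinting script could
# read from a browser. Only a minority have do-not-track ("dnt") enabled.
VISITORS = [
    {"os": "Windows 10", "screen": "1920x1080", "fonts": "Arial,Calibri,Verdana", "dnt": "0"},
    {"os": "Windows 10", "screen": "1920x1080", "fonts": "Arial,Calibri,Verdana", "dnt": "0"},
    {"os": "Windows 10", "screen": "1920x1080", "fonts": "Arial,Calibri,Verdana", "dnt": "1"},
    {"os": "Windows 10", "screen": "1366x768",  "fonts": "Arial,Calibri,Verdana", "dnt": "0"},
    {"os": "Windows 10", "screen": "1366x768",  "fonts": "Arial,Calibri,Verdana", "dnt": "0"},
    {"os": "macOS",      "screen": "2560x1600", "fonts": "Helvetica,Menlo",       "dnt": "0"},
    {"os": "macOS",      "screen": "2560x1600", "fonts": "Helvetica,Menlo",       "dnt": "0"},
    {"os": "macOS",      "screen": "2560x1600", "fonts": "Helvetica,Menlo,Fira",  "dnt": "0"},
    {"os": "Linux",      "screen": "1920x1080", "fonts": "DejaVu Sans,Liberation", "dnt": "0"},
    {"os": "Linux",      "screen": "1920x1080", "fonts": "DejaVu Sans,Liberation", "dnt": "1"},
]


def fingerprint(record, attributes):
    """Hash the chosen attributes into one stable identifier (what a tracker stores)."""
    material = "|".join(f"{k}={record[k]}" for k in attributes)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def anonymity_sets(population, attributes):
    """Map each fingerprint to how many visitors share it (size 1 = uniquely identified)."""
    return Counter(fingerprint(r, attributes) for r in population)


def entropy_bits(population, attribute):
    """Shannon entropy (bits) of one attribute across the population: roughly how
    much a tracker learns on average from reading just that attribute."""
    counts = Counter(r[attribute] for r in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def crowd_size(record, population, attributes):
    """How many visitors are indistinguishable from `record` once these
    attributes are combined. Smaller crowd = easier to follow around."""
    return anonymity_sets(population, attributes)[fingerprint(record, attributes)]


if __name__ == "__main__":
    base = ["os", "screen", "fonts"]
    print("entropy per attribute (bits):",
          {a: round(entropy_bits(VISITORS, a), 2) for a in base + ["dnt"]})
    for i, v in enumerate(VISITORS):
        print(f"visitor {i}: crowd without dnt = {crowd_size(v, VISITORS, base)}, "
              f"with dnt = {crowd_size(v, VISITORS, base + ['dnt'])}")
```

Visitor 2 shares its OS, screen and font list with two others, but is the only one of the three with do-not-track on; adding that one flag to the fingerprint drops its crowd from three to one, which is the analyst's point that asking not to be tracked makes you stand out.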


Google, YouTube hit with $170 million penalty for violating children’s privacy law

The video platform says it’s taking steps to address privacy concerns

Federal regulators have slapped Google’s YouTube platform with a $170 million penalty for pulling in millions of advertising dollars through the improper collection of children’s personal information. 

The settlement announced Wednesday requires that Google and YouTube pay $136 million to the Federal Trade Commission (FTC) and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA). 

“YouTube touted its popularity with children to prospective corporate clients,” wrote FTC Chairman Joe Simons. “Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”

New York Attorney General Letitia James said that the companies “put children at risk and abused their power” through illegally monitoring and tracking kids’ behaviors in order to serve them targeted ads. James noted that the settlement is “one of the largest settlements for a privacy matter in U.S. history.”

Settlement also requires reform

Under the settlement, Google and YouTube are also required to “develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform” in order to ensure compliance with COPPA.

Additionally, YouTube must “obtain verifiable parental consent” before collecting personal information from children.

YouTube said in a blog post that it’s working on developing ways to address the privacy concerns that have cropped up in conjunction with “a boom in family content and the rise of shared devices.” 

In the coming months, YouTube said it will be restricting data collection on videos likely to be watched by children and treating data from anyone watching children’s content on the platform as “coming from a child, regardless of the age of the user.” 

YouTube said it will also cease its practice of serving targeted ads on videos aimed at young audiences and turn off comments and notifications for those videos. The company has recommended that parents use its YouTube Kids app when letting children under 13 watch videos without adult supervision. 


YouTube may stop serving targeted ads on videos aimed at children

The site is trying to appease regulators following the FTC’s privacy violation charge

YouTube is considering putting an end to its practice of allowing “targeted” ads on videos that are more likely to be viewed by children, Bloomberg reports, citing people “familiar with the discussion.”

The video streaming platform was recently hit with a multimillion-dollar fine after the FTC found that it had violated children’s privacy laws by collecting data on children under the age of 13. It’s not clear if YouTube’s changes -- which, at this point, may or may not be implemented -- are a direct result of the settlement, Bloomberg noted.

Doing away with targeted ads on videos aimed at children could have a significant impact on YouTube’s ad revenues. An industry analyst cited in the report said the platform could lose as much as 10 percent of its overall intake from kids’ videos, which works out to about $50 million annually. 

However, this solution would be much smaller in scale than other proposed ways of complying with regulators. Last year, a coalition of advocacy groups suggested that the FTC require YouTube to migrate all of its kids’ content to its YouTube Kids app. FTC chairman Joseph Simons has suggested the possibility of disabling ads on videos likely to be watched by children. 

Tracking still an issue

Google hasn’t commented on YouTube’s reported decision to stop serving targeted ads on kids’ videos, and it’s still unclear how YouTube would determine which videos would count as kids’ videos. 

Complainants have argued that the move would be hard to enforce. Josh Golin, from the Campaign for Commercial-Free Childhood, noted that shutting off the ad-targeting feature for select kids’ videos doesn’t mean YouTube will stop tracking their web habits. 

“Is Google still going to be collecting all the data and creating marketing profiles?” he asked Bloomberg. “That wouldn’t be satisfactory either.”


New York City bill would ban sales of mobile location data

Companies wouldn’t be allowed to share users’ location info without their explicit permission

A bill introduced Tuesday would make it illegal for cell phone and app companies to sell the location data of users in New York City, the New York Times reports.

Companies that break the law would be subject to a steep fine. Additionally, users within city limits would be legally allowed to sue companies that share their data without permission. 

The Times notes that the bill is likely to face resistance from telecommunications companies because selling location data generates billions of dollars annually. But proponents of the bill say its passage would represent a small step toward mitigating the privacy concerns that stem from the practice of location data sharing.

Reining in data sharing

Currently, no law prohibits U.S. companies from selling location data. Earlier this year, FCC Commissioner Geoffrey Starks called for federal action to put an end to the practice. In an op-ed for the New York Times, Starks expressed frustration over the fact that the FCC has yet to use its authority to crack down on the practice of data sharing. 

If passed, the bill proposed Tuesday would make New York City the first to establish its own set of location data rules. 

Calling the behavior of selling location data a “dangerous breach of privacy,” Democratic City Council member Justin Brannan said New York City can “lead the way” in banning the practice.

“Big telecom companies are making millions $$ by selling our location data without our knowledge -- forget about even asking our permission,” he said on Twitter. “It's time to put an end to Big Brother Big Business. And if the federal gov won't do it, NYC will.” 


NSA unlawfully collected additional call data last year

The latest over-collection incident happened in October

The National Security Agency (NSA) improperly collected phone call data just a few months after assuring the public that the glitch that had previously caused it to do so had been fixed, according to documents obtained by the American Civil Liberties Union (ACLU). 

The agency’s first erroneous record-collection incident happened last May. Upon realizing its mistake, the NSA said it deleted more than 600 million of the call records it had collected from phone companies in error. Now, the ACLU has found that another over-collection incident occurred in October 2018.

In its report, the ACLU said the NSA obtained information about U.S. consumers’ phone calls in a manner not authorized under section 215 of the Patriot Act. 

The report said the agency unlawfully collected call record data three times in total: in November 2017, February 2018, and October 2018. The third violation suggests the underlying problem wasn’t mitigated in the first place, or perhaps that the NSA faced new problems that caused the issue to happen again.

“These documents further confirm that this surveillance program is beyond redemption and a privacy and civil liberties disaster,” Patrick Toomey, staff attorney with the ACLU’s National Security Project, said in a statement. “The NSA’s collection of Americans’ call records is too sweeping, the compliance problems too many, and evidence of the program’s value all but nonexistent. There is no justification for leaving this surveillance power in the NSA’s hands.”

NSA responds

In a statement acknowledging its persistent over-collection problem, the NSA said the technical issues to blame for the earlier incidents were fixed. However, it found additional “data integrity and compliance concerns caused by the unique complexities of using company-generated business records for intelligence purposes.”

“Those data integrity and compliance concerns have also been addressed and reported to NSA’s overseers, including the congressional oversight committees and the Foreign Intelligence Surveillance Court,” the agency added.

The NSA is now considering shutting down its call data collection system because it “is now viewed by many within the intelligence community as more of a burden than a useful tool, in part due to the compliance issues,” the Wall Street Journal reported. 


Facebook’s research app collected data on 187,000 users

The company says 4,300 of that total were U.S. teens

Facebook says its discontinued research app collected data from about 187,000 users who were paid $20 a month to allow the social media company to observe how they used their phones.

The app made news earlier this year when Apple blocked Facebook from offering the app to iPhone users. At the time, Facebook said its users were paid for their participation, it never tried to hide the program, and none of the information was shared.

In a letter to members of Congress, Facebook disclosed it had collected data from 31,000 users in the U.S., 4,300 of whom were teenagers. The rest were consumers who lived in India.

At the time, Facebook said the app was part of an effort to help the company better serve its users.

“Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate,” a spokesperson said at the time.

The information may or may not be relevant to the current debate about Facebook’s size and scale, and whether it is a monopoly in need of regulation. The company has defended its discontinued research app as transparent and non-intrusive.

New research app

This week, Facebook released a new Android app, available to users who are at least 18 years old. Facebook says users who download the app will agree to let Facebook analyze the apps on the phone, looking at how much they are used and the device or network that is being used.

The company says users who agree to participate will still receive compensation for sharing their data and can leave the program at any time.

As for the new research app, at least one lawmaker thinks it is an ill-conceived move. Sen. Richard Blumenthal (D-Conn.) told CNET he thinks Facebook should be emphasizing consumer privacy.

"At a time when the company is under investigation for its data practices and anti-competitive actions, the Facebook Study app is at best tone-deaf and ill-considered," Blumenthal told CNET.

Facebook and other tech giants have come under closer government scrutiny in recent weeks and could face antitrust action. For its part, Facebook is attempting to settle a Federal Trade Commission action over its handling of user data.


Is your cell phone provider selling your location to the highest bidder?

Democrats claim there is a ‘black market’ in phone-location data

Federal Communications Commission (FCC) Chairman Ajit Pai was grilled this week about the alleged sale of phone-location data to entities with no clear rights to possess it.

Appearing before a House committee, the FCC chairman got a scolding and a warning that “lying to Congress is a federal crime.” Rep. Anna Eshoo (D-Calif.) warned Pai that what he told the panel was at odds with what she had heard elsewhere.

Eshoo aimed pointed questions at Pai asking for details about what she had heard was an FCC probe into the apparently illegal sale of phone-location data to third-party individuals and organizations.

The Congressional inquiry appeared to expose an intensely partisan divide within the FCC, where Republicans hold three seats and the Democrats control two. Democrats on the FCC board contend there is a “black market” in data that is being used to erode consumers’ privacy protections.

Democratic lawmakers accused Pai of withholding information from their party members. During the hearing, Pai was noncommittal about whether he would share basic information about the investigation with the FCC’s two Democratic commissioners, Jessica Rosenworcel and Geoffrey Starks.

Not aware of requests for information

Pai said he had never withheld information from Democratic FCC commissioners. He said he was not aware of requests for information made by the Democratic commissioners.

Pai said that in February, just after Starks had joined the FCC, he had offered the new commissioner control of the investigation into how location data was being used. He said the Democrat had turned down the offer.

Consumers’ location data is extremely valuable knowledge. Advertisers pay handsomely for it because they have found if they can target an advertisement to a consumer who is close to the client’s location, that person is much more likely to become a customer.

But critics say location information, in the wrong hands, could be dangerous. The technology site Motherboard reports it gave a bounty hunter $300 to track someone’s cell phone and he was able to pinpoint their location within a quarter-mile.

If a law enforcement agency wants to track the location of a criminal suspect, it must get legal authorization. Last year the Supreme Court ruled 5-4 that law enforcement must obtain a search warrant to get access to cell phone location information.


FEMA wrongly shared personal information of millions of disaster survivors

The agency has acknowledged the situation as a ‘major privacy incident’

The Federal Emergency Management Agency (FEMA) inappropriately shared the personal information of more than 2 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.

The agency said it “provided more information than was necessary” while transferring survivor information to a third-party contractor that helps provide temporary housing to people affected by disasters under the Transitional Sheltering Assistance program.

“We believe this oversharing has impacted approximately 2.5 million disaster survivors,” an unnamed Department of Homeland Security official told the Washington Post.

Vulnerable to identity theft and fraud

The error was recently discovered by the Department of Homeland Security’s Office of Inspector General and detailed in a report dated March 15. Individuals who had personal data shared could be vulnerable to identity theft and fraud, the Inspector General report said.

However, FEMA has said that it’s “found no indicators to suggest survivor data has been compromised” and that it has taken “aggressive measures” to correct the error.

“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” FEMA Press Secretary Lizzie Litzow said in a statement.

The name of the contractor who wrongly received the information hasn’t been released, but the agency said it "worked with the contractor to remove the unnecessary data from the system."

“FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters,” Litzow said.


Health apps ‘routinely’ share user data, posing privacy risks

A new study finds 79 percent of apps share consumer data with third parties

Among health-related apps, the practice of sharing user data is “routine” and legal -- however, the lack of transparency about the practice puts consumers’ privacy at risk, the authors of a new study claim.

The study looked at 24 popular, interactive medicine-related apps for Android devices. Of the apps sampled, 19 (or 79 percent) shared user data with third parties, which then shared it with "fourth parties."

"Most health apps fail to provide privacy assurances or transparency around data sharing practices," said lead author Quinn Grundy.

Lack of informed consent

First and third parties shared the most user information with Amazon and Alphabet (the parent company of Google), with 24 unique transmissions.

“Fourth parties” -- which included multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency -- received the most unique user data. Only three of the 216 fourth parties were identified as belonging to the health sector.

The researchers point out that the identity of a user could be uncovered by looking at certain pieces of data, such as their device’s unique address.

"The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user," the study authors wrote.

The findings suggest a need on the part of privacy regulators to “consider that loss of privacy is not a fair cost for the use of digital health services," Grundy said.

Health professionals "should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” the researchers concluded.

The full study has been published online in the BMJ.


Seatback cameras give airlines the ability to watch passengers

Airlines say the cameras on the new entertainment systems aren’t turned on

Whether you’re at home or cruising at 30,000 feet you could be in the range of a microphone or camera. Even if someone isn’t watching or listening, they could be.

The latest potential encroachment on consumers’ privacy is contained in a new entertainment system being installed on major airlines. At least three major carriers -- American, United, and Singapore Airlines -- have installed new seatback entertainment systems that contain a camera.

The camera was discovered by an observant passenger on a Singapore Airlines flight who tweeted: “Just found this interesting sensor looking at me from the seat back on board of Singapore Airlines. Any expert opinion of whether this a camera? Perhaps @SingaporeAir could clarify how it is used?”

It turned out to be a camera. But why would an entertainment system on an airliner be equipped with a camera?

According to American Airlines, there’s an innocent explanation. The manufacturer of the equipment has included the capability for passengers in different parts of the plane to video chat with each other.

Cameras aren’t turned on

All three airlines told the British newspaper The Independent they’ve never activated the seatback cameras and don’t plan to in the future. Even so, travelers on those three airlines might feel a little better if they carry a piece of tape on board the flight and place it over the lens.

Consumers who have purchased smart speakers for their homes have gotten used to the idea that the speaker also has ears and is always listening. As we reported in 2017, hackers have found a way to exploit a vulnerability in the Amazon Echo that can turn it into a live microphone.

Researcher Mark Barnes said at the time that the attack is limited because it requires physical access to the device. However, he pointed out that product developers shouldn’t take it for granted that customers won’t expose their devices to uncontrolled environments.

Just forgot to mention

Just last week, Google Nest Secure users were surprised to learn that the home security system has a built-in microphone which had not been disclosed in any of the product literature. The company said that it was not trying to keep the microphone a secret, it just neglected to mention it.

As for the cameras on airplanes, it is possible that more carriers will have the seatback cameras if they install the new entertainment system on their aircraft. You can locate the camera lens by looking directly below the video screen. It is a small circular lens in the middle of a larger circle.


Google Nest Secure users were surprised to learn it has a built-in microphone

The tech giant said it wasn’t a secret, it just forgot to mention it

Google Nest is a system of smart home products that can control thermostats, smoke detectors, and security systems. But it turns out the Nest Secure product has a built-in microphone, which was news to the consumers who had purchased it.

That information came to light earlier this month when the company announced an update for Nest Secure that would allow users to enable its virtual-assistant Google Assistant by using voice commands.

But Nest users were surprised to learn they could do that since they didn’t know there was a microphone connected to Nest Secure. Various technology publications scanned the product’s technical specs and found no mention of a microphone.

Omission made in error

In statements to the media, Google officials said the omission was made in error. The company said there was never any attempt to keep the microphone a secret.

It also said that the microphone comes from the factory in the off position. It can only be turned on if the user enables it, and if the user was unaware of its existence, the microphone was not listening to private conversations.

Why even have a microphone? Google says it was originally included on the Nest Guard to enable future updates, like the ability to listen for an intrusion into an otherwise unoccupied home.

“Security systems often use microphones to provide features that rely on sound sensing,” Google said in a statement. “We included the mic on the device so that we can potentially offer additional features to our users in the future, such as the ability to detect broken glass.”

Scrutiny over privacy

Even if it’s an innocent omission, the news that Google failed to mention that one of its security devices has a built-in microphone is sure to ruffle privacy feathers. Google, along with other major tech companies, has come under increasing scrutiny for how it manages consumers’ private data.

For its part, Google has long maintained that the internet is all about transparency. CEO Eric Schmidt famously remarked in 2009 that people who have things they don’t want people to know probably shouldn’t be doing them in the first place.

Writing in Fortune in 2017, Joseph Turow, a professor at the University of Pennsylvania’s Annenberg School for Communication, maintained that “Google still doesn’t care about your privacy.”

Turow said the bargain whereby consumers agree to give up personal information in exchange for seeing only relevant ads is a one-sided deal, suggesting that consumers have little understanding of what they’re giving up.


Facebook pays users to give it access to their cell phone data

The company denies it tried to hide the program

Facebook is defending an app that allows it to access users’ smartphone data, saying people were paid for that access and that none of the data was shared.

A report by technology site TechCrunch says Facebook pays users between the ages of 13 and 35 up to $20 a month to install the app, called Facebook Research. The report said the app is similar to the social media giant’s Onavo Protect app that was discontinued in August after Apple declared it violated its privacy policy.

The TechCrunch report maintains that the app gives Facebook a massive amount of information about the participating users’ online lives, including social media messages, emails, and what they looked at online.

Facebook has not issued a formal statement, but it has defended the program and declared it was not trying to keep it a secret in various comments to media outlets. The company says it invites people to take part in research so that it can do things better.

“Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate,” a spokesperson told CNBC.

No longer available on the iPhone

Because of potential issues with Apple’s privacy policy, Facebook is withdrawing the app from iOS phones, but it will continue to be available for Android users.

Privacy has been a thorn in Facebook’s side for the last 10 months. In March, the government opened an investigation into Facebook privacy issues after the company revealed that a political marketing firm, Cambridge Analytica, had gained unauthorized access to Facebook user data and used it for political advertising in 2016.

That revelation highlighted the issue of what data big tech collects and how it is used, and it garnered the attention of both U.S. and European regulators.

In May, Europe enacted stringent privacy protections, called the General Data Protection Regulation (GDPR), and Facebook was among the early U.S. tech companies that announced plans to comply with the new set of privacy rules.


Researcher patents cloaking technology to hide your location from apps

Unfortunately, none of the mobile providers are offering it to their customers

You check your phone for the weather forecast. You search for a good Thai restaurant. When you do, you give up small pieces of data about your location. It’s data that helps the apps give you the requested information, but it is also collected by the apps and sold to marketers.

Consumers who make repeated use of apps are giving up a lot of information, warns Ying Cai, an associate professor of computer science at Iowa State University. He’s been thinking about the issue for years, noting that it’s only gotten worse with time.

Many of these apps are useful tools, but is the price of using them giving up even more of our privacy? Cai doesn’t think so; he has developed a cloaking technology that he says will allow consumers to continue using these popular apps without providing so much data.

Working through his university, Cai has received two patents for his location-cloaking technology. He says the technology will let consumers use mobile apps and stay relatively anonymous.

Not yet available to consumers

So far, cellular providers haven’t offered the technology to their customers, but Cai is hoping consumer demand will lead to his first sale as privacy becomes a growing concern.

“Privacy is a big issue. We can all agree on this,” Cai said. “If customers ask about cloaking technology and service providers realize location privacy is critical to customers, providers may see the value and offer this service.”

Here’s how it works: the technology walks that fine line between providing a location to the app that is as precise as possible, but just short of being too precise. For example, the app won’t know you are at the intersection of 3rd and Main Street, only that you’re in a big box store in the 300 block of Main.

Cai says the size or traffic of a particular revealed location will vary based on the user’s comfort level. He compares it to being treated by a doctor and selecting a pain threshold on a scale of one to five.

Making it difficult to track you

The big box store has a certain traffic volume that makes it difficult to track a single individual at any given time. Whenever a user wants to report their location, their service provider will select an appropriate region to report.

“That way, every time you report your location, you make sure it cannot be linked to people who were there at the time when the location was reported,” Cai said. “This gives you protection from the time dimension, which is important.”

It’s not as cloak-and-dagger as it sounds. When you repeatedly use current location-tracking apps, you’re giving the apps a trajectory that makes it possible to identify you as an individual.

That’s a problem, Cai says, because it allows people you don’t know to learn too much about you -- not just your location, but what your location says about you.
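The region-selection idea described above, worked through as an added example; this is not Cai's patented method or any code from Iowa State, and the comfort-level-to-k mapping, the grid sizes and the positions of other users are all constructed for the illustration. The user's precise point is replaced by the smallest grid cell that, at the moment of the report, holds at least k other people, and the provider withholds the report entirely when no cell is busy enough.

```python
"""Location cloaking by region selection, in the spirit of the scheme above.

Added example written for this page; it is not Cai's patented method or code.
A precise position is replaced by the smallest cell in a hierarchy of square
grid cells that, at report time, holds at least k other people, so the report
cannot be tied back to one individual. Coordinates are metres in a local
planar frame; the other users' positions below are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    level: int      # 0 = finest cell; each level doubles the cell edge
    x0: float
    y0: float
    size: float
    occupants: int  # other users inside the cell when the report was made

    def contains(self, x, y):
        return self.x0 <= x < self.x0 + self.size and self.y0 <= y < self.y0 + self.size


# User's comfort level (1 = least private, 5 = most private), mapped to the
# minimum number of other users that must share the reported region.
# The mapping is an assumption of this example.
COMFORT_TO_K = {1: 2, 2: 5, 3: 10, 4: 25, 5: 50}


def cell_at(x, y, level, base):
    """The grid cell of the given level that contains (x, y)."""
    size = base * (2 ** level)
    return Region(level, math.floor(x / size) * size, math.floor(y / size) * size, size, 0)


def cloak(x, y, others, comfort, base=50.0, max_level=8):
    """Return the smallest cell around (x, y) holding >= k other users.

    `others` are the positions of other people at the moment of the report,
    which is what gives protection in the time dimension: the region is
    chosen against who is there now, not against a static map. Returns None
    when even the coarsest cell is too sparse; the client should then not
    report at all rather than fall back to the precise point.
    """
    k = COMFORT_TO_K[comfort]
    for level in range(max_level + 1):
        cell = cell_at(x, y, level, base)
        n = sum(1 for ox, oy in others if cell.contains(ox, oy))
        if n >= k:
            return Region(cell.level, cell.x0, cell.y0, cell.size, n)
    return None


# Constructed snapshot of other users' positions (metres) at report time.
OTHER_USERS = [
    # three people in the same 50 m cell as the user
    (1210, 860), (1240, 880), (1205, 895),
    # six more in the enclosing 100 m cell
    (1260, 820), (1290, 810), (1270, 860), (1220, 810), (1280, 890), (1255, 845),
    # two more in the 200 m cell, one more in the 400 m cell
    (1350, 950), (1310, 930), (1500, 1100),
    # fifteen people elsewhere in the 1600 m cell
    (100, 100), (150, 200), (200, 300), (250, 400), (300, 500), (350, 600),
    (400, 700), (450, 800), (500, 900), (550, 1000), (600, 1100), (650, 1200),
    (700, 1300), (120, 1400), (180, 1500),
]


if __name__ == "__main__":
    x, y = 1230.0, 870.0  # the user's precise position (constructed)
    for comfort in range(1, 6):
        r = cloak(x, y, OTHER_USERS, comfort)
        if r is None:
            print(f"comfort {comfort}: too few people nearby, withhold location")
        else:
            print(f"comfort {comfort}: report {r.size:.0f} m cell at "
                  f"({r.x0:.0f}, {r.y0:.0f}) shared with {r.occupants} others")
```

With the constructed snapshot, comfort level 1 reports the 50 m cell (three others), level 2 the 100 m cell (nine), level 3 the 200 m cell (eleven), level 4 jumps to the 1600 m cell (27), and level 5 finds no cell with 50 people and withholds the report. The refusal case matters: a scheme that silently falls back to the precise point when the area is empty leaks the most in exactly the situations where a single user is easiest to identify.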


Los Angeles sues Weather Channel app over privacy issues

The suit claims consumers’ location data is being sold to advertisers without consent

Millions of consumers use the Weather Channel’s app to keep up with their local weather conditions, but a suit filed by the City of Los Angeles claims the app is keeping up with you.

In a suit filed late last week, the City of Los Angeles claims the company that owns the Weather Channel is manipulating users into activating location tracking by suggesting the information would only be used to provide specific weather forecasts. The suit charges that information is also used to help advertisers better target consumers.

As it turns out, knowing where individuals are at any given moment is very valuable. For example, advertisers use that information to target a consumer when he or she is near their place of business.

The City of Los Angeles lawsuit claims the Weather Channel has sold data collected from its app to companies that mine this sort of data. Citing an article in the New York Times the city said at least 75 companies collected precise location data using information obtained through the app.

The suit charges that consumers weren’t adequately informed of this arrangement. It said the notices supplied by the app failed to provide complete details about how their data would be shared and used. The suit claims incomplete messages like that are “fraudulent and deceptive” and violate California’s Unfair Competition Law.

Tech industry crisis

The suit strikes at the heart of a crisis the technology industry is now facing. Since Facebook revealed in March that user data had been unlawfully used by a political marketing firm, big tech firms have been in a defensive posture and under increasing regulatory pressure.

As the annual Consumer Electronics Show (CES) gets underway this week in Las Vegas, Apple addressed the issue head-on in a billboard, declaring “What happens on your iPhone stays on your iPhone.”

“If the price of getting a weather report is going to be the sacrifice of your most personal information about where you spend your time day and night, you sure as heck ought to be told clearly in advance,” Michael Feuer, the Los Angeles city attorney, told the Times.

A spokesman for IBM, which owns the Weather Channel app, said the company has always been transparent in its use of personal data. He said the company will vigorously defend the lawsuit.


Britain raises new privacy concerns about Facebook

Social media company pushes back against 'selective leaks'

Facebook finds itself once again in the crosshairs as a British parliamentary group released company documents showing the social media giant used member data to help friends and punish rivals.

A British parliamentary committee released emails that focus on how Facebook operated during the period of its most rapid growth, from roughly 2012 to 2015. The documents show that Facebook executives considered member data to be their most prized commodity and used it to profit from its accumulation.

The documents also show that CEO Mark Zuckerberg and COO Sheryl Sandberg were intensely involved in decisions that had the objective of keeping members as engaged on the site as possible.

In one series of emails, Zuckerberg raised the prospect of charging developers for access to user data in an agreement to obtain user data from the developers.

“It’s not good for us unless people also share back to Facebook and that content increases the value of our network,” he wrote. “So ultimately, I think the purpose of (the) platform — even the read side — is to increase sharing back into Facebook.”

User data issues

Facebook has been wrestling with user data issues since March when it revealed that user data was unlawfully transferred to a political marketing firm, which used it in the 2016 U.S. presidential election. Facebook has said it was slow to respond to that issue but has since increased user data safeguards.

Facebook had taken steps to keep the documents private. Those materials have been under a court-ordered seal as part of a lawsuit in California involving Facebook and an app developer.

In a statement Wednesday, Facebook said the documents were selectively leaked to "suggest things that are false." The company says the documents don't tell the full story.

Congressional response

Sen. Edward Markey (D-Mass.), a frequent Facebook critic, said it should not be up to Zuckerberg and other Facebook executives to decide who has access to user information.

"When he testified before Congress, Mark Zuckerberg repeatedly insisted that Facebook does not sell its users’ data," Markey said. "We now know, however, that Facebook executives discussed requiring companies to buy digital advertisements in order to access users’ personal information."

Markey says if there is any evidence of a pay-for-data model it would "fly in the face" of the statements Facebook has made to Congress and the public.


Facebook bug allowed websites to see users’ likes and interests

The company has patched the bug and says it hasn’t seen the bug exploited

Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users’ profiles without them knowing about it.

The bug was first discovered in May by Ron Masas, a security researcher at Imperva. Masas found that Facebook search results were not sufficiently protected from cross-site request forgery attacks, meaning bad actors could have used an iFrame to extract data from a logged-in Facebook profile in another tab.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” Masas told SiliconANGLE.

Masas said the bug allowed websites to see the user’s interests as well as their friends' interests, even if their privacy settings were set to allow only friends to see their interests.
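The class of problem Masas describes is a third-party page loading an authenticated endpoint in an iframe and inferring data from it. The standard server-side defences are to refuse such requests using the browser's Fetch Metadata headers (with Origin/Referer as a fallback for older browsers) and to forbid framing of private responses outright. The following is an added example of those checks written for this section; it is not Facebook's fix and not Imperva's research code, and the origin, header values and endpoint are constructed.

```python
"""Refuse cross-site framing of a private, authenticated endpoint.

Added example for this section, not Facebook's or Imperva's code. The request
headers come in as a plain dict (constructed); SITE_ORIGIN is a made-up
origin standing in for the site that owns the private data.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://social.example"  # constructed: our own origin

# Browser destinations that mean "some other document is embedding us".
EMBEDDING_DESTS = {"iframe", "frame", "embed", "object"}


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased; None if it has no authority."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def decide(headers):
    """Return (allowed, reason) for a request to a private data endpoint.

    Fetch Metadata (Sec-Fetch-Site / Sec-Fetch-Dest) is set by the browser and
    cannot be altered by page script, so it is checked first. Browsers that do
    not send it fall back to Origin, then Referer; with no origin information
    at all the endpoint fails closed, which is the right default for data that
    is only meant for the logged-in user.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    dest = h.get("sec-fetch-dest")
    if site is not None:
        if site in ("same-origin", "none"):
            # Our own pages, or a navigation the user typed/bookmarked.
            return True, f"fetch-metadata: site={site}"
        if dest in EMBEDDING_DESTS:
            return False, "cross-site framing of a private endpoint"
        # "same-site" (a sibling subdomain) is also refused for private data.
        return False, f"cross-site request (site={site}, dest={dest})"
    for name in ("origin", "referer"):
        if name in h:
            if origin_of(h[name]) == SITE_ORIGIN:
                return True, f"{name} matches own origin"
            return False, f"{name} is from another origin"
    return False, "no origin information; failing closed"


def private_response_headers():
    """Headers every private response should carry: no framing by other
    origins (CSP, with X-Frame-Options for older browsers) and no caching,
    so a cached copy cannot be replayed into another browsing context."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed requests: a hostile page framing the endpoint, our own page,
    # and an old browser that only sends Referer.
    samples = [
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "iframe"},
        {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Dest": "empty"},
        {"Referer": "https://attacker.example/page"},
        {"Referer": "https://social.example/search?q=x"},
        {},
    ]
    for s in samples:
        allowed, reason = decide(s)
        print("allow" if allowed else "deny ", reason)
```

The two layers are complementary: the `frame-ancestors` response header stops the browser from rendering the page inside a foreign frame at all, while the request-side check stops the server from doing the work (and returning a user-specific response) in the first place. Failing closed when no origin information is present is a deliberate policy choice for a private endpoint; a public endpoint would instead allow by default.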

One of many security issues

Facebook said it fixed the bug within days of being alerted to it. The company says it hasn’t seen the vulnerability be exploited for malicious purposes.

“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

The data vulnerability is among several others to have affected Facebook recently. It follows the Cambridge Analytica scandal, in which a political data firm improperly harvested information on 87 million users to use for election profiling.

More recently, Facebook admitted that millions of user account tokens had been stolen by hackers who breached its system.


Tim Cook calls for stricter digital privacy regulations

Apple’s CEO says the crisis of data collection is real and ‘should unsettle us’

During a speech given at a privacy conference in Brussels on Wednesday, Apple’s chief executive Tim Cook called for stricter digital privacy laws, saying consumers’ personal information is being "weaponized against us with military efficiency."

Cook, who didn’t specifically call out any major tech companies, said technology and the business of selling ads targeted to users has created a "data industrial complex” that is affecting individuals and entire societies.

"We shouldn't sugarcoat the consequences. This is surveillance,” Cook said in an impassioned keynote address at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC). “And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us very uncomfortable. It should unsettle us."

Companies hoarding personal data

Although Cook didn’t mention Facebook or Google by name, his comments come on the heels of several massive data breaches like the Cambridge Analytica scandal, in which the information of 87 million users was “improperly shared” to profile voters.

"Every day, billions of dollars change hands, and countless decisions are made, on the basis of our likes and dislikes, our friends and families, our relationships and conversations. Our wishes and fears, our hopes and dreams," Cook said. "These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded, and sold."

"Your profile is then run through algorithms that can serve up increasingly extreme content, pounding our harmless preferences into hardened convictions," Cook said.

Called for new privacy laws

Apple’s CEO praised the "successful implementation" of the EU’s new data privacy law, GDPR. He said U.S.-based companies should consider implementing similarly stringent privacy regulation laws.

“This crisis is real. It is not imagined, or exaggerated, or crazy,” he said during the keynote. “And those of us who believe in technology's potential for good must not shrink from this moment.”

He said Apple would fully support the introduction of a “comprehensive federal privacy law in the United States.”

“There, and everywhere, it should be rooted in four essential rights," Cook added. Consumers should have the right to have personal data minimized, the right to knowledge, the right to access, and the right to security, he said.


Facebook may acquire a ‘major’ cybersecurity firm

Sources familiar with the company’s plan say the acquisition could happen by the end of the year

In the wake of a series of highly publicized data breaches, Facebook is reportedly looking to beef up its security defenses by acquiring a major cybersecurity firm.

Sources with knowledge of the matter told The Information that the company has already offered deals to “several” security firms, but the sources stopped short of naming which companies Facebook has expressed an interest in acquiring.

Facebook wants to close the deal by the end of this year, according to the report.

Preventing another hack

The purchase would enable the company to buy software that could be integrated with Facebook’s existing services. The software could give it access to security tools, such as tools for automatically detecting hacking attempts or securing users’ accounts.

A large acquisition like this would also help increase the company’s trustworthiness in the eyes of consumers, investors, and government regulators by showing that it’s taking the issue of data security seriously.

Word of Facebook’s goal of acquiring a cybersecurity firm comes nearly a month after the company announced that hackers had stolen access tokens for 30 million accounts.

Earlier this year, CEO Mark Zuckerberg was called upon to testify before Congress following the Cambridge Analytica scandal in which the information of 87 million users was “improperly shared” to profile voters. At the hearing, Zuckerberg answered questions related to the privacy policies of the social networking platform.

“We were too slow to spot and respond to Russian interference, and we’re working hard to get better,” Zuckerberg said in a statement at the time.

“Our sophistication in handling these threats is growing and improving quickly. We will continue working with the government to understand the full extent of Russian interference, and we will do our part not only to ensure the integrity of free and fair elections around the world, but also to give everyone a voice and to be a force for good in democracy everywhere.”


Facebook provides new details about latest security breach

Social media giant says fewer users were impacted than first reported

Facebook now says 30 million users -- not the 50 million, as originally reported -- had their login tokens compromised in a breach discovered last month.

The tokens for those 50 million users, plus an additional 40 million, were reset as a precaution.

In a security update, Facebook said its investigation found that unknown hackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The flaw that allowed the attackers to get in involved Facebook's "View As" feature, which allows users to see what their profile looks like to other members.

The interaction of three different software bugs allowed the hackers to steal access tokens, in effect allowing them to access the corresponding accounts. The tokens work like digital keys that keep users logged in to Facebook so they don't have to repeatedly enter their username and passwords.

Spike in activity

In the security update, Facebook reported that the attack was revealed when engineers saw an unusual spike in activity that started on September 14.

"On September 25, we determined this was actually an attack and identified the vulnerability," the company said. "Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed."

As a precaution, Facebook turned off “View As” and said it is working with the FBI to determine the parties that might be responsible for the attack.

While fewer Facebook users were affected than first reported, Facebook has revealed the extent of compromised information was greater for some than for others.

Exposed data

Attackers accessed two sets of information on about 15 million users. It included name and contact details such as email and phone number.

For another 14 million users, the attackers accessed additional information that was included in their profiles, such as username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, and the last 10 places they checked into or were tagged in.

For 1 million users, Facebook has determined that the attackers did not access any information. Facebook users concerned about this breach can determine whether they were affected by visiting the Facebook help center.

Facebook's update follows criticism from Ireland's Data Protection Commission (DPC), which enforces privacy regulations for the European Union (EU). At the time, the agency complained that Facebook's initial disclosure of the breach was light on details.


Facebook's latest data breach could be costly

European fines could exceed $1 billion

Facebook's data breach, disclosed last week, will likely be costly for the social media giant as European privacy regulators demand answers.

On Friday, Facebook announced that a security breach compromised about 50 million login credentials but said the issue had been resolved. But Europe has the world's toughest privacy rules and the European Union could impose fines that – by some estimates – could be in excess of $1 billion.

Ireland's Data Protection Commission (DPC) complained that Facebook's initial disclosure of the breach was light on details. The DPC said Facebook appears unable to tell users the extent of the risk they face.

The DPC said it wants answers from Facebook and those replies will determine whether there will be fines and how much they are. Later, the commission tweeted that Facebook had begun to fill in some blanks.

“Facebook issued a blog on Friday last indicating that 50 million accounts were potentially affected by a security issue,” the agency wrote. “We understand that the number of EU accounts potentially affected is less than 10 percent of that. Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”

General Data Protection Regulation

The EU's General Data Protection Regulation took effect in May and imposes heavy penalties on companies found to be in violation of it. Offenders can be required to pay $23 million or 4 percent of the previous year's international revenue. Under that formula, Facebook could face a fine in excess of $1 billion.

This isn't the first time Facebook has had to deal with a privacy issue. It faced a harsh backlash in March, when it revealed that personal information on millions of users had fallen into the hands of a political marketing firm.

In that case, there was no breach of its system. A third-party app developer had been granted access to the data but was not allowed to give it to anyone else. Facebook said the developer then sold the data to Cambridge Analytica, a political marketing firm.

At its developer conference in May, Facebook reaffirmed its commitment to protecting user data. CEO Mark Zuckerberg said the company would take a “broader view” of its responsibility to protect users' privacy.


Hackers get access to 50 million Facebook accounts

The company says it has reset the affected login credentials

Facebook reports hackers breached its system and gained access to some 50 million login credentials, in effect giving them access to the accounts.

The breach was uncovered three days ago when it was found that attackers exploited a vulnerability in the platform's "View As" code, a feature that allows users to see what their profile looks like when another person is accessing it.

"This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts," Facebook said in a security update. "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."

The social media giant says its engineers have reset the affected access tokens. Affected users will not have to take any action, except they will have to re-enter their username and password the next time they log in to their account.

Another 40 million accounts reset as a precaution

In addition to the 50 million users whose tokens were compromised, another 40 million had their tokens reset as a precaution. Facebook said they had been subject to a “View As” look-up in the last year.

"As a result, around 90 million people will now have to log back into Facebook, or any of their apps that use Facebook Login," the company said. "After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

Meanwhile, Facebook said it is temporarily turning off the "View As" feature while it conducts a security review.

Facebook said it has not determined whether any of the compromised accounts were misused or if hackers accessed any information.

The company has been under pressure for much of the year on privacy issues. In March it revealed that a third party firm sold personal information on millions of users to a political marketing firm, in violation of its terms of service.

Google is fighting back against efforts to expand 'right to be forgotten' rules

The search engine is arguing that applying the rule globally could infringe on people’s right to expression

In May 2014, the European Court of Justice implemented the “right to be forgotten” rule for internet users, allowing consumers to request that any information about themselves be de-listed from search results.

Four years later, the ruling has resurfaced as Google finds itself in a battle with France’s data protection agency -- the Commission nationale de l'informatique et des libertés (CNIL). CNIL is arguing that the right to be forgotten rule should be expanded to cover more than just the European Union; it says the rule should give users the option to have things de-listed from search engines globally.

While CNIL acknowledged that Google does delete some search results from Europeans when requested, the main issue is that the results aren’t deleted everywhere. According to CNIL’s complaint, some non-EU versions of Google still displayed the de-listed information.

A censorship issue

At a hearing in front of 15 European Union judges, Google was strong in its stance that expanding the right to be forgotten rule would in fact infringe on some users’ freedom of expression.

Other media outlets -- including Reuters, The New York Times, Buzzfeed, and several nonprofit organizations -- agree with Google’s stance that expanding the current rule would be censorship.

“This case could see the right to be forgotten threatening global free speech,” said Thomas Hughes, the executive director of the freedom-of-expression group Article 19. “European data regulators should not be allowed to decide what internet users around the world find when they use a search engine.”

“The [Court of Justice of the European Union] must limit the scope of the right to be forgotten in order to protect the right of internet users around the world to access information online,” Hughes said.

What’s been removed

Earlier this year, Google provided an update on its efforts in the last four years since the right to be forgotten rule was put into effect.

Google reported it made good on requests covering 2.4 million URLs.

In a February report, Google noted that deciding what to de-list can become problematic, and those that have been deleted thus far comprise only 43.3 percent of requests.

“Search engines like Google must consider if the information in question is ‘inaccurate, inadequate, irrelevant or excessive’—and whether there is a public interest in the information remaining available in search results,” said Michee Smith, Google’s product lead on the project.

In the four years since right to be forgotten was enacted, the main request from consumers is tied to social media and directory services containing personal information. The second highest request is linked to news outlets and government websites.


Alleged Russian hacker extradited to the U.S.

Officials accuse him of pulling off biggest ever breach of a financial firm

The operators who defraud American consumers and businesses hardly ever face justice, mainly because they operate offshore.

But U.S. officials say they have a Russian national in custody who they accuse of carrying out one of the biggest hacks in history.

Federal officials report that Andrei Tyurin, a Russian who was accused of being a key player in a hack of JPMorgan Chase and other large companies, is now in their hands after he was extradited from the Republic of Georgia.

U.S. officials charge that Tyurin has been the mastermind behind a number of high-profile cyber attacks against U.S. financial firms while also engaging in credit card fraud and money laundering.

Single biggest hack

“Tyurin’s alleged hacking activities were so prolific they lay claim to the largest theft of U.S. customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims," said Manhattan U.S. Attorney Geoffrey Berman. "As Americans increasingly turn to online banking, theft of online personal information can cause devastating effects on their financial well being, sometimes taking years to recover."

Berman and other law enforcement officials, who have had their sights on Tyurin for years, call his extradition a significant milestone. In most cases, they have been powerless to apprehend people outside the U.S. who are scamming consumers.

Tyurin appeared in court in Manhattan with his attorney and entered a not guilty plea to charges of conspiracy, computer hacking, identity theft, and wire fraud.

Could cut a deal

Legal experts say Tyurin may be in a good position to cut a deal with prosecutors since he most likely has a lot of information about others who are involved in international hacking and scams. It's not unreasonable to think his knowledge could be useful to prosecutors who are conducting investigations into a number of different areas, including interference in the 2016 presidential election.

The case at hand centers on the 2014 JP Morgan hack, which investigators said appeared to center on alleged efforts to manipulate stock prices. JP Morgan security personnel brought these concerns to public attention, fearing they might be part of an intrusion by Russian intelligence agents.

U.S. officials accuse Tyurin of working with other hackers in a coordinated attack on financial services firms' networks. Officials say they believe the hackers were able to gather sensitive information on more than 100 million people who were the firms' clients.

Prosecutors allege that stolen information was used in wide-ranging schemes, from stock manipulation to bitcoin money laundering.


Yahoo Mail reportedly scans commercial emails to help advertisers

Almost 200 million Yahoo inboxes are scanned for data to help advertisers learn users’ buying habits

Yahoo Mail is still scanning the inboxes of its users for commercial emails in order to help advertisers target ads based on users’ interests, the Wall Street Journal reported on Tuesday.

The emails that are scanned typically include order confirmations and other messages from online retailers. Oath, Yahoo’s owner, uses the information to put users into interest groups. Advertisers then show ads based on those interests.

Oath uses algorithms to identify commercial emails, then scans those emails for keywords that could provide insights into a user’s purchasing habits.

“Yahoo mined users’ emails in part to discover products they bought through receipts from e-commerce companies such as Amazon.com,” said the Journal. “In 2015, Amazon stopped including full itemized receipts in the emails it sends customers, partly because the company didn’t want Yahoo and others gathering that data for their own use.”

The company allows users to opt out of receiving targeted ads based on email scanning, but the page through which users can do so is difficult to find. Users have to navigate into the Ad Interest Manager and select “opt out” under both 'Your Advertising Choices' and the 'On Yahoo' tabs.

Yahoo’s rivals don’t scan emails

Users first noticed that Oath gave itself permission to read users’ emails when it updated its privacy policy back in April. However, the fact that the company is still pitching this ability to advertisers goes against the policies of most of its competitors.

Last year, Google confirmed that it would stop scanning users’ consumer email accounts in order to serve up targeted ads. Microsoft says it has never engaged in the practice, nor has Apple.

Oath says that scanning retail emails is part of the trade-off consumers make in exchange for free online services.

"Email is an expensive system. I think it's reasonable and ethical to expect the value exchange, if you've got this mail service and there is advertising going on," Doug Sharp, Oath's Vice President of Data, Measurements & Insights, told the Journal.


T-Mobile experienced a data breach on August 20

The carrier said an ‘unauthorized capture of data’ occurred this week

On Thursday, T-Mobile announced that it was hit with a data breach on August 20 that may have allowed hackers to gain access to the personal information of around 2 million of its customers.

“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile said in a statement disclosing the breach.

T-Mobile said its cyber-security team “discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities.”

Information compromised included the name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid) of affected customers.

Financial data not compromised

“None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised,” T-Mobile said.

The company said anyone whose data has been stolen has been or will shortly be contacted via text message.

T-Mobile didn’t say how many customers were affected by the breach. However, a T-Mobile spokesperson noted in a statement to Motherboard that the breach affected “about” or “slightly less than” 3 percent of the carrier’s 77 million customers, which would be around 2 million users.

T-Mobile says consumers with questions or concerns about the incident can contact Customer Care.

“If you are a T-Mobile customer, you can dial 611, use two-way messaging on MyT-Mobile.com, the T-Mobile App, or iMessage through Apple Business Chat,” the carrier said. “You can also request a call back or schedule a time for your Team of Experts to call you through both the T-Mobile App and MyT-Mobile.com. If you are a T-Mobile For Business or Metro PCS customer, just dial 611 from your mobile phone.”


Facebook deletes another 652 pages and accounts

The company said it removed accounts that were engaging in "coordinated inauthentic behavior"

Facebook says it has removed 652 pages and accounts from its platform after determining their owners aren’t who they claimed to be, but groups based in Russia and Iran.

The purpose of the posts on those pages, Facebook said, was to spread misinformation and sow discord ahead of the U.S. midterm elections. The company said the owners of the accounts were engaging in "coordinated inauthentic behavior."

The company said the owners of the accounts were carrying out distinct campaigns and so far, it has not established any kind of direct link between the groups. But it was clear they were using the same or similar tactics and were trying to mislead others about who they were and what they were doing.

Determined and well-funded

"We ban this kind of behavior because we want people to be able to trust the connections they make on Facebook," the company said in a blog post. "And while we’re making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well funded."

Facebook said it is investing in people and technology and working more closely with law enforcement. It announced those steps earlier this year when it revealed that Cambridge Analytica, a political marketing firm, made unauthorized use of Facebook data to target ads during the 2016 presidential election.

Facebook said it received a tip last month from FireEye, a cybersecurity firm, warning that it identified a group called Liberty Front Press as a potential bad actor. Facebook says a subsequent investigation was able to link the account to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same administrators.

One part of the network, a Facebook group called Quest 4 Truth, identified itself as an independent Iranian media organization. But Facebook said its investigation showed it was connected to Press TV, an English-language news network affiliated with Iranian state media.

Not who they say they are

The overarching theme, says Facebook, is that the account owners portray themselves as independent media organizations when they are not.

Earlier this week Microsoft reported that it had taken control of six domains owned by the Russian hacker group APT28, which was using the domains to spoof government and conservative websites.

Facebook CEO Mark Zuckerberg says his company has moved from a reactive stance to a proactive one. In a conference call with reporters, Zuckerberg said it's the only way to stay one step ahead of groups trying to use social media platforms to spread discord among Americans.


Researchers find security flaws in most tracker apps

The devices’ unencrypted data is apparently easily accessible

That tracker app you installed on your family members' smartphones may be providing more information than you think, and not just to you.

German researchers at the Fraunhofer Institute analyzed 19 legal tracker apps available in the Google Play Store. The researchers closely examined how the apps collect information and how they protect highly sensitive user data.

Across the 19 apps they found 37 serious vulnerabilities; none of the apps had basic security protections in place.

The research team stresses that tracker apps have legitimate uses. Parents often use them to monitor their children's location and to see messages and pictures they post online. They're perfectly legal so long as the person being monitored is aware of it and agrees to it.

Data stored in plain text

The researchers take issue with these apps' security features, or rather the lack of them. They found that most apps store highly sensitive data on a server in plain text, without any type of encryption.

"We only had to open up a certain website and guess or enter a user name into the URL to retrieve an individual's movement profile," said Siegfried Rasthofer, who headed the project.

The researchers said they were able to read out complete movement profiles for all app users, not just the ones being monitored. They suggest this security flaw could allow thousands of people to be tracked in real time.

"It enables total surveillance," said Stephan Huber, a member of the research team.

Lack of proper encryption

The researchers said they were also able to read the app users' login information because the developers either used improper encryption or no encryption at all. In one app, the team was able to easily access 1.7 million login credentials.
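The two failures described above, a movement profile retrievable by guessing a username in the URL and credentials stored without proper protection, are illustrated below in an added example that is not code from the Fraunhofer study or from any of the apps it examined. The profile data, the alice/bob guardian mapping and the `GUARDIANS` table are constructed for the example; the vulnerable handler is shown next to a hardened one that ties access to an authenticated session, and the credential code shows salted, slow hashing instead of reversible storage.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example, not data from the Fraunhofer study.
# Each movement profile is a list of (timestamp, latitude, longitude) fixes.
PROFILES = {
    "alice": [("2018-08-15T08:00:00Z", 52.5200, 13.4050)],
    "bob":   [("2018-08-15T08:05:00Z", 52.5163, 13.3777),
              ("2018-08-15T08:40:00Z", 52.5096, 13.3760)],
}

# Hypothetical consent mapping: which accounts may monitor which (alice monitors bob).
GUARDIANS = {"bob": {"alice"}}


class AuthorizationError(Exception):
    """Raised when the caller may not read the requested profile."""


def get_profile_vulnerable(username):
    """Vulnerable pattern: the username in the URL is the only 'key'.
    Anyone who can guess a username receives that person's full movement profile."""
    return PROFILES.get(username, [])


def get_profile(session_user, username):
    """Hardened pattern: the caller is identified from an authenticated session and
    must own the profile or be a guardian linked to it. The requested username is
    never trusted on its own, so enumeration yields nothing."""
    allowed = session_user == username or session_user in GUARDIANS.get(username, set())
    if not allowed:
        raise AuthorizationError(f"{session_user} may not read {username}'s profile")
    return PROFILES.get(username, [])


# Credential storage: passwords are not encrypted (reversible) but hashed with a
# per-credential random salt and a deliberately slow KDF. PBKDF2-HMAC-SHA256 is used
# here because it ships with the standard library; argon2id or scrypt is preferable
# where available.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh 16-byte salt is drawn per credential."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The flaw: no session needed, any guessed name works.
    print("vulnerable:", get_profile_vulnerable("bob"))
    # The fix: the linked guardian can read, a stranger cannot.
    print("guardian:", get_profile("alice", "bob"))
    try:
        get_profile("mallory", "bob")
    except AuthorizationError as exc:
        print("denied:", exc)
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

The authorization check is the part the apps were missing: the server must decide from who is logged in, not from what identifier appears in the request. The same rule applies to any other object reachable by a guessable identifier (message archives, photo galleries), and it has to be enforced for every route, not just the login page.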

The Fraunhofer researchers said they informed the app developers and the Google Play Store team of their findings. They say Google has removed 12 of the 19 apps from its store.


Researchers say security vulnerabilities lurk in most fax machines

It may be old technology but these devices can infect your network with the latest malware

If you're still using a fax machine, you're not only old fashioned, you're probably vulnerable to cyber attacks.

Researchers at Check Point, a cyber security firm, have uncovered vulnerabilities in the communication protocols used in tens of millions of fax devices. If the attacker has the fax number, that’s all they need to exploit the flaws and potentially seize control of a computer network.

Specifically, the Check Point researchers focused on vulnerabilities in the popular HP Officejet Pro All-in-One fax printers. The same protocols are used by other manufacturers' fax machines and multi-function printers.

Check Point says the protocols are also employed in online fax services such as fax2email, and researchers say it is likely that these are also vulnerable to attack by the same method.

HP has already issued a patch

Once informed of the findings, Check Point says HP quickly developed a firmware patch for its printers.

There are a reported 45 million fax machines still in use, both in homes and offices. The '80s technology is especially prevalent in healthcare, law offices, banking, and real estate, and these networks often contain vast amounts of sensitive data.

“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers,” said Yaniv Balmas, Group Manager, Security Research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations."

Here's how it works

It's a fairly simple attack. Once the attacker obtains a fax number, they send an image file to the machine. Embedded within the image is code that the machine decodes and loads into its memory when it processes the fax.

Check Point says this process gives the attacker the ability to break into any device that is connected to the fax's computer network.

Dom Chorafakis, founder of the cyber security consultancy Akouto, says the simplicity of the attack is what makes it so dangerous.

"The malware is embedded within a specially crafted [message] and delivered over the phone line via standard fax, so there are no defensive measures like firewalls or antivirus that can be put into place to prevent this attack," Chorafakis told ConsumerAffairs. "End users have to rely on equipment vendors to check their firmware and provide updates.

While these attacks can be hard to stop, there are a couple of ways to protect yourself before being targeted. First, check your machine's manufacturer for available firmware updates and apply them.

For businesses and organizations, the fax machine should be on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.


The Weekly Hack: Golf nonprofit can’t access its own logos until it pays hackers in Bitcoin

The non-profit that runs the PGA Championship is at the mercy of a cryptocurrency hacker

Staffers at the nonprofit PGA of America are locked out of their own computer servers and unable to access critical files that they were planning to use for the upcoming Ryder Cup in France, GolfWeek is reporting.

On Tuesday morning, staffers received a message on their computers and were unable to access their own files. “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm,” the message read.

The files, which include promotional banners, logos, and signage, will be destroyed if employees attempt to go around the hackers to get them back, the message warned.

Instead, the hackers have invited employees to use a decryption software that they claim has been made “exclusively” for PGA. That, of course, will cost money.

The message also includes a Bitcoin wallet number but no specific amount requested. Officials told GolfWeek that they have no intention of paying the ransom. The magazine reports that many of the files were created over a year ago and “cannot be easily replicated.”

Ransomware demands payable in cryptocurrency have become increasingly common; victims have ranged from individuals whose data was exposed in earlier breaches to the city of Atlanta.

PGA of America is a nonprofit that is a separate entity from the PGA Tour. In addition to the Ryder Cup, it also operates events that include the PGA Championship.

Healthcare

As medical records move online, it’s becoming clear that healthcare workers are in over their heads when it comes to data security. According to industry publications, hospitals and clinics have been suffering a record number of data breaches this year.

From April to June, the industry reported 142 data breach incidents affecting 3.14 million patient records. The figures are “nearly three times the number reported in the first part of the year,” Health IT News is reporting.

In July, another 860,000 patient records were compromised, according to an analysis of government data conducted by Healthcare Analytics News.

The attacks come following a report last year which found that 70 percent of healthcare workers lack cybersecurity awareness.

WhatsApp

The messaging app that has taken off with world travelers, people who work in tourism, and others who want to reach overseas numbers without international calling charges could get users in major trouble.

Security researchers say they have warned WhatsApp about a flaw they discovered in the app that allows attackers to impersonate users and alter their text messages. The attackers can do so by abusing the “quote” feature used in group chats.

“We believe these vulnerabilities to be of the utmost importance and require attention,” Check Point Research said. WhatsApp has not made clear whether it is working to fix the flaw.

“We encourage you to think before sharing messages that were forwarded,” the company said in a blogpost. “As a reminder, you can report spam or block a contact in one tap and can always reach out to WhatsApp directly for help.”

Airplanes

A security researcher says that he was able to use weaknesses in satellite communications equipment to reach the networks of commercial aircraft. Ruben Santamarta recently told Forbes that he was able to view the workings of hundreds of passenger and commercial aircraft and says he is the first person to make the discovery.

Vulnerable airlines included Southwest, which says it already fixed the issue in December after being notified by a government agency. Other airlines that were named by Santamarta either didn’t respond or claimed that they had also already fixed the issue as well, Forbes reports.


Facebook is allegedly asking banks for customers’ financial data

However, the tech giant is denying the report

Facebook is asking large banks to share their customers’ credit card transaction data, shopping habits, and checking account balances to help it launch a new financial services initiative, according to a report from The Wall Street Journal.

Now, Facebook is speaking up in an effort to make clear that it’s not asking banks for its users’ financial transaction data or shopping habits.

In a statement to TechCrunch, Facebook spokesperson Elisabeth Diana said the social networking platform is working with banks to increase its chatbot capabilities. However, the company denies that it’s seeking access to its users’ financial data in order to serve up targeted ads or use that information for other purposes.

Facebook says it won’t collect information

“A recent Wall Street Journal story implies incorrectly that we are actively asking financial services companies for financial transaction data – this is not true,” Diana said.

The company says it’s looking to partner with banks and credit card companies to offer customer service through a chatbot in Messenger or help users manage their accounts within the app.

“Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management,” Diana continued. “Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates.”

Bank integration with Facebook

Facebook said it is considering a new initiative that would let users see their checking account balances from within Messenger.

“The idea is that messaging with a bank can be better than waiting on hold over the phone – and it’s completely opt-in,” Diana said.

“We’re not using this information beyond enabling these types of experiences – not for advertising or anything else. A critical part of these partnerships is keeping people’s information safe and secure.”

Anonymous sources told the Journal that Facebook has talked to large banks including JPMorgan Chase, Citigroup, Wells Fargo, and US Bancorp about what types of banking services Facebook Messenger could provide for customers.


The Weekly Hack: Feds nab Ukrainian hackers allegedly behind attacks on Chipotle and Arby’s customers

The international hacking ring stole nearly 15 million customer credit card records, authorities say

The FBI has three Ukrainian nationals in custody whom it describes as leaders of an “international crime supergroup” called FIN7, the Department of Justice said Wednesday.

The group allegedly hacked the servers of Chipotle, Arby’s, Chili’s, and nearly 100 other United States companies in order to access consumer data and sell it on the dark web.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia,” federal authorities said. The group allegedly stole more than 15 million customer credit card records in the breaches.

Chipotle and Arby’s both admitted last year that customer credit card data was targeted via a malware attack, while Chili’s said last May that customer credit card data may have been “compromised.”

According to the Department of Justice, the attacks were part of a prolific hacking campaign “that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information.”

Authorities say that the hackers posed as a security firm called Combi Security to recruit members in Israel and Eastern Europe. They launched their attacks by sending emails to employees of the companies that they were targeting. The emails were apparently so legitimate-looking that the recipients subsequently downloaded attachments containing malware -- yet another reminder to never download attachments from an unfamiliar source.

The defendants -- Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kolpakov, 30 -- were arrested by foreign authorities. They now face 26 felony counts in a U.S. District Court in Seattle.

The Ivy Leagues

Yale University is offering one free year of identity theft monitoring, corporate America’s favorite way to apologize for a data breach, after university officials discovered that hackers stole 119,000 records affecting alumni, faculty, and staff nearly a decade ago.

“I am writing, with regret, to inform you that, between April 2008 and January 2009, intruders gained electronic access to a Yale database and extracted names and Social Security numbers, including yours,” says a letter that the University recently sent out to affected people.

As Yale News reports, the prestigious university has repeatedly fallen victim to hackers. Even their computer science department is not immune. A 2012 data breach in the department was blamed on a former employee with a weak password.

Reddit

Reddit said Wednesday that a hacker stole some users’ email addresses, as well as a 2007 database containing salted and hashed passwords.

The “security incident,” as Reddit describes it, occurred between June 14 and 18.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company said.


Hewlett-Packard offers hackers a bounty to break into their printers

The company is the latest to take a proactive approach in finding bugs

Hewlett-Packard (HP) is offering hackers a bounty of up to $10,000 if they can find vulnerabilities in the company’s printers.

CNET is reporting that HP quietly started a hacking bounty program in May. A total of 34 researchers have joined, including one who already earned $10,000 for detecting a flaw.

Printers are one of many consumer products that are vulnerable to hacking. Like other unexpected hacking targets, they can fall by the wayside when it comes to the attention of security researchers, who may be more interested in webcams and other obvious targets.

"As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up," said Shivaun Albright, HP's chief technologist of print security, in a statement.

Taking a proactive approach

With nearly every industry proven to be vulnerable to hackers, researchers have said that businesses need to be more proactive in patching security holes.

As a result, hacking corporate clients in exchange for a “bounty” or fee has grown into a full-time career for some researchers. Recently, the automaker BMW honored Tencent's Keen Security Lab for its findings that attackers could remotely access its cars.


The Weekly Hack: Idaho inmates exploit prison tablets to hack money

The company says it will shut down almost all services until it gets its money back

The tablets being provided to inmates in prisons all over the country come with special strings attached. Emails, for instance, can take up to 48 hours to reach their intended destination due to security screenings. The email costs a minimum of 35 cents to send and attaching pictures or exceeding word limits costs extra. Apps and other features designed to appeal to bored inmates all come with their own charges.

The telecommunications giant JPay has in recent years distributed free tablets to tens of thousands of inmates with the expectation that they will spend enough money on paid features to make the tablets worthwhile. In New York alone, JPay has predicted that it will earn $8.8 million within two years by giving free tablets to 52,000 inmates in the state.

One enterprising group of inmates in Idaho is now facing punishment for hacking a piece of that pie for themselves. JPay and the Idaho Department of Corrections announced Friday that prison inmates found a vulnerability in their tablets and used it to add $225,000 worth of credits to their own JPay accounts. Most inmates loaded $1,000 or less into their accounts, though one took nearly $10,000. In all, a total of 364 inmates allegedly benefited from the scheme, but only briefly.

After the alleged hack was discovered, JPay announced that it has since recovered $65,000 worth of the credits. Apparently, however, the company needs the inmates’ help to get the rest of its own money back. The firm announced that it is suspending almost all service on the tablets -- everything but email -- until the rest of its money is refunded from the inmates involved in the scheme.

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” an Idaho Department of Corrections spokesman told the Associated Press.

Using a fee-based model to bring the comforts of home to prisoners, the jail communications firm JPay is part of an industry that profits enormously off of inmates, or more likely, their families. The firm also handles prison phone calls that used to cost as much as $14 per minute (until the FCC capped prison phone fees under the Obama administration) and commissary accounts in which family members have been charged fees as high as 45 percent of whatever amount they were sending to the inmate.

JPay also handles many of the debit cards that inmates are given upon release from prison to help pay for getting home. But the money in those cards often becomes inaccessible without explanation or is whittled away by various fees, one lawsuit contends.

JPay was purchased several years ago by Securus, another jail telecommunications giant that profits from high fees. Securus in recent years has successfully lobbied some counties to replace in-person jail visits with costly video visitation systems. Securus, which reportedly lets police track phone locations in real time, has also proven to be vulnerable to hackers.

Even if the money is not returned, JPay will probably come through this theft just fine. Numerous advocacy groups have described the jail communications industry as one that benefits from having a monopoly in whatever facility in which they are operating.

Jail communications “often do not result in stronger lines of communication at all,” the Electronic Frontier Foundation has said. “Many communications services are offered under unfair terms and with artificially inflated fees that are only possible because the services operate monopolies at each prison or jail.”

Voting machine vendor admits vulnerability

In other hacking news, the nation’s largest provider of electronic voting machines recently admitted in a letter to a U.S. senator that it had installed remote-access software on some of its machines. Security experts say such software exposes the machines to remote compromise.

Voting machines are supposed to be entirely disconnected from the internet and from any form of remote access.

What’s more, the firm, called Election Systems and Software, previously denied using such technology. The company reportedly now claims that it stopped using the remote software in 2007.  


An Uber driver in St. Louis secretly livestreamed passengers on nearly 700 of his rides

Uber and Lyft cut ties with a driver who secretly filmed and broadcast his interactions with passengers to thousands of viewers

The women who stepped into Jason Gargac's Chevy had no idea that strangers were publicly rating their appearance from behind the comfort of a computer screen.

Gargac, an aspiring police officer in St. Louis, said he initially took a job driving for Uber to make ends meet. But not long after, he became a television host of sorts.

On Twitch, a live streaming platform, Gargac played to the camera between rides, thanking people for tuning in and sharing his own critiques of his passengers’ looks. The passengers, on the other hand, appeared to have no idea that they were being recorded as they stepped into his car and began talking.

In the approximately 700 rides that Gargac filmed, his passengers often embarrassed themselves -- or worse. The passengers would reveal their last names, addresses, crushes, family problems, and gripes with bosses, all while strangers mocked them online.

Uber and Lyft eventually cut ties with driver

Uber and Lyft initially downplayed the news that one of their drivers was making entertainment out of people's lowest moments, a discovery that was revealed by the St. Louis Post-Dispatch newspaper.

Gargac admitted to the newspaper that he purposely worked weekend nights because passengers were more likely to be intoxicated then.

Passengers who discovered that they had been filmed and complained to Uber about it said they were only offered a $5 credit and a promise to not be paired with Gargac again.

Both companies initially told the Post-Dispatch that Gargac was not breaking any laws because Missouri is a one-party consent state when it comes to recordings.

But after the local newspaper published an investigative report about Gargac’s livestream channel this past weekend, both companies changed course and said that they had cut ties with him completely.

Gargac, who, the Post-Dispatch reported, did not want his own last name printed in the newspaper, was also kicked off Twitch. Until his channel went offline, it had amassed over four thousand followers, a figure that made Gargac feel “forever grateful,” according to a tweet he sent out to his fans in June.

Meanwhile, passengers interviewed by the paper said they felt deeply violated.

Recordings all too common

Ethics aside, secret recordings in Uber and Lyft cars are legally murky territory because it’s unclear whether they count as a private space, experts say.

But common sense dictates that passengers and drivers alike should expect to be filmed, as many Uber and Lyft users film rides for their own protection.

Still, drivers typically don’t air the footage unless the passengers become violent, as the infamous Miami doctor Anjali Ramkissoon did two years ago. Nearly three million people reveled in footage showing Ramkissoon attempting to hit her Uber driver and throw his possessions out of the window.

The footage elevated Ramkissoon, a neurologist, to the status of internet celebrity that the public loved to hate. Ramkissoon was fired shortly after the incident and said that she had to change her cell phone number because strangers would not stop calling to yell at her.

Drivers and passengers have also been captured engaging in sex acts in the car, using racist language, or simply behaving rudely. Uber’s own former CEO Travis Kalanick even proved that he wasn’t immune to the trap.

Last year, an Uber driver who realized he was transporting the company’s then-CEO confronted Kalanick about low wages and other problems that Uber drivers face. Kalanick dismissed the concerns as people not taking responsibility “for their own shit.”

Like other passengers caught in embarrassing moments, Kalanick later said he was ashamed of his behavior.


Facebook suspends another data analytics firm over fears of data misuse

The social media platform appears to be cracking down on misuse of user data

Facebook has suspended the Boston-based analytics firm Crimson Hexagon after reports indicated that the company’s contracts with governments and government-linked groups -- including in the United States and Russia -- may have violated Facebook’s surveillance rules.

“We don’t allow developers to build surveillance tools using information from Twitter or Facebook or Instagram,” a Facebook spokesperson said. “We take these allegations seriously, and we have suspended these apps while we investigate.”

Though no evidence has been found thus far indicating that any user data has been obtained, Facebook plans to investigate “whether the analytic firm’s contracts with the U.S. government and a Russian nonprofit tied to the Kremlin violate the platform’s policies.” Crimson Hexagon has also completed work for the Turkish government.

Though it isn’t against Facebook policy to use data from users for general insights, according to the BBC, “where Crimson would fall foul of Facebook’s rules is if the data was used to create tools for surveillance, though Facebook has never clarified how its policy works in practice.”

According to Crimson Hexagon’s Chief Technology Officer Chris Bingham, the company “only collects publicly available social media data that anyone can access” and “does not collect private social media data.”

Trying to right the ship

Facebook received a ton of backlash following news of the Cambridge Analytica scandal in March. The company is now being investigated by the Securities and Exchange Commission (SEC), the Justice Department, and the FBI for its treatment of the scandal.

Questioning in the investigation is focused primarily on how much Facebook knew in 2015 -- when it initially learned that Cambridge Analytica had improperly accessed the data of tens of millions of users. At the time, Facebook did not alert any shareholders or any of its users.

In an effort to prove to users that their privacy and security are of the utmost importance, Facebook then launched a series of privacy updates. The company audited thousands of apps that had access to users’ data and suspended 200 of them in the process. Facebook also overhauled its privacy settings, putting control back in the hands of users.


The Weekly Hack: Scammers threaten to expose users’ online porn habits and demand Bitcoin ransom

A group of gas-stealing hackers eludes police as airport, military, and medical secrets go up for sale on the Dark Web

An unknown person or group that apparently collects Bitcoin is exploiting consumers’ longstanding concerns about the outside monitoring of users’ internet activity.

In what security researcher Brian Krebs is describing as a “sextortion” scam, consumers have reported receiving emails claiming that malware was secretly installed on pornography sites they visited.

That malware allowed a hacker to secretly record both the online content they viewed as well as the visitor in a so-called “double-video,” the emails claim.

The emails demand a ransom that must be paid in Bitcoin -- otherwise, the scammers claim that every person on the victims’ contact list will be sent the video. Krebs says that this is an old scam and assures consumers that hackers do not really have the recordings that they claim to possess.

The amounts that the scammers demand vary from victim to victim. Blogger Julie Neidlinger posted a screenshot of one such email she received from an account named “Octavius Guss” demanding $2900 in Bitcoin.

“If I don’t get the Bitcoins, I will definitely send out your video to all of your contacts including relatives, coworkers, etc.,” the email says.

This version of the scam adds a twist beyond the Bitcoin demand. “The email now references a real password previously tied to the recipient’s email address,” Krebs writes. Such passwords come from older breach dumps, not from any malware on the recipient’s device, which is why they are often years out of date.

In her case, Neidlinger responded that the old password the hacker uncovered is over a decade old and added that “you’re some little two-bit momma’s boy in a basement who stumbled into Hacking for Dummies on Reddit.” She also contacted the FBI.

Gas station thieves elude police

For over an hour and a half, a line of ten vehicles pulled up to one gas pump in Detroit. One after another, the drivers loaded up without paying.

Gas station clerk Aziz Awadh noticed something was awry, but when he went to his own computer screen, he found that his remote access to the pumps had been hijacked. "I tried to stop it here from the screen, but the screen isn't working,” he told a local news station.

Police now believe that hackers broke into the gas station pumps and stole about $1,800 worth of gas. Police say it’s unclear if all 10 vehicles were involved in the hack. Perhaps people stumbled upon the security breach by chance and just couldn’t resist the opportunity to load up on free gas.

Military, airplane and medical secrets

The security firm Recorded Future published a report on Tuesday claiming it uncovered evidence that hackers are trying to sell “highly sensitive” documents belonging to the U.S. Air Force.

“Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle,” the firm says.

The hacker’s asking price? A grand total of $200. The firm describes such a hack as incredibly unusual as well as a “disturbing preview” of better-orchestrated hacks that could occur in the future.

As it turns out, that future may not be so far off. In a separate report published yesterday, the security firm McAfee described its own discovery that hackers are selling airport-related access on the Dark Web. In that case, cyber criminals were caught selling passwords for the online security systems of airports for only $10.

Not to be outdone, another group of hackers is apparently selling dead people’s medical histories on the Dark Web. That report comes courtesy of the security firm Cynerio, which says it has seen a rapidly growing number of patient medical records exposed online.

But this particular breach has an “interesting new wrinkle,” Cynerio writes. “Our research team found a post from a vendor on the dark web offering the medical records of the deceased."

Despite the concern, medical offices increasingly rely on electronic patient records. In fact, the government of Australia is encouraging its entire population to put their health records online. While doctors say this measure could give consumers more information about their health histories, researchers worry that careless doctors or receptionists will leave patients exposed to both cyber criminals and insurance companies.

Australia, by the way, also requires all real estate transactions to be done through an online portal, which recently led one woman to lose $250,000 from a house sale to a cyber theft, she told local newspapers.

Timehop

The app, which encourages users to share “memories” of their past social media posts and photos, has deauthorized the accounts of all 21 million of its users while it responds to an apparent hack.

Still, Timehop claims no sensitive information or even social media posts were actually hacked and says that it is simply handling the situation proactively.

Macy’s

Another popular retailer, another hack. Macy’s is warning customers that anyone who shopped online via Macys.com or Bloomingdales.com may have had their passwords and credit card information stolen by hackers.

The retailer told Bloomberg it has taken new steps to prevent such hacks in the future, though it did not specify what those steps would be.


SEC to investigate if Facebook properly warned investors of data issue

How much did Facebook know about Cambridge Analytica’s misuse of data?

Facebook is currently under investigation from the Securities and Exchange Commission (SEC), the Justice Department, and the FBI, as authorities from these agencies are working to uncover how much the social media giant knew about the misuse and improper gathering of users’ data during last March’s Cambridge Analytica scandal. Specifically, the investigation is focusing on whether Facebook gave investors enough advance notice of what was going on.

Questioning is primarily focused on what Facebook knew in 2015 -- when it initially learned that Cambridge Analytica had improperly accessed the data of tens of millions of Facebook users -- and why the company didn’t share that information with its users or investors at the time. The news didn’t become public until March 2018. Investigators will also look into the words and actions from Facebook executives -- including CEO Mark Zuckerberg.

Facebook confirmed having received questions from federal agencies and reported that the company and its representatives will be cooperating with the investigation.

“We are cooperating with officials in the U.S., U.K., and beyond,” said Facebook spokesperson Matt Steinfeld. “We’ve provided public testimony, answered questions, and pledged to continue our assistance as their work continues.”

Facebook’s recent scandal

The Cambridge Analytica data breach first became public last March, when it was revealed that a professor had built an app that used Facebook Login to ask users to sign up for what was described as a personality analytics tool for academic research.

According to Facebook, the professor then violated the terms of service by selling the data of millions of Facebook users to the political marketing company Cambridge Analytica -- a company using the data to target potential voters.

In the U.K., the company allegedly targeted Facebook users inclined to vote for Britain leaving the European Union, whereas in the U.S., it was targeting users to support the Trump campaign.

Facebook reportedly removed the app, called “This is Your Digital Life,” as soon as it became aware of the data breach, but later learned that not all of the data had been deleted as required. Facebook then moved to suspend Cambridge Analytica’s account.

“We are constantly working to improve the safety and experience of everyone on Facebook,” Facebook said in a statement. “In the past five years, we have made significant improvements in our ability to detect and prevent violations by app developers.”

Changes in privacy

Since the scandal, Facebook has taken measures to protect users’ privacy moving forward.

The platform has audited thousands of apps that had access to users’ data, and it has suspended 200 apps in the process. The company has also restricted access to data for all developers using Facebook and Instagram.

The social media platform also drastically changed its privacy settings, condensing much of the settings into one easy to navigate screen.

“People have also told us that information about privacy, security, and ads should be much easier to find,” said Erin Egan, Facebook’s chief privacy officer. “Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place.”

Facebook also modified the way users see and access advertisements, giving them more control over the ads they view.


Timehop discloses data breach affecting 21 million users

The breach attacked users’ personal data on July 4th

Timehop announced today that the company suffered a major data security breach on July 4. The app reminds social media users of posts from their past, and according to the company, 21 million users have had some form of personal data stolen as part of the incident.

The app’s attackers allegedly obtained access tokens that allowed them to view users’ Facebook, Instagram, Twitter, and Foursquare posts.

According to a technical report from Timehop, the initial attack took place on December 19, 2017 when an authorized administrator’s credentials were used by an unauthorized user. However, the attacker waited until 2:04 PM on July 4th to “attack against the production database and transfer data.”

Timehop’s report also noted that the attackers created a new administrative account and “began conducting reconnaissance activities within [the] Cloud Computing Environment.” The unauthorized user then performed reconnaissance activities for two days after the initial attack, in addition to one day in March 2018 and one day in June 2018.

Timehop’s cloud environment was not protected by multi-factor authentication, a control that is widely considered standard for most companies.
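The sequence Timehop describes (a valid administrator credential used at an odd time, a new administrative account created, reconnaissance, and no MFA on the console) is exactly what cloud audit logs can surface if anyone is looking. The block below is an added example, not Timehop’s code or its real log data: it runs three detection rules over constructed sample events in a CloudTrail-like JSON shape (the field names, user names and addresses are assumptions for illustration; Timehop did not name its provider) and correlates a `CreateUser` with an `AttachUserPolicy` that grants `AdministratorAccess` shortly afterwards, which is the “new administrative account” pattern from the report.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed sample events in a CloudTrail-like shape. Field names, users and
# IP addresses are assumptions for illustration, not Timehop's real log data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventTime": "2017-12-19T03:12:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2017-12-19T03:15:02Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2017-12-19T03:15:40Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2018-07-04T18:04:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.20"},
]

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
NEW_ADMIN_WINDOW = timedelta(hours=1)  # creation-to-admin gap treated as suspicious


def _ts(event: Dict[str, Any]) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event: Dict[str, Any]) -> str:
    return event.get("userIdentity", {}).get("userName", "<unknown>")


def find_alerts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply three rules to audit events (processed in time order):
    1. successful console login without MFA,
    2. any IAM user creation,
    3. AdministratorAccess attached to a user, and, if that user was created
       within NEW_ADMIN_WINDOW, a correlated 'new_admin_account' alert."""
    alerts: List[Dict[str, Any]] = []
    created_at: Dict[str, datetime] = {}
    for ev in sorted(events, key=_ts):
        name = ev.get("eventName")
        when = ev["eventTime"]
        src = ev.get("sourceIPAddress")
        if name == "ConsoleLogin":
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if success and mfa != "Yes":  # missing field is treated as no MFA
                alerts.append({"rule": "console_login_without_mfa",
                               "user": _actor(ev), "time": when, "source_ip": src})
        elif name == "CreateUser":
            new_user = ev.get("requestParameters", {}).get("userName")
            created_at[new_user] = _ts(ev)
            alerts.append({"rule": "new_iam_user", "user": new_user,
                           "by": _actor(ev), "time": when, "source_ip": src})
        elif name == "AttachUserPolicy":
            params = ev.get("requestParameters", {})
            target = params.get("userName")
            if params.get("policyArn") == ADMIN_POLICY:
                alerts.append({"rule": "admin_policy_attached", "user": target,
                               "by": _actor(ev), "time": when, "source_ip": src})
                if target in created_at and _ts(ev) - created_at[target] <= NEW_ADMIN_WINDOW:
                    alerts.append({"rule": "new_admin_account", "user": target,
                                   "by": _actor(ev), "time": when, "source_ip": src})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the December login by `ops-admin` without MFA, the creation of `svc-backup2`, and the admin policy attached to it 38 seconds later all fire; the July login by `alice` with MFA does not. In a real deployment the same rules would be run continuously against the log stream rather than a static list, and a login without MFA should be impossible rather than merely alerted on.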

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service,” Timehop said in a statement. “Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content -- and we delete our copies of your ‘Memories’ after you’ve seen them.”

A look into the breach

The names and email addresses of 21 million users were stolen, with 4.7 million of those accounts having phone numbers attached to them. Additionally, because the attackers obtained Timehop’s access tokens, they could in principle have pulled information from users’ social media accounts.

Timehop reported that the tokens were deactivated quickly, so the attackers could not use them to view posts or pull information from the linked accounts, and there is no evidence that any accounts were accessed.

Following the breach, Timehop announced that it was conducting an investigation with the help of an outside cybersecurity incident response company. This will involve an audit of Timehop’s system, contact with law enforcement, and coordination with social media partners to prevent any future breaches.

“No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached,” Timehop reported.

“There is no such thing as perfect when it comes to cyber security, but we are committed to protecting user data,” the company report said. “As soon as the incident was recognized we began a program of security upgrades.”

Notifying users

Users are being asked to log back into all social media accounts upon reopening the Timehop app, and are being notified of the breach.

“An email to the entire user base is in the works for today,” a Timehop spokesperson told TechCrunch. “[It] took some time to get our second grid account ready for that many emails, as we are not a big email sender in general.”

Timehop users who are concerned about their “Streak” -- the number that Timehop displays of how many consecutive days users have opened the app -- are being reassured by the company that it will “ensure all Streaks remain unaffected by this event.”


The Weekly Hack: Former Microsoft employee lets consumers track their own hacks

An unofficial database promises to alert consumers if any of their data was stolen

Businesses and government agencies across the world now suffer data breaches on a weekly basis, but they often leave out specific details about the scope of the hack, or, in some cases, fail to alert consumers about the hack at all.

Enter HaveIBeenPwned, a website built by former Microsoft employee Troy Hunt. The service has been around since 2013 but has become more useful as breaches have grown more common: a consumer enters an email address, and the site reports any known data breaches in which that address appeared.

Travel booking sites, flush with credit card information and other consumer data, have proven to be popular targets for hackers, and HaveIBeenPwned is now reporting that one such site appears to have been hit.

Over five million accounts on Yatra, a travel-booking site based in India and available across the globe, had user data compromised, according to the service.

HaveIBeenPwned tweeted on Wednesday that the breach dates back to 2013 and includes phone numbers, passwords and PINs. But Yatra never disclosed the apparent breach to consumers, according to the Huffington Post.

In a recent interview, Hunt explained that consumers are growing used to data breaches as a normal part of online life and that they are more concerned with how companies handle such breaches rather than whether or not they simply occurred. It would seem, then, that Yatra joins the ranks of Equifax and others accused of failing this important litmus test.
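The sextortion emails above and the HaveIBeenPwned service rest on the same fact: once a password has appeared in a breach dump, anyone can check for it. The block below is an added example, not code from the article, from Krebs, or from Troy Hunt’s service. It implements the k-anonymity range lookup that HaveIBeenPwned’s Pwned Passwords API uses, in which only the first five hex characters of the password’s SHA-1 leave the machine and the API returns every matching 35-character suffix with its breach count. The sample response is constructed (the counts are invented) so the code runs offline; `fetch_range` shows the live call to the real endpoint but is not exercised here. Entries with a count of 0, which the API adds when padding is requested, are deliberately ignored.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API; not contacted by the offline demo.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password.
    Only the prefix is ever sent to the API."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Malformed lines and padding entries (count 0) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        try:
            n = int(count.strip())
        except ValueError:
            continue
        if len(suffix) == 35 and n > 0:
            counts[suffix] = n
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus (0 if absent).
    range_lookup maps a 5-char prefix to the raw response body."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (requires network). Add-Padding makes every response the same
    rough size so an observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts are invented; the third line imitates a padding entry.
SAMPLE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
"""


def sample_lookup(prefix: str) -> str:
    """Offline stand-in for fetch_range that always returns the constructed body."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, sample_lookup))
```

To run it against the live corpus, pass `fetch_range` instead of `sample_lookup`. A non-zero count is the signal a password policy should act on: the password is already in a dump that a scammer like the one Krebs describes can buy, so it should be rejected at set time, not merely flagged later.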

A single computer in Alaska

A state agency in rural Alaska says that 500 people may have had their data exposed in a hack that was possibly linked to Russian cyber criminals.

The Alaska Department of Health and Social Services announced that a computer in northern Alaska was found to be infected with a virus. That same computer also had unauthorized software installed onto it, and according to the state’s investigation, had accessed websites in Russia.

It’s unknown how or why that computer was targeted, but according to the agency, it contained documents “including information on pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, criminal justice, health billing, social security numbers, driver’s license numbers, first and last names, birthdates, phone numbers, and other confidential data.”

Alaskans are invited to call the agency to see if they were affected.


Study finds one app secretly recorded screen activities

Researchers say the app sent screenshots of user activity to a third party

Many smartphone users are paranoid that their phone is secretly listening to their conversations in order to serve up targeted ads. To find out whether that popular theory is true, researchers at Northeastern University recently conducted a study of more than 17,000 apps to find out if any of them actively overhear or record user activity.

The researchers found no instance of any app unexpectedly activating the microphone or dispatching audio files without a user’s permission. Of the 17,260 Android apps included in the year-long study, over 9,000 had permission to access the camera and microphone. The researchers used an automated program to interact with each app and then analyzed the traffic generated.

Although the researchers did not find any evidence of apps secretly recording their user to serve up targeted ads, the team found at least one instance in which an app sent screen recordings and screenshots to a third-party mobile analytics company.

Recorded what users were doing within the app

The researchers found that a popular food delivery app called GoPuff recorded and sent screen recordings to a mobile analytics company called AppSee. The app recorded footage of a screen where users had to enter their zip code.

After being contacted by the researchers, GoPuff added disclosure of this policy to its privacy policy and removed the AppSee SDK. AppSee also claims it deleted the recordings it had obtained.

“In this case it appears that Appsee’s technology was misused by the customer and that our Terms of Service were violated,” AppSee's CEO told Gizmodo. “Once this issue was brought to our attention we’ve immediately disabled tracking capabilities for the mentioned app and purged all recordings data from our servers.”

The researchers didn’t definitively conclude that smartphones never record users without permission. They only said that they did not find any evidence of the practice in their study. The study had its limitations, including the fact that the automated systems might have missed audio processed locally on the device rather than sent over the network.


California passes strict new online privacy law

The new law will give consumers in the Golden State sweeping control over their personal data

On Thursday, California legislators passed the California Consumer Privacy Act of 2018. Under the new law, the data-harvesting practices of Amazon, Facebook, Google, and Uber will be restricted and consumers will have control over their personal data.

The new law gives consumers the right to know what information these big tech companies are collecting, as well as why they’re collecting it and where it’s being shared. Under the new law, consumers can also choose to bar tech companies from selling their data to third parties, including advertisers.

The new privacy rules are set to take effect in 2020, but only in the state of California.

"The state that pioneered the tech revolution is now, rightly, a pioneer in consumer privacy safeguards, and we expect many additional states to follow suit," James P. Steyer, CEO and founder of Common Sense Media, said in a statement.

"Today was a huge win and gives consumer privacy advocates a blueprint for success. We look forward to working together with lawmakers across the nation to ensure robust data privacy protections for all Americans,” Steyer added.

Online privacy protection

News of the new legislation comes about a month after the European Union implemented strict new privacy rules known as General Data Protection Regulation, or GDPR.

However, the Norwegian Consumer Council recently stepped forward with claims that tech firms such as Google, Facebook, and Microsoft instituted changes to their user controls that only give consumers “the illusion” of privacy.

The California Consumer Privacy Act has gotten the support of most privacy advocates, but some have pointed out that there are a few loopholes in the law that could cause problems. For example, the law would allow tech companies or ISPs to charge higher prices to consumers who opt out of having their data sold to third parties.

"For the first time California is explicitly allowing 'pay for privacy' deals that are in direct contradiction to our privacy rights," Emily Rusch, executive director of the nonprofit California Public Interest Research Group, said in a statement.

State Senator Hannah-Beth Jackson (D), who supported the law, said paying for online privacy is a “dangerous and slippery slope.”

California’s new law provides some of the toughest online protections in the country.

“I think it’s going to set the standard across the country that legislatures across the country will look to adopt in their own states,” said state Sen. Bob Hertzberg (D).


Adidas warns millions of U.S. customers of potential data breach

The U.S. website is the likely culprit of the company’s data concerns

On Thursday, Adidas reached out to millions of customers in the United States to warn them about a potential data breach that occurred within the company’s U.S. website. According to a company statement, Adidas is referring to the situation as a “potential data security incident.”

“On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas customers,” the company said.

Based on a preliminary investigation conducted by outside data security firms, the leaked data was limited in nature.

“The limited data includes contact information, usernames, and encrypted passwords,” the statement said. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Cause for concern

Adidas found out about the possible data breach on June 26, and though it informed customers right away, the company is still uncertain when the breach took place.

“We are alerting certain customers who purchased on adidas.com/US about a potential data security incident,” a company spokeswoman told Bloomberg. “At this time, this is a few million consumers.”

A data breach -- though not uncommon for major brands as of late -- does have the ability to tarnish the reputation of a company. Based on a recent study by KPMG, 55 percent of global consumers have decided against purchasing something from companies that have had issues with online privacy.

Moreover, since 2017 several major brands have had data privacy incidents, including Sears, Best Buy, Saks Fifth Avenue, Lord & Taylor, and Under Armour, among many others. Most recently, Delta Air Lines reported a cyber attack that exposed the payment information of thousands of customers.

Despite this most recent incident, Adidas is looking to rectify the issue for consumers and is continuing to work to prevent future attacks on data privacy.

“Adidas is committed to the privacy and security of its consumers’ personal data,” the statement said. “Adidas immediately began taking steps to determine the scope of the issue and to alert relevant customers.”


Data breach may have exposed the personal information of 340 million people and businesses

Financial information was not leaked, but a range of personal characteristics were compromised

A database controlled by Exactis, a Florida-based marketing and data aggregation company, was left publicly accessible on the internet, exposing individual records on nearly 340 million people and businesses.

Security researcher Vinny Troia found that nearly 2 terabytes of data were exposed, which includes records of 230 million consumers and 110 million businesses.

"It seems like this is a database with pretty much every US citizen in it," Troia, founder of the New York-based security firm Night Lion Security, told Wired. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”

If these estimates are accurate, the leak would be even larger than the Equifax data breach of 2017, which exposed the personal data of around 145 million people.

Highly personal information

Although credit card information and Social Security numbers do not appear to have been exposed, the database reportedly held highly personal information, including phone numbers, home addresses, and email addresses.

It also exposed more than 400 personal characteristics, including interests, habits, if the person owns a dog or cat, and the age and gender of the person’s children. Wired noted that in some cases, the information may have been inaccurate or outdated.  

Despite the fact that no financial information was included, experts say that the wide range of personal data revealed could still make it possible for bad actors to create a more complete profile of individuals or help scammers steal identities.

Troia said he informed Exactis and the FBI that he was able to access the database on the internet earlier this month. The data is no longer publicly accessible. Exactis has not yet confirmed the leak.


The Weekly Hack: In Australia, a paperless real estate transaction may have cost a woman her house

On futuristic payment platforms, homeowners and cryptocurrency traders watch their money disappear

Australia is currently in the process of rolling out a new law that requires all real estate transactions -- from mortgage payments to home sales -- to go paperless.

The online-only property exchange and payment system is run by a company called Property Exchange Australia (PEXA), which is either a government-sponsored monopoly or an important disrupter and leader of the digital revolution, depending on who you talk to.

But like other digital “disruptors,” the PEXA platform may not be as secure as the company would like the public to believe. Dani Venn, an Australian woman and a former contestant on the reality show MasterChef, recently lost $250,000 after hackers stole the funds she had earned from selling her home.

Venn had planned to use the proceeds to purchase a new house. Instead, hackers somehow intercepted the payment, leaving the family homeless for the time being.

PEXA is reportedly trying to help the family, but the company is also denying that it bears any responsibility or liability in relation to the theft. In an interview with a local newspaper, the company claimed that the hacker had gained access to the victim’s money because of a hack on her email account rather than attacking the PEXA system itself.

But Venn does not buy that story. “I feel I want to pull out all my money from the bank. I don’t trust these big corporations. They don’t care about ordinary Australians,” she told the Sydney Morning Herald.

The theft comes just several weeks after another homeowner reported losing more than $1 million from the PEXA system. Independent property brokers in Australia told the paper that the PEXA system does not require users to verify their identity thoroughly enough.

South Korean cryptocurrency market

Repeated hacks are taking their toll on the cryptocurrency market. Less than two weeks after a multimillion dollar cryptocurrency theft in South Korea sent the value of Bitcoin tumbling worldwide, a different trading platform in South Korea reported falling victim to a similar attack.

The South Korean cryptocurrency exchange Bithumb on Wednesday announced that about $31.5 million worth of its virtual coins had been stolen. Bithumb, which is the world’s sixth largest cryptocurrency trading platform, promised to compensate all affected customers.

Still, a refund for victims doesn’t address the underlying security problem facing crypto-traders. “No security measures or regulations can 100% guarantee safety of virtual coins,” a security expert told the Guardian. “It is held anonymously and in lightly secured systems, which makes them an irresistible target.”

Bitcoin’s value has so far remained steady following the more recent hack, hovering above $6,000.

Military contractors

A group of hackers based in China are going after military contractors in the United States and Southeast Asia, according to the security firm Symantec. The hackers appeared to be interested in learning how affected companies operate.

Symantec's report follows a Washington Post story last week detailing how a group of hackers backed by the Chinese government took 600 gigabytes of data belonging to a United States Navy contractor. The hackers collected unclassified but sensitive data, including information on a supersonic missile project, according to the FBI, which is now investigating the breach.

Though troubling, this has hardly been the worst hack on a government contractor. The news once again highlights security holes that even companies that do military business are apparently not patching.


Supreme Court rules police need warrant to track your phone location

Proponents say the decision is a major win for consumer privacy

The Supreme Court ruled on Friday that law enforcement must obtain a search warrant to get access to cell phone location information.

The 5-4 decision was written by Chief Justice John Roberts, who joined the court’s four liberal justices.

The decision is seen as a victory by advocates of increased privacy rights, who argued that protections were needed when the government gets involved with a third party -- like a phone provider -- to obtain information.

This is seen as a loss by the Justice Department, which argued that an individual’s privacy rights are diminished when it comes to information that has been voluntarily shared with others.

The background

The ruling arose from a case involving a series of armed robberies in 2010 and 2011.

Police obtained a court order for 127 days of cell-site location records for a suspect named Timothy Carpenter. Those records, produced by his wireless carriers rather than taken from the phone itself, placed his phone near the robbery locations and were used to convict him.

Carpenter appealed his conviction to the Supreme Court, arguing that the Fourth Amendment required police to obtain a warrant before getting his location history from a cell-phone provider.

Rather than obtain a warrant, which would have required the police to prove to a judge there was probable cause to believe the phone records contained evidence, the police opted to obtain a court order under the Stored Communications Act.

“The government’s position fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location, but also everyone else’s, not for a short period of time, but for years and years,” Chief Justice Roberts wrote.

Present day

Because of limited technologies seven years ago, the information used at Carpenter’s trial wasn’t as precise as location information taken off phones today. It didn’t log where he was when his phone wasn’t in use or where he was when he sent texts. Police personnel were able to see his location to within one to two miles at the times he made phone calls, which worked in their favor in terms of the robberies.

Last November when this case made its way to the Supreme Court, justices were conflicted on whether they wanted to break with the third-party doctrine, which states that there is no reasonable expectation of privacy when an individual shares information with a third party (phone provider). Under this doctrine, police wouldn’t need a search warrant to obtain the pertinent information.

However, many justices have noted the stark differences in technology from when these laws were written to the present day. Chief Justice Roberts noted that allowing government access to historical GPS data represented an infringement of Carpenter’s Fourth Amendment rights.

“This is a groundbreaking victory for Americans’ privacy rights in the digital age,” said ACLU attorney Nathan Freed Wessler. “The Supreme Court has given privacy law an update that it has badly needed for many years, finally bringing it in line with the realities of modern life. The government can no longer claim that the mere act of using technology eliminates the Fourth Amendment’s protections.”


The Weekly Hack: Genealogy website downplays hack of 92 million users

MyHeritage says that it found ‘no evidence’ that the stolen data was used

Services that claim to help consumers discover their ancestry have taken off in recent years, but is it wise to trust an online service with your DNA? The genealogy website MyHeritage admitted on Monday that data from more than 92 million user accounts was accessed.

MyHeritage is characterizing what happened as a “cyber security incident,” the term that has become the corporate world’s phrasing-of-choice to describe an apparent hack.

The stolen information included email addresses and encrypted passwords, though MyHeritage is downplaying the impact that the hack could have on consumer privacy. “There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday.

“We believe the intrusion is limited to the user email addresses...Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security,” the company added.

The breach took place in October 2017 but was not caught until January 4, according to the company.

MyHeritage, much like competitors 23andme and Ancestry.com, offers a service in which users can submit a saliva sample for DNA analysis. 

Whether such services can be trusted with saliva samples and DNA information became a concern after police in California captured the so-called Golden State Killer earlier this year. Suspect Joseph James DeAngelo Jr. was arrested in April thanks in part to the genealogy site GEDMatch, authorities said. Police submitted a DNA sample from a crime scene to the site and said that it had matched the suspect’s DNA that they had already taken.

Ticketfly

The online ticketing site Ticketfly announced on Thursday that hackers stole the names, addresses, email addresses, and phone numbers of 27 million customers, though Ticketfly said that users’ credit card information was safe.

Ticketfly’s site went briefly offline after it detected the hack. But with the site up and running again, the company is requiring all users to change their passwords as a precaution.

“Upon first learning about this incident we took swift action to secure the data of our clients and fans,” a company spokesperson told Variety.

Canadian Banks

Several weeks ago, Mexico’s biggest banks lost millions of dollars to cyber criminals, and now America’s neighbor north of the border is dealing with its own bank hacking woes.

Canada’s fourth and fifth largest banks have released statements admitting that so-called “fraudsters” stole personal and financial information belonging to bank customers.

A spokesman for the Bank of Montreal told Reuters that less than 50,000 customers had their data accessed. Simplii Financial, the other bank that was hacked, said that 40,000 clients had “certain personal and account information” accessed. The banks’ handling of the breach is now being scrutinized by lawmakers.

“When will the Liberals take action to protect Canadian consumers with a digital bill of rights and stop letting these companies off the hook?” Canadian Member of Parliament Brian Masse said, pointing to similar measures that currently protect consumers in the European Union.

The EU’s data protection laws are generally stricter and more consumer-friendly than those implemented in the rest of the world.

Booking.com

Travel site Booking.com wasn’t actually hacked, but hackers are telling the site’s partner properties that attempts were being made to steal hotel cash and data on guests.

Scammers reportedly sent out emails and texts warning that Booking.com had been hacked. The emails directed recipients to change their password by clicking on a link, which actually exposed all information that customers with hotel reservations had submitted through the site.

“...in this case, there has been no compromise on Booking.com systems,” a Booking.com spokesman told the Daily Mail. “This property has been targeted by phishing emails sent by cyber criminals and by clicking on those emails, the property compromised its account.”

Nevertheless, Booking.com promised to compensate affected customers and hotels.

Cryptocurrency

The cybersecurity firm Carbon Black has a new report detailing the full scope of cryptocurrency hacks that have become regular news stories.

According to the company’s new research, cybercriminals stole a total of $1.1 billion in cryptocurrency over the past six months. Their method of choice is the “dark web,” or sections of the internet that are untraceable and only accessible via special software and above-average tech skills.

In an interview with CNBC, a Carbon Black strategist warns that it is “surprisingly easy” for hackers to steal cryptocurrency.  


Cambridge Analytica CEO accused of embezzling $8 million

The former CEO reportedly withdrew the money from the firm shortly after reports of the Facebook data breach began circulating

Alexander Nix, the former CEO of Cambridge Analytica, allegedly embezzled $8 million from the company before it shut down and filed for bankruptcy last month.

Nix is accused of stealing the money after British journalists began reporting on the company’s involvement in the Facebook data sharing scandal, but before the company collapsed, according to the Financial Times.

Investors who want to rebrand and relaunch the political ad consulting firm are currently trying to get the money back, and Nix has said he intends to repay part of the money.

Sources say the money was supposedly intended to help get a potential successor data firm, Emerdata, off the ground, with one person adding that Nix said the withdrawal was made in exchange for “unbooked services.”

Nix appeared before British lawmakers for a second time on Wednesday to testify about his role in the data sharing scandal that exposed the information of millions of Facebook users without their consent. At the session, Nix denied that he had withdrawn the money.

"The allegation made in that article is false, the facts in that article are not correct," he said.


The amazing, ever-changing story of the Equifax hack

From back-pedaling to clarifying to updating, the official story of the Equifax hack has a way of never staying the same

There's no delicate way to announce that cybercriminals have stolen sensitive information about half of the United States population, but Equifax at least deserves points for trying.

Equifax, one of the “big three” agencies that control the shadowy credit reporting industry, first announced its discovery of an unfortunate “cyber security incident” in early September.

The incident potentially impacted 143 million consumers, then-chairman and CEO Richard Smith said, adding that the firm “acted immediately to stop the intrusion.” An Equifax-led investigation into the matter would be complete in several weeks, the company said.

That turned out to be an extremely optimistic assessment. Another eight months passed until, finally, in a May 8 filing to the SEC, Equifax quietly said its investigation into the breach was complete, at least where the hack of government-issued identification is concerned.

“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators,” the credit reporting behemoth wrote in the filings. “It does not anticipate identifying further impacted consumers.”

The filing, Equifax seems to hope, will finally bring this dark chapter in its history to a close. Over those previous eight months, the Equifax breach evolved from a “clearly disappointing event” that Equifax said would soon be resolved to an ongoing international scandal and criminal case.

From a small sale to insider trading

Though Equifax said it “acted immediately” upon discovering that consumer information was accessed on July 29 of last year, some people questioned why the official announcement about the incident did not arrive until September 7.

It didn’t take much digging for financial journalists to find a potential answer. Later that day, Bloomberg News was reporting on its discovery that three Equifax executives sold $1.8 million worth of their shares in the company on August 1, one day after Equifax had said the breach was discovered.

John Gamble, the company’s Chief Financial Officer, sold a reported $946,374 worth of stock. Joseph Loughran, the president of U.S. information solutions, and Rodolfo Ploder, president of workforce solutions, sold half a million and a quarter million dollars’ worth of options, respectively.

In a statement to Bloomberg, an Equifax spokesperson initially described the $1.8 million sale as “a small percentage of their Equifax shares” and added that the executives “had no knowledge that an intrusion had occurred at the time.”

By November, Equifax had backtracked slightly, saying that it had agreed to launch an investigation into the sale. Luckily for the executives, the Equifax-led investigation found that the suspicious-looking stock dumping was perfectly legal.

But by March, a former Equifax executive was facing federal insider trading charges -- only this executive was a different one from the three that were cleared in the company investigation.

Jun Ying, a former information officer, “used confidential information to conclude that his company had suffered a massive data breach” and “dumped his stock before the news went public,” federal prosecutors said.

It remains unclear why Ying knew about the breach while other executives did not. Equifax says it is cooperating with authorities, explaining to the press in March that “we take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”

John Gamble, the Chief Financial Officer who sold nearly $1 million worth of his stock on August 1, remains at the company and is “responsible for all financial functions” at Equifax, according to his Equifax bio.

Monitoring credit and giving away rights

One potential way to keep people from panicking or getting angry about their data being stolen is to frame the unpleasant announcement as a chance to get something for free.  

“Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers,” the first Equifax press release revealing the breach said in big, bold letters.

Shortly after, Equifax had its new credit monitoring website live and ready to go.

At the unfortunately titled page equifaxsecurity2017.com, users were instructed to enter the last four digits of their social security numbers and their last names. From there, they could find out if they were impacted by the breach and enroll in credit monitoring.

But some consumers reported being told that their data was impacted, regardless of whether they put in a correct name and matching social security number. And after reading through the terms and conditions, advocacy groups warned that consumers may be walking into a trap. By agreeing to the terms on the website, consumers were agreeing to waive their rights to sue the company, according to a vague arbitration clause included in the fine print.

The National Consumer Law Center was among the advocacy groups warning consumers that the open-ended language in the clause would prevent consumers from taking Equifax to court.

“Consumers and media have raised legitimate concerns about the services we offered and the operations of our call center and website,” CEO Rick Smith responded in an editorial in USA Today. “We accept the criticism and are working to address a range of issues.”

Former New York Attorney General Eric Schneiderman, Sen. Elizabeth Warren, and other prominent Democratic lawmakers pressed Equifax about the arbitration clause. Equifax subsequently agreed to reword the agreement, explaining in the new fine print that the arbitration measure only applied to the credit monitoring service itself, not “the cyber security incident” in question.

Meanwhile, as that controversy played out, the official Equifax Twitter account continued to urge consumers to visit their security page and sign up for free credit monitoring. It took several weeks for people to notice that Equifax had been sending people to the wrong page.

Instead of sending consumers to equifaxsecurity2017.com, the Equifax Twitter account instead directed consumers to securityequifax2017.com, a fake phishing site that someone had created for the express purpose of ridiculing Equifax for creating “an easily impersonated domain.”

Equifax eventually apologized for the confusion, admitted that it had shared the wrong link, and removed the offending posts.

Credit locking, and more of the same

Several months later, in February 2018, Equifax rolled out Lock & Alert, a service offering a credit “lock,” marketed as a step below a credit freeze. While locks are not as secure as credit freezes, they are also cheaper and easier to implement.

In fact, Equifax said that its lock service was completely free. And, responding to the previous criticism about arbitration agreements, Equifax explicitly said that consumers who signed up for Lock & Alert were not agreeing to any arbitration provision.

“The consumer-empowerment approach that is offered through Lock & Alert is what people have come to expect,” Equifax said in promotional materials.

Not long after, consumers discovered that the experience of locking one’s credit might not be as empowering as they were led to believe.

It turned out that consumers who signed up for the service were unknowingly agreeing to let Equifax use their information for marketing purposes, according to advocacy group US PIRG, which reviewed the site’s fine print. And a reporter at NBC News found that the service didn’t work; an error message repeatedly appeared on the screen saying that “we are experiencing technical issues.”

“I think it's fair to say as with any service we did have some initial operational issues shortly after the launch,” Equifax spokeswoman Nancy Bistritz-Balkan told NBC News. “But our team has been working around the clock to document the issues and address it appropriately.”

Equifax goes abroad

Equifax focused its breach investigation on United States consumers, giving only a brief mention to impacted people in Canada and the UK. “Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” is all the firm had to say about the matter in September.

When people questioned what “limited personal information” for “certain UK and Canadian residents” actually meant, Equifax clarified that 400,000 people in the UK and 100,000 Canadians were affected.

That might sound like a figure a little too significant to describe as “limited,” but Equifax said that the breach was related to something else, an apparent “process failure,” as the company called it, that occurred a year earlier.

“This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016,” Equifax told the British press.

Several weeks later, Equifax revised the number yet again. The company announced that 700,000 UK residents would receive notices about their data being hacked.

An additional 14 million records in the UK were also stolen, Equifax clarified, but the cases were not considered serious enough to warrant direct notifications to those consumers.

An Equifax spokesman later offered this explanation about the many discrepancies affecting British Equifax victims to the BBC: "This information does not change the number of consumers affected or any of the UK figures/statements already provided.”

More people exposed

In March, Equifax said that an additional 2.4 million consumers in the United States had their information hacked, bringing the original figure of 143 million Americans that Equifax had tallied closer to 145.5 million. Though the announcement seemed like new information, Equifax insisted that it was not.

“This is not about newly discovered stolen data,” interim CEO Paulino do Rego Barros Jr. said. In what has become a familiar talking point, he said a new analysis of the stolen data had simply provided Equifax more clarity.

“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals,” Barros explained.

Exposed phone numbers and passports

In February, Equifax submitted a document to the Senate Banking Committee saying that hackers also accessed phone numbers, email addresses, and the expiration dates for credit cards. That appeared to be worse than the “birth dates, addresses, and, in some instances, driver’s license numbers” and “credit card numbers” that Equifax had told the public were stolen.

An Equifax spokesperson explained to the Wall Street Journal that “in no way did we intend to mislead consumers.” Rather, she said that the list given to Congress only reflected a “minimal portion” of consumers affected.

Based on the statements from Equifax, the public seemed to have the impression that their passport data at least was safe.

“And some data — like passport numbers — were not stolen,” the Associated Press confidently reported in February.

However, Sen. Elizabeth Warren published an independent report not long after claiming that passport information was, in fact, stolen. Equifax said that the senator’s characterization of what was stolen was not accurate.

“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” an Equifax spokeswoman told the New York Post in February.

But in an SEC filing in early May, Equifax indicated that scanned images of passports were stolen from thousands of consumers who had used the agency’s dispute portal.

In a statement, Equifax said it hadn’t been trying to hide that information. The passport information that it said wasn’t hacked came from a different data set than the stolen passport data it had discovered more recently.

“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” an Equifax spokeswoman told ConsumerAffairs in a statement.

“In response to a request from Congress to provide quantities of each data element impacted, in the interest of completeness, we manually reviewed the images stolen from the dispute portal in order to include the numbers of government-issued identifications contained within those images,” she added.

No unauthorized activity on core services

Throughout its repeated “updates” and disclosures about what was hacked, Equifax has maintained that it found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

What that statement actually means is up for debate. Senators and consumer groups have complained that the definition of “core consumer or commercial credit reporting databases” is overly broad.

From a consumer standpoint, identity theft crimes possibly related to the hack already seem to be taking place, affecting “core” business at least where victims are concerned.

Earlier this year, an accountant and several consumers went public with stories about identity thieves collecting government benefits on their behalf. Experts said the crimes could have been made possible thanks to the Equifax hack, as well as vulnerabilities on the social security website itself.

“While I’m not entirely sure how the thief obtained my personal information, it’s likely that the Equifax data breach...contributed to the identity theft,” accountant Jim Shambo, one such identity theft victim, wrote in a blog post.

Luckily for Equifax, such scenarios could turn out to be beneficial for the credit reporting agency. Or as Equifax CEO Rick Smith told a conference in August: “Fraud is a huge opportunity for us. It is a massive growing business for us.”

Equifax has not yet returned an inquiry from ConsumerAffairs asking, among other questions, whether there is any truth to the allegations leveled by Warren and others that it has profited off its own breach.

But, in the grand tradition of Equifax disclosures, Smith also appears to have changed his story and updated his perspective on the matter. A month after saying fraud was a “huge opportunity” for Equifax, the CEO published an editorial in USA Today clarifying that the Equifax hack had been “humbling” and bad for the company.

“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith wrote. “We will make changes and continue to strengthen our defenses against cyber crimes.”

Two weeks after making that promise, Smith suddenly decided to retire. He left with a compensation package worth $90 million.


The Weekly Hack: Nihilist Arby’s account falls victim to teenage hacker demanding $130

In a week of poetic hacks, Nihilist Arby’s portfolio went dark and a phone-tracking service for cops had its servers broken into

Nothing matters and Arby’s wants your money, according to the regular, depressing message delivered by the parody Twitter account Nihilist Arby’s. Or, in the Nihilist account’s own words: “Do drugs. Punch a stranger. Make love to your cousin. Enjoy Arby's. Arby's doesn't judge. Arby's doesn't care.”

Punk bassist and humor writer Brendan Kelly amassed 345,000 followers with his weekly Tweets parodying Arby’s and life itself. But for a page that regularly reminds fans that they will one day die and nothing is permanent, it’s somewhat poetic that every single Tweet on the Nihilist Arby’s account was recently deleted by a teenager trying to extort Kelly for a grand total of $130.

Kelly told PR Week on Thursday that he could no longer access his account after hackers logged on and changed his password. He later learned that his account information had been sold on a message board.

With his entire portfolio offline, Kelly got some unexpected help from the real Arby’s.

The fast-food chain, which has 827,000 followers on Twitter, offered to contact a Twitter representative to help Kelly get his account back, explaining in an interview with PR Week that people had mistakenly assumed Arby’s was behind the attack.

“We never want to be a brand that comes in and sends a cease and desist and tears it down because it has such a big fan base,” an Arby’s spokesman said. Twitter reportedly went to work on the case, and the Nihilist Arby’s page now appears to be restored, with the satirical Tweets back online.

“Did I die? Whatever. it was pretty much the same, honestly,” Nihilist Arby's told fans yesterday.

It’s not the first time that Nihilist Arby’s has received help from the non-Nihilist one. The chain several years ago surprised Kelly with a delivery of free sandwiches and a therapy puppy.

Grades and lunch money

Speaking of teenage hackers, high school students in Michigan were caught hacking the school district's computer system in an attempt to change their grades and give themselves more lunch money.

In a message to parents, the school district said that its investigation into the matter was still ongoing and that it would be working with forensic data experts to understand the full extent of the hack.

“Though we encourage our students to take responsible action, sometimes they make choices that do not reflect our guiding principles,” a message reads on the school’s website.

Law enforcement’s phone-tracking company of choice

Those who have served time, or have a loved one currently serving time, have probably heard of Securus Technologies, one of the few companies that controls phone communications and sometimes even in-person visitations between inmates and the outside world.

What Securus does with all that phone data has remained somewhat unclear until recently. It turns out that the company also offers law enforcement a service that allows them to surreptitiously track the location of nearly every cell phone in the country, according to data recently uncovered by the New York Times.

As Securus now faces a potential Senate investigation for helping police spy on phone locations without a court order, an independent hacker took it upon himself to show just how unstable Securus’ own cybersecurity is.

The site Motherboard is reporting that a hacker showed them stolen data -- such as usernames, passwords, and internal company files -- that they obtained by breaking into the Securus servers.

BMWs

Security researchers recently found flaws in the software of BMWs that could allow hackers to remotely gain access to the automaker’s luxury vehicles.

The findings by the Keen Research Group come at a time when consumer groups and safety researchers have expressed concerns about the security of the software that powers cars, both self-driving vehicles and normal ones. Experts and the industry itself have repeatedly described modern cars as “computers on wheels,” with Blackberry estimating that more than 100 million lines of code power the average sedan.

Researchers at the Keen Research Group studied BMWs, they wrote in their report, because its vehicles are now often “equipped with the new generation of ‘Internet-Connected’ Infotainment systems.”

“While these components have significantly improved the convenience and performance of customers’ experience, they have also introduced the opportunity for new attacks,” the researchers explain.

After the researchers published their technical report describing over a dozen vulnerabilities related to the technology, BMW announced it would fix the problem with a software “patch,” which was also developed by the Keen Research Group. Consumers are invited to visit the dealership so they can receive the software upgrade.

Rather than try to hide the findings, BMW announced that it is honoring the Keen Research Group for their work and plans more partnerships in the future.

"In response to what has become a race between technological progress and new, presently unknown attack scenarios, the BMW Group has launched a comprehensive cybersecurity action plan, which includes tests conducted both internally by the BMW Group and with the help of independent institutions," the company said.


The Weekly Hack: Attackers steal $15 million from Mexico’s central bank

Chili’s customers who dined at the restaurant are advised to check their credit card statements

An unknown group of hackers stole the equivalent of $15.3 million from Mexico’s central bank, the Bank of Mexico, the institution admitted on Wednesday.

The bank assured reporters that no individual accounts were harmed, but the hack raises further questions about the online security of financial institutions worldwide. The hackers had targeted interbank payment systems, or online transfer systems that allow banks to transfer money to each other in real time.

Meanwhile, people who use Citibanamex, the country’s second largest bank, were unable to withdraw cash from ATMs or conduct transfers this week, but the bank denied that its systems were compromised.

The Bank of Mexico, meanwhile, said that it switched to a slower, more secure online system after the hack to avoid any more breaches.

Chili’s

Brinker International, the restaurant conglomerate that owns Chili's Grill & Bar, says that any customers who dined at the restaurant in March or April may have had their credit card data accessed in a hack.

Brinker says that credit card or debit card numbers, as well as cardholder names, were stolen in an attack currently under investigation. The restaurant cautions against canceling cards unless users notice suspicious activity, but in the meantime, it is offering free credit monitoring to all affected consumers.

Signal

Tech experts have recommended that people who are concerned about their cybersecurity or who need to conduct sensitive conversations over the phone should use the messaging app Signal.

The messaging app boasts fully encrypted messaging, which prevents even seasoned hackers or government officials from reading users’ conversations. But even Signal isn’t perfect.

Security researchers this week identified a potential vulnerability in the app, in which they said that a malicious attacker could send an unprompted message to a stranger.

Researchers reported the vulnerability to Signal’s developers, who promptly created a patch to fix the problem.


Facebook suspends 200 apps from its platform

The company says its privacy investigation of thousands of apps is ongoing

Facebook has suspended 200 apps from its platform amid an investigation into companies that had access to large amounts of data on Facebook users.

Company CEO Mark Zuckerberg announced in late March that Facebook would restrict the amount of data apps have access to while investigating how these apps used the data before the restrictions were enacted.

Zuckerberg acted in response to the revelation that an app had sold vast amounts of user data to Cambridge Analytica, a political marketing firm. The data was used to target ads in support of Donald Trump's presidential campaign and the campaign in support of Britain leaving the European Union.

Ime Archibong, vice president of Product Partnerships at Facebook, says “thousands” of apps have been investigated so far, with 200 suspended from the Facebook platform. In a blog posting, Archibong says the suspensions do not mean the apps misused data, only that there are grounds for a further audit.

“Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website,” Archibong writes. “It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.”

Rocked to its core

The Cambridge Analytica scandal rocked Facebook to its core, resulting in Zuckerberg making numerous apologies and testifying before House and Senate committees. It also focused attention on major technology companies and what they do with users' data.

Facebook stressed that the app developer who sold data to Cambridge Analytica did not have the right to do so, adding that the move was in violation of Facebook's terms of service agreement. But the social network giant came under criticism for a nearly two-year delay in disclosing to users what had happened.

Facebook users who took part in the app developer's quiz, entitled “This is Your Digital Life,” gave the app developer access to their Facebook data, and the data belonging to their Facebook friends, most of whom were unaware of that fact.

Earlier this month Zuckerberg appeared at a developers conference and reaffirmed his company's commitment to privacy. Among the changes Zuckerberg announced was a new tool that allows users to delete any personal information about them that Facebook has collected.

Chili's data breach exposes customer credit card information

The Tex-Mex chain is still unsure how many customers have been affected by the breach

On Saturday, Chili’s parent company Brinker International announced that its payment systems had been infected with malware, potentially exposing customers’ credit and debit card information.

The company confirmed that personal data such as social security numbers, birthdates, or federal or state identification numbers are still secure, as Chili’s doesn’t request that information from its customers. However, credit or debit card numbers and cardholder names are at risk, though the incident was limited to only some restaurants.

In a company news release, Brinker said it believes the timeline of the breach was limited to March-April 2018, but the company is continuing to investigate the scope of the issue.

“We are working diligently to address this issue and our priority will continue to be doing what is right for our Guests,” Brinker said in the release. “We are committed to sharing additional information on this ongoing investigation with our Guests to learn more.”

What this means for Chili’s

News of the data breach adds Chili’s to a long list of retailers that have been impacted by similar issues just this year, including Sears, Whole Foods, Under Armour, and Kmart. The news is particularly bad for Chili’s because the chain has been suffering from a rather significant sales decrease for nearly a decade.

Additionally, data breaches like this one often result in customers losing trust in brands. A recent KPMG study found that 19 percent of consumers would no longer shop at a retailer that has experienced a breach, while 33 percent would take a long break.

One positive in these circumstances is Brinker’s near immediate response to the situation. The company’s response came just one day after the breach was discovered, which differs greatly from how Facebook’s recent data breach wasn’t made public until it was discovered by reporters.

What this means for consumers

Following the breach, Brinker said it will be working with third-party forensic experts to determine its severity and potential impact. The company stated that it would provide fraud resolution and credit monitoring services for guests, and it will continue to update its website as more information is made available.

Company officials reiterated that the breach only impacted customers at certain Chili’s locations between March and April and that it was safe for consumers to use debit and credit cards at store locations going forward.

Consumers who used their cards at Chili’s locations during that time period are urged to closely monitor their accounts for any suspicious activity. In its statement, Brinker recommended that customers contact a credit reporting agency and their bank or credit provider to enable additional protections.

“We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this issue,” the company said in a news release.

The Weekly Hack: 4Chan trolls spewing racism try to steal votes in high school science competition

Three black teenagers reached the finals of a NASA competition. Internet hackers decided to go after them

For this year’s annual high school science competition sponsored by NASA, many people paid attention to one invention in particular: a water filter designed to bring cleaner drinking water to public schools.

Public health researchers have for years warned that the water from fountains in public schools is contaminated with lead, bromide, and other chemicals corroding from old pipes.

Mikayla Sharrieff, India Skinner, and Bria Snell, all in the 11th grade at Benjamin Banneker Academic High School in Washington, D.C., had engineered a filter designed to detect contaminants in public school water fountains.

The girls had reached the finals of the NASA competition last month. They were the only black, female group of high school scientists to make the final rounds this year. Winners were to be decided by online voting.

This apparently caught the attention of 4chan, an online message board that experts warn has attracted increasingly hateful and racist users in recent years. A recent attack in Toronto was linked to a 4chan message board.

NASA said in a statement that it was ending voting early to prevent people from hacking the vote, showing how even NASA is apparently not immune to online trolls.

“Some members of the public used social media,” NASA said in a statement, “to attack a particular student team based on their race and encouraged others to disrupt the contest and manipulate the vote.”

NASA claimed that it closed the competition before the votes were compromised. The winners will be announced later this month.

But reporters found some evidence suggesting that a voting hack could have already taken place. An analysis by CNN found several threads on 4chan boards in which users directed each other to an anonymous privacy software to help “hack the voting system” and send votes to a group of boy high school scientists in the competition.

“...users posted racist insults and urged members to spread the campaign to other 4chan boards,” CNN reported.

Credit card chips

Those frustratingly slow readers for credit cards equipped with chips were supposed to be a small price to pay in exchange for safer credit cards. That is, until hackers figured out how to hack the chip readers.

The Better Business Bureau says that scammers are inserting thin microchips into the chip reader slot, allowing them to steal credit card information.

Other than catching someone in the act of putting a microchip into the credit card machine, a job that would likely fall on the cashier, there is no easy way to detect that the machines have been hacked.

“If you insert the card and it’s very tight, that could be a sign,” a Better Business Bureau spokesman told a Fox affiliate, “so make sure that you report it to the merchant.”

Small businesses

Major corporations that do not encrypt their data have proven to be vulnerable to hackers again and again. But it turns out that smaller businesses, with fewer resources to protect themselves from a hack, may also be a popular and easier target. Small local businesses in New Jersey make just as ripe targets as big business, the New Jersey Business Journal recently reported.

Sure enough, hacks targeting local businesses have been reported across the world this week. A salon in the United Kingdom said Friday that it was targeted with ransomware, or a type of malware that shuts down a computer system until owners hand over money.

In this case, information about all of the salon’s appointments had been deleted. In their place was a message demanding 30,000 pounds and a warning that more records would be deleted if the salon did not comply. The salon was warned by an IT support worker not to hand over the money.

The city of Atlanta was targeted with a similar type of ransomware attack earlier this year, and lawmakers in the state of Georgia are now mulling over a bill to make “unauthorized computer access” a crime in the state.

But a group of so-called ethical hackers, who say they hack for moral and ethical reasons, say that the law would only serve to criminalize their work. To protest the bill, the hackers targeted local restaurants and a church, changing their websites to add clips of pop songs.

The hackers have threatened to retaliate further if the law passes, a local newspaper reported.

Equifax filings now admit passport information was stolen

Hackers made off with information on thousands of passports as part of the massive 2017 breach

Earlier this year, Senator Elizabeth Warren published a report charging that the Equifax hack was worse than the company initially disclosed, in part because hackers had accessed consumer passport information.

“Equifax failed to disclose the fact that the hackers gained access to consumers’ passport numbers,” says the report published by Warren’s office in February.

A passport breach poses obvious identity theft concerns, but it is also a national security risk. Security experts have previously identified passport theft as a terrorism threat.

At the time, Equifax denied that any passport data was stolen. Instead, the company claimed that hackers were unsuccessful in their attempt to hack passport data.

“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” Meredith Griffanti, an Equifax spokeswoman, told the New York Post in February.

But Equifax is now saying that passport data was stolen from several thousand consumers. The company made the admission in filings it submitted to the Securities and Exchange Commission (SEC) in response to an ongoing congressional investigation.

Hackers steal information on thousands of passports

The passport breach affected consumers who were trying to challenge information on their credit reports, according to the SEC filings. Equifax directed such consumers to submit complaints to an online dispute portal. The customers were then required by Equifax to submit scans of their ID cards to verify their identity in some cases -- information that was subsequently accessed in the 2017 hack.

Equifax says in the recent SEC filings that hackers accessed information uploaded to that dispute resolution center and made off with scans of 3,200 passports or passport cards. “As part of the dispute process, some consumers may have uploaded government-issued identifications through the portal,” Equifax explains in the SEC filing.

Though this particular aspect of the 2017 hack had not previously been disclosed to the public, Equifax says that it has already notified each affected customer individually. The company claims it had no legal duty to disclose the passport information being stolen to the rest of the general public.

“Because the company directly notified each impacted consumer, the company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal,” the filing says, adding that the “government-issued identifications that were uploaded by consumers to Equifax’s online dispute portal” were “stolen by the attackers.”

Stolen information and harder repercussions

Hackers also managed to steal scans of 38,000 driver’s licenses, 12,000 social security cards, and 3,000 forms of other ID from the same online portal.

Asked about why Equifax appeared to be giving inconsistent answers about whether passport data had been stolen, the company responded that it had been discussing a different aspect of the hack in the earlier answers it gave this year.

“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” spokeswoman Meredith Griffanti tells ConsumerAffairs via email. “The analysis conducted on the data elements stolen from those tables found that there were no passport numbers within the passport field accessed by the attacker.”

Warren’s office is continuing to push for harsher repercussions for Equifax. Last month, she and two other lawmakers found that consumers had filed more than 20,000 complaints to the Consumer Financial Protection Bureau (CFPB) following the cyber attack.

Twitter users urged to change their passwords

The company says a glitch caused user passwords to be stored in unmasked form

Twitter is urging its 330 million users to change their passwords right away after it accidentally “unmasked” user passwords by storing them in an unencrypted format in an internal log file.

The company says it has since resolved the mistake and that an internal investigation revealed no indication that passwords were stolen or misused. However, users are still being urged to change their password as a precaution.

"We recently found a bug that stored passwords unmasked in an internal log," stated a tweet from the official Twitter Support account. "We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password."

Issue in the hashing process

The platform explained in a blog post that Twitter “hashes” passwords using the Bcrypt hashing algorithm, but the glitch caused passwords to be written to an internal log before the hashing step had run, so the log held them in plaintext.

"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Twitter said.

Users are advised to change their passwords on Twitter and anywhere else they use their Twitter passwords, including third-party apps like TweetDeck or Twitterrific. The replacement password should be strong and unique. The company also recommends enabling two-factor authentication and using a password manager.

Twitter didn’t say how many user passwords may have been exposed or how long the bug lasted. However, a person familiar with the company’s response told Reuters the number was “substantial” and that passwords were exposed for “several months."
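As an added illustration of the class of bug Twitter describes, the Python below (not Twitter's code; it uses the standard library's PBKDF2 as a stand-in for bcrypt, which is an assumption made so it runs with no third-party dependency) places a login handler that logs the raw request before hashing next to one that redacts secret fields at the logging boundary. A small check then scans the captured log text for the submitted password, which is the kind of test a team can run against its own request logging to catch this failure mode before it ships.

```python
"""Plaintext-secret-in-log failure mode, with the fix at the logging boundary.
Added example; not Twitter's code. hash_password() uses stdlib PBKDF2 as a
stand-in for bcrypt (assumption) so the script runs with no third-party deps."""
import hashlib
import hmac
import logging
import os
from io import StringIO
from typing import Callable, Dict, Optional

# Request keys whose values must never reach a log line.
SECRET_FIELDS = {"password", "passwd", "new_password", "token"}
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash; this string is what gets stored, never the input."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def redact(fields: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request with secret values replaced before it is logged."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v)
            for k, v in fields.items()}


def handle_login_unsafe(fields: Dict[str, str], log: logging.Logger) -> str:
    """Bug pattern: the whole request is logged before the password is hashed."""
    log.info("login request: %s", fields)
    return hash_password(fields["password"])


def handle_login_safe(fields: Dict[str, str], log: logging.Logger) -> str:
    """Fix: redact at the logging boundary; the raw value only reaches the hasher."""
    log.info("login request: %s", redact(fields))
    return hash_password(fields["password"])


def capture_log(handler: Callable[[Dict[str, str], logging.Logger], str],
                fields: Dict[str, str]) -> str:
    """Run a handler with an in-memory log so its output can be inspected."""
    buf = StringIO()
    logger = logging.getLogger(f"demo.{handler.__name__}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    stream = logging.StreamHandler(buf)
    logger.addHandler(stream)
    handler(fields, logger)
    stream.flush()
    return buf.getvalue()


def log_leaks_secret(log_text: str, fields: Dict[str, str]) -> bool:
    """Detection check: does any submitted secret value appear verbatim in the log?"""
    return any(v in log_text for k, v in fields.items()
               if k.lower() in SECRET_FIELDS and v)


if __name__ == "__main__":
    # Constructed sample request (not real credentials).
    request = {"username": "alice", "password": "correct-horse-battery-staple"}
    for handler in (handle_login_unsafe, handle_login_safe):
        text = capture_log(handler, request)
        print(f"{handler.__name__}: leaks secret = {log_leaks_secret(text, request)}")
        print("  log line:", text.strip())
```

The point of the split between `redact()` and `hash_password()` is that the secret has exactly one consumer: a logger that receives a sanitized copy cannot leak a value it never sees, whereas a logger that receives the raw request only stays safe as long as no one adds a debug line upstream of the hash call.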

Cambridge Analytica files for bankruptcy

The company said it lost virtually all of its customers and suppliers as a result of the Facebook data-mining controversy

Cambridge Analytica, the political consulting firm embroiled in the Facebook privacy scandal, announced on Wednesday that it is ceasing operations and filing for bankruptcy.

The decision comes two months after the London-based company -- which was originally hired by President Trump’s election campaign -- was accused of improperly harvesting data from up to 87 million Facebook users through a personality quiz. It was later revealed that the data was used for targeted political advertising.

In a statement posted to its website, Cambridge Analytica blamed negative media coverage for the data scandal. It said it lost virtually all of its customers and suppliers as a result of the controversy and was forced to file for bankruptcy in both the U.S. and in the U.K.  

Severely damaged reputation

A former Cambridge Analytica employee revealed that Julian Wheatland, the company’s chief executive, said the damage to the company’s reputation was too severe to continue operating and it was “futile” to try to rebrand the company’s offerings.

“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by [a third-party audit], the siege of media coverage has driven away virtually all of the Company’s customers and suppliers,” the company said in a press release.

“As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.”

The firm maintains that its business practices are common to other online advertisers and that Cambridge Analytica has been “vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.”

Facebook reaffirms its commitment to privacy

The company also announced a slew of new features and add-ons at its annual developer conference

At its annual developer conference -- dubbed F8 -- Facebook chief Mark Zuckerberg heralded changes to the social media platform.

The most important change involved giving its users the power to delete any personal information Facebook has collected. Also announced were a new dating tool, a virtual reality (VR) headset, and video chats for its Instagram app.

In his best business-like tone, Zuckerberg reaffirmed Facebook’s commitment to rebuilding the trust of its 2+ billion users. At the top of that list are personal privacy and building community.

"We are all here because we are optimistic about the future," said Zuckerberg. "We have real challenges to address but we have to keep that sense of optimism too. What I learned this year is we have to take a broader view of our responsibility."

Clear History

Facebook’s Chief Privacy Officer Erin Egan doubled down on Zuckerberg’s pledge in announcing the company’s plans for a feature called Clear History.

“This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward,” Egan said.

When a user clears out their history via the new setting, Facebook will delete any and all information that identifies who the user is. However, the company isn’t giving up its dependency on user data or taking away its ability to collect and repurpose demographic information for advertisers. It’s simply taking out all the dots that might connect the identity of the user.

Showing its good side

Facebook is holding true to the promise for privacy Zuckerberg made to Congress, but it also added a couple of other features to Facebook’s new collection of manners.

One of those is Crisis Response, a centralized section of Facebook where people can get real-time updates about recent crises as well as connect with people on ways to help or donate.

Another show of compassion is a blood donation feature for people in India, Bangladesh, and Pakistan where they can register as blood donors. The goal for Blood Donations on Facebook is to make it easier for people who want to donate to find opportunities nearby. People in those countries will be able to view nearby blood donation camps, requests for blood donations, and blood banks from a single place on Facebook.

What else is in store?

Goodness and mercy weren’t the only things in play at the conference. There were also some tidbits for the Facebook faithful and lures for the geeks.

New bells and whistles include:

  • A Groups tab designed to help users more easily connect to their existing groups and interact with content from all their groups.

  • A Video Chat add-on in Instagram. This new Skype-like wrinkle gives people a way to video chat in real-time, even when they all can’t be in the same place.

  • Oculus Go -- a virtual reality headset that gives gamers and curious techies the full-on spatial VR experience. The price point for Oculus Go starts at $199 for the 32 GB version.

  • Facebook Dating. While bringing a private information-oriented add-on might seem a little risky given the company’s recent scolding, Facebook says it’s actually been working on the idea for a dating feature for years.

“People already use Facebook to meet new people, and we want to make that experience better,” said Zuckerberg. “People will be able to create a dating profile that is separate from their Facebook profile — and potential matches will be recommended based on dating preferences, things in common, and mutual friends. They’ll have the option to discover others with similar interests through their Groups or Events.”

Facebook’s safety net for the dating feature is that whatever people do within that section is sacred territory and will not be shown to their friends.

The Weekly Hack: Thieves steal Ether coins and phone numbers

If it connects to the internet, it’s vulnerable to hacks. Cryptocurrency traders are learning this again and again.

Tens of thousands of dollars worth of cryptocurrency have been stolen by hackers, once again raising concerns about the security of blockchain technology.

MyEtherWallet.com is a free site that allows consumers to trade Ethereum, or Ether, a cryptocurrency currently valued in the ballpark of $650. The site warns all visitors that it doesn't consider itself responsible should hackers access users’ Ether accounts.  

“We cannot recover your funds or freeze your account if you visit a phishing site or lose your private key,” a notice on the site says. “You and only you are responsible for your security.”

That’s bad news for MyEtherWallet users who recently fell victim to a DNS hijacking scam. Hackers apparently redirected people who visited MyEtherWallet.com to a fake look-alike site. When users logged into the spoof site, the hackers were able to access their passwords and subsequently empty their accounts.

In all, the hackers reportedly made off with 215 Ether -- or the equivalent of $160,000.

According to a statement that MyEtherWallet published on Reddit, the hack was no fault of their own. Instead, the site blames vulnerabilities in Google’s DNS servers for the theft.

“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system,” MyEtherWallet said. “It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

It’s unclear if affected traders will get their funds back. MyEtherWallet adds in its statement that “we are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible.”

Uber’s Dubai competitor

Careem, a Dubai-based ride-hailing app that is Uber’s largest competitor in the Middle East, admitted that it discovered a security breach that exposed consumer data back in January.

The company did not disclose the breach until Monday because “Cybercrime investigations are immensely complicated and take time.”

“We wanted to make sure we had the most accurate information before notifying people,” a statement published by Careem added. Now that the breach has been disclosed, Careem is advising users to change their passwords and to monitor their bank accounts for any suspicious activity.

Phone numbers

Law enforcement in Colorado is asking for the public's help in finding suspects accused of taking part in a popular and relatively easy phone hijacking scam.

Using online services that identify the carrier of any phone number, identity thieves took that information to a mobile phone store, where they impersonated the account holder to get a new phone without paying for it. Instead, the cost of the phone showed up as an unpleasant surprise on consumers’ monthly bills.

According to the Federal Trade Commission, reports of this crime have doubled since 2013, with 2,658 complaints submitted in 2016.

Yahoo rises from the grave

The company Yahoo may be no more after getting sold to Verizon in 2016, but it still owes the government some money -- $35 million to be exact. The SEC is fining Yahoo for failing to alert investors and consumers about a massive security breach that happened back in 2014.

The SEC alleges that Yahoo’s information security team learned that “Russian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels’” several days after the attack took place in 2014.

To be more specific, the security team found that the stolen information included “usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.”

Yahoo eventually did disclose the breach two years later, shortly before it closed the deal with Verizon. Altaba, the company behind the Yahoo brand, has now agreed to pay a $35 million penalty for the cover-up.

Shipping companies

Forget pirates. A group of hackers based in Nigeria has figured out how to steal money from shipping companies via the internet, according to a report by a cybersecurity firm.

The hacking group, which goes by the name Gold Galleon, attempted to steal at least $3.9 million from maritime shipping businesses and their customers, the researchers said.

Researchers find a way to create a master key to hotel rooms

Even defunct hotel key cards can be used to help hackers break into rooms

Researchers at F-Secure, a Finnish cybersecurity company, discovered that a hotel lock system known as Vision by Vingcard can be hacked by combining a card reader that can be purchased online with custom software.

Security consultants Tomi Tuominen and Timo Hirvonen said they used old cards from hotels and generated a master key that gave them access to all the rooms using the lock.

“We found out that by using any key card to a hotel ... you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen told Reuters.

Untraceable master keys

The researchers said they’ve been trying to get to the bottom of key card problems for more than a decade, ever since a colleague’s laptop was mysteriously stolen from a locked hotel room.

“Intriguingly, there were no signs of forced entry,” the researchers wrote. Hotel staff ultimately dismissed their complaint because there wasn’t a single indication of unauthorized room access.

The researchers then decided to investigate whether it’s possible to enter a locked hotel room without the key, and years later, they figured out how to do exactly that with the Vision by Vingcard hotel lock system.

A $300 card reader can extract data from a discarded room key and crack the code to unlock all doors at a particular hotel, Wired reported.

"Basically it blinks red a few times, and then it blinks green," Tuominen told Wired. "Then we have a master key for the whole facility."

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen wrote.

Solution developed

Once the security flaws were discovered, the researchers alerted Assa Abloy, the lock’s manufacturer, and set out to develop a software fix.

That fix was issued earlier this year. However, hotel chains need to apply the fix to their systems. Several hundred thousand hotel rooms worldwide still haven’t updated their hotel key card system, Assa Abloy noted.

“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”

The risk of a security breach remains relatively low since the tools and methods by which the researchers made their discovery will not be published.

In a statement, F-Secure thanked Assa Abloy for helping them fix the flaw.

“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” Tuominen said.

Altaba agrees to $35 million data breach settlement

The company formerly known as Yahoo waited two years to reveal that hackers compromised a billion accounts

Altaba, formerly known as Yahoo, has agreed to pay a $35 million fine to settle charges that it failed to promptly disclose a massive data breach relating to hundreds of millions of user accounts.

The Securities and Exchange Commission (SEC) ruled that the company essentially misled investors because the stock price plunged after the breach was finally revealed.

The SEC found that within days of the breach, Yahoo knew that Russian hackers had broken into the network and made off with usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.

The regulator says the information was reported to Yahoo's senior management, but the company failed to properly investigate the circumstances and adequately consider whether the public should be notified.

Delayed for two years

The SEC says Yahoo waited two years, until it was in the process of selling its operating business to Verizon in 2016, before revealing the data breach.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, Co-Director of the SEC Enforcement Division. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

Last year, Yahoo executives were pressed by members of a Senate committee to answer questions about the breach. Then-CEO Marissa Mayer was asked to describe Yahoo's efforts to notify affected users and what steps the company had taken to mitigate consumer harm.

Last month a federal judge ruled that affected Yahoo users can move forward with a lawsuit against the company. The judge turned aside Verizon's objections, saying affected users might have behaved differently had they known their data had been compromised.

Harm to investors

The SEC settlement specifically addresses investors – people who had purchased Yahoo stock without knowing the company faced a potentially expensive liability. The order found that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications.

The SEC also said Yahoo failed to reveal information about the breach to its auditors or outside counsel to learn what it was obligated to disclose.

Altaba, formerly known as Yahoo, has agreed to pay a $35 million fine to settle charges that it failed to promptly disclose a massive data breach relating...

Facebook releases its complete guidelines for policing content

The company wants to provide clarity on how it decides which posts to take down

Facebook published 27 pages of previously secret rules today on how the site’s moderators decide which photos, videos, and posts should be removed and which can stay online.

The company said it spots potentially problematic content by using either artificial intelligence or reports from other users. That information is then passed on to its 7,500+ human content reviewers who work around the clock in over 40 languages.

Detailed policies

Facebook said it does not allow hate speech about “protected characteristics,” including race, ethnicity, national origin, religious affiliation, sexual orientation, sex, gender, gender identity, serious disability, or disease.

It said there are “some protections” around immigration status and three “tiers of severity” by which posts are judged. Here are a few of the site’s rules:

  • The sale of marijuana is not allowed (even in states where it’s legal)

  • Sexual activity in general is banned unless “posted in a satirical or humorous context”

  • Photos of breasts are allowed if they depict an act of protest

  • Guns can only be shown to adults aged 21 or older, and sales between individual people are not allowed

  • Bullying rules don’t apply to comments made about public figures

Providing clarity

A shorter version of the guidelines had leaked before, but the full guidelines had not been released to the public until today.

In releasing the detailed guidelines (which include specific examples), Facebook hopes to provide transparency about its content-policing process, which has in the past been criticized for appearing to be inconsistent at times.

“We decided to publish these internal guidelines for two reasons,” said Monika Bickert, Vice President of Global Policy Management at Facebook, in a statement.

“First, the guidelines will help people understand where we draw the line on nuanced issues. Second, providing these details makes it easier for everyone, including experts in different fields, to give us feedback so that we can improve the guidelines – and the decisions we make – over time.”

"We want people to know about these standards, we want to give them clarity," Bickert said.

Getting user feedback

The company admits that its enforcement “isn't perfect.”

“We make mistakes because our processes involve people, and people are not infallible," Bickert said. For this reason, Facebook is also adding a way for users to appeal when one of their posts gets taken down because of sexual content, hate speech, or violence.

Users will get a message explaining why the post was taken down and can follow a link to request a review, which will be handled by a team member “typically within 24 hours.”

“We are working to extend this process further, by supporting more violation types, giving people the opportunity to provide more context that could help us make the right decision, and making appeals available not just for content that was taken down, but also for content that was reported and left up,” Bickert said.


Hackers targeted some Gmail accounts to send spam

Consumers are being urged to not respond to any suspicious emails

A number of Gmail users have reported finding messages in their “Sent” folders that appeared to have been sent from themselves. Users said they discovered messages for things like “growth supplements” delivered to email addresses they didn’t recognize.

“My email account has sent out 3 spam emails in the past hour to a list of about 10 addresses that I don’t recognize,” a user posted on Gmail’s Help Forum.

“I changed my password immediately after the first one, but then it happened again 2 more times. The subject of the emails is weight loss and growth supplements for men advertisements,” the user continued.

Forged email headers

The messages contained forged email headers to make them appear to have been sent “via telus.com,” a Canadian telecommunications company.

The forged email headers allowed the messages to slip past spam filters. The fact that they appeared to have been sent by the affected user is what caused them to end up in the Sent folder.
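The forgery described above works because the visible From: header is free text and need not match the domain that actually handed the message over. The check below is an added example, not code from the article, Google or TELUS: it applies the identifier-alignment rule behind DMARC, comparing the From: domain with the envelope sender (Return-Path) and the DKIM signing domain (d=). Both sample messages are constructed; the addresses, selector and signature values are placeholders.

```python
"""Identifier-alignment check for a forged "sent from yourself" message.

Added example, not code from the article, Google or TELUS. It applies the
alignment idea behind DMARC: the domain in the visible From: header should
match the envelope sender (Return-Path) or the DKIM signing domain (d=).
A message that fails both has the shape the article describes: a From:
address belonging to the recipient, relayed through somebody else's domain.
The sample messages are constructed; their addresses, selector and
signature values are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed to resemble the campaign: From: is the victim's own address,
# but the envelope sender and DKIM signer belong to another domain.
FORGED_MESSAGE = """\
Return-Path: <bounce-8812@telus.com>
Received: from mx1.telus.com (mx1.telus.com [192.0.2.10]) by mx.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telus.com;
 s=sel1; h=from:to:subject; bh=Zm9v; b=YmFy
From: Alice <alice@gmail.com>
To: Alice <alice@gmail.com>
Subject: Growth supplements for men

Click here.
"""

# Constructed legitimate message: every identifier points at the same domain.
LEGIT_MESSAGE = """\
Return-Path: <alice@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
 s=sel1; h=from:to:subject; bh=Zm9v; b=YmFy
From: Alice <alice@gmail.com>
To: Bob <bob@example.org>
Subject: lunch?

Noon?
"""


def _domain(addr_header):
    """Lowercase domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def _dkim_signing_domain(msg):
    """The d= tag of the first DKIM-Signature header, or '' if unsigned."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else ""


def alignment_report(raw_message):
    """Compare From: against Return-Path and DKIM d= (strict alignment).

    Returns a dict; 'aligned' is True when at least one authenticated
    identifier matches the From: domain, which DMARC requires before a
    message may be treated as genuinely from that domain.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    dkim_domain = _dkim_signing_domain(msg)
    spf_aligned = bool(envelope_domain) and envelope_domain == from_domain
    dkim_aligned = bool(dkim_domain) and dkim_domain == from_domain
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "aligned": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, alignment_report(raw))
```

This checks alignment only; a real evaluator first verifies that the SPF and DKIM results actually passed, and DMARC's relaxed mode also accepts a subdomain of the From: domain, which the strict comparison above does not. The mismatch it reports is the same one that makes a mail client display a "via" annotation next to a sender whose domain did not authenticate the message.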

Many users were concerned that the messages were an indication that their account had been hacked. However, Google assured users that their accounts were secure and that the issue had been fixed.

“We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it,” Google confirmed to Mashable. “This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.”

“We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident,” the company said.

Report as spam

Google encouraged Gmail users to report any suspicious email as spam, noting that more information on how to report spam can be found by visiting the site’s Help Center.

TELUS, meanwhile, confirmed that its servers aren’t generating the emails.

“We have identified spam emails being circulated that are disguised to appear as if they are coming from http://telus.com. We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server,” a spokesman for the carrier said in a statement.

“We are working with our 3rd party vendors to resolve the issue, and are advising our customers not to respond to any suspicious emails.”


New report calls the FTC’s consumer privacy efforts into question

Raising the bar on expectations and self-reporting could benefit everyone

A new white paper -- "Understanding and Improving Privacy ‘Audits’ under FTC Orders" -- calls the Federal Trade Commission (FTC) on the carpet for its lenient approach to privacy audits required of tech companies like Facebook and Google.

"These audits, as a practical matter, are often the only ‘tooth’ in FTC orders to protect consumer privacy," wrote Megan Gray, an FTC attorney and non-resident fellow at Stanford Law School. "They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security."

While the FTC’s privacy audits are regarded as an efficient way of keeping tech companies in line with privacy commitments made to consumers, Gray urges the agency to improve its privacy standards if it intends on being serious about protecting consumers.

The paper illuminates how privacy audits are not actually audits as most understand them to be. Rather, because the FTC’s language only requires third-party "assessments," tech companies get away with submitting reports that are essentially a confirmation that they did all that was required.

Take Facebook for instance

A contemporary example would be Facebook’s run-in with its users’ privacy. Under the social media company’s agreement with the FTC, all it’s required to do is undergo twice-yearly privacy audits to show it isn’t misinforming its users about their privacy.

However, none of Facebook’s audits brought Cambridge Analytica’s data mining into question, even though Facebook knew about the misuse as far back as 2015. Congressional leaders implied that Facebook wasn’t following the FTC’s instructions as rigorously as it should have been.

In the FTC’s complaint against Facebook, the agency harped on the word "deceptive" in questioning Facebook on how it handled users’ private information in areas like profile and app settings.

As an example, the FTC brought up the fact that in November 2009, approximately 586,241 users had used their Friends’ App Settings to "block" Platform Applications that their Friends used from accessing any of their profile information, including their Name, Profile Picture, Gender, Friend List, Pages, and Networks.

Yet, in Facebook’s December 2009 Privacy Changes, its users could no longer restrict access to their "publicly available information," and all prior user choices to do that were overridden. Although Facebook reinstated those settings soon thereafter, the FTC found that the settings weren’t stored to a user’s Profile Privacy restrictions and instead were essentially hidden.

Better protection of consumers’ privacy is needed

Gray offers several ways the FTC could improve its privacy audits. At the top of her list would be requiring the FTC to end its reliance on a company’s simple confirmation that its privacy protection is up to snuff.

Gray suggests that the current method could be greatly improved if the FTC spelled out what it expects privacy auditors to examine and had assessors report directly to the FTC instead of to the company being audited.

"Simply ‘staying the course’ puts consumers...in an untenable situation, with real-world consequences," concludes Gray. "It’s time to dive deeply into understanding these third-party privacy assessments and consider meaningful proposals for their improvement. The FTC is an extraordinary agency, and it is more than capable of rising to this challenge."

In an email to ConsumerAffairs, the FTC stated that Gray has no involvement in current privacy or data security investigations and that the comments made in her paper do not reflect the agency’s views.


New research finds third-party trackers can abuse Facebook’s Login feature

JavaScript trackers can scrape user data without their consent

Facebook has been dealing with a number of privacy-related issues in recent months, and now it has another one to worry about.

The company has confirmed to TechCrunch that it is investigating a research report which shows that Facebook user data can be compromised by third-party JavaScript trackers embedded on websites that use Login With Facebook.

Trackers are able to harvest a user’s data -- including name, email address, age range, gender, location, and profile photo -- depending on what users initially provided to the website, according to the research report.

The security researchers found that “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”

“Surreptitious data collection”

Researchers say the unintended exposure of Facebook data to third party JavaScript trackers isn’t due to a flaw in Facebook’s Login feature.

“Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” said the report prepared by Steven Englehardt and two of his colleagues, published on Freedom to Tinker -- a blog hosted by Princeton University’s Center for Information Technology Policy.

The research revealed seven third parties abusing websites’ access to Facebook user data, and one third party using its own Facebook “application” to track users around the web.

Not yet widespread

The scripts were found on more than 400 of the top one million websites, including BandsInTown and MongoDB.

"We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down," MongoDB told TechCrunch.

The report’s authors pointed out that this is another example of an exploit that could have been avoided had Facebook done a better job of auditing how third parties use tools like Login, so that trackers cannot extract more information than necessary.

Facebook is already doing damage control on a number of data issues, including the revelation that data of up to 87 million users may have been improperly shared with Cambridge Analytica.

When questioned by Congress, CEO Mark Zuckerberg admitted that Facebook collects “data of people who have not signed up for Facebook.” He claimed the practice was done for security purposes.


Facebook says it will adopt Europe’s stringent privacy rules worldwide

The company will gradually launch new privacy protections to users in the coming months

Facebook has announced that it plans to roll out Europe’s strict new privacy rules to users worldwide.

The social media giant says it’s taking steps to comply with the EU’s General Data Protection Regulation (GDPR), which is slated to go into effect on May 25 and aims to give consumers control of their personal data. Companies that don’t comply with the law face fines.

“We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook,” the company said in a blog post.

"As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy," Facebook said in a statement. "We've also sought input from people outside Facebook with different perspectives on privacy, including people who use our services, regulators and government officials, privacy experts, and designers."

Consumers must give consent

Per the new legislation, companies must ask consumers for their consent on sharing their data using clear, easy-to-understand statements.

Companies won’t be able to lump different things together in order to get consumers to agree to data sharing. Children under 16 must have a parent opt in to data collection on their behalf. Users must also be able to rescind their consent.

The new law gives consumers the ability to access the personal data being stored by companies. Consumers can see where their information is stored and find out what purpose it is being used for.

Applied to Facebook users, the new privacy law gives users the option to choose whether they want to allow the platform to use partner data to display relevant ads. Users will also be asked whether they want to continue sharing political, religious, and relationship information on their profile, and the company’s facial recognition feature will be disabled by default.

The rollout of the new law is the latest action taken by the company to assure users that their information is safe in the wake of the Cambridge Analytica data sharing scandal, in which it was revealed that the personal data of up to 87 million users had been accessed without their knowledge.

Last month, Facebook announced it would be giving users more control over their privacy settings by consolidating 20 privacy screens into just one and giving users more control over the ads they view.

Research study finds thousands of Android apps collect data on children

The data carries interpretations about socioeconomic classes, everyday habits, and health conditions

A new study by the Privacy Enhancing Technologies Symposium (PETS) has uncovered an alarming statistic: a majority of the most popular and free children’s Android apps collect private data in violation of the Children’s Online Privacy Protection Act (COPPA).

Out of nearly 6,000 apps that it analyzed, the group said that over 1,100 collected personally identifiable information (PII). Additionally, nearly 3,500 shared identification information with advertisers, and roughly 2,300 collected other types of data.

The researchers say the data these apps collect runs the gamut from phone numbers and e-mail addresses to geolocation information. Of these, geolocation data may present the biggest concern because it not only pinpoints where someone lives; it also makes way for inferences about socioeconomic class, everyday habits, health conditions, and other information -- data that could have life-long implications for children.

Follow the money

There’s a domino effect in all of this, as well. According to the study, the collected data leaves a trail back to mobile marketers and app developers who make their money off the data they collect. The five most popular data destinations were mobile app monetization platforms: mopub.com (85 apps), aerserv.com (84 apps), skydeo.com (80 apps), youapp.com (80 apps), and inner-active.mobi (76 apps).

“Although we cannot know the true number of children’s apps in the Play Store, we believe that our results are representative, given that the apps that we examined represent the most popular free ones,” PETS said in a statement.

With the number of apps released each year, one can only imagine how daunting a task it would be to police every corner of every app’s code -- even for a company like Google.

“While child-directed apps may use some Google services, developers are responsible for using these services according to their obligations under the law,” Google stated in a directive to app developers. “Please review the FTC’s guidance on COPPA and consult with your own legal counsel.”

It was only last week when Google’s place in a child’s data food chain came into question. The Campaign for a Commercial-Free Childhood asked the Federal Trade Commission to investigate YouTube for violating COPPA. Specifically, the organization alleged that YouTube illegally collects data about underage viewers, then leverages that data to advertise to that demographic.

What apps are the biggest culprits?

One particularly flagrant example, according to the study, is app developer TinyLab. PETS observed that 81 of the company’s 82 apps shared GPS coordinates with advertisers. Especially popular apps included:

  • Fun Kid Racing (10-50 million installations)

  • Motocross Kids–Winter Sports (5-10 million installations)

  • Fun Kid Racing–Motocross (10-50 million installations)

PETS’ deep dive also came up with a determination that human-readable network names (SSIDs) also allow some inferences about users’ locations, especially when collected over time and across locations. PETS found 148 apps engaging in this behavior, including Disney’s “Where’s My Water? Free” app (100–500 million installations).

If this raises concerns...

So-called “free” apps have to make money somewhere, and it’s usually on the backs of the data it collects and spins into advertising revenue.

Short of a parent poring over the fine print in an app’s terms of service and making a conscious decision based on what they find, it’s a smart idea to ask the app’s developer exactly what information it collects and repurposes.

COPPA also offers FAQs for parents and developers alike, as well as an e-mail address where users can ask questions. That e-mail address is CoppaHotLine@ftc.gov.


The Weekly Hack: ‘Despacito’ fans receive message to ‘Free Palestine’

Vevo and YouTube respond by taking down the popular music video

People watching the music video “Despacito” this week may have been slightly confused by the cover photograph and description displayed on their screens. Before the music video started, a photograph of masked men pointing their guns at the camera — a clip from a Spanish Netflix show — appeared in the video display.

Underneath, the title of the video was changed to say, “x – hacked by prosox & kuroi’sh @OpIsrael ???? FreePalestine ft. Maluma.”

Videos uploaded by Taylor Swift, Selena Gomez, Drake, and Shakira were also altered by the same group.

In several posts on Twitter, the hacker who identifies themself as Prosox told YouTube and Vevo that it was a harmless prank and that they did not remove the actual music videos.

But the breach was apparently not amusing to YouTube and Vevo, as both sites temporarily took down “Despacito” and the other affected videos in response.

“I did not delete despacito must believe me,” Prosox added, in a post ridiculing Vevo’s security.

Virgin Island nation

Hackers have targeted the government of Sint Maarten, a small Caribbean country on the island of Saint Martin.

It’s unclear what the hackers did exactly. On its website, the Sint Maarten government only admits that some sort of cyber-attack took place and that they are now recovering from it.

“The Ministry of General Affairs hereby informs the public that the recovery process of the Government of Sint Maarten ICT Network is progressing steadily,” a local newspaper reported on April 6.

Hacking gaps found in power cords

Researchers in Israel identified a new method that hackers could use to launch a hypothetical cyber-attack: hacking computer power cords.

“In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel,” write researchers at the Ben-Gurion University of the Negev. Preventing such an attack would require installing special filters in power outlets, they say.

Researchers this week also identified a method by which hackers could use shared Word documents in Rich Text Format (as opposed to the .doc format) to steal data from consumers’ Microsoft Outlook accounts. The research is yet another reminder never to open attachments sent by strangers.


Facebook’s Zuckerberg apologizes before Congress and promises change

The Senate responds with a rigid new bill to ensure consumer privacy

Mark Zuckerberg’s “I’m Sorry 2018” tour played to an SRO crowd on Capitol Hill on Tuesday with the Facebook honcho taking all the punches he could withstand and promising all the privacy changes he could muster up.

Zuckerberg’s nearly four-hour Q&A match with 42 Senators focused on his company’s repeated privacy missteps and its breakdown in detecting the Russia-led crusade to influence U.S. voters.

“We were too slow to spot and respond to Russian interference, and we’re working hard to get better,” said Zuckerberg in a prepared statement.

“Our sophistication in handling these threats is growing and improving quickly. We will continue working with the government to understand the full extent of Russian interference, and we will do our part not only to ensure the integrity of free and fair elections around the world, but also to give everyone a voice and to be a force for good in democracy everywhere.”

Not so fast, Facebook

However, despite Zuckerberg vowing transparency and verification rules to protect its business and its flock, there were two Senators already loaded for bear, introducing a privacy bill of rights to protect the personal information of all American consumers, not just Facebook’s.

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) put into play a bill -- tagged CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) -- that would make “opt-in” the default option for whether users want their information collected or repurposed in any shape, form, or fashion.

While Facebook has offered its users the option to opt out of the data it collects since 2010, it’s likely that most consumers never really paid attention to what information they were giving away until now.

“The startling consumer abuses by Facebook and other tech giants necessitate swift legislative action rather than overdue apologies and hand-wringing,” said Senator Blumenthal. “Our privacy bill of rights is built on a simple philosophy that will return autonomy to consumers: affirmative informed consent. Consumers deserve the opportunity to opt in to services that might mine and sell their data – not to find out their personal information has been exploited years later.”

Making privacy the king

In hopes of reversing a platform such as Facebook’s power over a user’s personal info, the CONSENT Act:

  • Requires edge providers to obtain opt-in consent from users to use, share, or sell users’ personal information

  • Requires edge providers to develop reasonable data security practices

  • Requires edge providers to notify users about all collection, use, and sharing of users’ personal information

  • Requires edge providers to notify users in the event of a breach

  • Ensures that requirements are enforced by the FTC

This bill covers every conceivable corner of a user’s potentially sensitive information, too. Included are restrictions on:

  • financial information

  • health information

  • information pertaining to children

  • Social Security numbers

  • precise geolocation information

  • content of communications

  • call detail information

  • web browsing history

  • application usage history

To prove their seriousness, Blumenthal and Markey built some legal weight into their proposal by treating any violations of the measure as an infraction of the Federal Trade Commission Act. That act was created with the sole objective of "protect[ing] the process of competition for the benefit of consumers, making sure there are strong incentives for businesses to operate efficiently, keep prices down, and keep quality up.”

The Federal Trade Commission Act also has the power to protect privacy, giving the FTC the permission to penalize companies that violate their own policies through false advertising and other actions that can harm consumers.


Child advocates call for FTC probe of YouTube

The group says the site is illegally collecting children’s data

In a complaint filed Monday, a group of child, consumer, and privacy advocates claim YouTube illegally collects data about underage viewers and uses that data to advertise to its youngest users.

The group of advocates, led by the Campaign for a Commercial-Free Childhood, said it wants the Federal Trade Commission to investigate Google -- which owns YouTube -- for violating the Children’s Online Privacy Protection Act (COPPA), which sets strict rules for how companies can collect data about children under the age of 13.

Per COPPA regulations, companies that run websites targeted at children must notify parents and obtain their consent before collecting any personal data.

“Acted duplicitously”

The group says YouTube avoided COPPA requirements by saying in its terms of service that YouTube is only intended to be used by those over 13, even though Google knows YouTube is widely used among kids in the 6-12 age range.

The site even caters to young viewers, the group said, citing content that is specifically aimed at children under 13.

“Google has acted duplicitously by falsely claiming in its terms of service that YouTube is only for those who are age 13 or older, while it deliberately lured young people into an ad-filled digital playground,” said Jeff Chester of the Center for Digital Democracy. “Just like Facebook, Google has focused its huge resources on generating profits instead of protecting privacy.”

Calls for a fine

The group wants YouTube to change how it deals with content for children, pay a fine for allegedly profiting off young viewers, and “assess civil penalties that demonstrate that the FTC will not permit violations of COPPA.”

"Google has made substantial profits from the collection and use of personal data from children on YouTube. Its illegal collection has been going on for many years and involves tens of millions of US children," the complaint reads.

YouTube issued a statement saying that it “will read the complaint thoroughly and evaluate if there are things we can do to improve. Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.”

This isn’t the first time a complaint has been filed against YouTube for the way it handles children’s privacy. In 2015, advocacy groups said the site was violating FCC laws about advertising to children.


Facebook implements new transparency and approval process for political ads

The social media company leaves no stone unturned in trying to reclaim its users’ trust

In the face of everything else it’s trying to remedy, Facebook is doubling down on how it deals with what it calls political “issue ads.”

It’s a new layer of approval for anyone who wants to pay to have their political voice heard on Facebook. On top of the existing authorization process, advertisers will have to confirm their identity and location before they’re cleared to advertise.

As Facebook continues to fend off the fallout from its Cambridge Analytica misstep, with CEO Mark Zuckerberg coming to Capitol Hill today to answer to lawmakers, the company wants the world to know that it’s serious about changing how it deals with political ads and pages.

“We know we were slow to pick up foreign interference in the 2016 US elections,” wrote Facebook’s Rob Goldman, VP of Ads and Alex Himel, VP of Local & Pages. “Today’s updates are designed to prevent future abuse in elections — and to help ensure you have the information that you need to assess political and issue ads, as well as content on Pages.”

And, hoping to make this move perfectly clear, Facebook CEO Mark Zuckerberg stressed that these steps “won't stop all people trying to game the system. But they will make it a lot harder for anyone to do what the Russians did during the 2016 election and use fake accounts and pages to run ads.”

How will these changes appear?

Going forward, political ads on Facebook will be clearly marked as “Political Ad” and will feature information about who the ad is “paid for by.” The full rollout of the new identifiers is expected later this spring.

At the center of Facebook’s political ad policy are “issue ads,” the type that advocate on controversial matters. The social media platform says it’s working with third parties to craft a list of political hot-button topics, which will vary with the voter climate.

Facebook is also upping its ante on artificial intelligence and bringing in more people to help pinpoint political advertisers that should have gone through the authorization process but somehow got past its filters.

“We realize we won’t catch every ad that should be labeled, and we encourage anyone who sees an unlabeled political ad to report it. People can do this by tapping the three dots at the top right corner of the ad and selecting ‘Report Ad,’” Goldman and Himel went on to say.

As if to cover all the transparency bases, Facebook is also implementing a tool that will give its users the option to see all of the ads a page is running. That add-on is currently being tested in Canada with the intention of taking it worldwide if all goes according to plan.


The Weekly Hack: Attackers posing as honor students tried to change grades

A hack of several major pipelines has also raised concerns about the potential for environmental disaster

Police in Virginia are now investigating a hacking attempt to change grades at a local high school. Back in November, police say, an email purporting to come from the Oaktown High School Honor Council, the school panel dedicated to “honor and integrity,” directed recipients to a link that supposedly carried news about the school.

But users who followed the link were infected with malware that recorded their keystrokes and other data, giving the attackers login credentials for the school’s computer system. Shortly after the emails circulated, the school found multiple cases of grade changes being requested.

It’s unclear who was behind the hacking attempt, but it wouldn’t be the first time that students have hacked into a public school system to change grades, as the Washington Post reports.

While it may seem like a harmless crime to students, prosecutors have gone after such cases aggressively. One University of Iowa wrestler who attempted such a stunt now faces charges from the FBI.

Every Facebook user

Facebook admitted Wednesday that nearly every one of its users has had their data collected by “malicious actors.”

In response to the ongoing Cambridge Analytica scandal, Facebook published a blog post Wednesday updating people on changes they are making to privacy settings.

Buried in that blog post, Facebook announced that they are disabling a popular search feature that had let users search for each other by phone number and email. According to Facebook’s Chief Technology Officer Mike Schroepfer, the feature posed a security risk for nearly every one of Facebook’s users.

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them,” Schroepfer wrote. Hackers figured out how to “abuse” this feature, as well as the account recovery feature, to scrape data from “most” Facebook users.

Pipelines

Environmentalists have long warned that the aging, cheap pipes that deliver oil and natural gas are ill-equipped to prevent natural gas explosions or leaks. As oil and gas companies have become more dependent on digital technology, it turns out that even these supposedly modern safety improvements also put people at risk.

Hackers reportedly launched a cyber attack on Latitude Technologies, a Texas-based firm that handles computer communications for the oil, gas, and utility industries. The hack forced four major natural gas pipeline companies, including Energy Transfer Partners, to temporarily shut down their computer systems.

It’s unclear what the motives of the hackers would have been, but a security expert told the New York Times that the energy industry’s increasing dependence on technology poses an environmental and safety hazard. The systems may allow attackers to remotely cause “explosions, spills, or fires, which easily will threaten human life, property and the environment,” the expert said.


Facebook ups its possible data misuse total to 87 million users

Cambridge Analytica says it’s no more than 30 million

In updated estimates, Facebook says it’s possible that up to 87 million people had their data repurposed by Cambridge Analytica.

However, that metric comes with a precautionary warning.

“We wanted to take a broad view that is a conservative estimate,” said Facebook CEO Mark Zuckerberg in an interview. “I am quite confident that given our analysis that it is not more than 87 million. It very well could be less, but we wanted to put out the maximum we felt that it could be as that analysis says.”

In response, Cambridge Analytica disputed that figure loudly and defiantly.

“Cambridge Analytica licensed data for no more than 30 million people from GSR (Global Science Research), as is clearly stated in our contract with the research company,” the company wrote in a press release. “We did not receive more data than this.”

Cambridge wants its name cleared, too

Cambridge Analytica wants its name expunged from the list of entities behind any manipulation of data regarding Trump’s bid for the White House.

“We did not use any GSR data in the work we did in the 2016 US presidential election,” claims Cambridge Analytica in an attempt to define its position.

“When Facebook contacted us to let us know the data had been improperly obtained, we immediately deleted the raw data from our file server. We carried out an internal audit to make sure that all the data, all derivatives, and all backups had been deleted, and gave Facebook a certificate to this effect.”

Where do we begin?

The “millions” figures quoted by Facebook and Cambridge Analytica started out as 270,000 -- the number of respondents that used GSR’s “thisisyourdigitallife” app.

However, in addition to harvesting metrics on Facebook users who used the app, it has also been revealed that information was collected on those users’ “friends” on Facebook. That, in turn, raised the number of affected individuals into the millions.

Cambridge Analytica used the statistics it collected to build user profiles. The company credited the use of those profiles in helping the Trump ‘16 campaign take advantage of key biases and demographic changes.

All finger pointing aside, how does this get fixed?

Whether this is a matter of misdirection or re-direction, the PR battle between Facebook and Cambridge Analytica probably isn’t going away soon. But for Facebook users, it appears that CEO Mark Zuckerberg is being proactive, and things are getting better.

“So, now we have to go through every part of our relationship with people and make sure that we’re taking a broad enough view of our responsibility,” assured Zuckerberg. “And it’s not enough to give people tools to sign into apps, we have to ensure that all of those developers protect people’s information too. It’s not enough to have rules requiring they protect information, it’s not enough to believe them when they tell us they’re protecting information — we actually have to ensure that everyone in our ecosystem protects people’s information.”

At the top of Facebook’s list of new promises is a rather adamant pledge: “We’re not asking for new rights to collect, use or share your data on Facebook. We’re also not changing any of the privacy choices you’ve made in the past.”

Lining up right behind that pledge are more plums for any concerned Facebook user:

  • Personalized experience: Everyone’s experience on Facebook is unique, and we’re providing more information on how this works. We explain how we use data and why it’s needed to customize the posts and ads you see, as well as the Groups, friends and Pages we suggest.

  • What we share: We will never sell your information to anyone. We have a responsibility to keep people’s information safe and secure, and we impose strict restrictions on how our partners can use and disclose data. We explain all of the circumstances where we share information and make our commitments to people more clear.

  • Advertising: You have control over the ads you see, and we don’t share your information with advertisers. Our data policy explains more about how we decide which ads to show you.

  • One company: Facebook is part of the same company as WhatsApp and Oculus, and we explain how we share services, infrastructure and information. We also make clear that Facebook is the corporate entity that provides the Messenger and Instagram services, which now all use the same data policy. Your experience isn’t changing with any of these products.

  • Device information: People have asked to see all the information we collect from the devices they use and whether we respect the settings on your mobile device (the short answer: we do). We’ve also added more specific information about the information we collect when you sync your contacts from some of our products, including call and SMS history, which people have recently asked about.

  • Addressing harmful behavior: We better explain how we combat abuse and investigate suspicious activity, including by analyzing the content people share.

When will Facebook users see these changes?

Facebook can quickly change the controls users can click on or off and start cleaning up its act, but that’s only a start.

“I wish I could snap my fingers and in three to six months solve all these issues,” Zuckerberg said. “I think the reality is complex. I think this is a multiyear effort.”


Facebook CEO to testify before Congress next week

House Energy & Commerce Committee will question Mark Zuckerberg about privacy

Facebook CEO Mark Zuckerberg will testify before the House Energy and Commerce Committee next week, the committee has announced.

Zuckerberg has been in the eye of the Facebook storm over privacy issues since it was revealed that user data had been improperly obtained and used by a political marketing firm.

In a joint statement, committee chairman Greg Walden (R-OR) and ranking member Frank Pallone, Jr. (D-NJ) said the hearing will be an opportunity to shed light on critical consumer data privacy issues.

They said that as a result, all Americans may better understand what happens to their personal information online. The hearing is scheduled for 10 a.m. ET on April 11.

Zuckerberg declined an invitation to appear before a British Parliamentary committee investigating the same issue. Officials in both nations say they want to learn more about what data Facebook collects from users and who has access to it.

The scandal

In March, the New York Times reported that Cambridge Analytica, a political marketing firm, used Facebook user data to target ads on behalf of the British campaign to leave the European Union and the U.S. presidential campaign of Donald Trump.

Facebook said Cambridge Analytica was never authorized to receive the data, and obtained it from an app developer who had conducted a survey on Facebook. People who took the survey were informed that the developer would have access to their Facebook profiles -- as well as the profiles of all their Facebook friends. However, the friends were never informed their data was being accessed by a third party.

Since the revelation, Facebook has made a number of changes in the way it handles and safeguards user data, including severing ties with a major data broker and giving users more control over privacy settings.

Facebook is currently under investigation by the Federal Trade Commission (FTC) and several state attorneys general.


Facebook ramps up its purge of pro-Russian propaganda

Nearly 200 additional accounts and pages are chopped from its rolls

Facebook is not done with Russia… yet.

The social media leader is still uncovering accounts linked to the Internet Research Agency (IRA), the Russian company bent on turning Facebook into a propaganda fest.

And as soon as Facebook finds them, they’re axed from the platform. On Tuesday, the company announced that it had removed 70 Facebook and 65 Instagram accounts, plus another 138 Facebook Pages that were controlled by the IRA. Many of the offending Pages were also sneaking in Russia-favored advertisements and those, too, have been removed.

Facebook has a serious dog in this fight and is not afraid to give up the large number of users who follow these pages. An estimated 1.08 million unique users follow those suspect Facebook Pages and 493,000 unique users follow at least one of the Instagram accounts.

Those users are mostly eastern European (Russia, Ukraine, Georgia, Kyrgyzstan, et al), but also include 42,000 Brazilian users.

‘We’ll keep fighting’

Losing money doesn’t seem to be an issue for Facebook, either, especially when it comes to losing face. On the income side of the Russian-influence equation, the IRA-linked accounts had spent about $167,000 on Facebook and Instagram ads since 2015.

“The IRA has consistently used inauthentic accounts to deceive and manipulate people,” wrote Alex Stamos, Facebook’s Chief Security Officer. “It’s why we remove every account we find that is linked to the organization — whether linked to activity in the US, Russia or elsewhere.”

“We know that the IRA — and other bad actors seeking to abuse Facebook — are always changing their tactics to hide from our security team. We expect we will find more, and if we do we will take them down too. But we’ll keep fighting and we’re investing heavily in more people and better technology to constantly improve safety on Facebook.”

While the IRA’s most heralded invasion is the one surrounding the 2016 Presidential election, the new dearly departed are accounts that were “targeting people living in Russia,” Facebook CEO Mark Zuckerberg said in a post.

Increased investment in security

Zuckerberg seems determined to wipe every bit of mud thrown on his company’s face -- mud that was first slung when it was discovered that Cambridge Analytica plucked profile data from Facebook users to slant advertising to benefit Donald Trump’s presidential campaign and other right-wing candidates.

And the Facebook CEO is putting his money where his mouth is. “We have also significantly increased our investment in security. We now have about 15,000 people working on security and content review. We'll have more than 20,000 by the end of this year,” Zuckerberg said in a post.

He goes on to remind the world that Facebook found and took down 30,000 fake accounts leading up to France’s 2017 presidential election; worked in tandem with Germany’s Federal Office for Information Security to examine the threats it was seeing ahead of that country’s 2017 elections; and deployed artificial intelligence tools that “proactively detected and removed fake accounts from Macedonia trying to spread misinformation.”

Zuckerberg closed his post with this promise: “Security isn't a problem you ever fully solve. Organizations like the IRA are sophisticated adversaries who are constantly evolving, but we'll keep improving our techniques to stay ahead -- especially when it comes to protecting the integrity of elections.”


Panera Bread’s website involved in a data leak

The company says the issue has now been resolved

Consumers who ordered food online from the bakery-cafe chain Panera Bread via the company’s website could potentially have had their payment information exposed.

Panerabread.com leaked eight months’ worth of customer records from its website, according to a report by KrebsOnSecurity.

The data leak included customer names, email and home addresses, birthdays, and the last four digits of credit card numbers. The breach affected "millions" of customers who ordered food on the company's website, panerabread.com, the report said.

Issue has been resolved

Panera claims that fewer than 10,000 consumers had potentially been affected by the breach and stated that the issue has since been resolved.

Although its investigation is ongoing, Panera maintains that there is no evidence that payment records or other large amounts of personal information were accessed or retrieved.

“Panera takes data security very seriously and this issue is resolved,” the company said in a statement. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.”

“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.”


Saks, Lord & Taylor become latest retailers to be hit by data breach

A cybersecurity firm says five million payment records were compromised

Hudson’s Bay Co. says customer payment card information may have been stolen from shoppers at certain Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores in North America.

The retailer said in a statement that it has identified the issue and taken steps to contain it, but it has stopped short of disclosing how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

Five million records taken

However, one cybersecurity firm analyzed the available data and found that five million credit card and debit card numbers had been compromised in the breach.

Gemini Advisory LLC said in a report that the information was stolen from 83 Saks Fifth Avenue or Saks Off Fifth stores, and from all Lord & Taylor locations. Approximately 125,000 of the five million records compromised have been released for sale on the “dark web,” the firm said.

“Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present,” Gemini Advisory said.

Hudson’s Bay says it is “working rapidly with leading data security investigators to get customers the information they need, and the investigation is ongoing.” The company is coordinating with law enforcement authorities and the payment card companies for the investigation.

Consumers affected by the breach will not be liable for fraudulent charges, the company said.


The Weekly Hack: Atlanta held for ransom and must pay in Bitcoin

Atlanta officials say the city is being held hostage

Welcome to the future. Hackers are currently holding a major American city for ransom and are demanding that they be paid in Bitcoin.

Atlanta officials confirmed on Monday that a ransomware attack had kicked much of its computer system offline. Without the system functioning, Atlanta is unable to collect online bills from residents, which perhaps isn’t such a bad thing for people who are behind on their water bills or traffic ticket payments.

But the attack has frightening implications for government agencies. "This is much bigger than a ransomware attack, this really is an attack on our government," Mayor Keisha Lance Bottoms told a news conference. "We are dealing with a hostage situation."

The attackers have indicated that they will not restore Atlanta’s websites or computer systems until they are paid $51,000 in Bitcoin.

Ransomware, as its name suggests, encrypts or locks up a computer’s files and then displays a message demanding a ransom in exchange for unlocking them. Like much other malware, it often arrives in an email that tricks the recipient into opening a “phishing” link or attachment, though it can also spread through exposed or unpatched network services.
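As an added illustration of the behaviour just described (example code written for this page, not taken from the Atlanta incident or any vendor), the script below runs a simple ransomware heuristic over constructed endpoint file-event logs: a process that renames many files to a new extension within a short window, or renames a few and also drops a ransom note, gets flagged. The CSV layout, the 60-second window, the threshold of 20 renames and the note-name pattern are all assumptions made for the example and would be tuned per environment.

```python
"""Flag ransomware-like file activity in endpoint file-event logs.

Heuristic: one process that, in a short window, renames many user files to a
new extension, or renames a few and also drops a ransom note. Thresholds and
the log format are assumptions made for this example.
"""
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)     # sliding window per process (assumption)
RENAME_THRESHOLD = 20              # extension changes that alone trigger an alert
NOTE_PATTERN = re.compile(
    r"(readme|decrypt|recover|how_to|restore)[^\\]*\.(txt|html?)$", re.I)


def _ext(path):
    """Lower-cased extension of a Windows path, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(log_text):
    """Return {(pid, process): reason} for processes showing ransomware-like behaviour.

    log_text is CSV with columns ts,pid,process,op,path,new_path
    (new_path is empty unless op == "rename").
    """
    renames = defaultdict(deque)   # (pid, process) -> timestamps of extension changes
    notes = defaultdict(set)       # (pid, process) -> ransom-note paths created
    flagged = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        key = (int(row["pid"]), row["process"])
        if row["op"] == "rename" and _ext(row["path"]) != _ext(row["new_path"]):
            window = renames[key]
            window.append(ts)
            while ts - window[0] > WINDOW:   # drop events older than WINDOW
                window.popleft()
        elif row["op"] == "create" and NOTE_PATTERN.search(row["path"]):
            notes[key].add(row["path"])
        n = len(renames[key])
        if key not in flagged:
            if n >= RENAME_THRESHOLD:
                flagged[key] = f"{n} extension changes within {WINDOW.seconds}s"
            elif n >= 3 and notes[key]:
                flagged[key] = (f"{n} extension changes plus ransom note "
                                f"{sorted(notes[key])[0]}")
    return flagged


def build_sample_log():
    """Constructed log: routine saves by explorer.exe, then a mass rename by updater.exe."""
    rows = ["ts,pid,process,op,path,new_path"]
    docs = r"C:\Users\ann\Documents"
    for i in range(5):   # benign: the same file saved repeatedly, extension unchanged
        rows.append(f"2018-03-22T08:00:{i:02d},1201,explorer.exe,write,{docs}\\q1.xlsx,")
    for i in range(25):  # malicious: 25 documents renamed to .locked in 25 seconds
        rows.append(f"2018-03-22T08:01:{i:02d},4410,updater.exe,rename,"
                    f"{docs}\\report{i}.docx,{docs}\\report{i}.docx.locked")
    rows.append(f"2018-03-22T08:01:30,4410,updater.exe,create,{docs}\\README_DECRYPT.txt,")
    return "\n".join(rows) + "\n"


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for (pid, proc), reason in detect(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} process={proc}: {reason}")
```

The rename-rate signal alone catches the mass-encryption phase early; the weaker note-plus-renames rule exists so that a slow, throttled encryptor that still has to announce itself is not missed.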

Atlanta officials have not yet indicated whether they will pay the ransom.

As of Friday afternoon, Atlanta’s page for allowing residents to pay their water and sewer bill was still not loading. The municipal court online payment webpage says: “City of Atlanta is currently experiencing technical issues which is impacting the ability to take payments at this time.”

Under Armour

Under Armour warned a whopping 150 million people on Thursday to change their password. The company owns a popular application called MyFitnessPal that tracks nutritional intake and workout routines. Hackers gained access to the usernames, email addresses, and hashed passwords of all 150 million users.

The company says that credit card information was not accessed and that it is working with law enforcement.

“We do not know the identity of the unauthorized party. Our investigation into this matter is ongoing,” the company announced.

Italian soccer (football) team

It happens to the best of us. The Italian newspaper Il Tempo is reporting that SS Lazio, a football team in Italy, was tricked into paying the final portion of a player’s contract to hackers.

A Dutch soccer club had traded their star defender, 26-year-old De Vrij, to SS Lazio in 2014. A hacker impersonating the Dutch team recently sent SS Lazio an email asking for the final installment of his contract, about two million euros.

The Dutch team says they never sent that email and never received the final payment. Authorities are reportedly investigating the issue.


Under Armour says 150 million MyFitnessPal accounts were affected by data breach

Users are being urged to change their account password right away

Under Armour has disclosed that 150 million MyFitnessPal diet and fitness app accounts were affected by a security breach. The number of records compromised makes this the largest data breach this year and one of the top five in history.

The company said it became aware of the hack on March 25, but it believes that an unauthorized party had access to the accounts since late February. Information made vulnerable to cyber criminals in the breach includes users’ email addresses, usernames, and hashed passwords.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users,” Under Armour said in a statement.

“Payment card data was also not affected because it is collected and processed separately. The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

Users urged to change passwords

Four days after discovering the breach, Under Armour notified MyFitnessPal users via app and email notifications. The company said users could safeguard their account and information by taking the following measures:

  • Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.

  • Review your accounts for suspicious activity.

  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.

  • Avoid clicking on links or downloading attachments from suspicious emails.
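The first of those measures rests on the fact that a leaked password hash is still a liability. The example below is added here to show why; it is not Under Armour’s code, and the article does not say which hash function MyFitnessPal used. Against an unsalted fast hash, one wordlist table cracks every user at once; against a per-user salt and a slow key-derivation function, every guess costs the attacker a full derivation per user. A weak password still falls either way, which is why changing it is the only complete fix. The usernames, passwords, wordlist and PBKDF2 work factor are constructed assumptions.

```python
"""Why leaked password hashes still mean "change your password".

Added example: compares an unsalted fast hash (one lookup table serves every
user) with a salted, slow KDF (each guess is paid per user). All users,
passwords and the wordlist are constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor; assumption for this example

# Constructed user database: three users, two of whom share a weak password.
USERS = {"ann": "sunshine1", "bob": "Tr0ub4dor&3", "cid": "sunshine1"}
# Constructed attacker wordlist (real ones hold millions of entries from prior breaches).
WORDLIST = ["123456", "password", "sunshine1", "letmein", "qwerty"]


def store_unsalted(users):
    """Legacy scheme: hex(SHA-1(password)). Same password -> same hash for every user."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users):
    """Recommended scheme: per-user random salt plus a slow KDF."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return out


def crack_unsalted(db, wordlist):
    """Build one table from the wordlist, then check every user against it for free.

    Returns (cracked, hash_computations).
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db, wordlist):
    """Each guess must be re-derived with every user's own salt.

    Returns (cracked, kdf_computations); work grows with users x guesses.
    """
    cracked, work = {}, 0
    for u, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == digest:
                cracked[u] = w
                break
    return cracked, work


def verify(db, user, password):
    """Constant-time login check against the salted store."""
    salt, digest = db[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak, strong = store_unsalted(USERS), store_salted(USERS)
    print("unsalted SHA-1 :", crack_unsalted(weak, WORDLIST))
    print("salted PBKDF2  :", crack_salted(strong, WORDLIST))
```

Both stores give up the two weak accounts; the difference is that the unsalted table cost five hashes for all users combined, while the salted store charged eleven slow derivations for three users, and that cost multiplies across a 150-million-row dump. Neither scheme protects a password that is in the attacker’s wordlist, so users must rotate it.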

Under Armour said it doesn’t know the identity of the unauthorized party and is currently working with data security firms to assist in its investigation. It did not provide details on how the hackers got into its network in the first place.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” Under Armour informed its customers. “We continue to make enhancements to our systems to detect and prevent unauthorized access to user information."


State Department proposes that all visa applicants disclose social media identities

The move expands the Trump administration's cross-check of U.S. visitors and immigrants

The U.S. State Department wants to widen its scrutiny of U.S. visa applicants by asking them to unveil their social media handles.

According to a Bloomberg report, the new visa applications will ask applicants to “provide any identifiers used by applicants for those platforms during the five years preceding the date of application.”

This move broadens the Department’s vetting of visa applicants. It’s possible the new information could uncover any possible ties to groups, sympathies, posts, or messages that warrant concern.

What information will be asked for

If this request is approved, additional questions will ask for five years of previously used telephone numbers, email addresses, and international travel information; whether the applicant has been deported or removed from any country; and whether specified family members have been involved in terrorist activities.

Prior to this, email addresses, phone numbers, and social media identities were asked for from applicants who the Department thought should be more closely examined. Last year, about 65,000 people fit that profile.

Visa processing is a heavy burden for the State Department. There are an estimated 14 million visa applications a year that take 21 million annual hours to process.

A diligent and thorough process

In the aftermath of the 2015 terrorist attack in San Bernardino, California, Congress raised concerns about the use of social media by terrorist groups and requested that the Department of Homeland Security (DHS) broaden its social media background checks.

In turn, DHS established a task force for using social media to screen immigration applicants. Additionally, the U.S. Citizenship and Immigration Services (USCIS) and the Immigration and Customs Enforcement (ICE) tested programs that expanded social media screening of those applicants.

Last December, DHS got the approval to put those supplemental background checks in place.

The State Department provides a full list of FAQs for anyone considering applying for a visa. Also available are updated answers to questions regarding the Trump administration’s immigration restrictions.


Facebook memo puts besieged company on the defensive again

The company says the 2016 memo was purposefully provocative to stir debate

On a day when Facebook took additional steps to tamp down the furor over its handling of user data, company CEO Mark Zuckerberg was forced to explain an internal Facebook memo that surfaced in the media.

BuzzFeed published a 2016 Facebook memo to employees in which company vice president Andrew "Boz" Bosworth argued that Facebook should be prepared to do whatever is necessary to increase user growth.

“We connect people. Period," Bosworth told Facebook employees. "That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.”

Fuel for critics

Facebook critics were quick to pounce on the memo, calling it further evidence that the company plays fast and loose with user privacy. Facebook has been pilloried since it revealed that an app developer obtained Facebook user data, then sold it to a political marketing group.

Zuckerberg released a statement strongly disavowing the contents of the Bosworth memo. However, he pointed out that Bosworth was often purposely provocative in an effort to bring critical issues into the open for debate.

"Boz is a talented leader who says many provocative things. This was one that most people at Facebook including myself disagreed with strongly," Zuckerberg said. "We've never believed the ends justify the means."

Bad timing

The memo's release comes at a bad time for Facebook, which has spent much of this week taking steps to reassure lawmakers, regulators, and users. On Thursday, Facebook's vice president for product management, Guy Rosen, participated in a conference call with reporters to discuss steps Facebook is taking to protect election security for the upcoming midterms.

Rosen identified four main election security areas that Facebook is working on:

  • Combating foreign interference

  • Removing fake accounts

  • Increasing ads transparency

  • Reducing the spread of false news

"This is a comprehensive approach we deploy in elections around the world, and we’re here today to share our thinking about what we are doing so that you can better understand our approach," Rosen said.

Also this week, Facebook announced tweaks to the site that will cause all Facebook users to see more local news in their news feeds. Previously, the change was made only for U.S. users.

Facebook also moved this week to exclude third-party data providers from its advertising platform, limiting what marketers know about users' shopping habits. According to industry insiders who spoke with CNBC about the move, it makes data brokers less effective while giving Facebook more control over the data used to target ads.


Boeing is the latest to be hit by WannaCry ransomware

The attack is a reminder that Microsoft Windows users should double-check their system

Boeing Company’s computer system was struck by the WannaCry ransomware on Wednesday. The company’s worst fear was that crucial aircraft production equipment might be crippled, but Boeing’s IT team came to the rescue and averted the crisis.

“All hands on deck” was the message the aircraft maker fired off to its leadership team. In an internal memo, Mike VanderWel, Boeing’s chief engineer of commercial airplane production, said the attack was “metastasizing” and he worried it could spread to Boeing’s production systems and airline software.

A virus that lives up to its billing

Boeing became the latest to find out just how serious the WannaCry virus can be and how important up-to-date security settings are.

Simply put, WannaCry makes you, well, wanna cry. It is what’s called a “ransomware cryptoworm”: it encrypts the files on computers running Microsoft Windows, demands a ransom payment in Bitcoin to unlock them, and then spreads itself to other machines on the network without any action by the user.

It spreads by exploiting a flaw in Windows’ SMBv1 file-sharing service that Microsoft had patched in March 2017 (security bulletin MS17-010), two months before the outbreak. WannaCry can still paralyze computers where that patch hasn’t been applied, and older Windows versions that Microsoft no longer supported were covered only by an emergency patch Microsoft issued after the attack began.
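One practical check that follows from the paragraph above, added here as an example and not taken from the article, Boeing or Microsoft: WannaCry enters over SMBv1 on TCP port 445, so a host that still negotiates an SMBv1 dialect is exposed unless MS17-010 is installed. The script builds a minimal SMB1 NEGOTIATE request offering only the “NT LM 0.12” dialect, classifies the reply, and includes a constructed reply so the parsing can be exercised offline. The header field values are typical client values chosen for the example, and the host name is whatever you pass on the command line.

```python
"""Check whether a host still speaks SMBv1, the protocol WannaCry spreads over.

Added example. Builds an SMB1 NEGOTIATE request that offers only the
"NT LM 0.12" dialect and classifies the reply: a host that accepts the dialect
still has SMBv1 enabled and is safe only if MS17-010 is installed.
The sample reply is constructed; header field values are assumptions.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]
HEADER_FMT = "<4sBIBHH8sHHHHH"   # 32-byte SMB1 header, little-endian


def _smb1_header(flags):
    return struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE,
                       0,            # NT status
                       flags,        # 0x18 request / 0x98 reply (bit 7 = response)
                       0xC853,       # Flags2: Unicode, NT status, ext. security, long names
                       0,            # PIDHigh
                       b"\x00" * 8,  # SecurityFeatures (signature, unused here)
                       0,            # Reserved
                       0xFFFF,       # TID
                       0xFEFF,       # PIDLow
                       0, 0)         # UID, MID


def _netbios(message):
    """NetBIOS session-service header: type 0x00 plus 24-bit big-endian length."""
    return b"\x00" + len(message).to_bytes(3, "big") + message


def build_negotiate(dialects=DIALECTS):
    """SMB_COM_NEGOTIATE request: WordCount=0, ByteCount, 0x02-prefixed dialect strings."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(_smb1_header(0x18) + b"\x00" + struct.pack("<H", len(body)) + body)


def interpret_response(data, dialects=DIALECTS):
    """Return (smb1_exposed, detail) for the raw bytes received after build_negotiate()."""
    if len(data) < 4 + 35:
        return False, "no SMB reply: connection closed (SMBv1 disabled or port filtered)"
    smb = data[4:]                      # strip the NetBIOS header
    if smb[:4] == SMB2_MAGIC:
        return False, "server answered with SMB2 only"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return False, "unexpected reply, not an SMB1 NEGOTIATE response"
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0] if word_count else 0xFFFF
    if dialect_index == 0xFFFF:
        return False, "SMBv1 answered but rejected every offered dialect"
    name = dialects[dialect_index].decode() if dialect_index < len(dialects) else "?"
    return True, f"SMBv1 enabled, server selected dialect {name}"


def probe(host, port=445, timeout=3.0):
    """Live check against one host (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return interpret_response(data)


def sample_smb1_response(dialect_index=0):
    """Constructed NEGOTIATE reply shaped like one from a Windows host with SMBv1 on."""
    words = struct.pack("<HBHHIIIIqhB",      # the 17 parameter words of an NT LM 0.12 reply
                        dialect_index, 0x03, 50, 1, 16644, 65536, 0,
                        0x8001F3FC, 0, 0, 8)
    challenge = b"\x00" * 8
    body = bytes([17]) + words + struct.pack("<H", len(challenge)) + challenge
    return _netbios(_smb1_header(0x98) + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(interpret_response(sample_smb1_response()))
```

Run it with a host name (assuming the file is saved as `smb1_check.py`: `python smb1_check.py 10.0.0.5`); a reply that selects `NT LM 0.12` means SMBv1 is still on. Disabling SMBv1 removes WannaCry’s entry point even on hosts that cannot be patched, so an inventory built from this check is the natural companion to the patch status.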

When WannaCry first hit the scene in May 2017, it brought more than 230,000 computers to their knees worldwide. No one was spared, either. The ransomware attack hit universities, governments, hospitals, utilities, and others including Nissan, FedEx, Honda, and even the Russian railway system.

WannaCry’s victims were held up for between $300-$600 in ransom money before the virus’ masterminds would unlock the files the malware was holding hostage.

In December 2017, the United States, United Kingdom, and Australia formally alleged that North Korea had masterminded the attack. That assertion was backed by both Microsoft and the UK's National Cyber Security Centre. North Korea denied any involvement.

How to protect yourself from WannaCry

If you haven’t updated your virus protection or system software since last May, you might still be vulnerable to WannaCry. When the virus first hit the scene, ConsumerAffairs produced an in-depth guide on the essential steps consumers should take to secure their Windows-driven computers -- where to find the patches and what to do if you’re unable to download Microsoft’s updates.

WannaCry isn’t the only bad actor out there in the virus world. Microsoft has identified 16 ransomware bandits that go after everything from documents to media files. In a list of FAQs, the Windows support team gives consumers a complete rundown of how to protect themselves from a costly attack.

The government is investigating Facebook’s privacy issues

The FTC confirmed that it has opened a 'non-public' probe

The Federal Trade Commission has confirmed it has opened an investigation into Facebook's privacy practices.

The announcement from Acting Director Tom Pahl said the agency responds when any company does not live up to its promises to protect privacy.

"Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements," Pahl said in a statement.

"Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Facebook once again in FTC crosshairs

Facebook has dealt with the FTC on privacy issues in the past. It signed a consent decree with the FTC in 2011 after a privacy issue arose. The agreement required Facebook to notify users and get permission before sharing personal data beyond the user's privacy settings.

Rob Sherman, deputy chief privacy officer for Facebook, released a statement saying the company appreciates the opportunity to answer any questions the FTC might have.

Facebook found itself at the center of a media firestorm over a week ago when it was revealed that an app developer who legally accessed Facebook user data, with users' permission, then sold the data to a political consulting firm, in violation of Facebook's terms of service.

Facebook accused of collecting call and text messages on Android phones

The company claims it’s something users opt-in to, but can easily change

New reports suggest that Facebook has been logging Android users’ call and SMS (text) history without their permission. The company says that’s not exactly the case, but text history logging is something the user can choose as an opt-in feature.

According to an Ars Technica report, a New Zealander was poring over an archive of his personal data that he had downloaded from Facebook. What he found was not only the typical photos, posts, and contacts, but nearly two years' worth of data including names, phone numbers, and the length of each call he made from his Android phone.

After last week’s PR bloodbath, Facebook was quick to step up and clear its name the best it could.

“People have to expressly agree to use this feature,” the company said in their response to the story. “If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.”

Contact importing is commonplace in social apps. FourSquare, Cloze, Brewster, and others all use some form of contact collection. Not wanting to be left out on a good idea, Facebook also introduced a version in their Messenger app in 2015, then followed up with a “lightweight version” of it in its Facebook for Android app.

How it works

Many people gloss over things like fine print, opt-ins, and opt-outs, and this latest development seems to fall under that category. The way Facebook has this option set up is that when a user signs up for or logs into Messenger or Facebook Lite on an Android device, they’re given the option to have a running upload of contacts as well as call and text history.

In the Messenger app, users can either turn it on or off, or click on the “learn more” or “not now” options. On the Facebook Lite app, the choices are to turn it on or select “skip.” For users who decide to turn the feature on, Facebook logs that info as it happens.

Curious Facebook users who do their social networking on an Android device can see what information has been gathered by using Facebook’s “Download Your Information” tool.

How you can change the info Facebook collects

If a user no longer wants their calls and texts tracked, all they have to do is turn the feature off in their settings. For added security, users can also go here to see which contacts they have uploaded from Messenger and delete any uploaded contact information they want to.

Given all that’s erupted out of Facebook’s data collection dust-up, it’s smart for users to double-check what information they’ve given Facebook and others access to. The company offers a laundry list of ways to update a user’s settings and enhance the security of their data. In a few simple steps, users can decide what apps and games they want to grant permission to collect personal data.

The Weekly Hack: Facebook users targeted and the biggest illegal hack of all time

Universities were targeted in a state-sponsored campaign, prosecutors say

News that the firm Cambridge Analytica harvested profile data from Facebook users to advertise for Donald Trump’s presidential campaign and other right-wing candidates sparked a major backlash against the social media giant this weekend.

Facebook denies that it was a hack, however, explaining to the New York Times that “no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

In fact, Facebook may have a point. As many have noted, Facebook's own policies didn’t block third parties from accessing user data until 2015, after Cambridge Analytica had already obtained information on an estimated 50 million users.

Facebook’s COO Sheryl Sandberg and CEO Mark Zuckerberg responded to the revelations publicly Wednesday with promises to review their policies. The site has approximately two billion users, or a quarter of the planet.

Universities, companies, and governments

In what the US Attorney’s office says is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” the DOJ said today that cyber-criminals in Iran stole $3.4 billion worth of data from 144 American universities. They also allegedly targeted 176 foreign universities, 30 private companies and five government agencies over a four-year period.

The DOJ formally indicted the alleged hackers today, though they were not arrested because they are still in Iran. Prosecutors say they could face detention if they ever try to leave the country.

More than 8,000 American professors were targeted in the attack as part of an effort to steal their research, the government says. The hackers allegedly have links to the Mabna Institute, a tech firm that the DOJ says works on behalf of the Iranian government and Iranian universities.

Orbitz customers

Orbitz, the third-party travel booking site owned by Expedia, announced this week that hackers accessed information on approximately 880,000 credit cards used by customers.

Over a period of several months last year, hackers managed to mine credit information as well as names, birth dates, and addresses on customers who used the site anywhere from January 2016 to December 2017.

"We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available,” Orbitz said in a statement.

Canadian credit card users

Thieves made off with the rewards points earned by Canadian consumers participating in a grocery store loyalty program.

PC Optimum is a new but popular program in Canada that allows consumers to earn reward points when they shop at certain grocery stores and other retailers.

They may just be points, but they have real value; one victim said she lost more than one million points, allowing hackers to purchase over $1,000 worth of goods with her account. A total of more than 100,000 people had their points stolen.

Physical therapy patients and employees

ATI Physical Therapy, a chain of physical rehabilitation centers across the country, alerted over 35,000 customers yesterday that their data may have been accessed by hackers who were targeting direct deposit data of company employees.

As is becoming the standard when these breaches occur, the company is offering consumers free credit monitoring.

Facebook CEO goes public on data sale scandal

The social media company is trying to get in front of backlash

Facebook CEO Mark Zuckerberg has made a public statement in response to the controversy over one of its partners' illegal sale of Facebook data to a third party.

The data, which includes profiles for an estimated 50 million Facebook users, was allegedly used to target political ads in support of Republican presidential nominee Donald Trump during the 2016 election.

"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you," Zuckerberg wrote in a nearly 1,000-word post on Facebook. "I've been working to understand exactly what happened and how to make sure this doesn't happen again."

Facebook actually did nothing illegal. It had a partnership with a third party app -- This Is Your Digital Life -- that allowed the app developer to access data about people who downloaded the app, and their friends. People who downloaded the app were informed of the terms.

Violations of terms of service

What happened next is where it gets sticky. Facebook alleges that the owners of the app sold the data to a political marketing firm, Cambridge Analytica, in violation of Facebook's terms of service. Cambridge Analytica then allegedly used the data to target voters on behalf of the Trump campaign.

In his statement, Zuckerberg said Facebook made a number of policy changes in 2014 that would have prevented the unauthorized distribution of Facebook data had they been adopted earlier.

Among the changes:

  • Limits were placed on the data that apps could access

  • Apps could not access users' friends' data without permission from the friends

  • Developers must receive Facebook permission before they can ask for users' data

Learned of the data sale in 2015

Zuckerberg says it was not until 2015 that Facebook learned from journalists that the app developer had sold the data to Cambridge Analytica. It then demanded the data be deleted, and Zuckerberg says Facebook received certifications that the data had, in fact, been destroyed.

"Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified," Zuckerberg wrote in his post. "We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We're also working with regulators as they investigate what happened."

So far, Zuckerberg's public statement has done little to quell the controversy. An appearance on CNN Wednesday night didn't seem to help either.

Critics say Facebook should have informed its users in 2015 that their data may have been sold to a political marketing firm. A Twitter campaign called #deletefacebook is urging angry Facebook users to abandon the social media platform.

But writing on Engadget, technology journalist Nicole Lee says deleting Facebook is easier said than done. She notes that the site has become too important to too many people who depend on it to stay connected to family and friends.

Washington demands answers from Facebook about data collection

The company's policies will likely be under close scrutiny

Members of Congress are calling for more oversight of Facebook after information about an estimated 50 million users was allegedly used to influence elections.

Sen. Edward J. Markey (D-Mass.), a member of the Commerce, Science, and Transportation Committee, wrote a letter to the committee leadership asking it to hold hearings and solicit testimony from top Facebook executives.

Markey and others are asking for an explanation of how Cambridge Analytica, a political marketing firm, acquired private data on Facebook users that was allegedly then used in the successful Brexit and Trump campaigns.

In his letter, Markey cited published reports suggesting only a small number of Facebook users had agreed to their information being shared with a third party.

“In light of these allegations, and the ongoing Federal Trade Commission (FTC) consent decree that requires Facebook to obtain explicit permission before sharing data about its users, the Committee should move quickly to hold a hearing on this incident, which has allegedly violated the privacy of tens of millions of Americans,” Markey wrote.

Request for details

Sen. Ron Wyden, (D-Ore.), is asking the social media company to detail the extent that private information was misused. He also suggested a review of how Facebook collects, stores, and shares information.

In a letter to Facebook CEO Mark Zuckerberg, Wyden said the ease with which the site's default privacy settings were exploited for profit and political gain raises questions about the company's business model.

"It also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information,” Wyden wrote. “With little oversight—and no meaningful intervention from Facebook—Cambridge Analytica was able to use Facebook-developed and marketed tools to weaponize detailed psychological profiles against tens of millions of Americans.”

Highly-targeted ads

Facebook has been successful because of the power of its targeted advertising. Commercial enterprises can buy ads that appear in the timelines of consumers of a specific age and gender who have certain interests.

The fact that politicians would also take advantage of this power should not come as a surprise. In the wake of the 2016 U.S. election that sent Donald Trump to the White House, Facebook got a lot of unwelcome attention for the information that appeared in users' timelines -- information that looked like news stories but may or may not have been true.

Facebook spent much of 2017 making adjustments -- such as downgrading links from certain sites and adding "related stories" to broaden the scope of coverage.

However, part of the problem stems from the fact that for a significant number of consumers, Facebook is their primary source of news. The Pew Research Center reports that during the height of the 2016 presidential campaign, 62 percent of adults said they got news from social media sites.

Facebook under scrutiny for political use of its data

Information on users reportedly helped influence voters

Facebook finds itself under fire after a weekend revelation that data on millions of its users was used in an unauthorized manner.

It's being called a data breach, but the data wasn't used to steal your identity or empty your bank account. Instead, Facebook critics charge it was used to influence voters in the successful Brexit and Trump campaigns.

The news has raised the issue of what data big tech collects and how it is used, and it has garnered the attention of both U.S. and European regulators. In recent months, Facebook has moved to address how political operatives have used its platform to spread misleading or one-sided information under the guise of "news."

Personality quiz

According to Facebook, a professor used Facebook's log-in credentials to ask users to sign up for what was said to be a personality analytics tool that was to be used for academic research. A total of 270,000 Facebook users downloaded the app, and in doing so gave it permission to access Facebook data on themselves and all of their friends. The New York Times estimates the total number of files to be around 50 million.

Facebook says the professor then violated its terms of service by selling the data to an obscure political marketing company called Cambridge Analytica. That company reportedly used the data to target potential voters.

In the UK, it reportedly targeted Facebook users inclined to vote for Britain leaving the European Union. In the U.S., it reportedly targeted users on behalf of the Trump campaign.

The app was called “This Is Your Digital Life.” If you downloaded it, you and all your Facebook friends may have received political posts, depending on your political leanings, as gauged by the personality test.

New revelation

Facebook says it learned of the violation of its rules nearly three years ago and removed the app from Facebook. But the company said it learned only last week that not all of the collected data was deleted, as required. It has moved to suspend Cambridge Analytica's account.

"We are constantly working to improve the safety and experience of everyone on Facebook," Facebook said in a statement. "In the past five years, we have made significant improvements in our ability to detect and prevent violations by app developers."

Cambridge Analytica has issued a statement of its own, saying it complies with Facebook's terms of service and that it deleted all data that was not gathered in compliance with the rules.

It should be noted that a major part of Facebook's business is using analytics data to help advertisers specifically target ads. However, Facebook does not allow this information to be downloaded and sold to third parties.

Former Equifax CIO faces insider trading charges

The former executive allegedly sold $1 million in shares just before the Equifax data breach was announced

A former Equifax executive has been charged by the Securities and Exchange Commission (SEC) with selling nearly $1 million worth of shares before the company announced last year’s massive data breach.

Jun Ying, the former chief information officer of Equifax's U.S. Information Solutions, was allegedly entrusted with non-public information about the company’s breach before the news was disclosed to the public, the SEC said in a statement.

“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta regional office.

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit,” Best said.

Ying avoided more than $117,000 in losses by selling his shares before the stock price plunged after news of the breach was publicly announced. The US Attorney’s Office for the Northern District of Georgia is also filing criminal charges against Ying, the SEC said.

Largest breach in history

Nearly 150 million Americans were impacted by Equifax's data breach, making it the largest breach in history.

News of the breach was made public Sept. 7, but authorities say Equifax discovered suspicious activity on its network on July 29.

On Aug. 28, Ying allegedly used his confidential information to sell his shares before the news broke. He exercised all his available stock options and received 6,815 shares of Equifax stock, which he sold for more than $950,000 -- a total gain of more than $480,000, prosecutors said.

Yahoo users can sue over data breaches

A California judge ruled against Yahoo’s attempt to have the lawsuit dismissed

A federal judge has ruled that most of a lawsuit concerning Yahoo’s data breach, which exposed the personal information of all of its 3 billion users, can proceed.

Yahoo’s parent company Verizon Communications made an effort to get the claims tossed out by arguing that it had been the target of “relentless criminal attacks”, and the plaintiffs’ “20/20 hindsight” had not affected its efforts to eliminate “constantly evolving security threats.”

However, Judge Lucy Koh ruled against the argument.

“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” Koh wrote in her decision.

Slow to alert customers

The case centers around accusations that Yahoo took too long to notify users of the breaches. Koh said customers may have “taken measures to protect themselves” against identity theft and fraud had they known about the breaches sooner.

Three major data breaches hit the company between 2013 and 2016, but they were not disclosed until 2016.

Yahoo initially said one billion users were exposed by one hack and 500 million were exposed by another. Later, the company said it believed that all of its three billion users were affected by the data breaches.

By the time the breaches came to light, several customers had data stolen by criminals who used it to file fraudulent tax returns or credit card charges. Scores of other customers had to freeze their credit and spend money on monitoring and protection services.

Claims made against Yahoo in the lawsuit include negligence and breach of contract.

The Weekly Hack: Applebee’s data breach and continued cryptocurrency concerns

Hackers targeted Applebee’s franchises and Japan is cracking down on cryptocurrency exchanges

People who dined at certain Applebee’s franchises sometime between November 2017 and January 2018 should pay extra attention to any suspicious activity on their credit cards.

RMH Franchise Holdings announced today that the computer system used by its Applebee’s stores was infected with malware, allowing hackers to access the names and credit card information of customers.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves,” RMH alerted customers in a press release.

RMH said it initially discovered the security breach on February 13. The company owns 167 Applebee’s restaurants across the country.

Cryptocurrency

Hacks involving Bitcoin or one of its many imitators are becoming a regular part of the news cycle. Financial regulators in Japan are now responding by cracking down on seven platforms where people trade cryptocurrency, including the popular application Coincheck, which is based in Japan but used by cryptocurrency traders worldwide.

Coincheck consumers lost an estimated $530 million to hackers in late January in what experts said was the largest cryptocurrency theft to date. The company’s CEO Yusuke Otsuka has promised that affected victims will be compensated.

In the United States, the SEC also released a warning on Wednesday about the security risks that online trading platforms pose.

Meanwhile, users of another cryptocurrency exchange called Binance recently became suspicious that they were being targeted by hackers. Affected individuals reported seeing bizarre discrepancies on their accounts via Reddit, which prompted a response from CEO Changpeng Zhao. On Wednesday, he took to Twitter to say that “All funds are safe” and promised an investigation.

The announcement didn’t come soon enough for Bitcoin traders. The value of Bitcoin dipped below $10,000 this week, which Mashable reports is likely due to the Binance hack rumors and the SEC warning.

Tennessee senate candidate

A hacker may have impersonated Tennessee Senate candidate Phil Bredesen and emailed his contacts, Bredesen’s campaign warned in a letter to the FBI. Bredesen, the former governor of Tennessee, is running as a Democrat in a race that The Hill newspaper reports is a toss-up, raising concerns among Democrats that hackers could be trying to interfere with the midterm elections.

Academics

A hacking group known for going after government agencies in Asia has been sending emails to Japanese professors in an attempt to steal their research. The group reportedly pretended to be from the Japanese government and sent professors downloads that contained malware. The campaign serves as another obvious reminder to never download unknown files.

Uber sued by Pennsylvania AG for not disclosing hack fast enough

The company admitted over a year after a data breach that it had paid hackers $100,000 to keep quiet

Uber admitted last year that its former security officer and deputies had paid hackers $100,000 to destroy consumer data they had accessed and to keep the breach under wraps.

Over a year after the hack occurred, the company fired the employees who made the payment, publicly apologized, and promised to investigate, but for the Pennsylvania Attorney General, the company-led investigation was too little, too late.

Pennsylvania AG Josh Shapiro is now suing Uber under a state law that requires companies to warn consumers about data hacks within a reasonable time, though the law does not specify exactly how long that time frame is.

Data breach not disclosed for over a year

The names, email addresses and phone numbers of 50 million riders and seven million drivers were compromised in October 2016. However, Uber did not warn its customers or launch a public investigation until Bloomberg reported on the breach over a year later, in November 2017.

Among the seven million drivers, 600,000 also had their driver’s license numbers accessed, Uber told the news agency.

“None of this should have happened, and I will not make excuses for it,” CEO Dara Khosrowshahi told Bloomberg at the time. “We are changing the way we do business.”

The Pennsylvania AG’s office determined that approximately 13,500 drivers in the state had their driver’s license information accessed in the hack. Shapiro is seeking to penalize the company $1,000 for every person affected by the breach, bringing the potential fine to $13.5 million.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet,” Shapiro said in an announcement.

Uber’s new Chief Legal Officer Tony West told Recode that he was surprised by the lawsuit.

“While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers,” West told the site.

Drivers can find out if their license information was stolen by searching on the Uber website.

Your entire identity sells for less than $1,200 on the dark web

A security firm breaks down what your personal information is worth

What happens to your personal identity information once it has been compromised, such as in the Equifax data breach?

It often ends up for sale on the dark web, where one security firm says a consumer's entire identity, from Social Security number to Gmail login, can be purchased for less than $1,200.

Simon Migliano, editor-in-chief at Top10VPN.com, which reviews virtual private networks (VPN), writes that every aspect of your online identity is a commodity that can be sold to scammers. The company has broken down what each part of that identity is worth, creating what it calls the Dark Web Market Price Index (DWMPI).

Let's start with your proof of identity, such as a Social Security number or other data to prove who you are. According to the DWMPI, that can sell for around $92.

With it, a scammer can take out a loan or apply for a credit card, netting thousands of dollars. That's a pretty good return on investment, but it doesn't command the highest price on the dark web.

A premium for PayPal

Scammers will pay the most for a consumer's PayPal account log-in. That goes for an average of $247, allowing a thief to quickly clean out the account. After all, it's safer for the thief than trying to use a fake identity to take out a loan.

Your online shopping account login information is also a valuable commodity in the underworld. Thieves pay nearly $165 for account logins for Amazon, Walmart, eBay, Costco, and Macy's, although some individual accounts can go for as little as $10.

Again, it's neat and clean. Thieves can order merchandise that will go on your credit card. They can either use what they purchase or sell it for cash.

Bargain-priced data

Other parts of your identity go for a lot less. While it may be no surprise to learn credit card details are among the most traded on the dark web, fraudsters buy and sell access to Uber, Airbnb, and Netflix accounts for less than $10 each.

"Would-be scammers can easily spend more on their lunchtime sandwich than buying up stolen customer logins for online stores," Migliano writes.

Why so cheap? The sad fact is there is so much competing stolen data to choose from that it tends to drag down the price.

Last year's Equifax hack alone, which compromised more than 148 million consumers, has saturated the dark web with stolen personal data. It means someone could purchase your stolen Spotify account log-in for as little as 21 cents.

Migliano says clever dark web marketers are packaging some of the stolen data into bundles. He says the company found listings offering individuals’ name, billing address, mother’s maiden name, social security number, date of birth, and other personal data.

The Weekly Hack: Beware of Equifax and aliens

Identity thieves can use the Equifax breach to steal social security benefits and leave victims with the bill, but does it even matter if the entire planet is under attack?

Sure, you never technically asked Equifax to monitor your personal data, but credit checks are a necessary step to securing a home, a loan, or a job. But now that half the country’s data has been stolen, you may be tempted to purchase credit protection elsewhere as a precaution.

There’s just one problem. That other, competing credit protection service may “very well be using Equifax to do the back office part,” Sen. Elizabeth Warren told Marketplace in a recent interview. In other words, Equifax could be profiting off the scare it created from its own breach.

The senator’s allegations, made public in an interview this week with Marketplace, came one day before Equifax announced that it will notify an additional 2.4 million consumers that their data was breached.

The customers were among the 145.5 million people whose identities were already confirmed stolen. But Equifax said it could not confirm the specific identities of those 2.4 million people until Thursday because only partial driver’s license information was taken.

Now that Equifax has identified who the additional victims are, the corporation promises to offer them free identity protection and credit monitoring services.

Social Security benefits

People filing for their taxes are reportedly getting billed by the IRS for Social Security benefits that they never collected. Even people in the business of filing taxes are affected.

Retired accountant Jim Shambo writes on the American Institute of CPAs website that he received an SSA-1099 for $19,236 in Social Security. But Shambo hadn’t even applied to collect the benefits, he writes, let alone receive the money.

And before he had a chance to alert the Social Security office to the fraud, he says he received a letter “congratulating me on initiating my Social Security benefits.”

Experts say the problem isn’t unique. In fact, hackers made off with $6 million in Social Security benefits stolen directly from recipients’ bank accounts, a report last year found.

Shambo says that people between the ages of 62 and 70 are vulnerable to the Social Security hack. Victims have little recourse: one man who was billed for benefits in a similar theft told the Detroit Free Press that it took repeated calls and visits to local Social Security offices to get revised tax forms.

Shambo points to two likely culprits for the breach: the Social Security office website itself and Equifax.

Hacking aliens 

Astrophysicists Michael Hippke and John Learned recently published a paper arguing that any attempt to contact “extraterrestrial intelligence” could place our species at the risk of a widespread hack.

They say that sophisticated telescopes could, in theory, pick up a malicious virus that would affect the world’s computers. In another hypothetical scenario, extraterrestrials could use human communication to mess with the world’s collective minds, perhaps by telling everyone that “we will make your sun go supernova tomorrow.”

“True or not, it could cause widespread panic,” Hippke and Learned write.

In the long run, they argue that attempting to contact extraterrestrial intelligence comes with more benefits than drawbacks, but they say being aware of the negative possibilities is important.

If aliens do exist, “there will be a plurality of good and bad civilizations,” the physicists write, and the bad ones may be all too eager to take advantage of the fragility of humans. Even a threatening text could have what the physicists describe as a “demoralizing cultural influence.”

The paper comes after the New York Times released a bombshell report last year about mysterious sightings reported by army pilots and a resulting, unsuccessful UFO research program funded by the Pentagon to look for answers.

But even if aliens do exist, other experts say they may have bigger fish to fry than our computers or our heads. Retired Army Col. John Alexander, a founder of the Advanced Theoretical Physics Group and the author of a book about UFO sightings and theories, told the New York Daily News that the likelihood of an alien-led computer hack “is so remote as to not be worth any concern, let alone time and effort in countering it."

German Government

The German press is quoting anonymous security officials who claim that Russian hackers placed malware in government networks. The hackers infiltrated the network used specifically by the German parliament and other federal offices, the officials said. The Russian group Fancy Bear was reportedly behind the attack.

Germany's government responded that it is investigating the attack but added that it “was isolated and brought under control within the federal administration.”

Texas was not hacked

Texas officials are pushing back on an NBC report claiming that state computers were compromised by Russian hackers during the 2016 presidential election. The report did not allege that results were changed, only that the state’s voter registration system was “compromised.”

"We have absolutely no evidence that there was any penetration or any compromise of any of Texas' voting or voting registration systems,” the Texas Secretary of State responded to the station.

Belgian judges demand Facebook destroy data it collected on non-users

Facebook, which faces 100 million euros in fines, defended the practice

In Europe, where consumers are protected by tougher privacy and data regulations than they are in the United States, judges have once again ruled that Facebook is breaking the law.

A court in Belgium on Friday ordered Facebook to stop tracking and recording the browsing habits of non-users, “as it does not bring its practices in line with Belgian privacy legislation.”

The Belgian verdict follows a ruling against Facebook in Germany last Monday. In the latter case, a Berlin judge ruled that eight clauses in Facebook’s terms of service are illegal and that Facebook’s default privacy settings do not give users adequate consent or allow them to easily opt out.

“Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register,” an attorney with the Federation of German Consumer Organisations, the organization that brought the lawsuit against Facebook, said in a statement.

Facebook says it plans to appeal the Berlin court’s decision.

Facebook ordered to publicize judgment

In the Belgian verdict, judges ordered Facebook to destroy data that they determined was “illegally obtained” and publicize the court’s unflattering findings about itself.

The judges not only demanded that Facebook publish “the entire 84-page judgment on its website,” but also stipulated that Facebook publish a portion of the judgment in Dutch-language and French-language Belgian newspapers.

Facebook, which has so far given no indication that it plans to follow the order, faces fines of 250,000 euros a day, up to a maximum of 100 million euros, for not complying.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” Facebook’s public policy spokesman Richard Allan told TechCrunch in a statement.

“We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.”

Tracks non-users

Facebook’s use of tracking codes through social plug-ins, commonly known as “cookies,” allows the social media giant to sell targeted advertising. The cookies work by collecting the browsing habits of consumers, even those who do not use the social media site or who have cancelled their accounts.

“This does not only concern Facebook users, but almost all internet users in Belgium and Europe,” Belgium's Privacy Commission, the agency that filed suit against Facebook, explains on its website.

Belgian watchdogs have been fighting the practice since 2015 with a civil suit and a subsequent judgment ordering Facebook to stop invisibly tracking consumers or face hefty fines. But Facebook fought the ruling with the argument that the Belgian courts did not have jurisdiction over its business because Facebook’s European office is headquartered in Ireland.

Facebook’s appeals have been repeatedly shot down by the Belgian courts trying to crack down on the company. Much like the recent ruling in Germany, a report commissioned by the Belgian Privacy Commission in 2015 determined that Facebook’s privacy settings do not give users informed consent and that its terms of service violate European consumer privacy laws.

Higher European standards irk companies

While Facebook does allow users to opt out of the tracking cookies, that option is only available to people with a Facebook account, not to non-users. “The current practice does not meet the requirements for legally valid consent,” the Belgian Privacy Commission report said.

The European Union considers data protection to be a fundamental right and places broad regulations on the tech, financial, and advertising industries over how they handle data.

But tech giants have bristled at European attempts to regulate data collection and other aspects of their businesses. Last summer, European regulators fined Google a record 2.4 billion euros after finding it was manipulating search results in a manner that promotes its own shopping services over competitors. It was the largest antitrust fine implemented to date by the European Union.

Google responded by offering concessions, such as opening its “shopping” search results to competitors, but it also appealed the ruling in September.

Consumers are getting malware along with pirated movies

States are joining the effort to warn consumers about shady websites

Attorneys general from more than half the states have signed onto a campaign to warn consumers about websites trafficking in pirated content.

The websites attract visitors by offering free movies and other stolen entertainment content, but also give viewers more than they bargained for in the form of malware.

The campaign is led by the Digital Citizens Alliance, an advocacy group that focuses public attention on internet threats. The promise of free entertainment content, it says, comes at a high cost.

"With technology moving so fast, it's sometimes difficult to know what is risky," said Tom Galvin, Executive Director of the Digital Citizens Alliance. “That is why state AGs are playing a vital role in alerting consumers to the danger that consumers face from malware and content theft websites."

Galvin cites data from RiskIQ showing one in three websites providing free entertainment content can infect visitors' devices with malware, potentially exposing information that can be used for identity theft.

'Drive-by downloads'

Just visiting one of these websites can lead to infection. RiskIQ found 45 percent of malware was delivered through so-called "drive-by downloads" that do not require the victim to click on a link.

"From websites to new devices loaded with pirated content, hackers have found ingenious ways to invade your home," Galvin said. "The best defense is knowledge, and AGs are providing it."

The attorneys general from 28 states are appearing in public service announcements distributed online and airing on television stations in their states.

The Federal Trade Commission (FTC) has also been active in this area, warning consumers to stay away from websites offering access to pirated content.

Will Maxson, the FTC's assistant director in the Division of Marketing Practices, said the agency downloaded movies from five sites offering them for free. In all five cases, he says, the agency's computers ended up with malware.

Neither the Digital Citizens Alliance nor the FTC identified specific websites that they said are distributing malware along with free entertainment.

Forever 21 confirms 2017 data breach

Payment cards may have been compromised at some stores

Retailer Forever 21 has confirmed a payment card data breach it first raised as a possibility in mid-November.

The company said it received a report from a third party in mid-October suggesting there could have been unauthorized access to payment card data at certain stores. The investigation revealed that encryption technology, installed on point-of-sale (POS) devices in 2015, was not always activated at some stores.

Investigators then discovered signs of unauthorized network access and installation of malware on some POS devices. The malware searched for payment card data as it moved through the POS device.

No consistent pattern

Complicating the investigation is the fact that the encryption was not turned off in all stores; it was off for only a few days to several weeks in some stores; and it was off most of the time in other stores.

"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved," the company said in a statement. In nearly all cases, potentially compromised transactions occurred between March and October 2017.

Mark Cline, a vice president at Netsurion, a provider of managed security services for multi-location businesses, says there are important lessons to learn here for both consumers and retailers.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals," he told ConsumerAffairs. "They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit."

The costs for companies can be enormous. Cline says a retailer pays on average $172 per stolen record in "clean-up costs."

The challenge for retailers is to stay ahead of the hackers. Cline suggests companies first run a vulnerability scan on their internal networks and then apply all operating system and software upgrades and patches immediately.

Consumers inconvenienced

The cost for consumers is mostly in convenience. If promptly reported, consumer liability for fraudulent use of a credit card is limited to $50, and in many cases there is no loss.

If debit card information is stolen, risks may be greater. Policies protecting consumers in these cases tend to vary bank to bank. Needless to say, a thief with a consumer's complete debit card information could clean out the account very quickly.

Consumers using a payment card at a POS terminal are safer paying with a credit card than a debit card. Paying with cash is safer still.

Forever 21 operates more than 815 stores in 57 countries with retailers in the United States and overseas. The company did not provide the number of its stores that may have been affected by the data breach.

Yahoo says 2013 data breach affected all three billion of its user accounts

The revision adds to what is already the largest data breach in history

Yahoo’s massive 2013 data breach, affecting more than one billion of its user accounts, reappeared this week with significantly worse numbers.

The company announced Tuesday that all 3 billion of its accounts were, in fact, affected at that time, leaving billions of additional user accounts vulnerable in the interim.

The revelation follows Yahoo’s acquisition by Verizon, which paid $4.8 billion for the struggling company in hopes of combining it with AOL to create a new entity named Oath. New intelligence prompted a forensic analysis which subsequently led to Tuesday's revision.

“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement,” the announcement said.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Verizon Chief Information Security Officer Chandra McMahon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

Protecting stolen information

In an FAQ section of its security update web page, Yahoo says that stolen information involved in the 2013 breach may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and (in some cases) encrypted or unencrypted security questions and answers.

To counter the breach, Yahoo required potentially affected users to change their passwords and invalidated unencrypted security questions and answers last December.

However, in light of the recent revision, the company says that all users should change their passwords and security questions, review their accounts for any suspicious activity, and use an abundance of caution when clicking or downloading unsolicited messages, links, or attachments. The company also advises using its Yahoo Account Key authentication tool.

Users are also free to switch to a different email service, but continuing to monitor accounts and personal information will still be just as necessary either way.

Largest breach to date

The latest announcement multiplies what was already the largest data breach in history, and will almost certainly mean more litigation for both Yahoo and Verizon.

In late August, U.S. Judge Lucy Koh ruled that class actions over the breach would be allowed to move forward. While she dismissed some parts of one particular case, she said that Yahoo’s actions “alleged risk of future identity theft” and “loss of value of [users’] personal identification information.”

Koh also said that plaintiffs would be well within their rights to pursue breach of contract and unfair competition charges against Yahoo because they would have been able to close their accounts if they had known about the data breach earlier.

Equifax provides few details on its credit-freezing tool

Consumers will be able to freeze and unfreeze credit without paying fees

Equifax says consumers concerned about the company's massive data breach will be able to freeze and unfreeze their credit at will and not pay a fee.

In his testimony before a House subcommittee Tuesday, former Equifax CEO Richard Smith listed the new tool among other free remediation tools the company is providing to consumers to help them protect their identity, but he did not elaborate on it.

A credit freeze prevents anyone from accessing a consumer's credit report, so an identity thief who has stolen the victim's Social Security number and other identifying information would be unable to open a fraudulent credit account because the lender would be unable to pull the credit file.

The credit file could only be unfrozen with the consumer's permission, making the credit freeze among the strongest identity theft prevention measures that can be taken. Normally, the consumer pays a fee to freeze the credit file and another fee when it is unfrozen.

Equifax has disclosed few details of the tool, other than to say it hopes to have it available by the end of January. In an email to ConsumerAffairs, a company spokesperson said additional details would be provided closer to the launch date.

Different opinions

Security and identity theft experts have different opinions about whether a simple, easy-to-use tool to freeze and unfreeze credit is a good idea. Some have backed the idea, saying that hackers will have a harder time stealing identities if more consumers are freezing their credit files.

But Eva Valasquez, CEO of the Identity Theft Resource Center (ITRC), thinks the process should not be so simple and quick that it becomes vulnerable to hacks.

"I hope that the solution that industry proposes is not more automated technology," Valasquez told ConsumerAffairs in an interview last month. "Because the process of establishing who you are goes through several steps, and we should appreciate that it's going to take a little longer."

Whatever form the freeze tool takes, it won't be a complete solution. That's because it will only freeze one credit file -- the one managed by Equifax. Consumers also have credit files with the two other credit bureaus, Experian and TransUnion.

There will still be fees to freeze and unfreeze those files. Valasquez says ITRC has launched an online petition urging Experian and TransUnion to also waive fees when consumers freeze and unfreeze their credit reports.
