Commentaries and Analyses – Page 2

Many researchers are pseudonymous. That doesn’t justify ignoring their alerts.

Posted on January 5, 2025January 5, 2025 by Dissent

For many years, the FTC has published guidance for businesses to Start with Security. Their advice has always included having a clear way to receive security alerts about vulnerabilities. That advice has been repeated in all updates, including their 2023 version. Why do I mention that now? Because once again, attempts to warn a company…

Feds claims just 7% of available funds from OPM breach settlement, remainder returns to Treasury

Posted on January 3, 2025 by Dissent

Eric Katz reports: Current federal employees, retirees and others impacted by widespread breach of personal data maintained by the Office of Personnel Management took advantage of only a small portion of the money made available in a settlement agreement following the 2015 hack. Plaintiffs in the class action lawsuit reached a settlement in 2022 with…

No need to hack when it’s leaking: Roomster edition (1)

Posted on January 2, 2025January 9, 2025 by Dissent

There are leaks and then there are leaks. Hundreds of thousands of people who shared houses via Roomster might want to say a mental “Thank you” to the researcher known as @JayeLTee, who discovered a long-standing data leak and took steps to get it secured. As JayeLTee relates, he first spotted the misconfigured server in…

Westend Dental agrees to pay Indiana $350K and to implement corrective action plan to settle charges of multiple HIPAA violations

Posted on December 31, 2024 by Dissent

TechCrunch recently did its annual write-up of badly handled data security incidents. The following wasn’t in it but is one of the worst security and privacy failures that I’ve ever read, and that’s saying a lot. This case stems from a ransomware attack by Medusa Locker in October 2020 that is first being seriously addressed…

2024’s Data Breaches: Breaches Handled Badly

Posted on December 27, 2024 by Dissent

There are always a ton of articles at the end of every year recapping what went wrong. Over on TechCrunch, Zack Whittaker and Carly Page have their annual list of breaches handled poorly. This year’s list includes 23andMe, Change Healthcare, Synnovis, Snowflake, Columbus Ohio, Salt Typhoon, Moneygram, and HotTopic. DataBreaches generally agrees with their recap,…

Clop ransomware is now extorting 66 Cleo data-theft victims

Posted on December 25, 2024 by Dissent

Bill Toulas reports: The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands. The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations….