Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data protection. Show all posts
Data Theft
CISA CISA advisory CVE CVE exploits CVEs Cyber Attacks Cyber Exploits Cyber flaws Cyber Vulnerabilities Data protection data security Data Theft

CISA Urges Immediate Patching of Critical SysAid Vulnerabilities Amid Active Exploits

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about two high-risk vulnerabilities in SysAid’s IT service management (ITSM) platform that are being actively exploited by attackers. These security flaws, identified as CVE-2025-2775 and CVE-2025-2776, can enable unauthorized actors to hijack administrator accounts without requiring credentials. 

Discovered in December 2024 by researchers at watchTowr Labs, the two vulnerabilities stem from XML External Entity (XXE) injection issues. SysAid addressed these weaknesses in March 2025 through version 24.4.60 of its On-Premises software. However, the urgency escalated when proof-of-concept code demonstrating how to exploit the flaws was published just a month later, highlighting how easily bad actors could access sensitive files on affected systems. 

Although CISA has not provided technical specifics about the ongoing attacks, it added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12. CISA also strongly recommends that organizations in the private sector act swiftly to apply the necessary updates, regardless of the directive’s federal scope. 

“These vulnerabilities are commonly exploited by malicious cyber actors and present serious threats to government systems,” CISA stated in its warning. SysAid’s On-Prem solution is deployed on an organization’s internal infrastructure, allowing IT departments to manage help desk tickets, assets, and other services. According to monitoring from Shadowserver, several dozen SysAid installations remain accessible online, particularly in North America and Europe, potentially increasing exposure to these attacks. 

Although CISA has not linked these specific flaws to ransomware campaigns, the SysAid platform was previously exploited in 2023 by the FIN11 cybercrime group, which used another vulnerability (CVE-2023-47246) to distribute Clop ransomware in zero-day attacks. Responding to the alert, SysAid reaffirmed its commitment to cybersecurity. “We’ve taken swift action to resolve these vulnerabilities through security patches and shared the relevant information with CISA,” a company spokesperson said. “We urge all customers to ensure their systems are fully up to date.” 

SysAid serves a global clientele of over 5,000 organizations and 10 million users across 140 countries. Its user base spans from startups to major enterprises, including recognized brands like Coca-Cola, IKEA, Honda, Xerox, Michelin, and Motorola.
Read more »
protecting sensitive data
Army British Army Data Breach Data Leak Data protection data security Information Security protecting sensitive data

UK Army Probes Leak of Special Forces Identities in Grenadier Guards Publication

 

The British Army has initiated an urgent investigation following the public exposure of sensitive information identifying members of the UK Special Forces. General Sir Roly Walker, Chief of the General Staff, has directed a comprehensive review into how classified data was shared, after it was found that a regimental newsletter had published names and postings of elite soldiers over a period of more than ten years. 

The internal publication, created by the Grenadier Guards Regimental Association, is believed to have revealed the identities and current assignments of high-ranking officers serving in confidential roles. Several names were reportedly accompanied by the abbreviation “MAB,” a known military code linked to Special Forces. Security experts have expressed concern that such identifiers could be easily deciphered by hostile actors, significantly raising the risk to those individuals. 

The revelation has triggered backlash within the Ministry of Defence, with Defence Secretary John Healey reportedly outraged by the breach. The Ministry had already issued warnings about this very issue, yet the publication remained online until it was finally edited last week. The breach adds to growing concern over operational security lapses in elite British military units.  

This latest disclosure follows closely on the heels of another incident in which the identities of Special Forces soldiers involved in missions in Afghanistan were exposed through a separate data leak. That earlier breach had been shielded by a legal order for nearly two years, emphasizing the persistent nature of such security vulnerabilities. 

The protection of Special Forces members’ identities is a critical requirement due to the covert and high-risk nature of their work. Publicly exposing their names can not only endanger lives but also jeopardize ongoing intelligence missions and international collaborations. The leaked material is also said to have included information about officers working within the Cabinet Office’s National Security Secretariat—an agency that advises the Prime Minister on national defence—and even a soldier assigned to General Walker’s own operational staff. 

While the Grenadier Guards’ publication has now removed the sensitive content, another regiment had briefly published similar details before promptly deleting them. Still, the extended availability of the Grenadier data has raised questions about oversight and accountability in how military associations manage sensitive information.  

General Walker, a former commander of the Grenadier Guards, announced that he has mandated an immediate review of all information-sharing practices between the army and regimental associations. His directive aims to ensure that stronger protocols are in place to prevent such incidents in the future, while still supporting the positive role these associations play for veterans and serving members alike. 

The Defence Ministry has not released details on whether those named in the leak will be relocated or reassigned. However, security analysts say the long-term consequences of the breach could be serious, including potential threats to the personnel involved and operational risks to future Special Forces missions. As investigations continue, the British Army is now under pressure to tighten internal controls and better protect its most confidential information from digital exposure.
Read more »
Privacy
Data protection EU GDPR hamburg LLM Meta AI Privacy

Legal Battle Over Meta’s AI Training Likely to Reach Europe’s Top Court

 


The ongoing debate around Meta’s use of European data to train its artificial intelligence (AI) systems is far from over. While Meta has started training its large language models (LLMs) using public content from Facebook and Instagram, privacy regulators in Europe are still questioning whether this is lawful and the issue may soon reach the European Court of Justice (ECJ).

Meta began training its AI using public posts made by users in the EU shortly after getting the go-ahead from several privacy watchdogs. This approval came just before Meta launched AI-integrated products, including its smart glasses, which rely heavily on understanding cultural and regional context from online data.

However, some regulators and consumer groups are not convinced the approval was justified. A German consumer organization had attempted to block the training through an emergency court appeal. Although the request was denied, that was only a temporary decision. The core legal challenges, including one led by Hamburg’s data protection office, are still expected to proceed in court.

Hamburg’s commissioner, who initially supported blocking the training, later withdrew a separate emergency measure under Europe’s data protection law. He stated that while the training has been allowed to continue for now, it’s highly likely that the final ruling will come from the EU’s highest court.

The controversy centers on whether Meta has a strong enough legal reason, known as "legitimate interest" to use personal data for AI training. Meta’s argument was accepted by Irish regulators, who oversee Meta’s EU operations, on the condition that strict privacy safeguards are in place.


What Does ‘Legitimate Interest’ Mean Under GDPR?

Under the General Data Protection Regulation (GDPR), companies must have a valid reason to collect and use personal data. One of the six legal bases allowed is called “legitimate interest.” 

This means a company can process someone’s data if it’s necessary for a real business purpose, as long as it does not override the privacy rights of the individual.

In the case of AI model training, companies like Meta claim that building better products and improving AI performance qualifies as a legitimate interest. However, this is debated, especially when public data includes posts with personal opinions, cultural expressions, or identity-related content.

Data protection regulators must carefully balance:

1. The company’s business goals

2. The individual’s right to privacy

3. The potential long-term risks of using personal data for AI systems


Some experts argue that this sets a broader precedent. If Meta can train its AI using public data under the concept of legitimate interest, other companies may follow. This has raised hopes among many European AI firms that have felt held back by unclear or strict regulations.

Industry leaders say that regulatory uncertainty, specifically surrounding Europe’s General Data Protection Regulation (GDPR) and the upcoming AI Act has been one of the biggest barriers to innovation in the region. Others believe the current developments signal a shift toward supporting responsible AI development while protecting users’ rights.

Despite approval from regulators and support from industry voices, legal clarity is still missing. Many legal experts and companies agree that only a definitive ruling from the European Court of Justice can settle whether using personal data for AI training in this way is truly lawful.


Read more »
Ransomwares
corporate cyber attacks Cyber Security Cyber Security Tool Cyberattack Cyberthreart Data protection data security Enterprise security Ingram Micro Password Security ransomware attacks Ransomwares

Why Major Companies Are Still Falling to Basic Cybersecurity Failures

 

In recent weeks, three major companies—Ingram Micro, United Natural Foods Inc. (UNFI), and McDonald’s—faced disruptive cybersecurity incidents. Despite operating in vastly different sectors—technology distribution, food logistics, and fast food retail—all three breaches stemmed from poor security fundamentals, not advanced cyber threats. 

Ingram Micro, a global distributor of IT and cybersecurity products, was hit by a ransomware attack in early July 2025. The company’s order systems and communication channels were temporarily shut down. Though systems were restored within days, the incident highlights a deeper issue: Ingram had access to top-tier security tools, yet failed to use them effectively. This wasn’t a tech failure—it was a lapse in execution and internal discipline. 

Just two weeks earlier, UNFI, the main distributor for Whole Foods, suffered a similar ransomware attack. The disruption caused significant delays in food supply chains, exposing the fragility of critical infrastructure. In industries that rely on real-time operations, cyber incidents are not just IT issues—they’re direct threats to business continuity. 

Meanwhile, McDonald’s experienced a different type of breach. Researchers discovered that its AI-powered hiring tool, McHire, could be accessed using a default admin login and a weak password—“123456.” This exposed sensitive applicant data, potentially impacting millions. The breach wasn’t due to a sophisticated hacker but to oversight and poor configuration. All three cases demonstrate a common truth: major companies are still vulnerable to basic errors. 

Threat actors like SafePay and Pay2Key are capitalizing on these gaps. SafePay infiltrates networks through stolen VPN credentials, while Pay2Key, allegedly backed by Iran, is now offering incentives for targeting U.S. firms. These groups don’t need advanced tools when companies are leaving the door open. Although Ingram Micro responded quickly—resetting credentials, enforcing MFA, and working with external experts—the damage had already been done. 

Preventive action, such as stricter access control, routine security audits, and proper use of existing tools, could have stopped the breach before it started. These incidents aren’t isolated—they’re indicative of a larger issue: a culture that prioritizes speed and convenience over governance and accountability. 

Security frameworks like NIST or CMMC offer roadmaps for better protection, but they must be followed in practice, not just on paper. The lesson is clear: when organizations fail to take care of cybersecurity basics, they put systems, customers, and their own reputations at risk. Prevention starts with leadership, not technology.
Read more »
Technology
Artificial Intelligence AVT Data protection england NHS Technology

Doctors Warned Over Use of Unapproved AI Tools to Record Patient Conversations

 


Healthcare professionals in the UK are under scrutiny for using artificial intelligence tools that haven’t been officially approved to record and transcribe conversations with patients. A recent investigation has uncovered that several doctors and medical facilities are relying on AI software that does not meet basic safety and data protection requirements, raising serious concerns about patient privacy and clinical safety.

This comes despite growing interest in using artificial intelligence to help doctors with routine tasks like note-taking. Known as Ambient Voice Technology (AVT), these tools are designed to save time by automatically recording and summarising patient consultations. In theory, this allows doctors to focus more on care and less on paperwork. However, not all AVT tools being used in medical settings have passed the necessary checks set by national authorities.

Earlier this year, NHS England encouraged the use of AVT and outlined the minimum standards required for such software. But in a more recent internal communication dated 9 June, the agency issued a clear warning. It stated that some AVT providers are not following NHS rules, yet their tools are still being adopted in real-world clinical settings.

The risks associated with these non-compliant tools include possible breaches of patient confidentiality, financial liabilities, and disruption to the wider digital strategy of the NHS. Some AI programs may also produce inaccurate outputs— a phenomenon known as “hallucination”— which can lead to serious errors in medical records or decision-making.

The situation has left many general practitioners in a difficult position. While eager to embrace new technologies, many lack the technical expertise to determine whether a product is safe and compliant. Dr. David Wrigley, a senior representative of the British Medical Association, stressed the need for stronger guidance and oversight. He believes doctors should not be left to evaluate software quality alone and that central NHS support is essential to prevent unsafe usage.

Healthcare leaders are also concerned about the growing number of lesser-known AI companies aggressively marketing their tools to individual clinics and hospitals. With many different options flooding the market, there’s a risk that unsafe or poorly regulated tools might slip through the cracks.

Matthew Taylor, head of the NHS Confederation, called the situation a “turning point” and suggested that national authorities need to offer clearer recommendations on which AI systems are safe to use. Without such leadership, he warned, the current approach could become chaotic and risky.

Interestingly, the UK Health Secretary recently acknowledged that some doctors are already experimenting with AVT tools before receiving official approval. While not endorsing this behaviour, he saw it as a sign that healthcare workers are open to digital innovation.

On a positive note, some AVT software does meet current NHS standards. One such tool, Accurx Scribe, is being used successfully and is developed in close consultation with NHS leaders.

As AI continues to reshape healthcare, experts agree on one thing: innovation must go hand-in-hand with accountability and safety.

Read more »
UK
Data Breach Data protection Dior Fashion UK

Dior Confirms Hack: Personal Data Stolen, Here’s What to Do


Christian Dior, the well-known luxury fashion brand, recently experienced a cyberattack that may have exposed customer information. The brand, owned by the French company LVMH, announced that an outsider had managed to break into part of its customer database. This has raised concerns about the safety of personal information, especially among shoppers in the UK.

Although no bank or card information was stolen, Dior said the hackers were able to access names, email addresses, phone numbers, mailing addresses, purchase records, and marketing choices of customers. Even though financial details remain safe, experts warn that this kind of personal data could still be used for scams that trick people into giving away more information.


How and When the Breach Happened

The issue was first noticed on May 7, 2025, when Dior’s online system in South Korea detected unusual activity involving customer records. Their technical team quickly responded by shutting down the affected servers to prevent more damage.

A week later, on May 14, French news sources reported the incident, and the following day, Dior publicly confirmed the breach on its websites. The company explained that while no payment data was involved, some customer details were accessed.


What Dior Is Doing Now

Following the European data protection rules, Dior acted quickly by resetting passwords, isolating the impacted systems, and hiring cybersecurity experts to investigate the attack. They also began informing customers where necessary and reassured the public that they are working on making their systems more secure.

Dior says it plans to improve security by increasing the use of two-factor login processes and monitoring accounts more closely for unusual behavior. The company says it takes customer privacy very seriously and is sorry for any trouble this may cause.


Why Luxury Brands Are Often Targeted

High-end brands like Dior are popular targets for cybercriminals because they cater to wealthy customers and run large digital operations. Earlier this month, other UK companies like Marks & Spencer and Co-op also reported customer data issues, showing that online attacks in the retail world are becoming more common.


What Customers Can Do to Stay Safe

If you’re a Dior customer, there are simple steps you can take to protect yourself:

1. Be careful with any messages that claim to be from Dior. Don’t click on links unless you are sure the message is real. Always visit Dior’s website directly.

2. Change your Dior account password to something new and strong. Avoid using the same password on other websites.

3. Turn on two-factor login for extra protection if available.

4. Watch your bank and credit card activity regularly for any unusual charges.

Be wary of fake ads or offers claiming big discounts from Dior, especially on social media.


Taking a few minutes now to secure your account could save you from a lot of problems later.

Read more »
Sensitive Information
Customer Data Cyber Attacks Data Leak Data protection data security Data Theft Employee Data Identity Theft Prevention Radio Station Sensitive Information

iHeartMedia Cyberattack Exposes Sensitive Data Across Multiple Radio Stations

 

iHeartMedia, the largest audio media company in the United States, has confirmed a significant data breach following a cyberattack on several of its local radio stations. In official breach notifications sent to affected individuals and state attorney general offices in Maine, Massachusetts, and California, the company disclosed that cybercriminals accessed sensitive customer information between December 24 and December 27, 2024. Although iHeartMedia did not specify how many individuals were affected, the breach appears to have involved data stored on systems at a “small number” of stations. 

The exact number of compromised stations remains undisclosed. With a network of 870 radio stations and a reported monthly audience of 250 million listeners, the potential scope of this breach is concerning. According to the breach notification letters, the attackers “viewed and obtained” various types of personal information. The compromised data includes full names, passport numbers, other government-issued identification numbers, dates of birth, financial account information, payment card data, and even health and health insurance records. 

Such a comprehensive data set makes the victims vulnerable to a wide array of cybercrimes, from identity theft to financial fraud. The combination of personal identifiers and health or insurance details increases the likelihood of victims being targeted by tailored phishing campaigns. With access to passport numbers and financial records, cybercriminals can attempt identity theft or engage in unauthorized transactions and wire fraud. As of now, the stolen data has not surfaced on dark web marketplaces, but the risk remains high. 

No cybercrime group has claimed responsibility for the breach as of yet. However, the level of detail and sensitivity in the data accessed suggests the attackers had a specific objective and targeted the breach with precision. 

In response, iHeartMedia is offering one year of complimentary identity theft protection services to impacted individuals. The company has also established a dedicated hotline for those seeking assistance or more information. While these actions are intended to mitigate potential fallout, they may offer limited relief given the nature of the exposed information. 

This incident underscores the increasing frequency and severity of cyberattacks on media organizations and the urgent need for enhanced cybersecurity protocols. For iHeartMedia, transparency and timely support for affected customers will be key in managing the aftermath of this breach. 

As investigations continue, more details may emerge regarding the extent of the compromise and the identity of those behind the attack.
Read more »
Pop-ups
AI Tool Brave Browser Browser Extension Cookie Blocker Cookie Pop-Ups Cookies Cyber Security Data protection GDPR GDPR protection Pop-ups

Brave Browser’s New ‘Cookiecrumbler’ Tool Aims to Eliminate Annoying Cookie Consent Pop-Ups

 

While the General Data Protection Regulation (GDPR) was introduced with noble intentions—to protect user privacy and control over personal data—its practical side effects have caused widespread frustration. For many internet users, GDPR has become synonymous with endless cookie consent pop-ups and hours of compliance training. Now, Brave Browser is stepping up with a new solution: Cookiecrumbler, a tool designed to eliminate the disruptive cookie notices without compromising web functionality. 

Cookiecrumbler is not Brave’s first attempt at combating these irritating banners. The browser has long offered pop-up blocking capabilities. However, the challenge hasn’t been the blocking itself—it’s doing so while preserving website functionality. Many websites break or behave unexpectedly when these notices are blocked improperly. Brave’s new approach promises to fix that by taking cookie blocking to a new level of sophistication.  

According to a recent announcement, Cookiecrumbler combines large language models (LLMs) with human oversight to automate and refine the detection of cookie banners across the web. This hybrid model allows the tool to scale effectively while maintaining precision. By running on Brave’s backend servers, Cookiecrumbler crawls websites, identifies cookie notices, and generates custom rules tailored to each site’s layout and language. One standout feature is its multilingual capability. Cookie notices often vary not just in structure but in language and legal formatting based on the user’s location. 

Cookiecrumbler accounts for this by using geo-targeted vantage points, enabling it to view websites as a local user would, making detection far more effective. The developers highlight several reasons for using LLMs in this context: cookie banners typically follow predictable language patterns, the work is repetitive, and it’s relatively low-risk. The cost of each crawl is minimal, allowing the team to test different models before settling on smaller, efficient ones that provide excellent results with fine-tuning. Importantly, human reviewers remain part of the process. While AI handles the bulk detection, humans ensure that the blocking rules don’t accidentally interfere with important site functions. 

These reviewers refine and validate Cookiecrumbler’s suggestions before they’re deployed. Even better, Brave is releasing Cookiecrumbler as an open-source tool, inviting integration by other browsers and developers. This opens the door for tools like Vivaldi or Firefox to adopt similar capabilities. 

Looking ahead, Brave plans to integrate Cookiecrumbler directly into its browser, but only after completing thorough privacy reviews to ensure it aligns with the browser’s core principle of user-centric privacy. Cookiecrumbler marks a significant step forward in balancing user experience and privacy compliance—offering a smarter, less intrusive web.
Read more »
Ransomwares
Cyber Attacks Cyber Breach Cyber Defenses Data protection financial attack Financial Loss Ransomware attack Ransomwares

Fourlis Group Confirms €20 Million Loss from IKEA Ransomware Attack

 

Fourlis Group, the retail operator responsible for IKEA stores across Greece, Cyprus, Romania, and Bulgaria, has revealed that a ransomware attack targeting its systems in late November 2024 led to significant financial losses. The cyber incident, which coincided with the busy Black Friday shopping period, disrupted critical parts of the business and caused damages estimated at €20 million (around $22.8 million). 

The breach initially surfaced as unexplained technical problems affecting IKEA’s e-commerce platforms. Days later, on December 3, the company confirmed that the disruptions were due to an external cyberattack. The attack affected digital infrastructure used for inventory restocking, online transactions, and broader retail operations, mainly impacting IKEA’s business. Other brands under the Fourlis umbrella, including Intersport and Holland & Barrett, were largely unaffected.  

According to CEO Dimitris Valachis, the company experienced a loss of approximately €15 million in revenue by the end of 2024, with an additional €5 million impact spilling into early 2025. Fourlis decided not to comply with the attackers’ demands and instead focused on system recovery through support from external cybersecurity professionals. The company also reported that it successfully blocked a number of follow-up attacks attempted after the initial breach. 

Despite the scale of the attack, an internal investigation supported by forensic analysts found no evidence that customer data had been stolen or exposed. The incident caused only a brief period of data unavailability, which was resolved swiftly. As part of its compliance obligations, Fourlis reported the breach to data protection authorities in all four affected countries, reassuring stakeholders that personal information remained secure. Interestingly, no known ransomware group has taken responsibility for the attack. This may suggest that the attackers were unable to extract valuable data or are holding out hope for an undisclosed settlement—though Fourlis maintains that no ransom was paid. 

The incident highlights the growing risks faced by digital retail ecosystems, especially during peak sales periods when system uptime is critical. As online platforms become more central to retail operations, businesses like Fourlis must invest heavily in cybersecurity defenses. Their experience reinforces the importance of swift response strategies, external threat mitigation support, and robust data protection practices to safeguard operations and maintain customer trust in the face of evolving cyber threats.
Read more »
Ransomwares
cloud storage Cyber Attacks Cyber Researchers Data Backup Data protection data security Ransomware attack Ransomwares

Ransomware Attacks Surge in Q1 2025 as Immutable Backup Emerges as Critical Defense

Ransomware attacks have seen a dramatic rise in the first quarter of 2025, with new research from Object First revealing an 84% increase compared to the same period in 2024. This alarming trend highlights the growing sophistication and frequency of ransomware campaigns, with nearly two-thirds of organizations reporting at least one attack in the past two years. 

The findings suggest that ransomware is no longer a matter of “if” but “when” for most businesses. Despite the increased threat, Object First’s study offers a silver lining. A large majority—81% of IT decision-makers—now recognize that immutable backup storage is the most effective defense against ransomware. Immutable storage ensures that once data is written, it cannot be changed or deleted, offering a critical safety net when other security measures fail. This form of storage plays a key role in enabling organizations to recover their data without yielding to ransom demands. 

However, the report also highlights a concerning gap between awareness and action. While most IT professionals acknowledge the benefits of immutable backups, only 59% of organizations have actually implemented such storage. Additionally, just 58% maintain multiple copies of their data in separate locations, falling short of the recommended 3-2-1 backup strategy. This gap leaves many companies dangerously exposed. The report also shows that ransomware actors are evolving their methods. A staggering 96% of organizations that experienced ransomware attacks in the last two years had their backup systems targeted at least once. Even more concerning, 10% of them had their backup storage compromised in every incident. 

These findings demonstrate how attackers now routinely seek to destroy recovery options, increasing pressure on victims to pay ransoms. Many businesses still place heavy reliance on traditional IT security hardening. In fact, 61% of respondents believe this approach is sufficient. But ransomware attackers are adept at bypassing such defenses using phishing emails, stolen credentials, and remote access tools. That’s why Object First recommends adopting a “breach mentality”—an approach that assumes an eventual breach and focuses on limiting damage. 

A Zero Trust architecture, paired with immutable backup, is essential. Organizations are urged to segment networks, restrict user access to essential data only, and implement multi-factor authentication. As cloud services grow, many companies are also turning to immutable cloud storage for flexible, scalable protection. Together, these steps offer a stronger, more resilient defense against today’s aggressive ransomware landscape.
Read more »
Security Keys
Cyber Security Data protection Hardware MFA online account security online accounts Online attacks Security Keys

Why Securing Online Accounts is Critical in Today’s Cybersecurity Landscape

 

In an era where cybercriminals are increasingly targeting passwords through phishing attacks, data breaches, and other malicious tactics, securing online accounts has never been more important. Relying solely on single-factor authentication, such as a password, is no longer sufficient to protect sensitive information. Multi-factor authentication (MFA) has emerged as a vital tool for enhancing security by requiring verification from multiple sources. Among the most effective MFA methods are hardware security keys, which provide robust protection against unauthorized access.

What Are Hardware Security Keys?

A hardware security key is a small physical device designed to enhance account security using public key cryptography. This method generates a pair of keys: a public key that encrypts data and a private key that decrypts it. The private key is securely stored on the hardware device, making it nearly impossible for hackers to access or replicate. Unlike SMS-based authentication, which is vulnerable to interception, hardware security keys offer a direct, offline authentication method that significantly reduces the risk of compromise.

Hardware security keys are compatible with major online platforms, including Google, Microsoft, Facebook, GitHub, and many financial institutions. They connect to devices via USB, NFC, or Bluetooth, ensuring compatibility with a wide range of hardware. Popular options include Yubico’s YubiKey, Google’s Titan Security Key, and Thetis. Setting up a hardware security key is straightforward. Users simply register the key with an online account that supports security keys. For example, in Google’s security settings, users can enable 2-Step Verification and add a security key.

Once linked, logging in requires inserting or tapping the key, making the process both highly secure and faster than receiving verification codes via email or SMS. When selecting a security key, compatibility is a key consideration. Newer devices often require USB-C keys, while older ones may need USB-A or NFC options. Security certifications also matter—FIDO U2F provides basic security, while FIDO2/WebAuthn offers advanced protection against phishing and unauthorized access. Some security keys even include biometric authentication, such as fingerprint recognition, for added security.

Prices for hardware security keys typically range from $30 to $100. It’s recommended to purchase a backup key in case the primary key is lost. Losing a security key does not mean being locked out of accounts, as most platforms allow backup authentication methods, such as SMS or authentication apps. However, having a secondary security key ensures uninterrupted access without relying on less secure recovery methods.

Maintaining Strong Online Security Habits

While hardware security keys provide excellent protection, maintaining strong online security habits is equally important. This includes creating complex passwords, being cautious with email links and attachments, and avoiding oversharing personal information on social media. For those seeking additional protection, identity theft monitoring services can offer alerts and assistance in case of a security breach.

By using a hardware security key alongside other cybersecurity measures, individuals can significantly reduce their risk of falling victim to online attacks. These keys not only enhance security but also ensure convenient and secure access to their most important accounts. As cyber threats continue to evolve, adopting advanced tools like hardware security keys is a proactive step toward safeguarding your digital life.

Read more »
Privacy
Cyberattacks CyberCrime Cyberhacker CyberThreat Data protection Privacy

Smart Meter Privacy Under Scrutiny as Warnings Reach Millions in UK

 


According to a campaign group that has criticized government net zero policies, smart meters may become the next step in "snooping" on household energy consumption. Ministers are discussing the possibility of sharing household energy usage with third parties who can assist customers in finding cheaper energy deals and lower carbon tariffs from competitors. 

The European watchdog responsible for protecting personal data has been concerned that high-tech monitors that track households' energy use are likely to pose a major privacy concern. A recent report released by the European Data Protection Supervisor (EDPS) states that smart meters, which must be installed in every home in the UK by the year 2021, will be used not only to monitor energy consumption but also to track a great deal more data. 

According to the EDPS, "while the widespread rollout of smart meters will bring some substantial benefits, it will also provide us with the opportunity to collect huge amounts of personal information." Smart meters have been claimed to be a means of spying on homes by net zero campaigners. A privacy dispute has broken out in response to government proposals that will allow energy companies to harvest household smart meter data to promote net zero energy. 

In the UK, the Telegraph newspaper reports that the government is consulting on the idea of letting consumers share their energy usage with third parties who can direct them to lower-cost deals and lower carbon tariffs from competing suppliers. The Telegraph quoted Neil Record, the former economist for the Bank of England and currently chairman of Net Zero Watch, as saying that smart meters could potentially have serious privacy implications, which he expressed concerns to the paper. 

According to him, energy companies collect a large amount of consumer information, which is why he advised the public to remain vigilant about the increasing number of external entities getting access to household information. Further, Record explained that, once these measures are authorized, the public would be able to view detailed details of the activities of households in real-time. 

The record even stated that the public might not fully comprehend the extent to which the data is being shared and the possible consequences of this access. Nick Hunn, founder of the wireless technology consulting firm WiFore, also commented on the matter, highlighting the original intent behind the smart meter rollout, He noted that the initiative was designed to enable consumers to access their energy usage data, thereby empowering them to make informed decisions regarding energy consumption and associated costs. Getting to net zero targets will be impossible without smart meters. 

They allow energy companies to get real-time data on how much energy they are using and can be used to manage demand as needed. Using smart meters, for instance, households will be rewarded for cutting energy use during peak hours, thereby reducing the need for the construction of new gas-fired power plants. Energy firms can also offer free electricity to households when wind energy is in abundance. Using smart meters as a means of controlling household energy usage, the Government has ambitions to install them in three-quarters of all households by the end of 2025, at the cost of £13.5 billion. 

A recent study by WiFore, which is a wireless technology consulting firm, revealed that approximately four million devices are broken in homes. According to Nick Hunn, who is the founder of the firm: "This is essentially what was intended at the beginning of the rollout of smart meters: that consumers would be able to see what energy data was affecting them so that they could make rational decisions about how much they were spending and how much they were using."
Read more »
kiberphant0m
BSNL data breach CERT-In Critical Data cyberattack on BSNL cybercriminals Dark web marketplace Data Breach Data protection data security kiberphant0m

U.S. soldier linked to BSNL data breach: Arrest reveals cybercrime

 

The arrest of Cameron John Wagenius, a U.S. Army communications specialist, has unveiled potential connections to a significant data breach targeting India’s state-owned telecom provider, BSNL. The breach highlights the global reach of cybercrime networks and raises concerns about the security of sensitive data across continents. 

Wagenius, stationed in South Korea, was apprehended on December 20, 2023, for allegedly selling hacked data from U.S. telecom companies. According to cybersecurity experts, he may also be the individual behind the alias “kiberphant0m” on a dark web marketplace. In May 2023, “kiberphant0m” reportedly attempted to sell 278 GB of BSNL’s critical data, including subscriber details, SIM numbers, and server snapshots, for $5,000. Indian authorities confirmed that one of BSNL’s servers was breached in May 2023. 

While the Indian Computer Emergency Response Team (CERT-In) reported the intrusion, the identity of the perpetrator remained elusive until Wagenius’s arrest. Efforts to verify the hacker’s access to BSNL servers through Telegram communication and sample data proved inconclusive. The breach exposes vulnerabilities in telecom providers’ security measures, as sensitive data such as health records, payment details, and government-issued identification was targeted. 

Additionally, Wagenius is accused of selling call records of prominent U.S. political figures and data from telecom providers across Asia. The arrest also sheds light on Wagenius’s links to a broader criminal network led by Connor Riley Moucka. Moucka and his associates reportedly breached multiple organizations, extorting millions of dollars and selling stolen data. Wagenius’s involvement with this network underscores the organized nature of cybercrime operations targeting telecom infrastructure. 

Cybersecurity researchers, including Allison Nixon of Unit 221B, identified Wagenius as the individual behind illicit sales of BSNL data. However, she clarified that these activities differ from state-sponsored cyberattacks by groups such as Salt Typhoon, a Chinese-linked advanced persistent threat actor known for targeting major U.S. telecom providers. The case has also exposed challenges in prosecuting international cybercriminals. Indian authorities have yet to file a First Information Report (FIR) or engage with U.S. counterparts on Wagenius’s case, limiting legal recourse. 

Experts suggest leveraging international treaties and cross-border collaboration to address such incidents. As the investigation unfolds, the breach serves as a stark reminder of the growing threat posed by insider actions and sophisticated cybercriminal networks. It underscores the urgent need for robust data protection measures and international cooperation to counter cybercrime.
Read more »
Salt Typhoon
China Hackers Cyber Attacks cyber espionage Cybersecurity awareness Data protection data security FBI Salt Typhoon

T-Mobile Thwarts Cyberattack Amid Growing Telecom Threats

 

Between September and November, T-Mobile successfully defended against a cyberattack attributed to the Chinese state-sponsored group Salt Typhoon. Unlike previous incidents, this time, no data was compromised. However, the attack highlights growing cybersecurity vulnerabilities in the U.S. telecom sector. 

The Federal Bureau of Investigation (FBI) has identified nine telecom carriers targeted by cyberattacks, with Verizon, AT&T, and Lumen among the known victims. The identity of the ninth carrier remains undisclosed. Hackers reportedly accessed SMS metadata and communication patterns from millions of Americans, including high-profile figures such as presidential candidates and government officials. 

While China denies any involvement in the cyberattacks, its alleged role in the breach underscores the persistent threat of state-sponsored cyber espionage. Though the attackers did not obtain classified information, they managed to collect substantial data for analyzing communication patterns, fueling concerns over national security. 

In response, the Federal Communications Commission (FCC) is weighing penalties for carriers that fail to secure their networks. The agency is also considering a ban on China Telecom operations within the United States. Additionally, the U.S. government has advised citizens to use encrypted telecom services to bolster their privacy and security. 

Senator Ben Ray Luján called the Salt Typhoon incident one of the most significant cyberattacks on the U.S. telecom industry. He stressed the urgent need to address vulnerabilities within national infrastructure to prevent future breaches. 

Anne Neuberger, Deputy National Security Advisor, highlighted the inadequacy of voluntary cybersecurity measures. The FCC is now working on a proposed rule requiring telecom companies to submit annual cybersecurity reports, with penalties for non-compliance. The rule aims to make it harder for hackers to exploit weak networks by encouraging stronger protections.  

Neuberger also emphasized the importance of network segmentation to limit the damage from potential breaches. By isolating sections of a network, companies can contain attackers and reduce the scope of compromised data. She cited a troubling example where a single administrative account controlling 100,000 routers was breached, granting attackers widespread access. 

The FCC’s proposed rule is expected to be voted on by January 15. If passed, it could mandate fundamental security practices to protect critical infrastructure from cyberattacks by adversarial nations. 

The telecom industry’s repeated exposure to breaches highlights the necessity of robust security frameworks and accountability measures. As hackers evolve their tactics, stronger regulations and proactive measures are essential to safeguarding sensitive data and national security. By adopting stricter cybersecurity practices, telecom companies can mitigate risks and enhance their resilience against state-sponsored threats.
Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
Streaming Platform
Amazon Data Breach Data Leak Data protection data security Fines Hacker attack Personal Data Streaming Platform

Amazon Fined for Twitch Data Breach Impacting Turkish Nationals

 

Türkiye has imposed a $58,000 fine on Amazon for a data breach that occurred on its subsidiary, Twitch, in 2021. The breach exposed sensitive personal information of thousands of Turkish citizens, drawing scrutiny from the country’s Personal Data Protection Board (KVKK). The incident began when an anonymous hacker leaked Twitch’s entire source code, along with personally identifiable information (PII) of users, in a massive 125 GB torrent posted on the 4chan imageboard. The KVKK investigation revealed that 35,274 Turkish nationals were directly affected by the leak. 

As a result, KVKK levied fines totaling 2 million lira, including 1.75 million lira for Amazon’s failure to implement adequate preemptive security measures and 250,000 lira for not reporting the breach in a timely manner. According to the regulatory body, Twitch’s risk and threat assessments were insufficient, leaving users’ data vulnerable to exploitation. The board concluded that the company only addressed the vulnerabilities after the breach had already occurred. Twitch, acquired by Amazon in 2014 for $970 million, attempted to minimize concerns by assuring users that critical login credentials and payment information had not been exposed. The company stated that passwords were securely hashed with bcrypt, a strong encryption method, and claimed that systems storing sensitive financial data were not accessed. 

However, the leaked information still contained sensitive PII, leading to significant privacy concerns, particularly for Turkish users who were impacted. The motivation behind the hack was reportedly ideological rather than financial. According to reports from the time, the hacker expressed dissatisfaction with the Twitch community and aimed to disrupt the platform by leaking the data. The individual claimed their intent was to “foster more disruption and competition in the online video streaming space.” While this rationale highlighted frustrations with Twitch’s dominance in the industry, the data breach had far-reaching consequences, including legal action, reputational damage, and increased regulatory scrutiny. Türkiye’s actions against Amazon and Twitch underline the growing importance of adhering to local data protection laws in an increasingly interconnected world. 

The fines imposed by KVKK serve as a reminder that global corporations must ensure compliance with regional regulations to avoid significant penalties and reputational harm. Türkiye’s regulations align with broader trends, as data privacy and security become critical components of global business practices. This incident also underscores the evolving nature of cybersecurity challenges. Hackers continue to exploit vulnerabilities in popular platforms, putting pressure on companies to proactively identify and address risks before they lead to breaches. As regulatory bodies like KVKK become more assertive in holding companies accountable, the need for robust data protection frameworks has never been more urgent. The Twitch breach also serves as a case study for the importance of transparency and swift response in the aftermath of cyberattacks. 

While Twitch’s reassurances regarding encrypted data helped mitigate some concerns, the lack of prompt reporting to Turkish authorities drew criticism. Companies handling large amounts of user data must prioritize both preventive measures and clear communication strategies to regain user trust after incidents. Looking forward, the Twitch data breach highlights the necessity for all companies—especially those managing sensitive user data—to invest in proactive cybersecurity strategies. As hackers grow increasingly sophisticated, businesses must adopt a forward-thinking approach to safeguard their platforms, comply with local laws, and ensure users’ privacy remains uncompromised.
Read more »
Personal Data
Data Breach Data breaches attacks Data protection Data Theft Financial Data Hacker attack Hackers Personal Data

Set Forth Data Breach: 1.5 Million Impacted and Next Steps

 

The debt relief firm Set Forth recently experienced a data breach that compromised the sensitive personal and financial information of approximately 1.5 million Americans. Hackers gained unauthorized access to internal documents stored on the company’s systems, raising serious concerns about identity theft and online fraud for the affected individuals. Set Forth, which provides administrative services for Americans enrolled in debt relief programs and works with B2B partners like Centrex, has initiated notification protocols to inform impacted customers. The breach reportedly occurred in May this year, at which time Set Forth implemented incident response measures and enlisted independent forensic specialists to investigate the incident. 

However, the full extent of the attack is now coming to light. According to the company’s notification to the Maine Attorney General, the hackers accessed a range of personal data, including full names, Social Security numbers (SSNs), and dates of birth. Additionally, information about spouses, co-applicants, or dependents of the affected individuals may have been compromised. Although there is currently no evidence that the stolen data has been used maliciously, experts warn that it could end up on the dark web or be utilized in targeted phishing campaigns. This breach highlights the ongoing risks associated with storing sensitive information digitally, as even companies with incident response plans can become vulnerable to sophisticated cyberattacks. 

To mitigate the potential damage, Set Forth is offering free access to Cyberscout, an identity theft protection service, for one year to those affected. Cyberscout, which has over two decades of experience handling breach responses, provides monitoring and support to help protect against identity fraud. Impacted customers will receive notification letters containing instructions and a code to enroll in this service. For those affected by the breach, vigilance is critical. Monitoring financial accounts for unauthorized activity is essential, as stolen SSNs can enable hackers to open lines of credit, apply for loans, or even commit crimes in the victim’s name. 

Additionally, individuals should remain cautious when checking emails or messages, as hackers may use the breach as leverage to execute phishing scams. Suspicious emails—particularly those with urgent language, unknown senders, or blank subject lines—should be deleted without clicking links or downloading attachments. This incident serves as a reminder of the potential risks posed by data breaches and the importance of proactive protection measures. While Set Forth has taken steps to assist affected individuals, the breach underscores the need for businesses to strengthen their cybersecurity defenses. For now, impacted customers should take advantage of the identity theft protection services being offered and remain alert to potential signs of fraud.
Read more »
trending news
cyberattacks news Data protection Data Theft Privacy smart home devices trending news

UK Watchdog Urges Data Privacy Overhaul as Smart Devices Collect “Excessive” User Data

 

A new study by consumer group Which? has revealed that popular smart devices are gathering excessive amounts of personal data from users, often beyond what’s required for functionality. The study examined smart TVs, air fryers, speakers, and wearables, rating each based on data access requests. 

Findings suggested many of these devices may be gathering and sharing data with third parties, often for marketing purposes. “Smart tech manufacturers and their partners seem to collect data recklessly, with minimal transparency,” said Harry Rose from Which?, calling for stricter guidelines on data collection. The UK’s Information Commissioner’s Office (ICO) is expected to release updated guidance on data privacy for smart devices in 2025, which Rose urged be backed by effective enforcement. 

The study found all three tested air fryers, including one from Xiaomi, requested precise user locations and audio recording permissions without clarification. Xiaomi’s fryer app was also linked to trackers from Facebook and TikTok, raising concerns about data being sent to servers in China, though Xiaomi disputes the findings, calling them “inaccurate and misleading.” 

Similar privacy concerns were highlighted for wearables, with the Huawei Ultimate smartwatch reportedly asking for risky permissions, such as access to location, audio recording, and stored files. Huawei defended these requests, stating that permissions are necessary for health and fitness tracking and that no data is used for marketing. 

Smart TVs from brands like Samsung and LG also collected extensive data, with both brands connecting to Facebook and Google trackers, while Samsung’s app made additional phone permission requests. Smart speakers weren’t exempt from scrutiny; the Bose Home Portable speaker reportedly had several trackers, including from digital marketing firms.  

Slavka Bielikova, ICO’s principal policy adviser, noted, “Smart products know a lot about us and that’s why it’s vital for consumers to trust that their information is used responsibly.” She emphasized the ICO’s upcoming guidance, aiming to clarify expectations for manufacturers to protect consumers. 

As the debate over data privacy intensifies, Which? recommends that consumers opt out of unnecessary data collection requests and regularly review app permissions for added security.
Read more »
training
Awareness Cyber Attacks Cyberattacks Cybersecurity Data protection Digital Security Education human error legislation malware training

Addressing Human Error in Cybersecurity: The Unseen Weak Link

 

Despite significant progress in cybersecurity, human error remains the most significant vulnerability in the system. Research consistently shows that the vast majority of successful cyberattacks stem from human mistakes, with recent data suggesting it accounts for 68% of breaches.

No matter how advanced cybersecurity technology becomes, the human factor continues to be the weakest link. This issue affects all digital device users, yet current cyber education initiatives and emerging regulations fail to effectively target this problem.

In cybersecurity, human errors fall into two categories. The first is skills-based errors, which happen during routine tasks, often when someone's attention is divided. For instance, you might forget to back up your data because of distractions, leaving you vulnerable in the event of an attack.

The second type involves knowledge-based errors, where less experienced users make mistakes due to a lack of knowledge or not following specific security protocols. A common example is clicking on a suspicious link, leading to malware infection and data loss.

Despite heavy investment in cybersecurity training, results have been mixed. These initiatives often adopt a one-size-fits-all, technology-driven approach, focusing on technical skills like password management or multi-factor authentication. However, they fail to address the psychological and behavioral factors behind human actions.

Changing behavior is far more complex than simply providing information. Public health campaigns, like Australia’s successful “Slip, Slop, Slap” sun safety campaign, demonstrate that sustained efforts can lead to behavioral change. The same principle should apply to cybersecurity education, as simply knowing best practices doesn’t always lead to their consistent application.

Australia’s proposed cybersecurity legislation includes measures to combat ransomware, enhance data protection, and set minimum standards for smart devices. While these are important, they mainly focus on technical and procedural solutions. Meanwhile, the U.S. is taking a more human-centric approach, with its Federal Cybersecurity Research Plan placing human factors at the forefront of system design and security.

Three Key Strategies for Human-Centric Cybersecurity

  • Simplify Practices: Cybersecurity processes should be intuitive and easily integrated into daily workflows to reduce cognitive load.
  • Promote Positive Behavior: Education should highlight the benefits of good cybersecurity practices rather than relying on fear tactics.
  • Adopt a Long-term Approach: Changing behavior is an ongoing effort. Cybersecurity training must be continually updated to address new threats.
A truly secure digital environment demands a blend of strong technology, effective policies, and a well-educated, security-conscious public. By better understanding human error, we can design more effective cybersecurity strategies that align with human behavior.
Read more »
unauthorized software
ChatGPT risks Cybersecurity Data Leaks Data protection Digital Assets Information Security privacy laws server vulnerabilities Shadow IT Technology unauthorized software

Mitigating the Risks of Shadow IT: Safeguarding Information Security in the Age of Technology

 

In today’s world, technology is integral to the operations of every organization, making the adoption of innovative tools essential for growth and staying competitive. However, with this reliance on technology comes a significant threat—Shadow IT.  

Shadow IT refers to the unauthorized use of software, tools, or cloud services by employees without the knowledge or approval of the IT department. Essentially, it occurs when employees seek quick solutions to problems without fully understanding the potential risks to the organization’s security and compliance.

Once a rare occurrence, Shadow IT now poses serious security challenges, particularly in terms of data leaks and breaches. A recent amendment to Israel’s Privacy Protection Act, passed by the Knesset, introduces tougher regulations. Among the changes, the law expands the definition of private information, aligning it with European standards and imposing heavy penalties on companies that violate data privacy and security guidelines.

The rise of Shadow IT, coupled with these stricter regulations, underscores the need for organizations to prioritize the control and management of their information systems. Failure to do so could result in costly legal and financial consequences.

One technology that has gained widespread usage within organizations is ChatGPT, which enables employees to perform tasks like coding or content creation without seeking formal approval. While the use of ChatGPT itself isn’t inherently risky, the lack of oversight by IT departments can expose the organization to significant security vulnerabilities.

Another example of Shadow IT includes “dormant” servers—systems connected to the network but not actively maintained. These neglected servers create weak spots that cybercriminals can exploit, opening doors for attacks.

Additionally, when employees install software without the IT department’s consent, it can cause disruptions, invite cyberattacks, or compromise sensitive information. The core risks in these scenarios are data leaks and compromised information security. For instance, when employees use ChatGPT for coding or data analysis, they might unknowingly input sensitive data, such as customer details or financial information. If these tools lack sufficient protection, the data becomes vulnerable to unauthorized access and leaks.

A common issue is the use of ChatGPT for writing SQL queries or scanning databases. If these queries pass through unprotected external services, they can result in severe data leaks and all the accompanying consequences.

Rather than banning the use of new technologies outright, the solution lies in crafting a flexible policy that permits employees to use advanced tools within a secure, controlled environment.

Organizations should ensure employees are educated about the risks of using external tools without approval and emphasize the importance of maintaining information security. Proactive monitoring of IT systems, combined with advanced technological solutions, is essential to safeguarding against Shadow IT.

A critical step in this process is implementing technologies that enable automated mapping and monitoring of all systems and servers within the organization, including those not directly managed by IT. These tools offer a comprehensive view of the organization’s digital assets, helping to quickly identify unauthorized services and address potential security threats in real time.

By using advanced mapping and monitoring technologies, organizations can ensure that sensitive information is handled in compliance with security policies and regulations. This approach provides full transparency on external tool usage, effectively reducing the risks posed by Shadow IT.
Read more »
Subscribe to: Posts (Atom)