Cybersecurity News of the Week, July 16, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

One thing that Americans might be united on is that our tax information is private and is not to be shared. Over the last few years we’ve seen the Supreme Court get involved in whether even Congress has the right to see personal tax returns. We expect the IRS to protect our tax information, and we expect our tax preparers to do the same. Once again our expectations have been dashed.

A congressional report established that H&R Block, TaxSlayer and TaxAct sold our personal tax information to Google and Meta in apparent violation of Federal law. We the people should be outraged at this blatant disregard for the privacy of their customers. I certainly am.

If an accountant shares a taxpayer’s personal financial information, the accountant faces the possibility of criminal prosecution, a $1,000 fine, and a year in prison. H&R Block, TaxSlayer and TaxAct, and their executives who perpetrated this scheme, should be subject to nothing less.

It is important to hold these companies accountable for their flagrant behavior; failure to do so will only embolden others to keep doing the same.

H&R Block, TaxSlayer and TaxAct have crossed an important line in the sand. They deserve whatever penalties the law can provide. And their customers should run – not walk – away as fast as they can.

And Congress needs to quit fighting and pass meaningful strong privacy legislation that represents the interests of we the people, not the interests of the data collectors.

  • Tax prep sites gave millions of taxpayers’ info to Facebook and Google: A new congressional report, following reporting by a tech news outlet, finds three tax sites were sharing personal user data. … About 10 million people type their personal financial information into H&R Block, TaxSlayer and TaxAct websites every year to prepare their taxes, trusting the companies to keep their information safe. Instead, the companies shared that personal information with Google and Facebook, some going as far back as 2011, members of Congress wrote in a new report.
  • Tax prep companies shared private taxpayer data with Google and Meta for years, congressional probe finds: Some of America’s largest tax-prep companies have spent years sharing Americans’ sensitive financial data with tech titans including Meta and Google in a potential violation of federal law — data that in some cases was misused for targeted advertising, according to a seven-month congressional investigation.

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter, for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. We feature info on how to freeze your credit and what ‘marriage scams’ are in Edition 1. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

  • Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, August 1, 1:00 pm – 2:00 pm PT.
  • Cybercrime Threat Briefing with SSA Michael Sohn, FBI. Co-hosted with Dep’t Financial Protection & Innovation. Friday, August 18, 8:30 – 10:00. Save the Date.

Cyber Humor

Cybersecurity Nonprofit of the Week … Cyber Readiness Institute

Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our medium-size and smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended. Like SecureTheVillage, the Cyber Readiness Institute is a fellow member of Nonprofit Cyber. Dr. Stahl is a proud member of CRI’s Small Business Advisory Council.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Encryption and Privacy: (Video) (Podcast): Stan and Julie take a deep dive into the intricate interplay between encryption and privacy in our ever-evolving digital landscape. Taking the Signal app as an example, they grapple with the conundrum we the people face as we strive to give law enforcement the technology tools they need to prevent crime while also protecting our individual privacy rights. Join Stan and Julie as they navigate the complexities of digital privacy, offering invaluable insights and recommendations along the way.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Microsoft and Apple both issued urgent update patches. Keeping the programs on your computer patched and updated is one of the most important things you can do to keep your computer safe. Check our Weekend Patch Report for other updates. There were a total of 15 updates this week.

Three more stories for families and individuals.

  • Getting Locked Out of Your Digital Life Is Bad. Here’s How to Avoid It: Prevent lockouts by using multiple forms of verification. … A warning to those feeling secure with two-factor authentication. If you lose or break your phone, you could lose access to your authenticator app’s essential codes…and the online accounts they’re supposed to protect.  
  • Google Play will enforce business checks to curb malware submissions: Google is fighting back against the constant invasion of malware on Google Play by requiring all new developer accounts registering as an organization to provide a valid D-U-N-S number before submitting apps. The new measure aims to enhance the platform’s security and trustworthiness and is part of the effort to curb malware submissions from new accounts.
  • Selling Your Cellphone Location Data Might Soon Be Banned in U.S. for First Time: Massachusetts considers law at the vanguard of a broader movement to protect consumer privacy. … Massachusetts lawmakers are weighing a near total ban on buying and selling of location data drawn from consumers’ mobile devices in the state, in what would be a first-in-the-nation effort to rein in a billion-dollar industry. … The proposal would also institute a warrant requirement for law-enforcement access to location data, banning data brokers from providing location information about state residents without court authorization in most circumstances.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

National Cybersecurity: The White House releases its implementation plan for its National Cybersecurity Strategy. A Scientific American story demonstrates why it’s needed.

  • White House releases National Cybersecurity Strategy implementation plan: The White House released the first version of its multiyear implementation plan for the National Cybersecurity Strategy on Thursday, setting into motion a significant overhaul of how the federal government will regulate digital security issues. The plan is a roadmap for the U.S. government to accomplish the goals outlined in the National Cybersecurity Strategy.
  • Cyberspace Solarium Co-Chairs Praise “Forward-Thinking” National Cybersecurity Strategy Implementation Plan: U.S. Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wisc.), Co-chairs of the Cyberspace Solarium Commission (CSC), today released the following statement on the Biden administration’s newly unveiled National Cybersecurity Strategy (NCS) Implementation Plan. “The National Cybersecurity Strategy issued in March provided a well thought-out vision for our nation’s cyber defense; this Implementation Plan is a forward-thinking, comprehensive policy plan that can turn the Strategy into action.” The Implementation Plan outlines how the administration will carry out the NCS’s objectives, many of which were initially key cybersecurity priorities of the CSC.
  • Hackers Could Use Electric Vehicle Chargers to Attack the Power Grid: Hackers have already infiltrated electric vehicle chargers, usually for innocuous reasons, but bad actors could use that foothold to bring down the power grid. … With his electric Kia EV6 running low on power, Sky Malcolm pulled into a bank of fast-chargers near Terre Haute, Indiana, to plug in. As his car powered up, he peeked at nearby chargers. One in particular stood out. …

Also in national cybersecurity news, the State Department alerted Microsoft to an email breach allegedly from China. The story illustrates why we need Security / Privacy by Design / Default. Your ability to defend against an attack that succeeds because of a Microsoft vulnerability should not depend on whether you pay Microsoft for additional security protection.

  • Chinese Hackers Breached Government Email Accounts, Microsoft Says: Chinese hackers intent on collecting intelligence on the United States gained access to government email accounts, Microsoft disclosed on Tuesday night. Microsoft said the Chinese hacking group began gaining access to email accounts in May and was not discovered until June.
  • China Hacking Was Undetectable for Some Who Had Less Expensive Microsoft Services: Officials call for changes to Microsoft cloud services following hacks. Biden administration officials and an influential senator are calling for changes to Microsoft’s cloud computing services after victims of a recent Chinese cyber intrusion were unable to detect the hack because they weren’t enrolled in the software company’s premium service. … “Offering insecure products and then charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags,” Senator Ron Wyden said.

As we discussed on this week’s podcast, the complex privacy / surveillance challenge continues to heat up as governments insist on access.

This week in cybercrime: More fallout from the MOVEit debacle, along with an in-depth article on the gang behind MOVEit. And more medical breaches, including the breach of a Beverly Hills plastic surgeon which exposed sensitive medical information along with patients’ topless pictures and financial information. Meanwhile, Hayward, CA is battling a ransomware attack as local governments seem too often to be sitting ducks.

  • Clop: Behind MOVEit Lies a Loud, Adaptable and Persistent Threat Group: The MOVEit cyber-attack continues to grow, with more organizations falling victim every day. Brett Callow, a threat analyst at Emsisoft, counted 257 organizations and 17,750,524 individuals impacted by the attack on July 11, 2023. … Meanwhile, the Clop ransomware group, which is reportedly responsible for the attack, keeps adding names to the list of victims on its leak site, with newer ones including big financial companies (Deutsche Bank, ING Bank and Post Bank) and 25 US schools.
  • Charles Schwab announces TD Ameritrade data breach: Tens of thousands of clients could have been affected in huge attack resulting from vulnerabilities found in MOVEit file transfer software.
  • Tennessee retirees exposed in cyberattack: Personal information of more than 170,000 retired State of Tennessee employees and/or their beneficiaries was accessed in a hack in May. … Tennessee Consolidated Retirement System (TCRS), which provides pension benefits for state retirees, was among several state and federal organizations impacted by a global cyberattack on the file transfer software MOVEit. The software was utilized by Pension Benefits Information, a vendor that TCRS contracts for services.
  • HCA Healthcare patient data stolen and for sale by hackers: HCA Healthcare patient data has been hacked and is now for sale, according to the company. … The dataset has approximately 27 million rows and includes patients’ personal information and certain visit records. … The hack affects patients in nearly two dozen states, including patients at dozens of facilities in Florida and Texas.
  • UK battles hacking wave as ransomware gang claims ‘biggest ever’ NHS breach: Barts Health NHS Trust, the U.K.’s largest NHS trust, has confirmed it’s investigating a ransomware incident as the country’s public sector continues to battle a rising wave of cyberattacks. Barts Health runs five London-based hospitals and serves more than 2.5 million patients.
  • Major data breach at Beverly Hills plastic surgeon’s office exposes patients’ sensitive information: A former patient spoke with the NBC4 I-Team about the hack, which includes patients’ topless pictures, financial information, and medical records. … The major data breach of Dr. Gary Motykie, a popular Beverly Hills plastic surgeon, led to sensitive information being posted on a public website, along with what appears to be very private images of the doctor himself.
  • ‘Systems have gone down’: Emergency declared as Hayward cyberattack impedes emergency dispatch system: The Hayward City Council declared a local emergency Thursday over an ongoing cyberattack, in an effort to more quickly acquire resources to respond to what officials have described as intruders trying to hold municipal computer systems and networks hostage. … The attack has gripped the city since it was discovered Sunday — affecting an array of services from emergency dispatching to electronic payments to library check-out systems — and left officials without an answer for when the disruption will be fully resolved.

Section 4 – Managing Information Security and Privacy in Your Organization.

California Attorney General Bonta is investigating compliance with the California Consumer Privacy Act.

  • Attorney General Bonta Seeks Information from California Employers on Compliance with California Consumer Privacy Act: California Attorney General Rob Bonta today announced an investigative sweep, through inquiry letters sent to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants. Effective January 1, 2023, covered businesses must also comply with the CCPA’s robust privacy protections as it relates to employee data. Businesses subject to the CCPA have specific legal obligations, such as providing notice of privacy practices and fulfilling consumer requests to exercise their rights to access, delete, and opt out of the sale and sharing of personal information. 

The Cybersecurity & Infrastructure Security Agency (CISA) has added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. CISA strongly recommends that all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.
