The Wall Street Journal reports that electric vehicle giant Tesla has agreed to modify its cars’ camera settings following complaints from EU consumers raising concerns about compliance with the General Data Protection Regulation (GDPR). Tesla will issue a software settings update so that security cameras in cars in the EU are disabled by default until a user turns them on, and so that only the last ten minutes (instead of an hour) of recorded footage will be saved. The GDPR requires companies that collect personal data to prove that they have consent and to include product features that protect such data. Tesla’s Sentry Mode setting, which is designed to protect cars from theft and damage, has been under scrutiny from EU data privacy regulators for years, and the Dutch privacy regulator determined the previous settings allowed serious privacy violations. Dutch regulator board member Katja Mur explained, “If a person parked one of these vehicles in front of someone’s window, they could spy inside and see everything the other person was doing.”
Video game publisher Activision has disclosed it suffered a December data breach after a successful SMS phishing attempt. Vice reports that an employee was tricked into clicking on a malicious link contained in a text message, allowing the attackers to take over the staffer’s Slack account and post offensive messages. An Activision spokesperson told Bleeping Computer, “On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.” The maker of popular video game Call of Duty says that the incident did not compromise game source code or player details, but security research group VX-Underground says that the attacker "exfiltrated sensitive work place documents" along with the company’s upcoming content release schedule. (Dot Esports spills the stolen details on the new game’s features, for any gamers who might be interested.) Gaming news site 'Insider Gaming' says the cache of data also includes employees’ full names, email addresses, phone numbers, salaries, and work locations. A screenshot from an infiltrated Slack chat displays a message posted through the compromised account that reads “i touch children,” and other screenshots reveal games’ planned release dates.
David Maynor, Senior Director of Threat Intelligence at Cybrary, noted that there is no single approach to handling a data breach:
"There is no one 'SOP' for breaches. This timeline shows a typical public reaction to a breach. Some entity, in this case VX-Underground, notices something on a market and tells the world about it. Reporters that follow VX-Underground use it as a tip and suddenly the victims switchboard/email server gets loaded with requests for comment.
“There is also the fog of war effect where different people have different parts of a puzzle and make assumptions. This leads to different hot takes contradicting each other.
“From the trial last year of the Uber CISO, Joseph Sullivan, we know that big corps can handle breaches differently. What I can say from personal experience is that the responses to questions as well as public statements are approved by if not written by a crisis communications team. The default response is deescalate, deflect, then deny. This is why the infosec community values technically insightful Root Cause Analysis (RCA) from a victim.”
An investigation conducted by the 74 has revealed that the mental health records of possibly thousands of California students were leaked online after a 2022 ransomware attack targeting the Los Angeles Unified School District (LAUSD). The Russian-speaking threat group Vice Society has taken responsibility for the data dump, which includes highly sensitive, personally identifiable details on students who received special education services. Making matters worse, the district officials say they haven’t alerted the victims of the leak. In fact, when LAUSD Superintendent Alberto Carvalho disclosed the attack back in October, he stated, “We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly.” Existing federal privacy rules do not require school districts to notify the public when students’ personal data are exposed, a legislation gap that some experts feel is a detriment to the victims. Doug Levin, the national director of the K12 Security Information eXchange, stated, “It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying — or even hiding — the fact that individuals had very sensitive information exposed. For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”
Dror Liwer, co-founder of cybersecurity company Coro, sees a rising threat to the education sector as a whole:
“In the last four months we have seen a significant increase (over 35%) in attacks on our educational clients. Educational institutions have a treasure trove of valuable data on their students, staff, contractors and donors, making them an extremely attractive target. Couple that with most institution's cybersecurity programs being underfunded, and we are facing a perfect storm.
"In this case, the continuous release of information is designed to terrorize other institution's into paying the ransom. By releasing information in waves, the attackers keep the hack in the public eye, and on educational administrators' minds.
"Just as schools prioritize physical security measures, cybersecurity must be prioritized the same way and funded appropriately.”