CBS News: At least 17 members of Congress had sensitive information exposed in data breach

CBS News: At least 17 members of Congress had sensitive information exposed in data breach. “The hacking of the DC Health Benefit Exchange Authority data system has triggered at least three investigations and a federal civil lawsuit against the District of Columbia government, CBS News has learned. It has also sent a significant shock through Congress and its staffers.”

Bleeping Computer: Microsoft pushes OOB security updates for Windows Snipping tool flaw

Bleeping Computer: Microsoft pushes OOB security updates for Windows Snipping tool flaw. “Now tracked as CVE-2023-28303, the Acropalypse vulnerability is caused by image editors not properly removing cropped image data when overwriting the original file. For example, if you take a screenshot and crop out sensitive information, such as account numbers, you should have reasonable expectations that this cropped data will be removed when saving the image. However, with this bug, both the Google Pixel’s Markup Tool and the Windows Snipping Tool were found to be leaving the cropped data within the original file.”

The Next Web: Big Tech gives EU access to thousands of user accounts each year

The Next Web: Big Tech gives EU access to thousands of user accounts each year. “Most of us share huge amounts of personal information online, and Big Tech companies are in many ways the gatekeepers of this data. But how much do they share with the authorities? And how often do governments request user data? According to new research by VPN provider SurfShark, the answer is a lot, and a lot again.”

Engadget: OpenAI says a bug leaked sensitive ChatGPT user data

Engadget: OpenAI says a bug leaked sensitive ChatGPT user data. “In Tuesday’s incident, users posted screenshots on Reddit that their ChatGPT sidebars featured previous chat histories from other users. Only the title of the conversation, not the text itself, was visible. OpenAI, in response, took the bot offline for nearly 10 hours to investigate. The results of that investigation revealed a deeper security issue: the chat history bug may have also potentially revealed personal data from 1.2 percent of ChatGPT Plus subscribers.”

9to5 Google: Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update

9to5 Google: Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update. “For example (as shared on Twitter), let’s say you upload a screenshot from a hypothetical bank app/website that includes a picture of your credit/debit card. You crop out everything save for the card and then use Markup’s Pen tool to black out the 16-digit number. You then share that message on a service, like Discord. Given a vulnerability in how Markup works, somebody that downloads the image is able to perform a ‘partial recovery of the original, unedited image data of [the] cropped and/or redacted screenshot.’”

Dallas Morning News: Dallas deputy streamed traffic stop to TikTok, revealed man’s personal info, lawsuit says

Dallas Morning News: Dallas deputy streamed traffic stop to TikTok, revealed man’s personal info, lawsuit says. “A Tarrant County man is suing Dallas County and a sheriff’s deputy after he says his personal information was revealed to more than 100 people after the deputy livestreamed a traffic stop through TikTok.”

Krebs on Security: Two U.S. Men Charged in 2022 Hacking of DEA Portal

Krebs on Security: Two U.S. Men Charged in 2022 Hacking of DEA Portal. “Two U.S. men have been charged with hacking into a U.S. Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.”

TechCrunch: Telehealth startup Cerebral shared millions of patients’ data with advertisers

TechCrunch: Telehealth startup Cerebral shared millions of patients’ data with advertisers. “Cerebral has revealed it shared the private health information, including mental health assessments, of more than 3.1 million patients in the United States with advertisers and social media giants like Facebook, Google and TikTok.”

Universitat Oberta de Catalunya: The most visited websites in Spain do not comply correctly with privacy laws and track their users

Universitat Oberta de Catalunya: The most visited websites in Spain do not comply correctly with privacy laws and track their users. “Only a small percentage of the 500 most visited websites in Spain (which include everything from government sites to streaming and adult content platforms) correctly fulfil the requirements set out in the General Data Protection Regulation (GDPR).”

Gizmodo: We Found 28,000 Apps Sending TikTok Data. Banning the App Won’t Help.

Gizmodo: We Found 28,000 Apps Sending TikTok Data. Banning the App Won’t Help. “Gizmodo has learned that tens of thousands of apps—many which may already be installed on federal employees’ work phones—use code that sends data to TikTok.”

UChicago News: UChicago, NYU team find online education tools pose privacy risks

UChicago News: UChicago, NYU team find online education tools pose privacy risks. “A group of researchers from the University of Chicago and New York University studied online learning and shared their findings in a paper that explored how educational technologies get into schools and what privacy risks these technologies pose to students. The paper, which will be presented at the upcoming ACM CHI Conference on Human Factors in Computing Systems, discloses that many of the technologies were unvetted before they were used with students, possibly leading to critical data security risks.”

Yonhap News Agency: Google, Meta file lawsuit against S. Korean data protection watchdog’s ruling

Yonhap News Agency: Google, Meta file lawsuit against S. Korean data protection watchdog’s ruling. “Google and Meta Platforms have filed a lawsuit against a ruling by the South Korean data protection watchdog to fine the global tech giants for illegally collecting personal data here, industry sources said Monday.”

Bleeping Computer: FBI investigates data breach impacting U.S. House members and staff

Bleeping Computer: FBI investigates data breach impacting U.S. House members and staff. “The FBI is investigating a data breach affecting U.S. House of Representatives members and staff after their account and sensitive personal information was stolen from DC Health Link’s servers.”

Mercer University: Federal laws needed to protect users from confusing privacy policies, research shows

Mercer University: Federal laws needed to protect users from confusing privacy policies, research shows. “Many companies use tactics that intentionally discourage users from reading and understanding what they’re agreeing to, ultimately resulting in users giving broad access to their personal information, according to a recent paper by a Mercer University professor and alumnus. Federal regulations are needed to address the problems of these unfair contracts, they concluded.”

TechCrunch: Hackers steal gun owners’ data from firearm auction website

TechCrunch: Hackers steal gun owners’ data from firearm auction website. “Hackers breached a website that allows people to buy and sell guns, exposing the identities of its users, TechCrunch has learned. The breach exposed reams of sensitive personal data for more than 550,000 users, including customers’ full names, home addresses, email addresses, plaintext passwords and telephone numbers. Also, the stolen data allegedly makes it possible to link a particular person with the sale or purchase of a specific weapon.”