Edition #6
Table of Contents
Automobile Makers Are Selling Consumer Driving Behavior To Insurers
The TikTok Threat
Nevada AG Seeks Ban On Meta's End-To-End Encryption For Minors
Telco Manager Pleads Guilty in SIM Swap Conspiracy
State AGs Demand Action from Meta Over Account Hacking
Healthcare Hack Will Burden US With Hundreds of Millions in Costs
Lawmakers Propose a New Federal Office to Regulate Workplace Surveillance Technology
McKinsey to Boards of Directors: You’re the Final Line of Cybersecurity Defense
Automobile Makers Are Selling Consumer Driving Behavior To Insurers
What happened:
Automakers like General Motors (GM) are gathering extensive data on driving habits such as speed, braking, and acceleration patterns through connected car technologies.
This data is being sold to insurance providers without drivers' knowledge.
What to know:
LexisNexis, a data broker, received detailed driving data from GM vehicles, including trip details and driving behaviors.
Many drivers have experienced spiking insurance premiums based on data collected without their explicit consent.
They were enrolled in driver feedback programs, which tracked driving habits without their full awareness, leading to privacy concerns.
The practice of sharing driving data extends beyond GM, involving other automakers like Kia, Subaru, and Mitsubishi.
Business Impact:
Brands involved in intrusive data collection practices can face growing consumer outrage and potential backlash.
There are also potential legal implications regarding data privacy and the need for transparent consent mechanisms for data collection.
What to do:
Companies should reassess their data collection practices, ensuring transparent disclosure and explicit consent from consumers. Review your consumer-facing marketing materials for deceptive language about how data is used.
Insurance providers should consider the ethical implications of using data obtained without full consumer awareness and consent.
For more information, check out this article.
The TikTok Threat
What happened:
Despite widespread concerns and legislative actions targeting TikTok, U.S. intelligence has no evidence of TikTok coordinating with Beijing, labeling the national security threat as only hypothetical for now.
What to know:
The bill to force ByteDance to sell TikTok passed a full vote in the House on March 13.
Allegations against TikTok suggest it could be used by the Chinese government for manipulation, data collection, and espionage.
Business Impact:
Continued uncertainty about TikTok's security and privacy could prompt regulatory or legislative actions, potentially resulting in bans or forced sales.
Businesses utilizing TikTok for marketing or engagement strategies may face challenges due to ongoing scrutiny and regulatory concerns.
What to do:
Companies relying on TikTok for marketing or engagement should monitor developments closely and be prepared to adapt to potential regulatory changes.
For more information, check out this article.
Nevada Attorney General Seeks Ban On Meta's End-To-End Encryption For Minors
What happened:
Nevada's Attorney General (AG) has filed a motion to block Meta from providing end-to-end encryption to users under eighteen in the state.
The AG cites concerns about child predators targeting minors online and argues that encrypted communication would hinder law enforcement investigations.
What to know:
End-to-end encryption ensures that communication is encrypted on the sender's device and decrypted only on the recipient's device, preventing intermediaries from accessing its contents.
Meta has offered optional end-to-end encryption since 2016 and recently made it default on Messenger.
Despite Meta's claim that law enforcement can still obtain messages from the devices of criminals and minors, the AG continues to push aggressively for encryption restrictions.
Identifying minors based on IP addresses and self-disclosure is challenging and risks compromising adults' privacy if wrongly identified.
Meta opposes the injunction, arguing encryption is essential for user privacy and protection against online threats.
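To make the definition above concrete, here is a small Go program, an added example written for this newsletter and not code from Meta or from any messaging product. Two devices derive a shared key with X25519 and encrypt with AES-GCM, while a relay standing in for the service provider only ever stores ciphertext: it cannot read the message, and if it alters a byte the recipient's decryption fails. The key derivation (SHA-256 over the shared secret in place of a proper KDF) and the single-message protocol are simplifications assumed for the demo; production messengers layer key ratcheting and identity verification on top of this basic exchange.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Party is one endpoint (a user's device). Its private key never leaves it.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return &Party{priv: priv}
}

// Public returns the key that may be handed to the relay and to peers.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// aead derives a 256-bit AES-GCM key from the X25519 shared secret with a
// peer. Assumption: SHA-256 stands in for a proper KDF such as HKDF here.
func (p *Party) aead(peerPub []byte) cipher.AEAD {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	must(err)
	shared, err := p.priv.ECDH(pub)
	must(err)
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}

// Seal encrypts on the sender's device. The random nonce is prepended so the
// recipient can recover it; GCM also authenticates the ciphertext.
func (p *Party) Seal(peerPub, plaintext []byte) []byte {
	gcm := p.aead(peerPub)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open decrypts on the recipient's device; it fails if anything was altered.
func (p *Party) Open(peerPub, msg []byte) ([]byte, error) {
	gcm := p.aead(peerPub)
	ns := gcm.NonceSize()
	if len(msg) < ns {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	return gcm.Open(nil, msg[:ns], msg[ns:], nil)
}

// Relay models the service provider: it stores and forwards blobs and may
// inspect them, but it holds no private key.
type Relay struct{ mailbox [][]byte }

func (r *Relay) Deliver(msg []byte) { r.mailbox = append(r.mailbox, msg) }

// Exposes reports whether any stored blob contains the plaintext in the clear.
func (r *Relay) Exposes(plaintext []byte) bool {
	for _, m := range r.mailbox {
		if bytes.Contains(m, plaintext) {
			return true
		}
	}
	return false
}

// Exchange sends one message from Alice to Bob through the relay and reports
// what Bob recovered, whether the relay could read it, and whether a relay
// that flips one ciphertext byte is caught by Bob's decryption.
func Exchange(plaintext string) (recovered string, relayReads, tamperCaught bool) {
	alice, bob, relay := NewParty(), NewParty(), &Relay{}
	relay.Deliver(alice.Seal(bob.Public(), []byte(plaintext)))
	pt, err := bob.Open(alice.Public(), relay.mailbox[0])
	must(err)
	forged := append([]byte(nil), relay.mailbox[0]...)
	forged[len(forged)-1] ^= 0x01 // the relay alters one byte in transit
	_, forgeErr := bob.Open(alice.Public(), forged)
	return string(pt), relay.Exposes([]byte(plaintext)), forgeErr != nil
}

func main() {
	got, reads, caught := Exchange("meet at noon")
	fmt.Printf("bob read %q; relay could read it: %v; tampering caught: %v\n", got, reads, caught)
}
```

Running it with go run prints that Bob recovers the message, that the relay's mailbox never contains it in the clear, and that the altered copy is rejected. This is the property the AG's motion would remove for minors: with the keys only on the endpoints, the provider cannot hand over message contents because it never has them, which is also why Meta points to the devices themselves as the place where evidence is obtained.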
Business Impact:
Granting the AG's request could set a precedent affecting privacy and security standards for minors on various messaging platforms, including Apple iMessage and WhatsApp, across multiple states.
What to do:
Businesses involved in providing communication platforms should review their encryption policies and compliance with state regulations to mitigate legal risks.
For more information, check out this article.
Telco Manager Pleads Guilty in SIM Swap Conspiracy
What happened:
Jonathan Katz, a former manager at a telecommunications company in New Jersey, admitted to performing unauthorized SIM swaps for payment, enabling an accomplice to hack customer accounts.
The swaps occurred between May 10 and 20, 2021.
What to know:
SIM swapping involves transferring a target's phone number to a physical SIM card or eSIM controlled by attackers to bypass two-factor authentication.
Katz received $1,000 in Bitcoin per swap, totaling $5,000, and a share of profits from illicit access to victims' accounts.
Court documents revealed victims across multiple states, whose accounts were compromised, including email, social media, and cryptocurrency wallets.
Katz faces up to five years in prison and a significant fine.
Telecom service providers have now enacted measures to prevent unauthorized number porting events without the owner's involvement or authorization.
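As an added example, not taken from the court filings and not any carrier's actual tooling, the Go program below shows the kind of insider-abuse check a carrier's security team can run over SIM-change audit records. It flags every SIM change completed without the customer's verified authorization (the "owner's involvement" the new measures require), and it flags any employee whose SIM changes exceed a threshold inside a rolling window. The audit line format, the field names and the thresholds are assumptions; the sample records are constructed to mirror the pattern in this case, five swaps by one employee over ten days.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SwapEvent is one SIM change read from a carrier audit trail.
type SwapEvent struct {
	At       time.Time
	Employee string
	Account  string
	Verified bool // did the customer pass the account PIN / callback check?
}

// Alert is a finding raised over the audit trail.
type Alert struct {
	Kind     string // "UNVERIFIED_SWAP" or "SWAP_VELOCITY"
	Employee string
	Detail   string
}

// Review thresholds (assumed values, not any carrier's policy).
const (
	DefaultWindow = 14 * 24 * time.Hour // look-back span for the velocity check
	DefaultMax    = 3                   // more SIM changes than this inside the window is anomalous
)

// SampleAudit is constructed data in an assumed key=value format: one employee
// performs five unverified swaps over ten days alongside routine verified
// changes by colleagues and one unrelated account action.
var SampleAudit = []string{
	"2021-05-10T14:02:11Z employee=emp-0421 action=SIM_CHANGE account=acct-1001 verified=false",
	"2021-05-11T09:15:40Z employee=emp-0777 action=SIM_CHANGE account=acct-2044 verified=true",
	"2021-05-12T16:48:03Z employee=emp-0421 action=SIM_CHANGE account=acct-1002 verified=false",
	"2021-05-14T11:20:59Z employee=emp-0421 action=SIM_CHANGE account=acct-1003 verified=false",
	"2021-05-15T10:05:12Z employee=emp-0913 action=PLAN_CHANGE account=acct-3100 verified=true",
	"2021-05-17T13:33:27Z employee=emp-0421 action=SIM_CHANGE account=acct-1004 verified=false",
	"2021-05-20T17:12:08Z employee=emp-0421 action=SIM_CHANGE account=acct-1005 verified=false",
}

// ParseLine parses one audit line; ok is false for actions other than
// SIM_CHANGE, and err is non-nil for malformed input.
func ParseLine(line string) (ev SwapEvent, ok bool, err error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return ev, false, fmt.Errorf("malformed audit line: %q", line)
	}
	if ev.At, err = time.Parse(time.RFC3339, fields[0]); err != nil {
		return ev, false, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	if kv["action"] != "SIM_CHANGE" {
		return ev, false, nil // other account actions are out of scope here
	}
	ev.Employee, ev.Account, ev.Verified = kv["employee"], kv["account"], kv["verified"] == "true"
	return ev, true, nil
}

// Analyze raises UNVERIFIED_SWAP for every SIM change done without the
// customer's verified authorization, and one SWAP_VELOCITY alert per employee
// whose SIM changes exceed maxPerWindow inside any span of length window.
func Analyze(lines []string, window time.Duration, maxPerWindow int) ([]Alert, error) {
	var alerts []Alert
	byEmployee := map[string][]time.Time{}
	var order []string // employees in first-seen order, for deterministic output
	for _, line := range lines {
		ev, ok, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if !ok {
			continue
		}
		if !ev.Verified {
			alerts = append(alerts, Alert{"UNVERIFIED_SWAP", ev.Employee, ev.Account + " changed without customer verification at " + ev.At.Format(time.RFC3339)})
		}
		if _, seen := byEmployee[ev.Employee]; !seen {
			order = append(order, ev.Employee)
		}
		byEmployee[ev.Employee] = append(byEmployee[ev.Employee], ev.At)
	}
	for _, e := range order {
		ts := byEmployee[e]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := range ts { // sliding window anchored at each event
			n := 0
			for j := i; j < len(ts) && ts[j].Sub(ts[i]) <= window; j++ {
				n++
			}
			if n > maxPerWindow {
				alerts = append(alerts, Alert{"SWAP_VELOCITY", e, fmt.Sprintf("%d SIM changes within %d days from %s", n, int(window.Hours()/24), ts[i].Format("2006-01-02"))})
				break // one velocity alert per employee is enough
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Analyze(SampleAudit, DefaultWindow, DefaultMax)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-15s %-8s %s\n", a.Kind, a.Employee, a.Detail)
	}
}
```

On the constructed records the program raises five unverified-swap alerts and one velocity alert, all for the same employee, while the colleague's verified change and the plan change produce nothing. The unverified check is the preventive control (a swap without the customer's authorization should not complete at all); the velocity check is the detective control that catches an insider who has found a way around it.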
Business Impact:
Customers may lose trust in telecom providers if similar insider threats recur, potentially leading to reputational damage and loss of business.
What to do:
Telecom companies should review and enhance security measures to prevent similar insider abuses, safeguarding customer trust and data integrity.
Users should remain vigilant by monitoring their accounts for suspicious activity and promptly reporting any unauthorized access.
For more information, check out this article.
State AGs Demand Action from Meta Over Account Hacking
What happened:
A coalition of 41 state attorneys general penned a letter to Meta's top attorney, expressing concerns over the surge in complaints about Facebook and Instagram accounts being stolen.
What to know:
Reports indicate instances of fraudulent charges to stored credit cards, unauthorized use of personal information and advertisements, disruptions in communication, and more.
The spike in complaints poses a significant drain on governmental resources, as many stolen accounts are linked to financial crimes.
Meta faces criticism for allegedly failing to assist hacked users promptly, leaving them unable to salvage their accounts or their businesses.
Complaints have surged over recent years, with a tenfold increase in New York alone.
The surge in complaints coincided with Meta's layoffs of approximately 11,000 employees in November 2022.
Business Impact:
Businesses using Meta face the risk of losing their account along with all the resources invested.
What to do:
Meta is urged to take immediate action to address the surge in hacking complaints and provide timely assistance to affected users.
Users experiencing hacking incidents should follow reporting procedures provided by Meta and seek legal recourse if necessary to protect their accounts and businesses.
Secure your personal and business accounts with strong passwords and two-factor authentication.
For more information, check out this article.
Healthcare Hack Will Burden US With Hundreds of Millions in Costs
What happened:
The February 21 cyberattack on Change Healthcare, a UnitedHealth subsidiary, has disrupted medical payments, causing financial strain on providers.
Insurance executives and US health officials believe the situation is improving, with approximately 95% of claims being processed compared to pre-hack levels.
What to know:
The cyberattack halted billions of dollars in medical payments and left many providers struggling financially.
Insurance companies, doctors, hospitals, and pharmacies have been working to resolve the fallout, but there's no clear timeline for when backlogs will be cleared.
UnitedHealth has advanced over $2 billion to medical providers affected by the hack, but the total amount of disrupted claims remains uncertain.
Smaller medical providers relying on Change may face credit profile impacts, while larger companies have more financial flexibility.
UnitedHealth has restored its payments platform as of March 15.
Business Impact:
Companies in the healthcare industry should be mindful of and have backup plans for potential financial strains and disruptions caused by cyberattacks on payment systems.
What to do:
Healthcare companies should continue efforts to restore disrupted services and processes.
Implement robust cybersecurity measures to mitigate the risk of future cyberattacks and protect critical systems and data.
For more information, check out this article.
Lawmakers Propose a New Federal Office to Regulate Workplace Surveillance Technology
What happened:
Two House Democrats, Chris Deluzio and Suzanne Bonamici, introduced the Stop Spying Bosses Act to increase transparency and protect workers' rights regarding workplace surveillance technologies.
The bill aims to regulate the surveillance, monitoring, and collection of certain worker data by employers, requiring disclosure and prohibiting specific surveillance activities.
What to know:
The Department of Labor would establish a "privacy and technology division" to oversee workplace surveillance technologies under the proposed legislation.
Similar legislation was previously introduced in the Senate in February 2023 by Senators Bob Casey, Cory Booker, and Brian Schatz.
The proposed rules would mandate timely and conspicuous disclosure of data collection activities to workers, prohibit certain surveillance practices, and empower workers in AI-based decision-making processes.
Business Impact:
Companies should prepare for increased transparency requirements and restrictions on surveillance activities in the workplace.
This will also affect BYOD (bring your own device) policies.
What to do:
Employers should stay informed about developments in workplace surveillance regulation to adapt policies and procedures accordingly.
For more information, check out this article.
McKinsey to Boards of Directors: You’re the Final Line of Cybersecurity Defense
What happened:
A new McKinsey article argues that boards of directors are positioned to provide oversight, guidance, and risk prioritization in addressing the cybersecurity challenges of organizations in the industrial sector.
What to know:
Cybercrime is escalating and is projected to have an annual impact of $10.5 trillion by 2025.
The cyber attack surface is expanding with the integration of digital operational technology (OT), cloud and edge computing, Internet of Things (IoT) & Industrial IoT, and AI.
Attackers are evolving, pooling skills, and leveraging AI for novel attack techniques.
Hacker-for-hire markets are thriving, with freelancers offering tailored attacks for personal profit.
Time to exploit vulnerabilities has decreased from several months to only days.
Despite the growing volume of cyberattacks, security professionals are improving defense capabilities.
Business Impact:
Boards of directors play a crucial role in ensuring cybersecurity initiatives are planned, funded, and embedded in organizational strategies and digital transformations.
Boards have the role of providing strategic cyber planning, as opposed to the day-to-day task of putting out fires.
Boards should play a role in risk prioritization and managing the trade-offs, as this also relates to budget and resources.
Organizations across all sectors face heightened cybersecurity risks and must prioritize building resilience against evolving threats.
What to do:
Organizations should strengthen their cyber defense capabilities through investment in human capital, integration of cyber governance, secure third-party and supply chain management, proactive response and recovery planning, embedded security architecture and engineering, and AI.
A board member doesn’t have to be a cyber expert to help add value or to ensure accountability.
Boards of directors should provide oversight, guidance, and risk prioritization, and hold executives and cyber teams accountable for achieving security goals.
For more information, check out this article.