UK Scammer Made Millions by Breaching Into Execs’ Office365 Inboxes

 

A man has been charged by federal authorities for allegedly engaging in a "hack-to-trade" scam that allowed him to profit millions of dollars by breaching the Office365 accounts of executives at publicly traded firms and accessing their quarterly financial reports ahead of time. 

Robert B. Westbrook, a citizen of the United Kingdom, is accused of making approximately $3.75 million in 2019 and 2020 from stock trades that profited from the illegally obtained information, according to the lawsuit filed by the US Attorney's office for the District of New Jersey. 

Prosecutors claimed that after gaining access to the information, he made stock trades. The advance notice allowed him to act on the information and profit from it before the wider public could. The US Securities and Exchange Commission filed a separate civil claim against Westbrook, seeking an order requiring him to pay civil fines and refund all illicit gains. 

“The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud,” Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, noted in a statement. “As this case demonstrates, even though Westbrook took multiple steps to conceal his identity—including using anonymous email accounts, VPN services, and utilizing bitcoin—the Commission’s advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking.” 

According to a federal indictment issued in the US District Court for the District of New Jersey, Westbrook hacked the email accounts of executives from five publicly traded US firms. He carried out the intrusions by misusing Microsoft's password reset feature for Office365 accounts. In certain cases, Westbrook allegedly went on to establish forwarding rules that caused all incoming emails to be automatically forwarded to an email address under his control. 

Once an individual secures unauthorized access to an email account, it’s possible to hide the breach by disabling or deleting password reset alerts and burying password reset rules deep inside account settings. 
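
One way a defender could review mailboxes for the two behaviours described above: external auto-forwarding, and rules that hide password reset alerts. This is an added example, not code from the indictment or from Microsoft; the field names follow the properties of Exchange Online's Get-InboxRule, while the JSON export shape, the keyword list and every sample value are assumptions constructed for illustration.

```python
import json
import re

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
CONDITION_FIELDS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "FromAddressContainsWords")
# Assumed keyword list: phrases typical of account-security notifications.
ALERT_WORDS = ("password", "reset", "security alert", "verification code")

# Constructed sample export (not real data). One object per inbox rule.
SAMPLE_EXPORT = """
[
 {"Mailbox": "cfo@corp.example", "Name": "Newsletters", "Enabled": true,
  "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading",
  "ForwardTo": [], "DeleteMessage": false},
 {"Mailbox": "cfo@corp.example", "Name": ".", "Enabled": true,
  "ForwardTo": ["[SMTP:drop@mailbox.example]"], "DeleteMessage": false},
 {"Mailbox": "cfo@corp.example", "Name": "..", "Enabled": true,
  "SubjectContainsWords": ["password reset", "security alert"],
  "ForwardTo": [], "DeleteMessage": true},
 {"Mailbox": "ir@corp.example", "Name": "To assistant", "Enabled": true,
  "ForwardTo": ["[SMTP:pa@corp.example]"], "DeleteMessage": false}
]
"""


def is_internal(address, internal_domains):
    """True when the address belongs to an owned domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[1].lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_targets(rule, internal_domains):
    """Collect every forwarding/redirect address that leaves the organisation."""
    found = set()
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for address in ADDRESS_RE.findall(entry):
                if not is_internal(address, internal_domains):
                    found.add(address.lower())
    return sorted(found)


def condition_words(rule):
    """Lower-cased keyword conditions that decide which messages the rule hits."""
    words = []
    for field in CONDITION_FIELDS:
        words.extend(w.lower() for w in rule.get(field) or [])
    return words


def audit_rule(rule, internal_domains):
    """Return (finding, detail) tuples for one rule."""
    findings = []
    words = condition_words(rule)
    targets = external_targets(rule, internal_domains)
    if targets:
        # No keyword condition means the rule likely matches all incoming mail.
        kind = "forward-external" if words else "forward-all-external"
        findings.append((kind, ", ".join(targets)))
    hides = bool(rule.get("DeleteMessage")) or bool(rule.get("MoveToFolder"))
    matched = sorted({w for w in words if any(a in w for a in ALERT_WORDS)})
    if hides and matched:
        # Deleting or filing away security notifications keeps the owner unaware.
        findings.append(("hides-security-mail", ", ".join(matched)))
    return findings


def audit_export(export_json, internal_domains):
    """Audit every rule in a JSON export; disabled rules are reported too."""
    report = []
    for rule in json.loads(export_json):
        for kind, detail in audit_rule(rule, internal_domains):
            report.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                           "enabled": bool(rule.get("Enabled", True)),
                           "finding": kind, "detail": detail})
    return report


if __name__ == "__main__":
    for row in audit_export(SAMPLE_EXPORT, {"corp.example"}):
        print(row)
```
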

Prosecutors charged Westbrook with one count each of securities and wire fraud, as well as five counts of computer fraud. The securities fraud count has a maximum punishment of up to 20 years in prison and $5 million in fines. 

The maximum penalty for wire fraud is up to 20 years in jail and a fine of either $250,000 or double the gain or loss from the offence, whichever is greater. Each computer fraud count is punishable by up to five years in prison and a maximum penalty of $250,000 or twice the offense's gain or loss, whichever is greater.

Lawsuits Pile Up Against Florida-Based Data Firm After Security Breach

 

Given all of the major news events that have dominated headlines this summer, you'd be forgiven for missing yet another: reports that a massive data breach may have disclosed billions of details, including names, social security numbers, and addresses. 

National Public Data (NPD), a background-check data aggregator based in Coral Springs, Florida, recently admitted on its website that "a data security incident"—which was "believed to have involved a third-party bad actor" in December 2023—led to data leaks in April of this year. Bloomberg Law reports that 2.9 billion documents were leaked and then sold on the dark web for $3.5 million. 

Moreover, in recent days, it has become clear that the leak may be worse than previously thought. Brian Krebs, a cybersecurity investigative researcher, revealed on his KrebsOnSecurity website this week that National Public Data exposed its own credentials as part of the breach.

“KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today,” Krebs noted. 

While the breach seems to be getting worse, National Public Data says it is working with law enforcement authorities and recommends that users freeze their credit.

The breach was made public earlier this month, following the filing of a class-action lawsuit against National Public Data's parent business, Jerico Pictures, in federal court in Fort Lauderdale. There have also been numerous further lawsuits filed. Since early August, at least 14 complaints have been filed in federal court against National Public Data, according to a Justia database search. 

To give a sense of what these lawsuits allege: in one filing, filed on August 19, lawyers argue that National Public Data "breached its duties by, among other things, failing to implement and maintain reasonable security procedures and practices to protect individuals' PII [personally identifiable information] from unauthorised access and disclosure," and that "Defendant has not provided any notice to affected individuals, including Plaintiff, who only learnt that her SSN and other PII was posted on the dark web as a result of the Data Breach from LifeLock.” 

People who are concerned that their data has been compromised by fraudsters should freeze their credit and monitor their accounts as a first step. You can also use tools like npdbreach.com to see if your data is included in the repository of leaked information. There are other similar tools available, but they need you to enter your name or other information. 

This year is shaping up to be a significant one for cybercrime: The number of data breaches increased by 490% in the first half of 2024 when compared to the same period in 2023.

Apology Accepted: Ken Griffin’s Tax Records and the IRS


A Case of Privacy Breach and Unintended Disclosure

In an unprecedented turn of events, the Internal Revenue Service (IRS) recently issued a public apology to billionaire investor Ken Griffin. The reason? Leaked tax records that exposed sensitive financial information, including Griffin’s personal wealth and tax liabilities.

The Internal Revenue Service issued a rare apology for the "thousands" of tax data disclosed to the public between 2018 and 2020.

The IRS issued the apology as part of a deal with Griffin, who had filed a lawsuit in December 2022 over the "unlawful disclosure" of his tax information, which was disclosed to the public by a contractor.

The Breach and Its Origins

The story began with a former IRS contractor named Charles Littlejohn. Littlejohn, who had access to confidential tax returns, allegedly leaked information about several high-profile taxpayers, including Griffin. 

The recipient of this unauthorized disclosure was the nonprofit news organization ProPublica. The leaked data revealed intricate details about the financial lives of some of the wealthiest Americans.

Ken Griffin: The Billionaire at the Center of the Storm

Ken Griffin, founder of the hedge fund Citadel, is no stranger to the limelight. With a net worth approaching $42 billion, he ranks among the world’s wealthiest individuals. His investment strategies, philanthropic endeavors, and influence in financial circles have made him a prominent figure. However, the leak of his tax records thrust him into an unexpected controversy.

The Fallout and Legal Battle

Upon discovering the breach, Griffin took legal action against the IRS and the U.S. Treasury Department. His lawsuit alleged negligence, violation of privacy, and reputational harm resulting from the unauthorized disclosure. 

The leak not only exposed his financial data but also raised concerns about the security of taxpayer information within the IRS.

The IRS Apology

According to the IRS, the contractor, Charles Littlejohn, "violated" his job contract by disclosing the material to the press. The government also stated that Littlejohn "betrayed the trust" of Americans, including billionaire Elon Musk.

In a rare move, the IRS publicly acknowledged its mistake and issued an apology directly to Ken Griffin. The agency expressed regret for the inadvertent release of his tax records. 

The apology came after Griffin dropped his lawsuit, signaling a resolution to the matter. However, questions remain about the broader implications of such breaches and the safeguards in place to prevent future incidents.

Google’s Incognito Mode: Privacy, Deception, and the Path Forward

In a digital age where privacy concerns loom large, the recent legal settlement involving Google’s Incognito mode has captured attention worldwide. The tech giant, known for its dominance in search, advertising, and web services, has agreed to delete billions of records and make significant changes to its tracking practices. Let’s delve into the details and explore the implications of this landmark decision.

The Incognito Mode Controversy

Incognito mode promises users a private browsing experience. It suggests that their online activities won’t be tracked, cookies won’t be stored, and their digital footprints will vanish once they exit the browser. However, the reality has been far from this idealistic portrayal.

The Illusion of Privacy: Internal documents revealed that Google employees referred to Incognito mode as “effectively a lie” and “a confusing mess”. Users believed they were operating in a secure, private environment, but Google continued to collect data, even in this supposedly incognito state.

Data Collection Despite Settings: The class action lawsuit filed against Google in 2020 alleged that the company tracked users’ activity even when they explicitly set their browsers to private modes. This revelation shattered the illusion of privacy and raised serious questions about transparency.

The Settlement: What It Means

Google’s proposed legal settlement aims to address these concerns and bring about meaningful changes:

Data Deletion: Google will wipe out “hundreds of billions” of private browsing data records it had collected. This move is a step toward rectifying past privacy violations.

Blocking Third-Party Cookies: For the next five years, Google Chrome’s Incognito mode will automatically block third-party cookies by default. These cookies, often used for tracking, will no longer infiltrate users’ private sessions.

Global Impact: The settlement extends beyond U.S. borders. Google’s commitment to data deletion and cookie blocking applies worldwide. This global reach emphasizes the significance of the decision.

The Broader Implications

Transparency and Accountability: The settlement represents an “historic step” in holding tech giants accountable. Lawyer David Boies, who represented users in the lawsuit, rightly emphasized the need for honesty and transparency. Users deserve clarity about their privacy rights.

User Trust: Google’s actions will either restore or further erode user trust. By deleting records and blocking cookies, the company acknowledges its missteps. However, rebuilding trust requires consistent adherence to privacy commitments.

Ongoing Legal Battles: While this settlement is a milestone, Google still faces other privacy-related lawsuits. The outcome of these cases could result in substantial financial penalties. The tech industry is on notice: privacy violations won’t go unnoticed.

The Road Ahead

As users, we must remain vigilant. Privacy isn’t just a checkbox; it’s a fundamental right. Google’s actions should prompt us to reevaluate our digital habits, understand the trade-offs, and demand transparency from all tech companies.

In the end, the battle for privacy isn’t won with a single settlement. It’s an ongoing struggle—one that requires vigilance, legal scrutiny, and a commitment to safeguarding our digital lives. Let’s hope that this landmark decision serves as a catalyst for positive change across the tech landscape.

WhatsApp Debunks Baseless Claims of Cyberattack Targeting Jews

 


Forwarded messages spewing rumours of cyberattacks targeting Jewish people, or stoking fears that Jewish people might be the target of cyberattacks, have no basis in reality, according to Meta's WhatsApp messaging service. 

Numerous online platforms have appeared to be spreading the warnings in recent days, with warnings beginning to circulate on Saturday. Scott Melker, one of the most influential crypto influencers on X, who has over one million followers, posted a warning on the social network asking that people share it with others. 

The warning claims that hackers will use WhatsApp to lure users into downloading a file called "Seismic Waves CARD", which will allow them to hack phones in less than 10 seconds after it is installed. A post by Melker has been retweeted 200 times and has been viewed more than 250,00 times as of this writing. 

As reported by NBC News, the warning has been posted more than 30 times on X and has also spread to other social media and messaging services, including Facebook, Twitter, WhatsApp and WhatsApp Messenger. There have been more than a dozen other posts since then, including one that was posted by a former Twitter user who spread the warning across Twitter, Facebook, and other social media platforms. 

In a recent interview with the New York Times, WhatsApp Communications Manager Emily Westcott stated that similar rumours have circulated before and that the company had previously confirmed that the messages about hacking by "seismic waves" were false. Several hoaxes have popped up of late warning against downloading a “Seismic Waves CARD”, which supposedly relates to the Moroccan earthquakes. 

The message copies elements of a previous hoax warning issued just several weeks ago. A Snopes report in September confirmed that those messages were also false and that WhatsApp had refuted them.

A Similar Hoax Has Been Reported in The Past 

In a report published by multiple news outlets, Emily Westcott, a communications manager at WhatsApp, owned by Meta, stated that this type of hoax has been reported in the past. 

According to her, similar messages regarding the September earthquake in Morocco had also been declared false by the company in a previous statement made to fact-checking website Snopes. Even though spyware has cropped up in the past, this issue is rare to date, and the spread of the hoax plays on the fears that victims may have about spyware on their phones.

As per researchers, Israeli cyber-intelligence company NSO Group created spyware in 2019 which was capable of infecting cell phones through the app's voice calling function based on a vulnerability found in WhatsApp's code. 

According to WhatsApp's lawsuit against NSO, the spyware was allegedly targeting 1,400 users, including journalists, lawyers, human rights activists, political dissidents, diplomats, and foreign officials in a position to represent a foreign government. It has been reported that NSO's products were at least a minor part of the murder of the Washington Post journalist Jamal Khashoggi. 

Elon Musk has been criticized heavily for his more relaxed approach to content moderation and the spread of misinformation at X, and as a result, Musk himself has commented on conspiracy theories that are spreading throughout the site. After Musk posted a message on Sunday urging X users to stay updated on the Israel-Hamas fighting by following accounts known for promoting lies, Musk deleted the post after a few hours. 

A number of those accounts have also posted antisemitic content in the past, including a statement that said, "The overwhelming majority of people who work in the media and banks are Zionists," which is antisemitic. Misleading material has been repackaged and distributed on the Internet in the days following the outbreak of the war, including videos from previous conflicts repurposed to show footage from the ground, video game clips claiming to show footage from the ground, and a false press release from the White House claiming the Biden administration had provided $8 billion in emergency aid to Israel.

NYC’s Metropolitan Opera Faces Lawsuit for 2022 Data Breach


The world’s largest opera house, New York City’s Metropolitan Opera, has recently been hit with a class action lawsuit following a data breach that took place in 2022 and apparently compromised the private information of around 45,000 employees and patrons. The lawsuit has been filed in the Manhattan Supreme Court.

According to Anthony Viti, a former employee of the Met, the largest performing arts organization in the country, and the lead plaintiff in the lawsuit, the private information compromised in the breach includes victims’ Social Security numbers, driver’s license numbers, dates of birth and financial account information.

When the breach was first reported by The New York Times in December, the company's website and box office had been down for more than 30 hours.

The lawsuit reads, “For approximately two months, The Met failed to detect an intruder with access to and possession of The Met’s current/former employees and consumers’ data[…]It took a complete shutdown of The Met’s website and box office for The Met to finally detect the presence of the intruder.”

Following the incident, The Met requested a third-party forensic investigation, which revealed that cybercriminals had stolen personally identifiable information over a two-month period between September and December.

“Through an investigation conducted by third-party specialists, the Met learned that an unknown actor gained access to certain of their systems between September 30, 2022 and December 6, 2022 and accessed or took certain information from those systems,” Stephanie Basta, the opera’s lawyer, wrote in a letter submitted to the Maine Attorney General on May 3.

Following the lawsuit, The Met responded by offering victims a year of credit monitoring services.

Viti said The Met's response to the data breach has been "woefully insufficient" and alleged that the organization did not disclose to affected parties that their data had been compromised until May 3, nearly five months after the incident.

However, The Met rejects the claims, saying “We strongly believe this case has no merit.”

ChatGPT: Mayor Announces Legal Action in Response to Fake Bribery Allegations

 

A mayor from Australia said he would file a lawsuit over misleading information presented by the advanced chatbot ChatGPT. 

Brian Hood, Mayor of Hepburn Shire Council, says the tool owned by OpenAI falsely claimed he was jailed for bribery while employed by a division of Australia's largest bank. In reality, Mr. Hood was a tip-off source who was never indicted. 

His attorneys have delivered a concerns notice to OpenAI, the first official step in a defamation lawsuit in Australia.

OpenAI has a 28-day response period in which to address the concerns raised in the notice; otherwise, Mr. Hood may file a lawsuit against the business in accordance with Australian law.

If he proceeds with the lawsuit, it would be the first time in the public eye that OpenAI has been sued for defamation regarding ChatGPT-produced content.

Since ChatGPT's debut in November 2022, millions of individuals have utilised it. Using the internet as it was in 2021 as its database, it can respond to queries in language that is natural and human-like and can imitate different writing styles. In February 2023, it was added to Bing after Microsoft invested billions in it. 

False accusations

A disclaimer alerting users that the content produced by ChatGPT may contain "inaccurate information about people, places, or facts" is displayed when they use the service. 

Additionally, OpenAI notes that one drawback of the tool is that it "occasionally writes plausible-sounding but incorrect or nonsensical answers." Mr. Hood served as the corporate secretary for the Reserve Bank of Australia subsidiary Notes Printing Australia in 2005. He revealed to journalists and government representatives that bribery was occurring at the organisation connected to Securency, a company that the bank partially owned.

In 2010, police stormed Securency, which resulted in arrests and prison terms across the globe. Mr. Hood, who was not among those detained, expressed his "horror" at what ChatGPT was informing people.

"I was stunned at first that it was so incorrect," he stated to Australian broadcaster ABC News. "It's one thing to get something a little bit wrong, it's entirely something else to be accusing someone of being a criminal and having served jail time when the truth is the exact opposite. I think this is a pretty stark wake-up call. The system is portrayed as being credible and informative and authoritative, and it's obviously not."

Freenom Suspends Domain Registrations After Being Sued by Meta

 

Freenom, a domain name registrar that has attracted spammers and phishers with its free domain names, no longer accepts new domain name registrations. The action was taken just days after Meta filed a lawsuit against the Netherlands registrar, alleging that the latter ignored abuse reports concerning phishing websites while generating revenue from visitors to such abusive domains, according to Brian Krebs.

Five so-called "country code top level domains" (ccTLDs) are managed by Freenom, including .cf for the Central African Republic, .ga for Gabon, .gq for Equatorial Guinea, .ml for Mali, and .tk for Tokelau. 

Freenom has never charged for the registration of domains in these country-code extensions, likely to entice consumers to pay for services that are related to them, such as registering a .com or .net domain, for which Freenom does charge a fee. 

Social media giant Meta filed a lawsuit against Freenom in Northern California on March 3, 2023, citing trademark infringement and violations of cybersquatting. The lawsuit also demands information on the names of 20 separate "John Does" — Freenom customers that Meta says have been particularly active in phishing assaults against Facebook, Instagram, and WhatsApp users. 

The lawsuit makes reference to a 2021 study on domain abuse done for the European Commission, which found that those ccTLDs run by Freenom comprised five of the Top Ten TLDs most frequently utilised by phishers. 

As per Brian Krebs, the complaint asserts that the five ccTLDs to which Freenom offers its services are the TLDs of choice for cybercriminals because Freenom offers cost-free domain name registration services and hides the identities of its customers even after being shown proof that the domain names are being used for unlawful purposes. Freenom keeps granting those same clients additional infringing domain names even after receiving complaints about their infringement or phishing. 

Meta further claims that "Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse," and that it monetizes traffic from infringing domains by reselling them and by including "parking pages" that direct visitors to other commercial websites, pornographic websites, and websites used for malicious activities like phishing. 

Freenom has not yet responded to requests for comment. However, at the time of writing, attempts to register a domain via the business' website resulted in the following error message: 

“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.” 

Freenom has its headquarters in The Netherlands, but the case also names a few of its other sister firms as defendants, some of which are established in the US. When Meta first filed this action in December 2022, it requested that the case be sealed in order to limit the public's access to court records related to the case. Following the denial of that request, Meta modified and re-filed the case last week. 

According to Meta, this isn't just an instance of another domain name registrar ignoring abuse concerns because it's bad for business. According to the lawsuit, Freenom's proprietors "are a part of a web of businesses established to promote cybersquatting, all for the advantage of Freenom." 

“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta claimed. 

Krebs further explained that although the reason for Freenom's decision to stop offering domain registration is not yet known, it's possible that the company has recently been the target of disciplinary action by the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN), which regulates domain registrars. 

In June 2015, ICANN put a 90-day hold on Freenom's ability to register new domain names or start inbound transfers of existing ones. ICANN's conclusion that Freenom "has engaged in a pattern and practise of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest" is the basis for the suspension, according to Meta.


US Secretary of the Treasury Janet Yellen Sued Over Tornado Cash Sanctions

 

The US Treasury Department is facing a second lawsuit after its decision in August to sanction Tornado Cash, a crypto-mixing service that conceals the sources of coin transactions. 

The lawsuit filed Wednesday in the U.S. District Court for the Northern District of Florida asserts the Treasury’s sanctions misused its power and targeted US cryptocurrency investors. 

A crypto advocacy group, Coin Center, and a host of the popular industry podcast Bankless, who relied on Tornado Cash for everyday privacy purposes, named the 78th United States secretary of the treasury, Janet Yellen, as one of the defendants in their lawsuit. 

“The Administration’s use of the foreign-affairs power to punish domestic cryptocurrency users was unprecedented and unlawful,” the lawsuit reads, referring to the sanctions imposed by the Office of Foreign Assets Control (OFAC). 

Earlier this year in August, the Treasury’s Office of Foreign Assets Control accused Tornado of laundering more than $7 billion of cryptocurrencies since its establishment in 2019, including some virtual currencies siphoned by a North Korea-sponsored hacking group. 

Moreover, the agency imposed a ban on crypto wallets linked with Tornado Cash, as well as on related pieces of code known as smart contracts, a type of computer program that automatically executes transactions. 

Tornado Cash is a coin mixing service on the Ethereum (ETH) network created to enhance the privacy of customers. The service was banned by OFAC in August, with the government agency claiming North Korean hackers had laundered hundreds of millions of dollars using the service. 

Last month, the US Treasury Department clarified that the sanctions do not restrict users in the US from viewing and distributing the open-source Tornado Cash code. 

The lawsuit claimed that there are valid reasons for customers to utilize privacy-enhancing technologies such as Tornado Cash. As a result of OFAC’s sanctions against the privacy mixer these individuals now essentially disclose their complete transaction history to anybody who is looking at the network data.

“An order effectively requiring Defendants to decriminalize the use of the 20 Tornado Cash addresses would allow Plaintiffs to conduct their legitimate activities with some measure of anonymity, use their preferred software tool without fear of penalties, and engage in important expressive associations,” the suit added.

Security Breach Impacting 2.5 Million Users Revealed by Mortgage Servicer

 

In October, Lakeview Loan Servicing revealed a significant data breach that went unnoticed for more than a month and exposed the personal details of more than 2 million customers. A security breach is any incident that leads to unauthorized access to data, applications, networks, or devices, so that information is accessed without permission. It usually happens when an intruder is able to get past security measures. 

The breach, which was discovered in early December, harmed 2,537,261 borrowers between Oct. 27, 2021, and Dec. 7, 2021, as per the firm. According to the public notice letters, an unauthorized person gained access to the firm's servers and data, including names, addresses, loan information, and Social Security numbers. One of the notices described the occurrence as an "external system breach."

Mortgage servicers receive mortgage payments from homeowners and remit them to investors, tax officials, and insurers via escrow accounts. Investors' assets in mortgaged properties are also protected by servicers, who ensure the homeowners have enough insurance coverage. Customers have lodged eight class-action lawsuits in a Florida federal court since the servicer's revelation in mid-March, accusing Lakeview of breach of fiduciary responsibility, among other things, for failing to preserve personally identifiable information. In a complaint filed on behalf of Jennifer Morrill, a California client, Daniel Rosenthal, an advocate with DBR Law, P.A., said, "This PII was exposed due to Defendant's negligent, reckless, and willful acts and failures and the fails to secure the PII of Plaintiff and Class Members." 

According to Morrill's lawsuit, the sum at risk surpasses $5 million, and the proposed class has more than 100 members. In Morrill's case, a filing on Friday asks that the court cases be consolidated, pending a judge's consent. On Monday, Rosenthal declined to speak on the lawsuit. Lakeview declined to respond to the claims but said in a statement that it contacted the proper third parties and people after discovering the incident. "Lakeview, like many other firms, encountered a security incident in 2021," according to the statement. "Steps were taken to contain the problem right once, law enforcement was alerted, and a forensic investigation firm conducted a comprehensive investigation. The operations of Lakeview were not hampered." 

According to a public document filed with the State Attorney General's Office by an outside counsel for the firm, the servicer didn't witness a breach in the previous 12 months. Affected consumers received a free year of Kroll credit and identity theft protection from Lakeview. The news comes amid an increase in fraud risk for mortgage lenders, who are more vulnerable to cyber attacks than other financial institutions. According to a new FundingShield Q1 2022 study, one out of every three transactions involves components of wire or title fraud risk, and wire errors and instances of perpetuated fraud are increased in about 6% of transactions. 

"Keep in mind," warned Ike Suri, chairman and CEO of FundingShield, a loan and title fraud protection service. "And when it comes to these percentages, we're talking big figures." According to security experts, the percentage of visitors affected by the Lakeview breach, as well as the volume of information exposed, was substantial. "It's a lot of data which will have repercussions on those people's current business and ongoing relationships, as well as the business itself," Suri said.

The operating assets to a mortgage loan are owned by Lakeview. They work with several Servicing companies to process payments, manage a trust, as well as provide customer support for their current mortgage. 

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

 

Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology. 

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

Morgan Stanley decommissioned two wealth management data centres in the first incident. Before removing the unencrypted computer equipment from the centres, the bank's vendor, Triple Crown, was tasked with deleting or destroying it. Even after it had left the vendor's control, this device was later discovered to contain data. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission. 

The second incident involved the replacement and removal of branch office equipment as part of a hardware refresh programme. The bank was unable to locate some of these devices, which could have retained previously deleted information on discs in an unencrypted form due to a software error. 

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a motion to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing surveillance over the years, it has not discovered a single instance of data misuse generated from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016. 

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.