
AT&T Wins Legal Challenge While Verizon Faces Privacy Penalties

 

Major U.S. wireless carriers have faced contrasting legal outcomes in their battles against Federal Communications Commission fines for selling customer location data without consent, creating an uncertain landscape for consumer privacy protection.

Background on data selling practices

In 2018, investigations revealed that major telecommunications providers were selling customers' real-time location data to third-party brokers without proper notification or consent. This practice involved carriers selling access to sensitive geolocation information to aggregators, who then resold the data to other companies, creating a gray market for cell phone location data. The exposed data allowed buyers, including law enforcement and bounty hunters, to track individuals' movements without their knowledge.

FCC enforcement actions 

The Federal Communications Commission responded in April 2024 by imposing nearly $200 million in total fines across the industry. AT&T received a $57 million penalty, Verizon faced a $46.9 million fine, T-Mobile was fined over $80 million, and Sprint received more than $12 million. The FCC determined that the carriers had violated Section 222 of the Communications Act, which requires them to keep customer information confidential and to obtain express consent before sharing location data.

Court battle results

All three major carriers challenged their fines in different federal appeals courts, producing divergent outcomes. The Second Circuit Court of Appeals upheld Verizon's $46.9 million fine, rejecting the company's argument that device location data doesn't qualify as protected "customer proprietary network information". The court ruled that location data clearly meets the law's criteria for protection, since it is accessible to carriers only by virtue of the customer relationship.

Meanwhile, Verizon had attempted to shift responsibility by largely outsourcing consent verification to third parties through contractual agreements, which the court found inadequate. The carrier's location data was improperly accessed by companies like Securus Technologies, which allowed law enforcement to obtain customer information without proper authorization.

AT&T's legal victory

In contrast to Verizon's defeat, AT&T successfully overturned its fine in a business-friendly appeals court, though specific details of this ruling were not elaborated in available sources. This creates a significant legal inconsistency regarding how telecommunications privacy violations are enforced across different jurisdictions.

The conflicting appellate court decisions may force Supreme Court intervention to resolve the legal uncertainty. This potential review could significantly limit the FCC's authority to penalize companies for privacy violations, potentially weakening federal oversight of telecommunications data practices.

Current settlement landscape

Despite the legal victories and defeats, AT&T simultaneously faces a separate $177 million class-action settlement related to two major data breaches in 2024. The company agreed to pay customers up to $7,500 each for documented losses from breaches that exposed Social Security numbers, addresses, passwords, and other sensitive information. 

This settlement demonstrates ongoing vulnerabilities in telecommunications data security beyond the location-selling controversies. The contrasting legal outcomes highlight the fragmented state of privacy protection enforcement, where identical violations can result in different consequences depending on which court reviews the case.

Clorox Blames $380M Breach on Service Desk Social Engineering, Sues Cognizant

 

In August 2023, the Scattered Spider group orchestrated a devastating social engineering attack against Clorox that resulted in approximately $380 million in damages, demonstrating how a simple phone call can lead to catastrophic business disruption.

Modus operandi 

The attackers bypassed sophisticated cybersecurity measures through old-fashioned social engineering, repeatedly calling Cognizant's service desk and impersonating locked-out Clorox employees. Rather than exploiting technical vulnerabilities, they manipulated human psychology, using calm, scripted conversations to convince frontline agents to reset passwords and multi-factor authentication without proper verification.

According to court filings, the attackers conducted thorough reconnaissance, collecting employee names, titles, recent hires, and internal ticket references to make their impersonation attempts more convincing. The legal complaint alleges that Cognizant agents violated agreed procedures by resetting credentials without first properly authenticating callers.

Devastating impact 

The breach caused operational paralysis at Clorox: production systems were taken offline, manufacturing was paused, and manual order processing was implemented. The company experienced significant shipment delays that depressed sales volumes, with the total financial impact reaching roughly $380 million, including $49 million in direct remedial costs and hundreds of millions in business-interruption losses.

Why outsourcing amplified risk

Outsourced help desks present unique vulnerabilities because of their broad cross-tenant privileges and high-volume workflows, which can lead to shortcuts in verification processes. Large vendors handling numerous calls may experience "process drift," where agents prioritize getting users working over strict security verification. Additionally, third-party systems often create visibility gaps: actions are logged in separate systems that aren't fully integrated into the customer's security monitoring.

Defense recommendations 

Security experts recommend treating help-desk resets as privileged operations that require out-of-band verification, such as a callback to a company-owned phone number or an emailed token. High-risk resets should mandate two-person approval and automatic manager notification.

Organizations should implement automated telemetry that logs every reset to an immutable audit trail and alerts on suspicious patterns, such as multiple resets requested from the same external phone number. Contract language with vendors must require technical controls, auditability, and regular social-engineering simulations to measure and improve verification processes.
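The two alerting rules recommended above, as an added illustrative example (not Clorox or Cognizant tooling): the script parses constructed JSON-lines reset telemetry, flags resets completed without an out-of-band check, and flags any external caller number behind three or more resets inside a 24-hour sliding window. The field names and the log format are assumptions, not a real vendor schema.

```python
"""Detection logic for help-desk credential resets (added example; schema is assumed)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field names and values are placeholders, not a vendor schema.
SAMPLE_LOG = """
{"ts": "2023-08-10T09:02:11Z", "ticket": "T-1001", "caller": "+1-555-0100", "target": "j.doe", "action": "password_reset", "verification": "callback"}
{"ts": "2023-08-10T09:40:52Z", "ticket": "T-1002", "caller": "+1-555-0199", "target": "a.smith", "action": "mfa_reset", "verification": "none"}
{"ts": "2023-08-10T10:05:30Z", "ticket": "T-1003", "caller": "+1-555-0199", "target": "b.jones", "action": "password_reset", "verification": "none"}
{"ts": "2023-08-10T10:31:07Z", "ticket": "T-1004", "caller": "+1-555-0199", "target": "c.lee", "action": "mfa_reset", "verification": "token"}
{"ts": "2023-08-11T14:12:00Z", "ticket": "T-1005", "caller": "+1-555-0100", "target": "j.doe", "action": "mfa_reset", "verification": "callback"}
"""

# Verification methods the post treats as acceptable out-of-band checks.
OUT_OF_BAND = {"callback", "token"}


def parse_events(raw: str) -> list:
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unverified_resets(events: list) -> list:
    """Tickets where a reset was completed without an out-of-band check."""
    return [e["ticket"] for e in events if e["verification"] not in OUT_OF_BAND]


def repeated_callers(events: list, threshold: int = 3, window: timedelta = timedelta(hours=24)) -> dict:
    """Callers with at least `threshold` resets inside any sliding `window`.

    Returns caller -> tickets in the first window that crossed the threshold."""
    by_caller = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_caller[e["caller"]].append(e)
    alerts = {}
    for caller, evs in by_caller.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[caller] = [x["ticket"] for x in evs[start:end + 1]]
                break
    return alerts


def run_detections(raw: str = SAMPLE_LOG) -> dict:
    """Run both detections over raw JSON-lines telemetry and return the findings."""
    events = parse_events(raw)
    return {"unverified": unverified_resets(events),
            "repeated_callers": repeated_callers(events)}


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

On the sample data the script reports tickets T-1002 and T-1003 as unverified and the number +1-555-0199 as a repeated caller behind three resets in under an hour.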

M&S Faces Multi-million Lawsuit Following Major Data Breach

 

Following the cyberattack that affected the retailer for a month, Marks & Spencer is reportedly facing a multimillion-pound lawsuit over the loss of customer data.

It acknowledged earlier this month that customer information, including names, email addresses, postal addresses, and dates of birth, had been stolen by hackers. Chief Executive Stuart Machin stated that the "sophisticated nature of the incident" had allowed access to the data, although he emphasised that it does not include account passwords or payment and card information, which M&S claims it does not store on its servers. 

According to The Sunday Mail, Thompsons Solicitors is now pursuing a class action lawsuit against M&S for exposing customers to the risk of scams by failing to safeguard their data. 

Senior Partner Patrick McGuire of Thompsons Solicitors stated that the firm has been "inundated by Scots M&S clients who have been caught up in this online heist and are contacting Thompsons. We have a situation here where one of the most famous retailers in the UK has allowed criminals to pillage the personal details of hundreds of thousands of Scottish customers. I think this will be the biggest data theft case we have ever been involved in."

Investors expect Marks & Spencer to provide further information on the impact of the disastrous cyber assault that has interrupted all online orders at the retail giant. On Friday, the company will update the stock market on its financial performance over the past year, but attention will focus on how it is dealing with weeks of interruption. It has been a month since the retailer was hit by a major "cyber incident" allegedly tied to the hacking organisation Scattered Spider.

As a result, the company has suspended online orders for the past three weeks, and payments and click-and-collect orders have also been affected. M&S's store availability was also impacted by the outage, resulting in some bare shelves as it replaced elements of its IT systems, but said it was recovering swiftly in an update last Thursday.

Its stores have remained open, and availability is "now in a much more normal place, with stores well stocked this week". The retailer is yet to reveal the financial cost of the incident, although it is believed to have lost tens of millions of pounds in sales. 

Analysts at Barclays believe the cyber attack might cost £200 million in the fiscal year 2025/26, but this will be mitigated by an insurance payout of roughly £100 million. The attack struck the business following an excellent run under Stuart Machin's leadership, with shares reaching a nearly nine-year high last month before falling recently.

19 US States Sue to Prevent DOGE From Accessing Americans' Private Data

 

In an effort to prevent Elon Musk's Department of Government Efficiency from gaining access to Treasury Department documents that hold private information like Social Security numbers and bank account numbers for millions of Americans, 19 Democratic attorneys general filed a lawsuit against President Donald Trump on Friday last week. 

Filed in federal court in New York City, the lawsuit claims that the Trump administration violated federal law by giving Musk's team access to the Treasury Department's central payment system. 

The payment system manages tax refunds, Social Security payments, veterans' benefits, and much more. It sends out trillions of dollars annually and contains a vast network of financial and personal information about Americans. Musk established his Department of Government Efficiency, or DOGE, to identify and cut what the Trump administration has determined to be unnecessary federal spending.

Supporters have applauded the concept of limiting bloated government finances, but critics have expressed wide concern over Musk's growing authority as a result of DOGE's access to Treasury documents and its review of other government agencies. 

The case was filed by the office of New York Attorney General Letitia James, who stated that DOGE's access to the Treasury Department's data presents security issues and the potential for an illegal federal fund freezing. 

“This unelected group, led by the world’s richest man, is not authorized to have this information, and they explicitly sought this unauthorized access to illegally block payments that millions of Americans rely on, payments for health care, child care and other essential programs,” James noted in a video message published by her office. 

James, a Democrat who has been one of Trump's main opponents, stated that the president cannot stop federal payments that Congress has authorised or hand out Americans' private information to anybody he wants. Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Jersey, North Carolina, Oregon, Rhode Island, Vermont, and Wisconsin are also parties to the complaint.

The suit claims that DOGE's access to Treasury records may interfere with funding already approved by Congress, which would go beyond the Treasury Department's legislative power. The case further contends that DOGE access violates federal administrative law as well as the separation of powers doctrine of the US Constitution. 

It also accuses Treasury Secretary Scott Bessent of altering the department's long-standing policy of safeguarding sensitive personally identifiable information and financial information in order to grant Musk's DOGE team access to the payment systems. 

The Treasury Department has stated that the review is intended to assess the system's integrity and that no adjustments would be made. According to two people familiar with the situation, Musk's team began exploring ways to block payments made by the US Agency for International Development, which Trump and Musk are aiming to abolish. The two people spoke to The Associated Press on the condition of anonymity for fear of punishment.

Google Sues Ex-Employee for Leaking Pixel Chip Trade Secrets Online

Google has filed a lawsuit against Harshit Roy, a former employee, accusing him of leaking sensitive information about the company's chip designs. The lawsuit, filed in a Texas federal court, alleges that Roy, who worked as an engineer at Google from 2020 to 2024, disclosed confidential details about Pixel processing chips on social media platforms, including X (formerly Twitter) and LinkedIn. 
 
According to the complaint, Roy captured internal documents containing proprietary chip specifications before resigning in February 2024. After leaving Google, he moved from Bangalore, India, to Austin, Texas, to pursue a doctoral program at the University of Texas. 
 

The lawsuit claims that Roy:   

 
- Shared these confidential documents publicly, violating his confidentiality agreement with Google.  
- Posted statements such as, “Don’t expect me to adhere to any confidentiality agreement,” and “Empires fall, and so will you,” along with images of internal documents.   
- Ignored multiple takedown requests from Google and continued posting proprietary information online.  
- Tagged competitors like Apple and Qualcomm in some of his posts, allegedly drawing attention to the leaked information. 
 
Google asserts that the leaked materials contained trade secrets critical to its operations. The disclosures reportedly led to media outlets publishing stories based on the leaked information, further exacerbating the breach. 
 
Jose Castaneda, a spokesperson for Google, emphasized the company's commitment to addressing the situation. “We discovered that this former employee unlawfully disclosed numerous confidential documents. We are pursuing legal action to address these unauthorized disclosures, as such behavior is completely unacceptable,” Castaneda stated. 
 

Google is seeking:   

 
  • Monetary damages to compensate for the breach.   
  • A court order to prevent Roy from further distributing or using the leaked information. 

As part of the legal proceedings, a judge issued a temporary restraining order on Wednesday, prohibiting Roy from sharing additional proprietary details. Google argues that such measures are necessary to:   
 
  • Protect its intellectual property.   
  • Maintain trust within its operations. 
 
This case highlights the ongoing challenges faced by companies in safeguarding trade secrets, especially in highly competitive industries like technology. As the legal battle unfolds, it is expected to shed light on the legal and ethical boundaries of confidentiality agreements and the potential consequences of breaching such agreements in the tech industry.

UK Scammer Made Millions by Breaking Into Execs' Office365 Inboxes

 

A man has been charged by federal authorities for allegedly engaging in a "hack-to-trade" scam that allowed him to profit millions of dollars by breaching the Office365 accounts of executives at publicly traded firms and accessing their quarterly financial reports ahead of time. 

Robert B. Westbrook, a citizen of the United Kingdom, is accused of making approximately $3.75 million in 2019 and 2020 from stock trades that profited from the illegally obtained information, according to the lawsuit filed by the US Attorney's office for the district of New Jersey. 

Prosecutors claimed that after gaining access to the reports, he made stock trades. The advance notice allowed him to act on the information and profit from it before the wider public could. The US Securities and Exchange Commission filed a separate civil claim against Westbrook, seeking an order that he pay civil fines and return all illicit gains.

“The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud,” Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, noted in a statement. “As this case demonstrates, even though Westbrook took multiple steps to conceal his identity—including using anonymous email accounts, VPN services, and utilizing bitcoin—the Commission’s advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking.” 

According to a federal indictment issued in the US District Court for the District of New Jersey, Westbrook hacked the email accounts of executives from five publicly traded US firms. He carried out the intrusions by misusing Microsoft's password reset feature for Office365 accounts. In certain cases, Westbrook allegedly went on to create forwarding rules that caused all incoming emails to be automatically forwarded to an email address under his control.

Once an individual secures unauthorized access to an email account, it’s possible to hide the breach by disabling or deleting password reset alerts and burying password reset rules deep inside account settings. 
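A defensive check for the forwarding-rule technique described above, as an added example that is not part of the original post or the indictment: it scans constructed audit records shaped like simplified Exchange Online audit events (an Operation plus a Parameters list of Name/Value pairs, which is an assumption about the record layout) and flags inbox rules that forward or redirect mail outside the organisation or that silently delete messages. The parameter names ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage are real New-InboxRule/Set-InboxRule parameters; the domain example.com and the sample records are constructed.

```python
"""Flag suspicious Office365 inbox rules from audit records (added example; record layout assumed)."""

# Assumption: the organisation's own domains, used to decide what counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Real New-InboxRule / Set-InboxRule parameters that send mail to another address.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample audit records; every value is a placeholder.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "mailbox@attacker-mail.invalid"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Reports"},
                    {"Name": "SubjectContainsWords", "Value": "password reset"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": [{"Name": "Name", "Value": "Team copy"},
                    {"Name": "RedirectTo", "Value": "team@example.com"}]},
    {"Operation": "MailboxLogin", "UserId": "hr@example.com", "Parameters": []},
]


def _params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _has_external(addresses: str, internal: set) -> bool:
    """True if any ';'-separated address is outside the internal domains."""
    for addr in addresses.split(";"):
        domain = addr.strip().rsplit("@", 1)[-1].lower()
        if domain not in internal:
            return True
    return False


def rule_findings(record: dict, internal: set = INTERNAL_DOMAINS) -> list:
    """Return the reasons one rule-creation/modification record is suspicious (empty if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    for name in sorted(FORWARDING_PARAMS & set(p)):
        if _has_external(p[name], internal):
            reasons.append(f"{name} sends mail to external address {p[name]}")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("rule silently deletes matching messages")
    return reasons


def scan(records: list, internal: set = INTERNAL_DOMAINS) -> dict:
    """Map each mailbox owner to the list of findings across all records."""
    findings = {}
    for r in records:
        reasons = rule_findings(r, internal)
        if reasons:
            findings.setdefault(r["UserId"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_AUDIT).items():
        print(user, "->", "; ".join(reasons))
```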

Prosecutors charged Westbrook with one count each of securities and wire fraud, as well as five counts of computer fraud. The securities fraud count has a maximum punishment of up to 20 years in prison and $5 million in fines. 

The maximum penalty for wire fraud is up to 20 years in prison and a fine of either $250,000 or double the gain or loss from the offense, whichever is greater. Each computer fraud count is punishable by up to five years in prison and a maximum fine of $250,000 or twice the offense's gain or loss, whichever is greater.

Lawsuits Pile Up Against Florida-Based Data Firm After Security Breach

 

Given all of the major news events that have dominated headlines this summer, you'd be forgiven for missing yet another: reports that a massive data breach may have disclosed billions of details, including names, social security numbers, and addresses. 

National Public Data (NPD), a background-check data aggregator based in Coral Springs, Florida, recently admitted on its website that "a data security incident"—which was "believed to have involved a third-party bad actor" in December 2023—led to data leaks in April of this year. Bloomberg Law reports that 2.9 billion documents were leaked and then sold on the dark web for $3.5 million. 

Moreover, in recent days, it has become clear that the leak may be worse than previously thought. Brian Krebs, a cybersecurity investigative researcher, revealed on his KrebsOnSecurity website this week that National Public Data exposed its own credentials as part of the breach.

“KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today,” Krebs noted. 

While the breach seems to be getting worse, National Public Data says it is working with law enforcement and recommends that users freeze their credit.

The breach was made public earlier this month, following the filing of a class-action lawsuit against National Public Data's parent company, Jerico Pictures, in federal court in Fort Lauderdale. Numerous further lawsuits have since been filed: according to a Justia database search, at least 14 complaints have been filed in federal court against National Public Data since early August.

To get a sense of what these lawsuits allege, in one such filing, dated August 19, lawyers argue that National Public Data "breached its duties by, among other things, failing to implement and maintain reasonable security procedures and practices to protect individuals' PII [personally identifiable information] from unauthorised access and disclosure," and that "Defendant has not provided any notice to affected individuals, including Plaintiff, who only learnt that her SSN and other PII was posted on the dark web as a result of the Data Breach from LifeLock."

People who are concerned that their data has been compromised by fraudsters should freeze their credit and monitor their accounts as a first step. You can also use tools like npdbreach.com to see if your data is included in the repository of leaked information. There are other similar tools available, but they need you to enter your name or other information. 

This year is shaping up to be a significant one for cybercrime: The number of data breaches increased by 490% in the first half of 2024 when compared to the same period in 2023.

Apology Accepted: Ken Griffin’s Tax Records and the IRS


A Case of Privacy Breach and Unintended Disclosure

In an unprecedented turn of events, the Internal Revenue Service (IRS) recently issued a public apology to billionaire investor Ken Griffin. The reason? Leaked tax records that exposed sensitive financial information, including Griffin’s personal wealth and tax liabilities.

The Internal Revenue Service issued a rare apology for the "thousands" of tax records disclosed to the public between 2018 and 2020.

The IRS issued the apology as part of a deal with Griffin, who had filed a lawsuit in December 2022 over the "unlawful disclosure" of his tax information, which a contractor had released to the public.

The Breach and Its Origins

The story began with a former IRS contractor named Charles Littlejohn. Littlejohn, who had access to confidential tax returns, allegedly leaked information about several high-profile taxpayers, including Griffin. 

The recipient of this unauthorized disclosure was the nonprofit news organization ProPublica. The leaked data revealed intricate details about the financial lives of some of the wealthiest Americans.

Ken Griffin: The Billionaire at the Center of the Storm

Ken Griffin, founder of the hedge fund Citadel, is no stranger to the limelight. With a net worth approaching $42 billion, he ranks among the world’s wealthiest individuals. His investment strategies, philanthropic endeavors, and influence in financial circles have made him a prominent figure. However, the leak of his tax records thrust him into an unexpected controversy.

The Fallout and Legal Battle

Upon discovering the breach, Griffin took legal action against the IRS and the U.S. Treasury Department. His lawsuit alleged negligence, violation of privacy, and reputational harm resulting from the unauthorized disclosure. 

The leak not only exposed his financial data but also raised concerns about the security of taxpayer information within the IRS.

The IRS Apology

According to the IRS, the contractor, Charles Littlejohn, "violated" his job contract by disclosing the material to the press. The government also stated that Littlejohn "betrayed the trust" of Americans, including billionaire Elon Musk.

In a rare move, the IRS publicly acknowledged its mistake and issued an apology directly to Ken Griffin. The agency expressed regret for the inadvertent release of his tax records. 

The apology came after Griffin dropped his lawsuit, signaling a resolution to the matter. However, questions remain about the broader implications of such breaches and the safeguards in place to prevent future incidents.