Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Lawsuits. Show all posts

Columbus Faces Scrutiny for Handling of Ransomware Attack and Lawsuit Against IT Consultant

 

In July, Columbus, Ohio, experienced a ransomware attack, which initially appeared to be a typical breach. However, the city’s unusual response sparked concern among cybersecurity experts and legal professionals. IT consultant David Leroy Ross, also known as Connor Goodwolf, uncovered a significant breach exposing sensitive data from various city databases, including arrest records, domestic violence cases, and personal information. 

This attack, carried out by the Rhysida Group, affected the city, police, and prosecutor’s office, with some databases going back to 1999. Goodwolf, whose expertise involves monitoring dark web activities, discovered that over three terabytes of data had been stolen. Among the exposed data were personal identifiable information, protected health information, and social security numbers. Goodwolf expressed particular concern over the exposure of sensitive information involving minors and domestic violence victims, emphasizing that they were now victimized a second time. 

Despite the serious implications, the city’s response appeared to downplay the breach. At a press conference in mid-August, Columbus Mayor Andrew Ginther claimed that the stolen data was encrypted or corrupted, making it largely unusable. Goodwolf, however, contradicted this statement, revealing that the data he found was intact and usable. When he attempted to notify city officials, he was met with resistance and a lack of cooperation. As a result, Goodwolf turned to the media, which led the city of Columbus to file a lawsuit and secure a temporary restraining order against him. The lawsuit, intended to prevent the further dissemination of sensitive information, raised concerns in the cybersecurity community. 

Legal experts pointed out that such lawsuits against data security researchers are uncommon and could have broader implications. Raymond Ku, a professor of law, noted that lawsuits against researchers typically arise when the disclosure of a vulnerability puts others at risk. However, cybersecurity professionals, such as Kyle Hanslovan, CEO of Huntress, argued that Goodwolf was acting as a responsible researcher. Hanslovan warned that this approach could set a dangerous precedent, silencing individuals who work to expose breaches. The city defended its actions, stating that it sought to prevent the release of confidential information, including undercover police identities. Although the restraining order expired, Columbus continues its civil lawsuit against Goodwolf, seeking up to $25,000 in damages. 

As Columbus works to recover from the attack, the broader implications of its actions toward Goodwolf remain a point of contention. Experts argue that the case highlights the need for a legal framework that balances the protection of sensitive information with the role of security researchers in revealing vulnerabilities. As Columbus strives to position itself as a tech hub, this legal battle could affect its reputation and relationships within the tech industry.

Georgia Tech Faces DOJ Lawsuit Over Alleged Lapses in Cybersecurity for Defense Contracts

 

Researchers at the Georgia Institute of Technology, who have received over $1 billion in Defense Department contracts, are facing scrutiny for allegedly failing to secure their computers and servers, citing that doing so was too “burdensome.” Since 2013, the Department of Defense has mandated that any contractor handling sensitive data provide “adequate security” on their systems. 

However, at Georgia Tech, laboratory directors reportedly resisted developing a security plan and opposed IT department efforts to implement basic antivirus and anti-malware software. Two IT department employees filed a whistleblower lawsuit, leading the Department of Justice (DOJ) to join the case against the university and the Georgia Tech Research Corporation (GTRC), the nonprofit entity managing government contracts. The lawsuit claims that the Astrolavos Lab at Georgia Tech delayed creating and implementing a security plan, as required by the government contracts. 

When a plan was finally created in 2020, it did not cover all relevant devices, according to the DOJ. Furthermore, the lab, whose mission is to address the security of emerging technologies critical to national security, did not install or update antivirus or anti-malware tools until December 2021. The lab allegedly fabricated compliance reports sent to the Defense Department. The reasons behind these alleged security lapses reportedly stem from campus politics. The DOJ complaint suggests that researchers bringing in substantial government funding were viewed as “star quarterbacks,” using their influence to resist compliance with federal cybersecurity mandates. 

Between 2019 and 2022, GTRC secured more than $1.6 billion in government contracts, with over $423 million in 2022 alone. The whistleblowers, Christopher Craig and Kyle Koza, filed the suit under the False Claims Act, allowing them to receive a portion of any recovered funds. Georgia Tech and GTRC face nine counts, including fraud, breach of contract, negligence, and unjust enrichment, with the DOJ seeking damages to be determined at trial. The DOJ stressed the importance of cybersecurity compliance by government contractors to safeguard U.S. information against threats from malicious actors. 

Meanwhile, Georgia Tech expressed disappointment at the DOJ’s filing, arguing it misrepresents the university’s culture and integrity, claiming that the government itself had indicated that the research did not require cybersecurity restrictions. Georgia Tech has vowed to dispute the case in court, maintaining that there was no data breach or leak and reaffirming its commitment to cybersecurity and collaboration with federal agencies.  

This case is notable given recent cybersecurity threats faced by major universities, such as the University of Utah and Howard University, where ransomware attacks have resulted in significant financial losses.

DISH Network: Multiple Lawsuits Filed Against Dish After a Ransomware Attack


A multiple class action class lawsuit has been filed against Dish Network, following a ransomware incident that caused the company’s multi-day “network outage.” 

The lawsuit, filed across several states, asserts that DISH “overstated” its operating efficiency while operating with inferior cybersecurity and IT infrastructure. The objective of the lawsuit is to recover losses suffered by DISH investors who suffered adversities as a result of what has been referred to as "securities fraud." 

Dish Sued After Ransomware Incident 

After the issue came to light, at least six law firms are now pursuing a class action lawsuit against Dish to recoup losses for Dish stockholders due to the alleged "securities fraud" between February 22, 2021, and February 27, 2023. 

The complaint alleges Dish Network of attempting to conceal its operational effectiveness while maintaining "deficient" cybersecurity and IT infrastructure. 

"...As a result of the foregoing, the Company was unable to properly secure customer data, leaving it vulnerable to access by malicious third parties," states a court complaint, filed in the U.S. District Court of Colorado. 

The law firms representing the plaintiffs include Rosen Law Firm, Levi & Korsinsky, the New York-based Law firm of Vincent Wong, San Diego- based Robins LLP, Bragar Eagle & Squire, P.C., and Bernstein Liebhard LLP. 

"The foregoing cybersecurity deficiencies also both rendered Dish's operations susceptible to widespread service outages and hindered the Company's ability to respond to such outages; and... as a result, the company's public statements were materially false and misleading at all relevant times," states the complaint. 

Dish Stock Crumbled After Cyberattack 

DISH, a major American TV provider and satellite broadcaster, inexplicably went offline around February 24. Both its websites and applications ceased to work for several days. The "network outage" that the company had previously described also affected Boost Mobile. 

On February 28, in an SEC filing, DISH eventually confirmed being hit by a ransomware attack. 

After the disclosure, DISH continued to struggle for days to restore its IT infrastructure and the website Dish.com. Following the news of the ransomware attacks, the company’s stocks faced repercussions, with stock prices falling $0.79 per share, "or 6.48%, to close at $11.41 per share on February 28, 2023."

Since then, the company has kept up the battle against the widespread disruption to its cyber systems, notably the client site MyDISH. The company is informing its clients that they will be receiving paper bills for the month of March as a result.  

Facebook to give $550 Million as a Settlement in a Lawsuit


Social Media giant Facebook is to pay an amount of $550 million as a settlement in what appears to be another series of lawsuits, and this time, it is a Facial Recognition issue. The lawsuit is not good for the brand perception of Facebook as it puts further questions to the credibility of the privacy laws of the social networking site.


"Facebook has agreed to pay a settlement of $550 million related to a claim filed for FB's facial recognition technique," said Facebook this Wednesday. The incident that appeared in Illinois is said to be a great triumph for privacy organizations as it raises the question of privacy laws of the company Facebook which is already among the controversies of data laws. The issue emerged from FB's image labeling technique named 'Tag Suggestions,' which uses facial recognition techniques to suggest the name of users present in the photo.

The company that has filed lawsuit accused Facebook of collecting the facial data of the company's employees that violate Ilionis Biometric Privacy law. It accuses Fb of storing data of millions of users for Tag suggestions without the knowledge of the company's employees and also without them knowing how long the data will be kept. Facebook has dismissed the allegations saying it has no basis of proof. As per the settlement, FB has to pay $550 Million as legal fees to the affected users of the Illinois company. This payment even surpasses the $380 Million amount that the reporting agency 'Equifax' had agreed to pay for the settlement of a 2017 consumer data breach incident.

"Facebook agreed to settle the case by giving back what was rightful to the community and in the goodwill of public interest, as it affects our stakeholders," says FB's spokesperson. "The settlement highlighted the importance of user privacy and security," says lawyer Joey Edelson, whose firm addressed the issue on behalf of the affected users of Facial Recognition suit. He further says, "people worried about issues related to gun rights concerning women safety or people who like to participate in societal issues by not disclosing their identity hold the same importance and we should respect their privacy."

Amazon, Rings Sued by a Man Claiming that the Camera was Hacked and used to Harass his Kids


A class-action lawsuit has been filed against Amazon-owned Rings by Alabama resident John Orange. The company has been accused mainly of negligence and invasion of privacy amid other side claims namely breach of an implied warranty, breach of implied contract and violation of California’s Unfair Competition Law against false advertising as it failed to provide enough protection against hacks.

Orange claimed that his internet-connected Ring camera which he bought in July 2019 was hacked and used to harass his three children aged seven, nine and ten, as per the lawsuit. Reportedly, the hacker spoke to the kids as they were playing basketball.

The argument for a class-action was supported by seven other similar incidents reported by media wherein these devices were hacked as the two-way talk function was used by hackers to talk to unsuspecting children.

A mother shared one such disturbing incident which made rounds on social media, it took place in Mississippi wherein the hacker attempted to engage with her eight-year-old daughter. While, another one which took place in Texas, witnessed a couple being threatened to pay a ransom of $350,000 in bitcoin.

According to the lawsuit, "An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera."

“Although Ring is in the business of home security and was certainly aware that its Wi-Fi-enabled product, was vulnerable to attack, it took no steps to ‘require camera owners to use two-factor authentication, which could help prevent these types of attacks…,’” the lawsuit stated.

“Moreover, it knew, or should have known, in an era of pervasive data breaches, that logging in with user emails instead of unique account names, and not requiring at least 2FA [two-factor authentication], put its Wi-Fi-enabled product at an unreasonable risk of being compromised.”

“Unfortunately, Ring did not fulfill its core promise of providing privacy and security for its customers as its camera systems are fatally flawed,” the lawsuit further claimed.

On being asked by Gizmodo, a spokesman from Ring declined to comment as he told that the company "does not comment on legal matters."

If the matter qualifies for gaining the status of class action, Amazon and Ring would be asked to provide compensation for the affected parties and implement better security measures.

Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.




Microsoft Sues IP Address for Windows, Office Piracy

Microsoft has filed a lawsuit against an individual IP address that was reportedly attempting to activate a pirated version of Windows and Office. The IP address points to a Comcast office in New Jersey and is accused of trying to activate over 1,000 copies of the software.

It is unclear who the complaint is filed against as the lawsuit mentions “John Does 1-10” and the IP address (73.21.204.220).

The full complaint can be seen below.

“During the software activation process, Defendants contacted Microsoft activation servers in Washington over 2800 times from December 2014 to July 2017, and transmitted detailed information to those servers in order to activate the software,” Microsoft claims in the complaint.

Microsoft is suing for both copyright and trademark infringement and has asked the court to seize all copies of the unlicensed software.

Apple Admits to Slowing Down Old iPhones, Faces Lawsuits

Earlier this week, in response to a blog post by John Poole at Geekbench, Apple revealed that the company actually does slow down their iPhones when they get older, a fact that has been long suspected by iPhone users.

Apple said that it started the practice a year ago, to compensate for battery degradation, rather than push people to upgrade their smartphones faster.

This fact has led to a social media storm and outrage amongst users. Many have pointed out that a better solution may have been to make the battery replaceable and to inform customers, providing them an opt-out.

Apple is now facing two class-action lawsuits alleging that the company was intentionally and deceptively slowing down its phones so that users would buy the latest model, thus bringing more profits for Apple.

According to the lawsuit’s press release by a law firm in Chicago, Apple’s this move is “deemed purposeful, and if proven, constitutes the unlawful and decisive withholding of material information.” The second lawsuit comes from California stating that Apple should have provided its customers an option to choose between the slow-down, or opt out.