Information Security Newspaper | Hacking News
https://www.securitynewspaper.com/

Hacker’s Google Search Gave Him Away – You Won’t Believe What He Looked Up!
https://www.securitynewspaper.com/2025/02/12/hackers-google-search-gave-him-away-you-wont-believe-what-he-looked-up/
Wed, 12 Feb 2025 18:23:33 +0000

Washington, D.C. – In a landmark case highlighting the growing cybersecurity threats to financial institutions and digital platforms, Eric Council Jr., a 25-year-old Alabama resident, has pleaded guilty to conducting a SIM-swapping attack that led to the hijacking of the U.S. Securities and Exchange Commission’s (SEC) official X (formerly Twitter) account in January 2024. His cyber intrusion enabled the posting of a fraudulent Bitcoin ETF approval announcement, momentarily influencing the cryptocurrency market before the hoax was exposed.


The Anatomy of the Attack: How Council Gained Access

SIM-Swapping: A Gateway to High-Profile Accounts

SIM-swapping, a well-documented form of social engineering, involves fraudulently transferring a victim’s phone number to a SIM card controlled by the attacker. This enables cybercriminals to bypass multi-factor authentication (MFA) mechanisms, gaining unauthorized access to digital accounts linked to the phone number.

In Council’s case, he targeted an individual responsible for managing the SEC’s social media accounts. By leveraging a fraudulent identification card, which he fabricated using an identification card printer, he impersonated the victim and successfully seized control of their cellular number.

Once in possession of the phone number, Council executed a password reset on the SEC’s X account, granting himself full control. He then transferred account access to co-conspirators, who compensated him with $50,000 in Bitcoin for his role in facilitating the breach.


The Fake Announcement & Market Manipulation

Shortly after gaining control over the SEC’s official X account, Council and his accomplices published a fabricated post falsely announcing the approval of Bitcoin Exchange-Traded Funds (ETFs). The now-infamous post read:

“Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges. The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”

Given the SEC’s authoritative stance on cryptocurrency regulations, the deceptive announcement immediately triggered a spike in Bitcoin’s value, driving prices up by $1,000 in a matter of minutes. However, the celebration was short-lived, as SEC Chair Gary Gensler quickly disavowed the post, confirming that the agency’s account had been compromised. This revelation prompted a swift $2,000 drop in Bitcoin’s price, causing losses for traders who acted on the fraudulent information.

The SEC officially confirmed that a SIM-swapping attack was responsible for the breach, raising urgent concerns over the security of high-profile institutional accounts and the vulnerabilities of SMS-based authentication measures.


The Investigation: Council’s Digital Footprint Led to His Downfall

Following the incident, the FBI launched an extensive investigation, ultimately linking Council to the cyberattack. Forensic analysis of his personal computer revealed that he had conducted multiple searches relating to FBI investigations, including:

  • “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them?”
  • “How can I know for sure if I am being investigated by the FBI?”

These searches, along with evidence of his fraudulent ID card creation activities, provided authorities with sufficient grounds to arrest and charge him.


Legal Consequences: Maximum Five-Year Sentence Looms

After initially pleading not guilty, Council reversed course and pleaded guilty to charges of conspiracy to commit aggravated identity theft and access device fraud. Under federal sentencing guidelines, he faces a maximum penalty of five years in prison.

His sentencing hearing is scheduled for May 16, 2025, where the court will determine his final punishment. Given the severity of the financial impact and the national security implications, legal experts anticipate a harsh sentence to serve as a deterrent to future cybercriminals.


How a SIM-Swap Exploit Works: Technical Breakdown

1. Target Identification & Reconnaissance

  • Attackers use OSINT (Open-Source Intelligence) techniques, social media scraping, and dark web data leaks to gather personal information.
  • They look for phone numbers, email addresses, dates of birth, and security question answers from past breaches.

2. Gaining Personal Information for Social Engineering

  • Cybercriminals phish victims or buy leaked credentials to obtain date of birth, address, and account PINs.
  • If needed, they impersonate financial institutions or service providers to trick victims into revealing additional details.

3. Executing the SIM Swap with the Carrier

  • The attacker calls the victim’s mobile provider, claiming their phone was lost or stolen.
  • They use stolen personal details to verify their identity and convince customer support to transfer the phone number to a new SIM.
  • Once the swap is completed, the victim loses service, while the attacker receives their calls and messages.

4. Account Takeover & Exploitation

  • The attacker resets passwords for high-value accounts (email, crypto exchanges, financial services).
  • They intercept SMS-based two-factor authentication codes, bypassing security measures.
  • They take full control of accounts, locking out the original user and executing fraud or financial theft.

Mitigations: How to Prevent SIM-Swapping Attacks

1. Strengthen Mobile Carrier Security

✅ Set a unique PIN or passphrase with your carrier for SIM changes.
✅ Enable port-freezing or no-SIM-swap policies if your provider offers them.
✅ Link security alerts to an alternate email or authentication app.

2. Avoid SMS-Based Multi-Factor Authentication (MFA)

✅ Use app-based authenticators (Google Authenticator, Authy, Microsoft Authenticator).
✅ Prefer security keys (YubiKey, Titan Key) for high-risk accounts.

3. Monitor & Lock Personal Data

✅ Freeze your credit to prevent identity theft.
✅ Enable real-time SMS/email alerts for suspicious logins or account changes.

4. Be Aware of Phishing & Social Engineering

✅ Never share personal details over the phone unless you initiated the call.
✅ Ignore suspicious SMS links or emails claiming “account security alerts.”
✅ Regularly review security settings for sensitive accounts.


A Wake-Up Call for Cybersecurity & Financial Markets

The Council case underscores several critical cybersecurity vulnerabilities, particularly within financial institutions and regulatory bodies. It also serves as a warning that social engineering exploits, when combined with weak authentication protocols, can lead to high-impact financial fraud and market manipulation.

While individuals must take steps to protect themselves, mobile carriers, financial regulators, and social media platforms must enhance their security frameworks to reduce the risk of SIM-swapping attacks. The cryptocurrency and financial trading sectors, in particular, remain prime targets for cybercriminals seeking to exploit market movements for illicit gain.

With the SEC breach demonstrating the real-world consequences of inadequate security measures, organizations must move beyond SMS-based authentication and adopt stronger, more resilient security strategies. As cybercriminals evolve, so must the defensive measures protecting high-value targets.

The sentencing of Eric Council Jr. on May 16, 2025, will be a defining moment for law enforcement’s stance on cyber fraud—one that could shape the future of digital security policies across regulatory agencies, financial institutions, and telecommunications providers.

50,000 Users Hacked via WhatsApp!
https://www.securitynewspaper.com/2025/02/12/50000-users-hacked-via-whatsapp/
Wed, 12 Feb 2025 16:07:02 +0000

A large-scale malware campaign, dubbed FatBoyPanel, is targeting Android users in India, compromising over 50,000 victims. Security researchers from Zimperium attribute this attack to a single threat actor deploying over 1,000 malicious applications. The malware is primarily distributed via WhatsApp as an APK file, masquerading as legitimate government or banking apps. Researchers identified 900 unique samples and uncovered 2.5GB of stolen data, including sensitive banking details, government IDs, and SMS messages.

The malware exfiltrates stolen data using hard-coded phone numbers, some controlled by the attacker, while others belong to compromised victims. About 63% of these numbers were traced to Indian regions. The malware exploits SMS permissions to intercept and steal OTPs, allowing unauthorized access to banking accounts. Additionally, it employs stealth techniques such as icon hiding, uninstallation resistance, and code obfuscation. By intercepting SMS messages, it facilitates fraudulent transactions, leading to financial losses for victims.

This highlights the critical need for cybersecurity awareness, urging users to avoid installing APKs from untrusted sources and to review app permissions rigorously. Authorities and security firms are actively investigating the campaign, but users must remain vigilant against such evolving cyber threats.

GhostGPT is out – Write your own Malicious Code
https://www.securitynewspaper.com/2025/02/04/ghostgpt-is-out-write-your-own-malicious-code/
Tue, 04 Feb 2025 14:33:15 +0000

A new artificial intelligence (AI) tool called GhostGPT is being misused by cybercriminals to create harmful programs, hack systems, and send convincing phishing emails. Security researchers from Abnormal Security found that this AI model is available for sale on Telegram, a messaging platform, with prices starting at $50 per week. Hackers find GhostGPT appealing because it is fast, easy to use, and does not store user conversations, making it harder for authorities to track.

GhostGPT is not the only AI being used for illegal activities. Similar tools like WormGPT are also on the rise, offering criminals ways to bypass security controls that are present in ethical AI models like ChatGPT, Google Gemini, Claude, and Microsoft Copilot. These unethical AI models are designed to assist in writing malicious code and carrying out cyberattacks, posing a major risk to businesses and individuals.

The rise of cracked AI models—which are modified versions of legitimate AI tools—has made it easier for hackers to gain access to powerful AI systems without restrictions. Security experts have been tracking the rise of these tools since late 2024 and report an increase in their usage for cybercrime. This development is alarming for the tech industry and security professionals because AI was meant to help people and businesses, not be used as a weapon. If these malicious AI models continue to grow, companies and individuals could face more sophisticated cyberattacks, making cybersecurity more challenging. The need for stronger regulations and better security measures to prevent AI abuse is now more critical than ever.

Hackers Can Manipulate Your Heart Rate Monitor – Unbelievable Security Flaw!
https://www.securitynewspaper.com/2025/02/03/hackers-can-manipulate-your-heart-rate-monitor-unbelievable-security-flaw/
Mon, 03 Feb 2025 22:10:08 +0000

In a critical security disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have warned healthcare providers and cybersecurity professionals about a high-risk backdoor vulnerability in Contec CMS8000 patient monitors.

This vulnerability allows remote attackers to gain unauthorized access, modify patient data, and disrupt device functionality—posing a severe cybersecurity threat to hospitals and medical institutions. If exploited, the flaw could enable an attacker to manipulate real-time vital sign monitoring, potentially leading to fatal medical errors or ransomware-style device takeovers.


Technical Analysis of the Vulnerability

The vulnerabilities, tracked under CVE-2025-0626 and CVE-2025-0683, enable attackers to execute arbitrary commands on the device.

Breakdown of the Exploit Path

The Contec CMS8000 patient monitor firmware contains hardcoded credentials and an undocumented remote access protocol, which serve as a backdoor into the system. This backdoor allows an attacker to:

  1. Authenticate remotely without proper credentials, using a weak or publicly known factory-set username and password.
  2. Access a command-line interface (CLI) over an open network port, allowing direct system manipulation.
  3. Overwrite system files, modify patient telemetry data, and even disable alarms and notifications.

Key Technical Issues Enabling Exploitation

  1. Hardcoded Administrative Credentials
    • The firmware contains static, factory-set credentials that cannot be changed by hospital IT staff.
    • Attackers can easily retrieve these credentials from firmware dumps or leaked documentation.
    • Once obtained, these credentials allow full device control over Telnet or SSH.
  2. Exposed Network Services
    • The CMS8000 runs multiple unnecessary services on open ports:
      • Telnet (Port 23) – Legacy unencrypted command-line access.
      • HTTP (Port 80) – Web interface without proper authentication mechanisms.
      • TFTP (Port 69) – Allows remote firmware updates without validation.
    • These services lack proper access control, enabling remote manipulation.
  3. Arbitrary Code Execution
    • Due to a lack of input validation, an attacker can inject malicious commands via network-based API calls.
    • This can be leveraged to deploy malware, install a persistent backdoor, or modify the firmware.
  4. File System Modification and Log Manipulation
    • Attackers can overwrite core system files and alter log data, making it difficult for administrators to detect malicious activity.

Potential Exploitation Scenarios

Given the vulnerability’s severity, several exploitation scenarios exist:

1. Remote Device Takeover

  • An attacker scans the network for vulnerable CMS8000 monitors using Shodan or Nmap.
  • They identify an active device running the affected firmware version.
  • Using leaked hardcoded credentials, they gain remote CLI access over Telnet or SSH.
  • The attacker executes commands to disable monitoring functions, shut down alerts, or falsify patient readings.

2. Ransomware Attack Targeting Medical Devices

  • A threat actor deploys a custom script via the backdoor, encrypting all patient records stored on the device.
  • The monitor’s display is replaced with a ransom note, demanding payment in cryptocurrency to restore normal functionality.
  • Because the device is integral to patient care, hospitals may feel pressured to pay the ransom to restore operations quickly.

3. Man-in-the-Middle (MitM) Attack on Patient Data

  • An attacker positions themselves on the same network segment as the medical monitors.
  • Using ARP spoofing, they intercept real-time telemetry data sent from the CMS8000 to hospital monitoring stations.
  • They modify patient data in transit, causing medical professionals to make incorrect treatment decisions.

4. Attack on Healthcare IoT Infrastructure

  • Since many hospitals run unsegmented internal networks, compromising the CMS8000 can act as a pivot point for lateral movement.
  • Attackers could escalate privileges to access hospital record systems, imaging devices, and even electronic health records (EHRs).

Mitigation Strategies

1. Immediate Steps for Healthcare Organizations

CISA and the FDA strongly urge hospitals and IT administrators to take the following actions immediately to protect against potential exploits:

🔹 Apply the Latest Firmware Updates

  • If a security patch is available from Contec, it must be applied immediately.
  • Devices that cannot be updated should be segmented from the network.

🔹 Disable Unused Network Services

  • Telnet and TFTP should be disabled where possible.
  • Restrict SSH access to only trusted internal IP addresses.

🔹 Implement Network Segmentation

  • Healthcare institutions should place patient monitoring devices on a dedicated VLAN with strict firewall rules.
  • Blocking public access to CMS8000 monitors is essential to prevent remote exploitation.

🔹 Change Default Credentials (If Possible)

  • If the firmware allows it, administrators should change factory-set usernames and passwords.
  • Deploy multi-factor authentication (MFA) for remote access.

🔹 Continuous Monitoring & Threat Detection

  • IT teams should deploy intrusion detection systems (IDS) to monitor for suspicious activity on medical device networks.
  • Regular penetration testing should be conducted to assess security posture.

The Larger Cybersecurity Challenge in Healthcare

The CMS8000 vulnerability is just one example of a larger systemic issue within the healthcare industry:
Many legacy medical devices were not designed with cybersecurity in mind.

Broader Industry Risks Include:

  • Medical IoT (IoMT) Devices Lacking Updates
    • Many medical devices are still running outdated operating systems (e.g., Windows XP, Windows 7).
  • High-Value Targets for Cybercriminals
    • Hospitals store highly sensitive patient data, making them attractive targets for ransomware and espionage.
  • Regulatory Compliance Challenges
    • Many institutions struggle to balance HIPAA compliance with modern cybersecurity best practices.

The cybersecurity of medical devices must become a higher priority for manufacturers, regulators, and healthcare providers. Moving forward, medical device manufacturers must adopt “Security by Design” principles, ensuring that future devices:

  • Require firmware authentication
  • Disallow hardcoded credentials
  • Enforce encrypted communications by default

Until these security issues are addressed at the design level, hospitals must take proactive steps to secure vulnerable devices and prevent catastrophic cyberattacks.


Final Thoughts

The discovery of a critical backdoor in the Contec CMS8000 is a wake-up call for the healthcare industry. This incident highlights the inherent risks in unpatched, insecure medical devices and the potential life-threatening consequences of cyber vulnerabilities in healthcare infrastructure.

Key Takeaways for Cybersecurity Experts & Healthcare IT Teams:

✔ Assess and patch all network-connected medical devices.
✔ Implement strict access controls and disable unnecessary network services.
✔ Enforce continuous monitoring of hospital IoT networks.
✔ Pressure vendors to release security updates and adopt stronger cybersecurity measures.

Cyberattacks on medical devices are no longer hypothetical—they are happening now. As healthcare increasingly relies on digital technology, securing these critical systems is a matter of life and death.

2025 API ThreatStats Report: AI Vulnerabilities Surge 1,025%, 99% Connected to APIs
https://www.securitynewspaper.com/2025/01/31/2025-api-threatstats-report-ai-vulnerabilities-surge-1025-99-connected-to-apis/
Fri, 31 Jan 2025 20:28:38 +0000

Wallarm’s 2025 API ThreatStats Report uncovers a dramatic 1,025% rise in AI-centric security flaws over the past year. Researchers cataloged 439 AI-related CVEs in 2024, and nearly every one—99%—traced back to insecure APIs. These include injection flaws, misconfigurations, and a sharp uptick in memory corruption exploits tied to AI’s reliance on high-performance binary endpoints.

AI technologies have exploded across industries, but APIs that power AI models often lack robust security. Over 57% of AI-enabled APIs are publicly exposed, while only 11% employ strong authentication and access controls. Attackers exploit these weak points to inject malicious code, siphon training data, or even manipulate machine learning pipelines. Wallarm’s researchers see these tactics succeeding in major breaches, such as those targeting Twilio and Tech in Asia, where attackers bypassed insufficient API protections to gain unauthorized access.

A standout finding is the new “Memory Corruption & Overflows” category in the Top-10 threat list. AI workloads push hardware boundaries, triggering buffer overflows and integer overflows that let attackers execute arbitrary code or crash systems. This kind of flaw used to be rare in web applications but has surged as binary APIs become standard in high-performance AI contexts. Malicious actors quickly seize these opportunities, using them to exfiltrate data or take over critical infrastructure.

API issues are now the number one attack vector, eclipsing older exploit types like kernel or supply-chain vulnerabilities. More than half of CISA’s known exploited flaws involve APIs, underscoring the shift to attacks that aim for direct entry points. Legacy endpoints—like .php files or AJAX calls—add another layer of exposure, because they often remain unpatched in production environments, from healthcare providers to government agencies.

Wallarm’s analysis covers 99% of 2024’s API-related CVEs and bug bounty disclosures, classifying them by CWE categories to produce actionable insights. Security teams can use these findings to prioritize fixes, especially for APIs supporting AI services. Strong memory-safety checks, real-time threat monitoring, and tightened authentication should become the norm.

Organizations that embrace AI must address API security head-on. Failure to do so risks data theft, operational chaos, and damaged reputations. As AI reshapes core business operations—from predictive modeling to customer engagement—protecting the APIs behind these systems is no longer optional.

Download the report:
https://www.wallarm.com/resources/2025-api-threatstats-report-ai-security-at-raise

“Enter0” is selling access
https://www.securitynewspaper.com/2025/01/31/enter0-is-selling-access/
Fri, 31 Jan 2025 19:41:48 +0000

There is a secretive online place called Exploit, which is like a dark web forum where hackers and cybercriminals gather to discuss and sell illegal things, like stolen data, hacked accounts, or access to company networks. Think of it as a black market for cybercrime. Enter0 has posted on this forum, saying they have access to the computer network of a US-based construction equipment company that makes about $24 million a year. The hacker group has somehow found a way into the company’s internal systems, likely by stealing an employee’s username and password or finding a security weakness. Now, they are selling this access to other hackers. The price starts at $600, but someone can buy it immediately for $1,500.

This kind of access is dangerous because it allows criminals to steal company data, install ransomware (a virus that locks all files and demands money to unlock them), or spy on the company’s activities. The company does have antivirus software (SentinelOne), but this proves that antivirus alone cannot stop hackers if they already have login credentials. It looks like Enter0 is a new and unverified hacker, meaning they are not yet trusted in the hacking community. Still, this kind of sale can lead to serious cyberattacks. It highlights how companies need stronger security measures, like multi-factor authentication and better monitoring, to prevent such breaches. In short, cybercriminals are openly selling hacked access to real companies, and businesses need to be more aware of such threats.

Unlocking Privacy: A Comprehensive Guide to Apple’s App Privacy Report
https://www.securitynewspaper.com/2025/01/28/unlocking-privacy-a-comprehensive-guide-to-apples-app-privacy-report/
Tue, 28 Jan 2025 18:04:47 +0000

In today’s digital age, privacy is a top concern for users who want to safeguard their data against unnecessary and invasive access by apps. With this in mind, Apple introduced a powerful feature known as App Privacy Report in iOS 15.2. This feature puts transparency at the forefront, empowering users to monitor how apps interact with their data and devices. Let’s dive into what the App Privacy Report is, how it works, and how you can use it to enhance your privacy.


What is Apple’s App Privacy Report?

The App Privacy Report is a feature that allows users to monitor apps’ activities, particularly in terms of data access and network communication. This report provides detailed insights into how apps access sensitive device resources and communicate with external domains. By providing this transparency, Apple aims to help users make more informed decisions about which apps they trust with their data.

Key Features of the App Privacy Report:

  1. Data & Sensor Access: Tracks when apps access your camera, microphone, location, photos, and contacts.
  2. Network Activity: Displays the domains that apps communicate with, including third-party services and trackers.
  3. Website Network Activity: Shows network interactions when using apps with built-in browsers.
  4. Most Contacted Domains: Lists the domains most frequently contacted by your apps.

This feature aligns with Apple’s broader privacy initiatives, such as App Tracking Transparency and Privacy Nutrition Labels in the App Store.


How to Enable App Privacy Report

Setting up the App Privacy Report is simple and takes just a few steps:

  1. Open Settings: On your iPhone or iPad, navigate to the Settings app.
  2. Go to Privacy & Security: Scroll down and select the “Privacy & Security” option.
  3. Enable App Privacy Report: Tap on “App Privacy Report” (near the bottom) and turn it on.

Once enabled, the feature will begin collecting data on app activities. Note that it may take some time (a few hours to a day) for the report to populate with meaningful insights.


Navigating the App Privacy Report

After enabling the feature, you can access detailed reports by returning to Settings > Privacy & Security > App Privacy Report. The report is divided into four main sections:

1. Data & Sensor Access

This section shows how often apps have accessed sensitive data and device sensors, such as:

  • Camera: Did an app access your camera unexpectedly?
  • Microphone: Are there any apps using your microphone when they shouldn’t?
  • Location: Are apps requesting your location more frequently than necessary?

2. App Network Activity

See the domains that apps communicate with. This is particularly useful for identifying apps that:

  • Use third-party analytics or trackers.
  • Share data with external servers.

3. Website Network Activity

For apps with built-in browsers, this section reveals the websites you’ve visited and any associated network activity.

4. Most Contacted Domains

This section highlights the domains that are most frequently contacted by apps. If you notice repeated communication with unfamiliar or suspicious domains, it could indicate potential privacy concerns.


How to Use the App Privacy Report Effectively

The App Privacy Report provides powerful insights, but knowing how to act on the information is key. Here’s a guide to making the most of the report:

1. Review Data Access

Pay close attention to which apps access your sensitive data and sensors. Ask yourself:

  • Is the access necessary for the app’s functionality?
  • Does the app’s behavior align with your expectations?

For example, a weather app may need location access, but it should not be accessing your microphone.

2. Monitor Network Activity

Look for:

  • Apps communicating with unknown domains.
  • Excessive contact with third-party services.

If you identify apps sharing data with suspicious or unnecessary domains, consider revoking their permissions or uninstalling them.

3. Adjust App Permissions

To control data access:

  1. Go to Settings > Privacy & Security.
  2. Select the specific data type (e.g., Camera, Microphone, or Location Services).
  3. Adjust permissions for individual apps as needed.

4. Uninstall Suspicious Apps

If an app exhibits excessive or unjustified access to data or communicates with too many unknown domains, it may be worth uninstalling it.

5. Reset the Report (Optional)

If you want to start monitoring from scratch:

  1. Go to Settings > Privacy & Security > App Privacy Report.
  2. Scroll down and tap “Turn Off App Privacy Report.”
  3. Re-enable it to reset the data collection.

Why the App Privacy Report Matters

1. Transparency

The App Privacy Report empowers users by shining a light on app behavior. It helps you understand which apps are respecting your privacy and which might be overstepping boundaries.

2. Control

By providing detailed insights, the feature allows you to take control of your data. You can adjust permissions, restrict access, or uninstall apps based on their behavior.

3. Privacy Awareness

The report raises awareness about how apps communicate with third-party services, helping you spot potential privacy risks.

4. Aligns with Apple’s Privacy Goals

Apple’s commitment to user privacy is evident in features like App Tracking Transparency and Privacy Nutrition Labels. The App Privacy Report is yet another step toward giving users greater control over their data.


Conclusion

Apple’s App Privacy Report is a powerful tool for anyone who values their privacy. By providing transparency into how apps access your data and communicate with external domains, it empowers you to make informed decisions about which apps to trust. Whether you’re monitoring data access, adjusting permissions, or identifying suspicious behavior, the App Privacy Report is an essential feature for maintaining your digital privacy.

Enable it today and take the first step toward a more secure and private app experience!

How to Use AI Paraphrasing Tools for Improved Writing and Creativity
https://www.securitynewspaper.com/2025/01/28/how-to-use-ai-paraphrasing-tools-for-improved-writing-and-creativity/
Tue, 28 Jan 2025 11:30:00 +0000

As a writer, I have discovered that AI paraphrasing tools greatly enhance my work and foster my originality. These tools are a terrific method to reword concepts and improve the sound of my writing, whether I am working on emails, blog pieces, or even creative writing. Allow me to explain how I utilize them to improve the impact and appeal of my work.

What is an AI Paraphrasing Tool?

To put it simply, an artificial intelligence (AI) paraphrasing tool helps rewrite sentences and paragraphs while preserving their meaning. It uses artificial intelligence to comprehend context and recommend different words. For me, it is perfect when I want to avoid repetition or when I am struggling to express a thought clearly. I have even used them to give my writing a fresh twist.

I remember struggling with a blog post about technology once. My ideas were there, but the writing felt stiff. Using a paraphrasing tool helped me reword sentences, making the blog flow better and sound more natural.

Why I Use AI Paraphrasing Tools

Over time, I realized that AI paraphrasing tools aren’t just for fixing awkward sentences; they are a great way to spark creativity. When writing about a familiar topic, the tool helps me think of new ways to present my ideas. Instead of sticking to my first draft, I can use the AI to suggest new phrasing, giving me a wider range of expression.

Another reason I love using paraphrasing tools is the time they save. When I am on a tight deadline, they help me quickly generate alternatives for a sentence or paragraph. This way, I can keep the momentum going without getting stuck on one line for too long.

How to Use AI Paraphrasing Tools Effectively

I have learned that using these tools wisely is key. 

First, I write a rough draft. Once I have got my ideas down, I run my sentences through the paraphrasing tool. If something feels awkward or too formal, the AI suggests alternative ways to phrase it. The AI detector can also spot areas where the rewording needs adjustment to ensure the content remains natural.

The best part of using AI paraphrasing tools is that they do not just replace words; they can also simplify complicated sentences, making my writing clearer and more readable. For example, if I am explaining a technical concept, the tool can suggest simpler ways to get the point across.

AI Paraphrasing Tools for Creativity

Sometimes, when I face a roadblock, the AI paraphrasing tool acts as a brainstorming partner. I will input a sentence or paragraph, and the tool provides several options. Some of these are great, while others need tweaking, but they help me think in new directions.

I recall once working on a marketing campaign and struggling to find the right catchy phrase. I used the paraphrasing tool, and within minutes I had a few creative suggestions that were better than what I had initially thought.

Caution – AI Detector and Authenticity

Of course, it is important to use these tools in moderation. Relying too much on AI can make your writing sound mechanical. AI detectors can sometimes identify when a sentence has been rewritten by a tool. That’s why I always review the paraphrased text to make sure it still sounds like me and conveys my message authentically.

Final Thoughts

AI paraphrasing tools are now a vital part of my writing process. They help me improve clarity, save time, and spark creativity. Whether you are a professional writer or just starting out, these tools can be incredibly helpful. Just remember to use them as a supplement to your own ideas, not a replacement for them. With the right balance, they can make your writing more efficient and creative.

Record breaking 5,600,000 megabits per second (Mbps) DDoS attack
https://www.securitynewspaper.com/2025/01/23/record-breaking-5600000-megabits-per-second-mbps-ddos-attack/
Thu, 23 Jan 2025 14:10:41 +0000

In October 2024, a very powerful cyberattack was launched. This attack was a type of DDoS attack. DDoS means “Distributed Denial of Service,” where hackers use many devices to overwhelm a website or service and make it unavailable. Think of it like thousands of people trying to walk through a small door at the same time—it causes a traffic jam, and nobody can get through.

This particular attack was extremely big—it was recorded at 5.6 terabits per second. To give you an idea, that’s an enormous amount of internet traffic being used to disrupt a service. The attack targeted an internet company in East Asia. The hackers used a tool called Mirai, which is a type of malware. This malware takes over devices like cameras or routers, and in this case, it controlled around 13,000 devices to launch the attack.

The attack lasted for only 80 seconds, but it was so powerful that it set a record. According to Cloudflare (January 21, 2025), a company that helps protect websites from attacks like these, it managed to stop the attack without any disruption to the service. This attack was part of a larger trend. In the last few months, Cloudflare has noticed a sharp increase in these kinds of attacks. In just one quarter, it stopped almost 7 million attacks. Some of these attacks were smaller, but many were very large, with over 420 of them being bigger than 1 terabit per second. This shows how cyberattacks are getting more frequent and more dangerous.

Phishing YouTube channels and links are stealing credentials
https://www.securitynewspaper.com/2025/01/21/phishing-youtube-channels-and-links-are-stealing-credentials/
Tue, 21 Jan 2025 14:50:49 +0000


Recently, cybercriminals launched a phishing attack using fake YouTube links to steal user login credentials. These links were cleverly disguised to look legitimate and used redirections through multiple websites to hide their true destination. The attack exploited a tool called the “Tycoon 2FA phishing kit,” making it capable of targeting a large number of users and even bypassing two-factor authentication (2FA). This highlights the growing sophistication of phishing campaigns and the need for extra caution while interacting with links.

How it works

  • Attackers created fake links that look like they are from YouTube. For example, the link might start with something like “hxxp[://]youtube” (instead of the usual “https://youtube”), making it seem real but hiding its true purpose.
  • When someone clicks these fake links, they are secretly redirected through multiple websites before reaching the final fake page. This makes it harder for security systems to detect the phishing attempt.
  • The final page looks like a legitimate login page, but when users enter their credentials, the attackers steal them.
  • According to researchers, this specific campaign was likely conducted by a hacking group called Storm-1747. They used a tool called “Tycoon 2FA phishing kit,” which is designed for large-scale attacks and can even bypass two-factor authentication.

How to protect

  • Verify Links Before Clicking: Always check if a link is legitimate by hovering over it to see the full URL. Avoid clicking on suspicious or shortened links.
  • Enable 2FA: Use two-factor authentication for all accounts, but be cautious of phishing attempts designed to bypass it.
  • Use Antivirus and Anti-Phishing Tools: Install security software that can detect and block phishing sites.
  • Educate Yourself and Others: Stay informed about the latest phishing tactics and share this knowledge with family and colleagues.
  • Report Suspicious Activity: If you encounter a fake link or phishing attempt, report it to the website or service it claims to represent.

Are Your Driving Habits and Location for Sale? GM Says Yes, FTC Says No
https://www.securitynewspaper.com/2025/01/20/are-your-driving-habits-and-location-for-sale-gm-says-yes-ftc-says-no/
Mon, 20 Jan 2025 22:39:34 +0000

The Federal Trade Commission (FTC) has initiated enforcement actions against General Motors (GM) and its subsidiary OnStar for unauthorized and misleading practices involving the collection and sale of sensitive driver data. The investigation uncovered that GM systematically collected precise geolocation and driving behavior data from millions of vehicles without obtaining explicit consent from consumers. This data was subsequently sold to third-party organizations, raising significant privacy and cybersecurity concerns.

This regulatory intervention underscores the critical need for transparency and consumer protection in the rapidly evolving landscape of connected automotive technologies.


Key Findings

  1. Unauthorized Data Collection:
    • GM and OnStar collected geolocation data at three-second intervals, along with detailed driving behaviors such as acceleration, braking, and speeding. This was done without obtaining prior consumer consent, violating privacy expectations.
  2. Misleading Practices:
    • OnStar’s “Smart Driver” feature was marketed as a tool to help drivers assess and improve their habits. However, the FTC revealed it was primarily a mechanism to collect and monetize driver data.
    • GM’s privacy disclosures failed to adequately inform consumers about how their data was being collected, shared, or sold, creating a false sense of security among vehicle owners.
  3. Data Monetization:
    • The data collected was sold to consumer reporting agencies, including Verisk, LexisNexis, and Jacobs Engineering. These entities used the data to adjust insurance rates or deny coverage outright, impacting consumers financially and undermining trust in GM’s services.

FTC’s Proposed Settlement

To address these violations, the FTC has proposed a settlement that includes the following key provisions:

  1. Data Sharing Ban:
    • GM and OnStar are prohibited from sharing geolocation and driving behavior data with consumer reporting agencies for five years.
  2. Mandatory Consumer Consent:
    • The settlement requires GM to obtain explicit consumer consent before collecting or selling their data.
  3. Data Deletion Requirements:
    • Previously retained consumer data must be deleted unless consumers explicitly opt in to its retention and use.
  4. Enhanced Consumer Controls:
    • Drivers must be provided with clear and accessible tools to view, manage, and delete their personal data, as well as options to disable data collection entirely.
  5. Transparency and Disclosure Improvements:
    • GM must provide comprehensive and plain-language disclosures about the types of data collected, its purpose, and how it will be used.
  6. Civil Penalties:
    • Although no immediate fines were levied, the FTC has set a potential penalty of $51,744 per violation. GM and OnStar have been given 180 days to comply with the settlement.

Broader Implications for the Automotive and Cybersecurity Communities

This enforcement action highlights growing concerns over data privacy and security within the automotive sector. The increasing integration of connected technologies in vehicles has created new avenues for data collection, often outpacing regulatory frameworks and consumer awareness.

  1. Regulatory Shift in Data Practices:
    • The FTC’s intervention signals a more aggressive stance on holding companies accountable for mishandling consumer data. It also sets a precedent for stricter oversight in the automotive industry, where privacy considerations are becoming as critical as physical safety features.
  2. Implications for Cybersecurity:
    • The sale of sensitive driver data to third parties increases the risk of cyberattacks and misuse. Data brokers and other entities handling such information could become targets for hackers, potentially compromising personal and financial information on a massive scale.
  3. Corporate Accountability:
    • This case serves as a reminder for corporations to prioritize consumer trust by implementing robust cybersecurity measures and transparent data governance policies. Non-compliance with emerging regulations could result in hefty fines and reputational damage.

Similar Cases and Industry Context

The GM case is not isolated. Similar concerns have arisen across the automotive and technology sectors:

  • Allstate Lawsuit: The Texas Attorney General recently sued Allstate and its subsidiary Arity for collecting and selling driving data from over 45 million Americans without consent.
  • Global Scrutiny: Automotive giants such as Toyota, Chrysler, and Mazda have faced allegations of engaging in unauthorized data collection practices, intensifying calls for uniform privacy standards across industries.

These developments highlight the pressing need for cohesive data privacy legislation that holds corporations accountable for protecting consumer information.


Looking Ahead

The FTC’s action against GM and OnStar may serve as a watershed moment, prompting automakers and tech companies to reevaluate their data collection practices. For cybersecurity professionals, it emphasizes the importance of implementing systems that not only secure data but also respect consumer rights.

As the automotive industry continues to innovate, the balance between technological advancement and privacy protection will remain a central challenge. Governments, corporations, and cybersecurity experts must collaborate to ensure that consumer trust is not eroded in the pursuit of profit.

How Microsoft 365 accounts are getting hacked
https://www.securitynewspaper.com/2025/01/17/how-microsoft-365-account-are-getting-hacked/
Fri, 17 Jan 2025 15:50:22 +0000


Introduction:

In recent cyber incidents, attackers have been targeting Microsoft 365 accounts using a sophisticated and fast-paced method. On January 6, 2025, cybercriminals began exploiting a tool called “FastHTTP” to carry out large-scale automated password-guessing attacks. This method leverages the tool’s capability for high-speed login attempts, making it a serious threat to organizations relying on Microsoft 365 for email and collaboration. Let us break this down in simple terms.

The Attack:

  • What Happened?
    • Attackers utilized a software library called “FastHTTP” to automate a huge number of login attempts against Microsoft 365 accounts. This software works at high speed, minimizing delays, and is ideal for launching these types of attacks.
    • The attacks were traced to regions including Brazil, Turkey, and Argentina.
  • How Does the Attack Work?
    • Credential Stuffing: Attackers use usernames and passwords that were leaked from previous data breaches to try logging into Microsoft 365 accounts.
    • Password Spraying: Instead of using multiple passwords for one account (which could cause it to lock), attackers try a small set of common passwords across many accounts.
    • These attacks target the Azure Active Directory API, a system responsible for managing logins to Microsoft 365.
  • What About MFA-Protected Accounts?
    • Even accounts with Multi-Factor Authentication (MFA)—a second layer of security where users approve logins via their phone or email—aren’t completely safe.
    • Attackers exploit a technique called MFA fatigue, where they send repeated login requests, overwhelming users with approval notifications. A user might mistakenly approve one, giving attackers access.
  • Outcomes of the Attacks:
    • 10% Success Rate: About 1 in 10 attempts successfully takes over the targeted account.
    • 21% Lockouts: Some attacks trigger account lockouts due to too many failed login attempts.
    • 41.5% Failure Rate: The rest of the attempts fail outright.
  • Impact of a Successful Attack:
    • Once attackers gain access, they can:
      • Steal sensitive data (data exfiltration).
      • Use the account to send fake emails as part of business email compromise (BEC) schemes.
      • Move deeper into the organization’s network to access more systems and data (lateral movement).

  • It’s critical for organizations to enhance their defenses, educate users on MFA fatigue, and adopt measures like conditional access policies to protect against such threats.
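
The patterns described above (one source failing logins across many accounts, and a burst of MFA prompts ending in an approval) can be hunted for in sign-in logs. The following is an added example, not code from the original article: the log layout, account names, addresses and thresholds are constructed, and matching on a `fasthttp` user agent assumes the client keeps the library's default User-Agent string.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, not real logs. Columns (hypothetical layout):
# time, source IP, account, user agent, event
SAMPLE_LOG = """\
2025-01-06T09:00:01 203.0.113.7 alice@example.com fasthttp password_fail
2025-01-06T09:00:02 203.0.113.7 bob@example.com fasthttp password_fail
2025-01-06T09:00:03 203.0.113.7 carol@example.com fasthttp password_fail
2025-01-06T09:00:04 203.0.113.7 dave@example.com fasthttp password_fail
2025-01-06T09:00:05 203.0.113.7 erin@example.com fasthttp password_ok
2025-01-06T09:00:10 203.0.113.7 erin@example.com fasthttp mfa_prompt
2025-01-06T09:00:40 203.0.113.7 erin@example.com fasthttp mfa_prompt
2025-01-06T09:01:10 203.0.113.7 erin@example.com fasthttp mfa_prompt
2025-01-06T09:01:30 203.0.113.7 erin@example.com fasthttp mfa_approved
2025-01-06T09:05:00 198.51.100.20 frank@example.com Mozilla/5.0 password_fail
2025-01-06T09:05:20 198.51.100.20 frank@example.com Mozilla/5.0 password_ok
2025-01-06T09:05:25 198.51.100.20 frank@example.com Mozilla/5.0 mfa_prompt
2025-01-06T09:05:30 198.51.100.20 frank@example.com Mozilla/5.0 mfa_approved
"""

def parse(log):
    """Turn each whitespace-separated line into an event dict, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, agent, event = line.split()
        events.append({"time": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "agent": agent, "event": event})
    return sorted(events, key=lambda e: e["time"])

def find_spraying(events, min_accounts=4, window=timedelta(minutes=10)):
    """Sources whose failed logins hit many distinct accounts in one window."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "password_fail":
            fails[e["ip"]].append((e["time"], e["user"]))
    flagged = {}
    for ip, rows in fails.items():
        for start, _ in rows:
            accounts = {u for t, u in rows if start <= t <= start + window}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(len(accounts), flagged.get(ip, 0))
    return flagged

def find_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=5)):
    """Accounts that got a burst of MFA prompts; note if one was approved."""
    prompts, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e["time"])
        elif e["event"] == "mfa_approved":
            approvals[e["user"]].append(e["time"])
    flagged = {}
    for user, times in prompts.items():
        for start in times:
            burst = [t for t in times if start <= t <= start + window]
            if len(burst) >= min_prompts:
                end = burst[-1]
                approved = any(end <= a <= end + window for a in approvals[user])
                flagged[user] = {"prompts": len(burst), "approved": approved}
                break
    return flagged

def fasthttp_sources(events):
    """Source IPs whose user agent names the fasthttp library (assumption)."""
    return {e["ip"] for e in events if "fasthttp" in e["agent"].lower()}

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("spraying:", find_spraying(evts))
    print("mfa fatigue:", find_mfa_fatigue(evts))
    print("fasthttp user agent:", fasthttp_sources(evts))
```

An account that appears in the MFA-fatigue result with `approved` set is the case to triage first: the password was already correct and a prompt was accepted.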
