“We will hold them accountable”: General Motors sued for selling customer driving data to third parties
Texas Attorney General Ken Paxton has sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent.
In June, the Attorney General (AG) announced he had opened an investigation into several car manufacturers over allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.
Following that investigation, the AG explained in a press release that he had decided to sue General Motors:
“Our investigation revealed that General Motors has engaged in egregious business practices that violated Texans’ privacy and broke the law. We will hold them accountable.”
The court filing provides some more detail. It reasons that when consumers buy a vehicle, they want a mode of transportation to get them from one point to another, but with GM (and its subsidiary OnStar) they unwittingly opt in to an all-seeing surveillance system.
GM collected scores of data points from consumers about their driving habits and monetized that data by selling it on to other commercial parties. The AG accuses GM of installing technology that allegedly improves the safety, functionality, and operability of its vehicles, but at the same time this technology gathers driving data about the vehicle’s usage.
The driving data collected and sold by GM included trip details like speed, seatbelt status, and driven distance. On top of that, GM gathered data through other products like its mobile apps.
GM had agreements with various companies which allowed them to use the driving data to calculate a driving score based on risk analysis. After buying a license from GM, an insurer could access the driving scores of over 16 million customers. Based on those scores the insurer could and did increase monthly premiums, drop coverage, or deny coverage.
GM claimed to have consent, but according to the AG it “engaged in a series of misleading and deceptive acts” to obtain that consent.
Among other things, the onboarding process was treated as a mandatory prerequisite to taking ownership of the car. But it was nothing short of a deceptive flow to ensure customers would agree to sign up for GM’s products and get enrolled in the driving data collection scheme. Customers were presented electronically with some fifty pages of disclosures about its OnStar products, which consisted of product descriptions and a confusing series of applicable user terms and privacy notices.
At no point did GM disclose that it would sell any of their data, much less their driving data, nor did it disclose that it had contracts in place to make driving scores available to other companies or permit companies to re-sell driving scores to insurance companies.
Last year on the Malwarebytes Lock and Code podcast, David Ruiz spoke to a team of researchers at Mozilla who had reviewed the privacy and data collection policies of various product categories over several years. They reported that they classified cars as the worst product category they had ever reviewed for privacy.
A modern car has not been solely a means of transportation for a long time. With multiple digital systems, cars are increasingly plugged into web applications and digital processes—both of which are vulnerable to security flaws.
But at least those flaws are not intentional; some of the privacy issues apparently are. So it’s good to see a raised awareness among consumers about these issues, and investigations conducted.
As we noted, an ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.
Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.
As always, we will keep an eye on the developments in this field.
8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware.
The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers.
"This vulnerability allows remote authenticated
The Hacker News | #1 Trusted Cybersecurity News Site
Chinese Attackers Hack American Businesses Digital Locks To Steal Sensitive Data
United States Senator Ron Wyden warned and notified the Director of the National Counterintelligence and Security Center (NCSC), Michael C. Casey, that Chinese hackers are actively backdooring digital locks to steal sensitive data.
Hackers target and backdoor these digital locks to gain unauthorized access to sensitive information and resources.
Backdooring allows hackers to maintain access even after the initial breach, facilitating the threat actors’ ability to keep ongoing unauthorized activities active.
Technical Analysis
Wyden urges the NCSC to warn businesses about the risks of substandard commercial safe locks. Many have undisclosed manufacturer backdoor reset codes that are known only to the makers.
According to the report, lock companies receive demands from agencies for these codes, which grant access to the safe. Foreign threat actors could exploit the backdoors to steal trade secrets and IP stored in business safes.
The Department of Defense (DoD) emailed on November 8, 2023, that manufacturer reset codes are prohibited in approved government locks due to a threat.
On December 15, 2023, the white paper showed that standards omit backdoor mentions to hide their existence. The public was kept in the dark after the government secured itself against vulnerability.
Chinese firm SECURAM dominates the consumer safe lock market with low-cost models. Website docs confirm products have undisclosed reset codes.
As a result, SECURAM must assist with the surveillance demands, potentially compromising business safety.
The U.S. rival S&G has confirmed that many products have reset codes that must be disclosed to the government and litigants.
The policy on code turnover is also provided, as the codes are enticing targets for hacking and espionage.
Only S&G (Sargent and Greenleaf) locks without backdoors are approved for U.S. government-classified data storage.
NCSC should warn businesses about foreign spy threats to intellectual property. Firms can’t defend trade secrets if unaware of safe lock vulnerabilities.
Ron Wyden urges NCSC to update the public guidance recommending business safes meet strict government security standards.
Besides this, transparent advisory is needed to protect America’s economic edge from espionage exploitation.
The post Chinese Attackers Hack American Businesses Digital Locks To Steal Sensitive Data appeared first on Cyber Security News.