Australian businesses now have a list of best practices to refer to when using commercial AI products. The Office of the Australian Information Commissioner (OAIC) published on October 21 guidance on the use of commercially available AI products. The document explains in detail organizations’ obligations when using personal information in the context of off-the-shelf AI
Microsoft has uncovered a macOS vulnerability that can enable attackers to gain access to users’ protected data, and warned active exploitation may be taking place. The flaw, dubbed “HM Surf,” allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology to access sensitive user data, including browsed pages and the device’s camera,
Most of Internet Archive’s services have resumed after a series of distributed denial-of-service (DDoS) attacks took the world’s largest digital library’s website offline several times over the past few days. In a blog post published on October 18, the non-profit confirmed that many services are now up and running, including its Wayback Machine, Archive-It, scanning
Meta’s Instagram has announced new security measures to protect people on its platform from sextortion scams. Sextortion is a crime where scammers threaten to expose intimate imagery of their victims if they do not comply with the criminal’s demands, typically financial payment. These features included hiding follower and following lists from potential sextortion scammers, preventing
North Korean threat actors have adopted new tactics to escalate fake IT worker insider attacks, including extorting their former employers, researchers from Secureworks have found. The cybersecurity firm said the development, attributed to the Nickel Tapestry threat group, marks a significant deviation from previously established tactics. In many earlier North Korea fake IT worker schemes,
Cyber-threats are escalating beyond the collective ability to defend against them, new UK National Cyber Security Centre (NCSC) head Dr Richard Horne has warned. In his first international speech at Singapore International Cyber Week, Horne said that increased dependence on technology is widening the gap between the escalating threats to societies, critical services, and businesses,
A new sophisticated malicious campaign is using an undetected Cerberus Android banking Trojan payload, according to cybersecurity provider Cyble. In a new report published on October 14, Cyble Research and Intelligence Labs (CRIL) identified 15 malicious samples posing as Chrome and Play Store apps from mid-September through the end of October. These samples use a multi-stage
Japanese game developer Game Freak, the firm behind the Pokémon franchise, has suffered a security breach exposing the data of 2606 employees and partners. The leak first appeared on forum 4chan in early October and is now circulating on social media and online forums under the name ‘TeraLeak’, following the naming trend of the 2020
The US Customs and Border Protection (CBP) agency has been forced to release documentation on CBP One, its border control app accused of mishandling migrants’ personal data. In December 2022, digital rights advocacy organization Access Now submitted a Freedom of Information Act (FOIA) request in the US, seeking all records from the CBP One app’s
NHS England has posted an alert relating to a critical Veeam Backup & Replication vulnerability which is now under active exploitation by ransomware groups. Successful exploitation of the vulnerability (CVE-2024-40711) could lead to remote code execution (RCE), the alert noted. RCE could allow attackers to run code on a remote device without the need for
As open source software (OSS) consumption soars, there has been a 156% surge in open source malware, according to new findings by Sonatype. More than 704,102 malicious packages have been identified since 2019, and 512,847 of these have been discovered since November 2023, the firm’s 10th Annual State of the Software Supply Chain report found.
The world’s most famous digital library has suffered a series of cyber-attacks that rendered its site, including its Wayback Machine, temporarily unavailable and exposed the data of 31 million users. On October 8, 2024, Internet Archive founder, Brewster Kahle, confirmed on X that archive.org was hit by a distributed denial-of-service (DDoS) attack before announcing a
The Australian government has introduced the country’s first standalone cybersecurity law to Parliament. The new legislation aims to better protect citizens and organizations against a heightened geopolitical and cyber threat environment. The Cyber Security Bill 2024 covers a range of areas, including mandating minimum cybersecurity standards for IoT devices and mandatory ransomware reporting for critical
Cyber-enabled fraud resulted in up to $37bn in losses for victims in East and Southeast Asia in 2023, with governments left unable to contain these threats, a United Nations (UN) report has warned. The analysis by the United Nations Office on Drugs and Crime (UNODC) highlighted that organized crime groups in the region have rapidly
New rules introduced in the UK today to refund victims of authorized push payment (APP) scams could still leave many high and dry, a non-profit has warned. The UK Chartered Trading Standards Institute (CTSI), which is dedicated to consumer protection and fair business practices, argued that the cap on the Mandatory APP Reimbursement Scheme is
A financially-motivated threat actor has been observed targeting organizations globally with a MedusaLocker ransomware variant, according to an analysis by Cisco Talos. The variant, known as “BabyLockerKZ,” has been around since at least late 2023, and this is the first time it has been specifically called out as a MedusaLocker variant. This variant uses the
Playbooks and tools are only as good as the people using them and a lack of trust and cooperation can derail even the most carefully crafted cyber response. Both technical teams and non-cyber business leaders must have the right skills and experiences to successfully deal with inevitable cyber incidents in an evolving threat landscape. The
Sellafield Ltd has been fined £332,500 ($437,440) for cybersecurity failings running the Sellafield nuclear facility in Cumbria, North-West England. The fine was issued by Westminster Magistrates Court following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator. Sellafield Ltd has also been ordered to pay prosecution costs of £53,253.20
The Police Service of Northern Ireland (PSNI) has been criticized for procedural failings that exposed the personal data of its officers and other staff. Meanwhile, a fine of £750,000 ($984,000) has been issued by the Information Commissioner’s Office (ICO). The data protection watchdog highlighted the significant harm and distress caused to personnel by the incident,
Meta has announced what it claims to be a “first-of-its-kind” information-sharing agreement with UK banks in a bid to arrest a growing social media fraud epidemic. The Fraud Intelligence Reciprocal Exchange (FIRE) will see high street lenders share threat intelligence with the social media giant so that it can take more targeted action to remove
Millions of Brits have fallen victim to fraud over the past three years, costing the wider economy an estimated £16bn ($21bn), according to a new study sponsored by Santander UK. The banking giant enlisted the help of cross-party think tank the Social Market Foundation (SMF) to poll 28,000 respondents across 15 European countries, to better understand
Cyber-resilience efforts are lagging among global organizations, partly because they’re failing to get CISOs involved in strategic technology investments, according to PwC. The consulting giant polled over 4000 business and technology executives to compile its annual Global Digital Trust Insights report. It found that just 2% of responding organizations have implemented cyber resilience actions across
Following an inquiry into Meta Platforms Ireland Limited (MPIL), the Data Protection Commission (DPC) in Ireland has fined the firm €91m ($102m) for mishandling social media users’ passwords and GDPR infringement. The DPC launched the initial inquiry in April 2019 after MPIL notified the DPC that it had inadvertently stored certain passwords of social media
The US government and global partners have urged action to strengthen the security and resiliency of undersea cable infrastructure, thereby protecting global communications and data from compromise. This includes incorporating cybersecurity best practices in the design of undersea cable infrastructure, reducing the risk of these services being hacked. The joint statement, endorsed by the
A man has been arrested on suspicion of involvement in the hack of UK railway stations, which resulted in Islamophobic messages being displayed to passengers attempting to connect to public Wi-Fi. The British Transport Police (BTP) revealed that the suspect is an employee of Global Reach Technology, which provides some Wi-Fi services to Network Rail.
Security researchers have discovered a new phishing campaign that capitalizes on excitement around the start of the League of Legends (LoL) World Championship this week to spread info-stealing malware. Bitdefender explained in a blog post that it’s spotted malicious social media ads promoting a free download of League of Legends, a popular PC-only game that
Security experts have repeated warnings not to use work email addresses to sign-up to third-party sites, after finding that thousands of US Congress staffers could be exposed to account hijacking and phishing. Secure mail provider Proton teamed up with Constella Intelligence to search on the dark web for over 16,000 publicly available email addresses associated
Telegram boss Pavel Durov has committed the platform to working more closely with law enforcement, while also cracking down on illegal activity. The Russian-born founder and CEO of the messaging platform said IP addresses and telephone numbers of those who break the app’s rules will be shared with police “in response to valid legal requests.” This is
UK data protection regulator the Information Commissioner’s Office (ICO) has welcomed a decision by LinkedIn to stop training its generative AI (GenAI) models on UK users’ information. Executive director for regulatory risk, Stephen Almond, argued that for organizations to extract maximum value from GenAI, the public must be able to trust that their privacy rights
HSBC claims to have successfully trialed the first application of quantum-secure technology for buying and selling tokenized physical gold. One year after the bank started tokenizing gold bullions using distributed ledger technology (DLT), HSBC announced on September 19 that it successfully tested quantum-secure methods to protect these assets against potential future quantum computing attacks. For