The European Commission has fined Elon Musk’s X €120 million (around $140 million) for breaching its transparency rules under the Digital Services Act. The European Union’s executive arm announced last year that it was investigating the social media company’s blue-checkmark verification system — first introduced when it was still known as Twitter — along with other alleged DSA violations. Today’s verdict concerns the "deceptive design" of the checkmark, as well as "the lack of transparency of [X's] advertising repository, and the failure to provide access to public data for researchers."
The Commission's issue with X’s verification system is that where blue checkmarks were once something that Twitter vetted, they can now be bought by anyone. According to the EU, this puts users at risk of scams and impersonation fraud, as they can’t tell if the accounts they’re engaging with are authentic. "While the DSA does not mandate user verification, it clearly prohibits online platforms from falsely claiming that users have been verified, when no such verification took place," it wrote in a statement.
The EU has also ruled that X’s advertisement repository employs "design features and access barriers" that make it difficult for good faith actors and the general public to determine the source of online ads and spot scams or threat campaigns. It says that X fails to provide information pertaining to both the content of an ad and the entity paying for its placement.
The third alleged infringement concerns the public data that companies are required by the DSA to make available to qualifying researchers. The European Commission claims that X’s practices in this area are unnecessarily prohibitive, therefore "effectively undermining research into several systemic risks in the European Union."
X has 60 working days to respond to the EU’s non-compliance decision — the first of its nature — on blue checkmarks, and 90 days to submit an "action plan" of how it will address the alleged breaches relating to its advertising repository and access to public data. Failure to comply could result in financial penalties.
This article originally appeared on Engadget at https://www.engadget.com/big-tech/x-hit-with-140-million-fine-from-the-eu-161259324.html?src=rss
There's a fundamental question you can ask of both the internet and real life: "How do I enjoy my time here without taking unnecessary risks?" In grass-touching meatspace, you can cut out processed foods, carry pepper spray and avoid skydiving without a partner.
But the best methods for staying safe online aren't as intuitive. The internet is a massive town square where people are constantly bellowing deeply personal facts about themselves. It's no surprise that it's become a breeding ground for scams, theft and other criminal activity.
Given the breadth of dangers, it may feel easier to throw up your hands and say that whatever happens will happen. I'm here to tell you, though, that cybersecurity doesn't have to be complex, difficult or time-consuming. You don't need to be a hacker to foil a hacker — you only have to take advantage of simple tips and free apps designed to make you safer online. Whether you commit to all 12 detailed here or only focus on one, you'll be much more secure for it.
1. Install security updates immediately
One of the most important things you can do to ensure your digital security is to install all software updates as soon as they become available on your devices. When you see the notification, don't wait — train yourself to download the update immediately.
Not all software updates are about security, but the ones that are form your best line of defense against technical hacks. When developers discover a flaw that can be exploited, they ship an update to fix it. By the time the flaw gets patched, chances are very high that hackers also know about it, so any time lost means you could be the next to get exploited.
As you go down this list, you'll learn that cybersecurity threats are less technical than you think. To counter the ones that are, however, there's nothing more important you can do than install security updates.
2. Use strong passwords
Weak, easily guessed passwords are one of the most frequent causes of data breaches and malware attacks. If a password is one of the ten or so most common, an attacker may be able to guess it with no other information. If it's connected to you — your birthday, say, or mother's maiden name — it may be guessable from information anyone can look up online.
Even if your password is a random string of characters, it might still be guessable if it's too short. Hackers can use programs to enumerate all possible combinations and try each one on a target account. The longer a password is, the harder it is to guess, and that difficulty grows exponentially with each added character.
[Image: SEAN GLADWELL via Getty Images]
That means you need passwords that are both long and meaningless to you. You might rightly complain that these are bastards to remember, but you're in luck: password managers can do that for you. A password manager app or browser extension can create passwords when you need them, store them securely and fill them in automatically. All you have to remember is the one master password that unlocks all the others.
3. Set up two-factor authentication
Even the strongest password might get revealed through no fault of your own, like if it's stored without encryption and leaked in a data breach. That's why it helps to have two-factor authentication (2FA), also known as multi-factor authentication (MFA), as a second secure layer on every account.
You probably already know 2FA as the irritating extra step that makes you go get your phone — but that's not the only way to do it. Many services, including Google and Apple, now let you log in through passkeys. These don't require you to enter a code or password; instead they use asymmetric cryptography, with a key pair split between your device and the service that runs the passkeys. It's a lot quicker for you, and leaves nothing for a thief to steal.
4. Back everything up
Ransomware and its cousins are a growth industry within the cybercrime economy. These attacks corrupt your files or lock you out of them until you pay a fee to get them back. The easiest way to foil a ransomware attack, or to clear any other kind of malware off a device, is to restore the entire system from the most recent backup.
To make sure you actually have a backup, experts recommend the 3-2-1 rule: three different backups, on two different types of storage, with at least one physically distant from the main system. For example, you could have one backup on another device in your house, one in the cloud and one on a portable hard drive. Automatic backup services can save disk images for you at set intervals so you don't have to remember to do it yourself.
5. Learn to spot social engineering
Despite all the technobabble flying around the cybersecurity world, a great many scams and hacks are accomplished through methods a 19th-century con artist would recognize. Scammers pose as experts or authority figures to gain your trust, and use frightening language to bypass your critical thinking. Ticking clocks, emotional manipulation and fake identities are all in the toolbox.
[Image: Alex Cristi via Getty Images]
Take phishing, in which hackers trick you into giving up your information willingly. A typical phishing email might pose as a bank, credit bureau or other authoritative service. In red letters, it may demand your bank password or social security number to immediately fix an irregularity with your account. Other common approaches include warning you about speeding tickets you never incurred or sending receipts for subscriptions you never bought.
Social engineering attacks are constantly evolving, but they often fall back on the same strategies. The best way to foil them is to take a deep breath every time you receive a frightening email or text message, then research it in detail: look up the email address, check the visual design to make sure the sender is who they claim to be, and ask yourself if there's any way the message could be true. I highly recommend working through this phishing quiz — it's tough, but fair, and extremely educational.
6. Always check links before clicking
This is a companion to the previous tip. Social engineering scams don't always try to get you to give up information yourself. They also get you to click on links that put secret malware on your device — like keyloggers that watch you type your passwords or ransomware programs that corrupt your files.
If you're ever not sure about an email attachment or a link you're being asked to click, copy the link (without opening it) and paste it into a URL checker like this one from NordVPN. These free tools can tell you if a link is associated with any known malware domains.
[Image: Sam Chapman for Engadget]
You can also mouse over any link, then look at the bottom-left of your browser to see what URL it will take you to. If an email is from your bank, any links within it should go to your bank's website. If it's going anywhere else, especially to an unidentifiable string of characters, be suspicious.
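As an added example (not code from the article), the mouse-over comparison above can be automated. This Python script parses the links in a constructed sample "bank" email and flags any whose real destination is outside the bank's domain, points at a bare IP address, or disagrees with the domain shown in the link text; examplebank.com and the other domains are made-up placeholders.

```python
"""Flag links in an HTML email whose destination does not match the sender's site."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample email. All domains and addresses are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, we noticed an irregularity with your account.</p>
<p><a href="https://examplebank.com/help">Visit our help center</a></p>
<p><a href="https://examplebank.com.account-verify.xyz/login">examplebank.com/login</a></p>
<p><a href="http://203.0.113.7/secure">Confirm your identity now</a></p>
<p><a href="https://secure.examplebank.com/alerts">Manage alerts</a></p>
<p><a href="https://examplebank.com/redirect?to=offer">rewards-examplebank.net</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _belongs_to(host, domain):
    # True for the domain itself and its subdomains; false for look-alikes
    # such as examplebank.com.account-verify.xyz, which only *starts* with the name.
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html, expected_domain):
    """Return a list of (text, href, reason) for every link worth suspecting."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = _host_of(href)
        if not host:  # relative links, mailto:, etc. carry no host to compare
            continue
        if _is_ip(host):
            findings.append((text, href, "link points at a bare IP address"))
            continue
        if not _belongs_to(host, expected_domain):
            findings.append((text, href, f"link leaves {expected_domain} for {host}"))
            continue
        # If the visible text itself looks like a domain, it should agree with the bank's.
        m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and not _belongs_to(m.group(1), expected_domain):
            findings.append((text, href, "visible text shows a different domain than the href"))
    return findings


if __name__ == "__main__":
    for text, href, reason in check_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{reason}: '{text}' -> {href}")
```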
A related tip is to never copy and paste something into your URL bar if you aren't absolutely sure of what it will do. Social engineering doesn't always get you to click the link — sometimes attackers leave it un-hyperlinked so mousing over it doesn't reveal anything. This also goes for the command line (terminal) on desktop and laptop computers. In a recent documented attack, hackers convinced AI chatbots to suggest a command that gave them root access to the victim's device. Never copy-paste anything into a terminal without verifying it first, especially if an AI told you to do it.
7. Don't overshare
Over the last two decades, lots of us have gotten into the habit of dumping all sorts of personal information on social media. This trend has supercharged the scam economy. It may seem harmless to broadcast the names of your kids or the dates you'll be on vacation, but every piece of data you put into the world makes it easier for a stranger to get hooks into you.
For example, "grandparent scams" are on the rise right now. Grifters contact a target, usually a senior, pretending to be their grandchild. They'll claim to be in a crisis and need money fast. The more information they have on their target, the more convincing their tale of woe will be. Social media is a prime place to study a potential victim.
Oversharing can also be a compounding problem. If you use weak passwords, your public information can be used to guess your credentials or answer your security questions. So, if you don't have a password manager yet, think twice before you engage with that quiz post on Facebook that asks for the name of your childhood pet.
8. Use a VPN
I'm a big booster of virtual private networks (VPNs), but it's important to be realistic about what they can and can't do. Even the best VPNs aren't total cybersecurity solutions — you can't just set one and assume you're safe forever. A VPN can't protect you if you use easily guessed passwords, for example, or click on a malware link. It's about hiding your identity, not making you invulnerable.
So what can a VPN do? In short, it replaces your IP address (a fingerprint that identifies you online) with another IP address, belonging to a server owned by the VPN. The VPN server does business with the internet on your behalf, while its conversations with your device are encrypted so it can't be traced back to you.
[Image: Sam Chapman for Engadget]
This means no third party can connect your online actions with your real-world identity. Nobody will be harvesting data on the websites you visit to sell to advertisers, nor building a file on you that an unscrupulous government might misuse. VPNs also protect you from fake public Wi-Fi networks set up by cybercriminals — even if a hacker tricks you into joining one and attempts a man-in-the-middle attack, your traffic is encrypted between your device and the VPN server, so they can't do much with it.
Many top VPNs, including my top pick Proton VPN, include ad blockers that can also keep cookies and tracking pixels from latching onto you. So, even if a VPN can't do everything, you'll be far safer and more private with one than without one. If you don’t want to pay for a new subscription right now, I've also compiled a list of the best free VPNs that are actually safe to use.
9. Run regular virus scans
The most important time to look for malware is when you're downloading a file from the internet. Not only can unwanted apps hitch rides on seemingly safe files, but links can start downloads in secret, even if you don't think they're meant to be downloading anything. A solid antivirus program can catch malware as it arrives on your system, and if it's uncertain, can lock suspicious files in quarantine until it knows whether they're safe or not.
Dedicated antivirus apps are sometimes even capable of catching malware that hasn't been seen or used yet. AV software uses machine learning to identify the common patterns of malware, filtering out new viruses that behave like old ones.
But what about malware that's already gotten through the perimeter? An antivirus app can also check your computer at set intervals in search of unwanted apps, including those that might be masquerading as system files. Windows computers now come pre-installed with Windows Defender, which is enough to handle most of these tasks, but I recommend at least one anti-malware program on any device.
10. Use email maskers and private search engines
If you're concerned about your information being misused or mishandled, remember that the less you put out into the world, the less danger you're in. Keeping your private data off social media is one important step, but there are other ways your data gets disseminated — and other options for responding.
For example, you often need an email address to sign up for an online account. If you use your real email, your contact information is now floating around online, increasing the chance of someone using it to scam you (or at least adding you to mailing lists you never signed up for). To stay safe, use an email masker. These services give you a fake email address you can use to create accounts, which automatically forwards messages to your real address.
[Image: Sam Chapman for Engadget]
Search engines, especially Google, are also notorious for building profiles on users by watching the terms they search for. You can dodge that by switching to a private search engine like DuckDuckGo, which doesn't track anything you do — it's funded by non-targeted ad sales on its search results pages, not by selling your data to brokers.
11. Use a data removal service
Speaking of data brokers: unfortunately, if you've been on the internet at any point in the last 10 years without taking intense precautions, your data is probably in the hands of at least one business that makes money by hoarding and selling it. These data brokers range from public-facing, people-search sites to private backend dealers.
Data brokers are poorly regulated and lax about safety. The longer one has your personal information, the more likely it is to leak. The good news is that most brokers (though not all of them) are legally required to delete your data if you ask them to.
However, there are a lot of data brokers out there, and they really want to keep your data. Each one makes opting out harder than uninstalling a Norton product — and hundreds of them may have files on you. To make the process easier, you can use a data removal service like DeleteMe or Surfshark VPN's partner service Incogni.
12. Practice physical security
Let's close out the list by getting a little old school. I've already discussed how many online scams depend on classic con artistry to work. By the same token, physical infiltration and smash-and-grab tactics still pose a threat to cybersecurity.
It doesn't take too much imagination to see how this could work. If you leave your laptop or phone unattended in public, for example, someone might insert a flash drive that loads malware onto the system. In one illustrative case, a thief in the Minneapolis area would loiter in bars, watch people unlock their phones, then steal those phones and unlock them himself.
I'm not saying you need to be paranoid every second you're in public. Just use the same level of caution you'd use to protect your car. Lock your phone with a biometric key so only you can open it, and make sure not to leave any device lying around if it can access your online accounts. And at work, be careful not to let anyone into a secure area if they don't have the proper credentials.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/12-steps-you-can-take-right-now-to-be-safer-online-130008335.html?src=rss
The Federal Trade Commission (FTC) can now go after scammers posing as tech support providers even if it's the consumer who called them up. It has just approved amendments to its Telemarketing Sales Rule that expand its coverage to include "inbound" calls to companies pitching "technical support services through advertisements or direct mail solicitations." Samuel Levine, Director of the FTC's Bureau of Consumer Protection, explained that the new rule will allow the agency to hold these scammy businesses accountable and to get money back for the victims.
"The Commission will not sit idle as older consumers continue to report tech support scams as a leading driver of fraud losses," Levine also said; the rule's expansion is expected to mostly help protect consumers 60 years and older. According to the agency, older adults reported losing $175 million to tech support scams in 2023 and were five times more likely to fall for them than younger consumers.
Tech support scams typically trick potential victims into calling by sending them emails or triggering pop-up alerts claiming that their computer has been infected with malware. Scammers then ask their targets to pay for their supposed services by wiring money, by loading money onto gift or prepaid cards or by sending cryptocurrency, because those methods can be hard to trace and reverse. They've long been a problem in the US — the agency shut down two massive Florida-based telemarketing operations that had scammed victims out of $120 million in total back in 2014 — but the issue has been growing worse over time. The $175 million victims reported losing in 2023 was 10 percent higher than the reported losses to tech support scams in 2022.
As the FTC notes, the Telemarketing Sales Rule has been updated several times since the year 2000 before this latest amendment. The first amendment in 2003 led to the creation of the Do Not Call Registry for telemarketers, while subsequent changes were made to cover pre-recorded telemarketing calls and debt collection services.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/ftc-expands-rules-to-hold-tech-support-scammers-accountable-143051612.html?src=rss
Meta is making progress in its fight against pig butchering scams. In an update, the company said it has taken down more than 2 million accounts associated with such scams this year and that its effort to work with other companies to take down fraudsters has had some success.
Described by Meta as “one of the most egregious and sophisticated” online scams, pig butchering is an increasingly common ruse in which scammers trick victims, whom they often find on social media and dating apps, into making crypto investments and other financial schemes before disappearing with their funds. One study, published earlier this year and reported by Bloomberg, found that these scams “have likely stolen more than $75 billion from victims around the world” since 2020.
Meta says it’s been tracking the criminal networks behind these scams for the last two years as these groups have increasingly grown their geographic footprint. “This year alone, we’ve taken down over two million accounts associated with scam centers in Cambodia, Myanmar, Laos, the United Arab Emirates and the Philippines,” the company said in a blog post. “We also continue to update behavioral and technical signals associated with these hubs to help us scale automated detection and block malicious infrastructure and recidivist attempts.”
Earlier this year, Meta joined Match Group, Coinbase and others in forming a coalition to jointly fight financial scams. In its latest update, Meta notes that it has also worked with other firms exploited by scammers. It says that OpenAI recently tipped off the social media company to “a newly stood up scam compound in Cambodia” after the AI company caught the would-be scammers attempting to translate scam content.
This article originally appeared on Engadget at https://www.engadget.com/social-media/meta-says-its-taken-down-2-million-accounts-linked-to-pig-butchering-scams-180036668.html?src=rss
One of the Gemini AI-powered features Google introduced at I/O this year was a solution for never-ending scam calls. It can detect whether a call is suspicious while it's still ongoing and alert you so you can drop the call as soon as possible. That live scam detection feature for phone calls is now available for Pixel 6 and newer devices, as long as you're part of the Phone by Google public beta program in the English language.
"[S]cam calls are evolving, becoming increasingly more sophisticated, damaging and harder to identify," the company said in its announcement. Scam Detection uses on-device AI to determine whether a call is a potential scam in real time. For instance, if the caller tells you it's your bank and asks you to transfer funds to another account because yours had allegedly been breached — a common scam tactic — you'll get an audio and a haptic alert. When you look at your phone, you'll see a visual warning, along with a button to easily end the call. If the AI ends up making a mistake, you can tap on the "Not a scam" button instead.
[Image: Google]
Scam Detection is off by default, and it's up to you whether you want to activate it. Google says it doesn't send your calls or their transcripts to a remote server, because the feature processes phone calls on-device. On the Pixel 9 series, it's powered by Gemini Nano, which Google describes as its "most efficient model for on-device tasks." On Pixel devices older than the Pixel 9, it's powered by the company's other machine learning models.
Google didn't say when live scam detection will make it out of beta, but it promised that it's coming soon to more Android devices. In October, the company also rolled out enhanced scam detection for Messages, which also uses on-device machine learning models to identify scam texts.
This article originally appeared on Engadget at https://www.engadget.com/mobile/smartphones/googles-live-scam-detection-for-phone-calls-is-now-out-for-pixel-devices-143017096.html?src=rss
Lyft has agreed to tell its drivers how much they can truly earn on the ride-hailing platform — and back it up with evidence — as part of its settlement for a lawsuit filed by the US Justice Department and the Federal Trade Commission. The lawsuit accused the company of making "numerous false and misleading claims" in the advertisements it released in 2021 and 2022, when the demand for rides recovered following COVID-19 lockdowns in the previous years. Lyft promised drivers up to $43 an hour in some locations, the FTC said, without revealing that those numbers were based on the earnings of its top drivers.
The rates it published allegedly didn't represent drivers' average earnings and inflated actual earnings by up to 30 percent. Further, the FTC said that Lyft "failed to disclose" that information, as well as the fact that the amounts it published included passengers' tips. The company also promised in its ads that drivers will get paid a set amount if they complete a certain number of rides within a specific timeframe. A driver is supposed to make $975, for instance, if they complete 45 rides over a weekend.
Lyft allegedly didn't clarify that it would only pay the difference between what the drivers earned and its promised guaranteed earnings. Drivers thought they were getting those guaranteed payments on top of their ride payments as a bonus for completing a specific number of rides. The FTC also accused Lyft of continuing to make "deceptive earnings claims" even after it sent the company a notice of its concerns in October 2021.
Earlier this month, the company launched an earnings dashboard that shows the estimated hourly rate for each ride, along with the driver's daily, weekly and yearly earnings. But under the settlement, Lyft will have to explicitly tell drivers what their potential take-home pay is based on typical, instead of inflated, earnings. It has to take tips out of the equation, and it has to clarify that it will only pay the difference between what the drivers get from rides and its guaranteed earnings promise. Finally, it will have to pay a $2.1 million civil penalty.
This article originally appeared on Engadget at https://www.engadget.com/transportation/lyft-will-have-to-tell-drivers-how-much-they-can-truly-earn-with-evidence-120011572.html?src=rss
A 25-year-old Alabama man has been arrested by the FBI for his alleged role in the takeover of the Securities and Exchange Commission's X account earlier this year. The hack resulted in a rogue tweet that falsely claimed bitcoin ETFs had been approved by the regulator, which temporarily juiced bitcoin prices.
Now, the FBI has identified Eric Council Jr. as one of the people allegedly behind the exploit. Council was charged with conspiracy to commit aggravated identity theft and access device fraud, according to the Justice Department. While the SEC had previously confirmed that its X account was compromised via a SIM swap attack, the indictment offers new details about how it was allegedly carried out.
According to the indictment, Council worked with co-conspirators with whom he coordinated over SMS and encrypted messaging apps. These unnamed individuals allegedly sent him the personal information of someone, identified only as “C.L,” who had access to the SEC X account. Council then printed a fake ID using the information and used it to buy a new SIM in their name, as well as a new iPhone, according to the DoJ. He then coordinated with the other individuals so they could access the SEC’s X account, change its settings and send the rogue tweet, the indictment says.
The tweet from @SECGov, which came one day ahead of the SEC’s actual approval of 11 spot bitcoin ETFs, caused bitcoin prices to temporarily spike by more than $1,000. It also raised questions about why the high-profile account wasn’t secured with multi-factor authentication at the time of the attack. “Today’s arrest demonstrates our commitment to holding bad actors accountable for undermining the integrity of the financial markets,” SEC Inspector General Jeffrey said in a statement.
The indictment further notes that Council allegedly performed some seemingly incriminating searches on his personal computer. Among his searches were: "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBl is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account," the indictment says.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/the-fbi-arrested-an-alabama-man-for-allegedly-helping-hack-the-secs-x-account-193508179.html?src=rss
Another breach of a huge financial institution has leaked the personal information of thousands of customers to the public. TechCrunch reported that an unidentified hacker obtained 77,009 customers’ personal data from the asset management firm Fidelity Investments.
A filing by Maine’s attorney general posted yesterday revealed that the unidentified third party obtained the information in mid-August using two phony customer accounts. It’s not yet known how these accounts were used to access customer data. Fidelity said in a letter to its customers that it discovered the breach on August 19. The letter also said that the unidentified party did not access customers’ Fidelity accounts, but after completing its review, Fidelity confirmed that customers’ personal data had been breached.
The New Hampshire attorney general’s office filed a second data breach notice yesterday revealing another “data security incident” of Fidelity Investments’ customer data. The notice says the unauthorized third party obtained access to “an internal database that houses images of documents pertaining to Fidelity customers” by submitting fake requests for access also on August 19. The second data breach did not provide unwanted access to any customer accounts or funds and the leaked information only “related to a small subset of Fidelity’s customers.”
If you believe your data has been obtained by unwanted parties or is part of a data leak, the Federal Trade Commission recommends putting a freeze and fraud alerts on your credit reports and personal bank and credit card accounts. You can also report any identity theft incidents at IdentityTheft.gov or by calling 1-877-438-4338.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/data-breach-of-fidelity-leaks-77000-customers-personal-data-214248985.html?src=rss
Comcast is warning that hackers stole the personal data of more than 230,000 customers during a ransomware attack on a third-party debt collector, according to a court filing. The bad actors targeted a Pennsylvania-based debt collection agency called Financial Business and Consumer Solutions (FBCS).
The attack occurred back in February, but Comcast claims that FBCS initially said that the incident didn’t involve any customer data. FBCS changed its tune by July, when it notified Comcast that customer information had been compromised, according to reporting by TechCrunch.
All told, 237,703 subscribers were impacted by the breach. The attackers were thorough, scooping up names, addresses, Social Security numbers, dates of birth, Comcast account numbers and ID numbers. Comcast says the stolen data belongs to customers who signed up with the company “around 2021.” It also says it has stopped using FBCS for the purposes of debt collection.
“From February 14 and February 26, 2024, an unauthorized party gained access to FBCS’s computer network and some of its computers,” the filing states. “During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.”
No group has stepped forward to claim credit for the incident. FBCS has only referred to the attacker as an “unauthorized actor.” The debt collection agency was hit hard by this attack, with Comcast customers being just one group of victims. The company says more than four million people were impacted and that the cybercriminals accessed medical claims and health insurance information, in addition to standard identification data.
To that end, medical debt-purchasing company CF Medical confirmed that 600,000 of its customers were involved in the breach. Truist Bank also confirmed it was affected by the attack.
It’s notable that this incident primarily impacts debtors, opening them up to potential scams. Chris Hauk, consumer privacy advocate at Pixel Privacy, told Engadget that “the bad actors that get their paws on this information may use it to pose as debt relief agencies, which many turn to as a way out of their situation, meaning many of the involved debtors may be defrauded out of large sums of money, something they can ill-afford.”
In other words, keep an eye out for suspicious phone calls, emails and texts. This is good advice for anyone, and not just debtors who had data stored with FBCS. After all, it was revealed that hackers stole more than 2.7 billion records from American consumers earlier this year, which likely includes data on everyone who lives in the country.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/comcast-says-230000-customers-affected-by-debt-collection-data-breach-184554728.html?src=rss