Uber Paid Hackers to Delete Stolen Data on 57 Million People

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers. Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack. The breach is the latest scandal that new CEO Khosrowshahi inherits from his predecessor, Travis Kalanick.

Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack.

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
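The chain described above started with cloud credentials sitting in a source repository. A minimal defensive check for that failure mode, added here as an illustration and not code from Uber or from the article, is a pre-commit scan for AWS key material; the regex for the access key ID follows AWS's documented format (`AKIA`/`ASIA` plus 16 uppercase alphanumerics), the secret-key rule keys on the variable name, and the sample config uses AWS's published placeholder values rather than real credentials.

```python
import re

# Patterns for the two halves of an AWS IAM access key pair. The access key ID
# shape is documented by AWS; the secret value (40 base64-like characters) is too
# easy to confuse with other data, so that rule anchors on the config/env name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
}


def scan_text(text, path="<memory>"):
    """Return (path, line_no, rule_name) for every line that matches a rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((path, line_no, name))
    return hits


def precommit_exit_code(staged_files):
    """staged_files maps path -> file text (e.g. gathered from `git diff --cached`).

    Returns 1 (block the commit) if any file contains key material, else 0.
    A real hook would read the staged blobs; here the mapping is passed in so
    the check is testable without a git repository.
    """
    hits = []
    for path, text in staged_files.items():
        hits.extend(scan_text(text, path))
    for path, line_no, name in hits:
        print(f"{path}:{line_no}: possible {name} committed; remove and rotate it")
    return 1 if hits else 0


# Constructed sample: an AWS CLI-style config as a developer might commit by
# mistake. The values are AWS's documented example placeholders, not live keys.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    raise SystemExit(precommit_exit_code({"config/aws.ini": SAMPLE_CONFIG}))
```

The check only catches the two AWS key shapes; the broader fix the passage implies is not storing long-lived cloud credentials in repositories at all, so a hit should trigger rotation of the key, not just deletion from the commit.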

A patchwork of state and federal laws requires companies to alert people and government agencies when sensitive data breaches occur. Uber said it was obligated to report the hack of driver’s license information and failed to do so.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

U.K. regulators including the National Crime Agency are also looking into the scale of the breach. London and other governments have previously taken steps toward banning the service, citing what they say is reckless behavior by Uber.

In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. After last year’s cyberattack, the company was negotiating with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year’s attack.

The new CEO said his goal is to change Uber’s ways. Uber said it informed New York’s attorney general and the FTC about the October 2016 hack for the first time on Tuesday. Khosrowshahi asked for the resignation of Sullivan, the chief security officer, and fired Craig Clark, a senior lawyer who reported to Sullivan. The men didn’t immediately respond to requests for comment.

The company said its investigation found that Salle Yoo, the outgoing chief legal officer who has been scrutinized for her responses to other matters, hadn’t been told about the incident. Her replacement, Tony West, will start at Uber on Wednesday and has been briefed on the cyberattack.

Uber said it has hired Matt Olsen, a former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. He will help the company restructure its security teams. Uber hired Mandiant, a cybersecurity firm owned by FireEye Inc., to investigate the hack.

The company plans to release a statement to customers saying it has seen “no evidence of fraud or misuse tied to the incident.” Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection.

Consumer Groups Warn of Potentially Dangerous Toys

Holiday shoppers beware, consumer advocates are warning: Danger lurks in U.S. toy aisles, where dolls and robots can be used as spies and unlabeled potential choking hazards are disguised as "Disney Princess Punchball Balloons." "My Friend Cayla," a popular talking doll, uses a hidden microphone and an unsecured Bluetooth connection that can allow anyone within range to spy on your family and talk back to your child, said Kara Cook-Schultz, one of the authors of the U.S. Public Interest Research Group's annual "Trouble in Toyland" report.

"If you are an adult and have decided to share data with an internet-connected device, fine. But if you're a child, you probably have no idea that this doll that you think of as a friend can be used to spy on you," she said.

German authorities banned the Cayla doll in February, saying it violates Germany's privacy laws. Last summer, the FBI also issued a consumer warning about Internet-connected devices, saying that toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk because of the large amount of personal information that your children — and you, when you're in earshot of the device — might unwittingly disclose.

And Cayla isn't the only culprit.

The Mozilla Foundation, a non-profit aimed at fostering a free and functioning Internet, issued a report Tuesday that cited several other toys with identical Bluetooth risks — "Dash the Robot" and "BB-8 by Sphero," a Star Wars-themed toy. Both Bluetooth-enabled devices could allow everyone from neighbors to the person sitting next to you at the park to purposefully (or inadvertently) connect to the toys, listen to your kids' conversations and even talk back to them.

Worse, says Mozilla Foundation's vice president of advocacy, Ashley Boyd, is that these devices store all the personal information they've gathered. Yet it's not clear whether the data is stored in the device, in the "cloud" or elsewhere, nor is it clear how this data is secured.

"There isn't a lot of transparency," Boyd said. "As parents, we should know where the data is stored and whether it could be shared with others."

The "Adidas miCoach" soccer ball poses even greater privacy risks, according to the Mozilla report. The ball has a camera, microphone and location tracker, but no privacy controls. Consumers are also invited to create an account to use the game system, which could reveal more of their information.

"Privacy has really emerged as a theme with all of these Internet-connected devices," Boyd said.

Tips to Stay Safe for Happy Online Holiday Shopping

Cheers to a cybersecure holiday season! Cyber Monday 2017 is expected to be the biggest shopping day in U.S. history. According to a Pew Research Center survey, Americans use a wide range of digital tools and platforms to shop, and roughly 80 percent of adults purchase products online. Mobile has taken over holiday gift giving: last year, half of website visits and 30 percent of online sales were conducted via mobile devices. Gift givers are going mobile to conveniently compare products, read reviews and make purchasing decisions while out and about. Technology also ranks high on shopping lists – from new laptops and gaming systems to tablets, the latest phones and Internet of Things (IoT) devices like video cameras, toys and appliances.

Whether you are giving the gift of connectivity or using it yourself, don’t let hackers mess with the merriment. The National Cyber Security Alliance (NCSA) reminds everyone that all devices connected to the internet – including mobile and IoT – must be protected. And young people receiving technology for the first time need to understand how to use it safely and securely. In addition, older adults must make it their mission to continue to learn about and practice good cyber hygiene.

“All tech users – especially vulnerable audiences like teens and seniors – need to take responsibility and protect themselves against cyber threats, scams and identity theft – not only during prime shopping time, but every day,” said Michael Kaiser, NCSA’s executive director. “In past years, we have seen that scammers, hackers and cybercriminals are actively on the prowl during the holidays. Stay alert for phishing emails, deals that look too good to be true and warnings about packages that can’t be delivered or orders that have problems. Continually learn about and always initiate basic safety and security practices, and you will connect with more peace of mind during the holidays and year-round.”

GET READY TO CYBER SHOP SAFELY:

KEEP CLEAN MACHINES: Before searching for that perfect gift, be sure that all web-connected devices ‒ including PCs, smartphones and tablets ‒ are free from malware and infections by running only the most current versions of software and apps.

LOCK DOWN YOUR LOGIN: One of the most critical things you can do in preparation for the online shopping season is to fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

CONDUCT RESEARCH: When using a new website for your holiday purchases, read reviews and see if other customers have had positive or negative experiences with the site.

WHEN IN DOUBT, THROW IT OUT: Links in emails, social media posts and text messages are often how cybercriminals try to steal your information or infect your devices.

PERSONAL INFORMATION IS LIKE MONEY. VALUE IT. PROTECT IT: When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember that you only need to fill out required fields at checkout.

NAVIGATING THE DIGITAL MARKETPLACE WHILE ON THE GO:

GET SAVVY ABOUT WI-FI HOTSPOTS: If you are out and about, limit the type of business you conduct over open public Wi-Fi connections, including logging in to key accounts such as email and banking. Adjust the security settings on your phone to limit who can access your device.

SECURE YOUR DEVICES: Use strong passwords or touch ID features to lock your devices. These security measures can help protect your information if your devices are lost or stolen and keep prying eyes out.

THINK BEFORE YOU APP: Information about you, such as the games you like to play, your contacts list, where you shop and your location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps.

NOW YOU SEE ME, NOW YOU DON’T: Some stores and other locations look for devices with Wi-Fi or Bluetooth turned on to track your movements while you are within range. Disable Wi-Fi and Bluetooth when they’re not in use.

The Future of Microphones in Connected Devices

Future of Privacy Forum (FPF) released a new infographic: Microphones & the Internet of Things: Understanding Uses of Audio Sensors in Connected Devices. From Amazon Echos to smart TVs, we are seeing more home devices integrate microphones, often to provide a voice user interface powered by cloud-based speech recognition. Last year, we wrote about the “voice first revolution” in a paper entitled “Always On: Privacy Implications of Microphone-Enabled Devices.” This paper created early distinctions between different types of consumer devices and provided initial best practices for companies to design their devices and policies in a way that builds trust and understanding. Since then, microphones in home devices — and increasingly, in city sensors and other out-of-home systems — have continued to generate privacy concerns. This has been particularly notable in the world of children’s toys, where the sensitivity of the underlying data invites heightened scrutiny (leading the Federal Trade Commission to update its guidance and clarify that the Children’s Online Privacy Protection Act applies to data collected from toys). Meanwhile, voice-first user interfaces are becoming more ubiquitous and may one day represent the “normal,” default method of interacting with many online services and connected devices, from our cars to our home security systems.

As policymakers consider the existing legal protections and future direction for the Internet of Things, it’s important to first understand the wide range of ways that these devices can operate. In this infographic, we propose that regulators and advocates thinking about microphone-enabled devices should be asking three questions: (1) how the device is activated; (2) what kind of data is transmitted; and, on the basis of those two questions, (3) what are the legal protections that may already be in place (or not yet in place).

#1. ACTIVATION

In this section, we distinguish between Manual, Always Ready (i.e., speech-activated), and Always On devices. Always Ready devices often have familiar “wake phrases” (e.g., “Hey Siri”). Careful readers will notice that the term “Always Ready” applies broadly to devices that buffer and re-record locally (e.g., for Amazon Echo it is roughly every 1-3 seconds), and transmit data when they detect a sound pattern. Sometimes that pattern is a specific phrase (“Alexa”), but it can sometimes be customizable (e.g., Moto Voice lets you record your own launch phrase) and sometimes it need not be a phrase at all — for example, a home security camera might begin recording when it detects any noise. Overall, Always Ready devices have serious benefits and (if designed with the right safeguards) can be more privacy protective than devices designed to be on and running 100% of the time.

#2 – DATA TRANSMITTED

In this section, we demonstrate the variety of data that can be transmitted via microphones. If a device is designed to enable speech-to-text translation, for example, it will probably need to transmit data from within the normal range of human hearing — which, depending on the sensitivity, might include background noises like traffic or dogs barking. Other devices might be designed to detect sound in specialized ranges, and still others might not require audio to be transmitted at all. With the help of efficient local processing, we may begin to see more devices that operate 100% locally and only transmit data about what they detect. For example, a city sensor might alert law enforcement when a “gunshot” pattern is detected.

#3 – WHAT ARE THE EXISTING LEGAL PROTECTIONS?

In this section, we identify the federal and state laws in the United States that may be leveraged to protect consumers from unexpected or unfair collection of data using microphones. Although not all laws will apply in all cases, it’s important to note that certain sectoral laws (e.g. HIPAA) are likely to apply regardless of whether the same kind of data is collected through writing or through voice. In other instances, the broad terms of state anti-surveillance statutes and privacy torts may be broadly applicable. Finally, we outline a few considerations for companies seeking to innovate, noting that privacy safeguards must be two-fold: technical and policy-driven.


Source: FPF.org

Hacker ER Doctor Says Medical IoT Devices are a Security Disaster

Doctors — particularly the ones that work in emergency rooms — need to have strong stomachs and level heads, since they see illness and injury at their most serious. Violence, accidents and serious diseases are all a matter of routine in the ER.

Dr. Christian Dameff, a faculty member at UC San Diego’s medical school, has seen all of that and more, since he’s also a white-hat hacker and expert in medical IoT security. He warned the audience on Thursday at the Security of Things USA convention in San Diego that the state of that security is, frankly, alarming.

Technology is a central underpinning of all modern medical treatment, according to Dameff. Many younger doctors have never worked with paper charts, or written paper prescriptions, or looked at x-rays on a lightbox – it’s all digital.

“Software powers modern healthcare. It is as essential as antibiotics, x-rays and surgery combined,” he said. “Without our technical systems, doctors today are essentially helpless for taking care of strokes, heart attacks and traumas.”

There are two central issues, according to Dameff. Part of the problem is that security discussions in the medical field focus heavily on data security, mostly for regulatory reasons.

“When we talk about information security in healthcare, we talk about the HIPAA hammer,” he said, “because the fear of a HIPAA fine, and the fact that we have hundreds of data breaches every single year, has made this the focal point of your conversation.”

But a bigger issue is that the connected devices used to automate and speed up the tasks of care required by modern medicine are cripplingly, astonishingly vulnerable to compromise by outside agents.

The problem has existed for a long time, Dameff said, but the 2011 story of Jay Radcliffe, a diabetic security expert who discovered that a connected insulin pump he used was trivially easy to hack, helped bring the scale of the problem to the public’s attention.

“What surrounds the patient are dozens of wirelessly connected devices that are running legacy operating systems, that are unpatched, that have hard-coded credentials you can Google – that are controlling potent medications being infused into this patient that, if miscalculated or altered, can cause this patient to die. That is the state of modern healthcare IoT. We need to change it.”

Device makers need to work with doctors directly, Dameff argued, in order to usher in a newly holistic approach to the creation of medical IoT gear.

“Have them help you identify points of your product that, if it should fail, would result in patient harm, not just a compromise of their medical health information,” he said.

Hacked hospitals

Nor are connected devices the only way that poor security affects hospitals. Aging, unpatched IT systems are vulnerable to a huge array of known hacks, and notorious attacks like WannaCry can knock entire hospital systems, full of custom hardware, offline.

For the everyday user, this is a headache, but for a healthcare provider, it’s a much more serious issue. Ransomware and denial of service kill people, Dameff stated, by inches – when the hospital’s systems are down, it hinders urgent care, so patients suffering from heart attacks or strokes have their treatment delayed by crucial minutes or even hours. That can mean permanent disability or death.

“We can’t take care of stroke patients without functioning CT scanners. We just can’t,” he said.