At a glance.
- Update on the intercept (spyware) market.
- The continuing effects of the NHS data breach.
- Further reflections on the Sephora enforcement action.
Update on the intercept (spyware) market.
CyberNews reports that Tykelab, an RCS subsidiary based in Rome, has been found to be spying on behalf of its clients on countries with undesirable traits, such as authoritarian regimes or poor human rights records. Countries targeted include Libya, Iraq, Nicaragua, Malaysia, Mali, Costa Rica, Greece, Portugal, and Italy. The loophole that allows the surveillance has gone unpatched for eight years.
Intellexa, an Israeli surveillance firm, has also been found to be offering zero-day exploits for iOS devices for $8 million, Security Affairs reports. Documentation leaked by the Twitter user Vx-underground shows that the company offers remote data extraction for both Android and iOS devices. The exploits are said to work against Android 12 and iOS 15.4.1, which was released in March.
Gearrice reports that the NSO Group is reorganizing. The group is reportedly facing difficulties during a period of transition, having laid off 100 of its 700 employees, and the CEO, Shalev Hulio, is leaving. The group said in a statement that “Shalev Hulio [will be] replaced by Yaron Shohat, current director of operations who will preside over the reorganization. The company is reorganizing to prepare for its next wave of growth.” They added, “NSO will ensure that its advanced technologies are used in a fair and commendable way”.
The continuing effects of the NHS data breach.
BBC reports that doctors in the UK are in their fourth week of pen-and-paper care notes following the NHS data breach. The NHS says it may take another 12 weeks for some services to be brought back online. Dr Fay Wilson, an urgent-care center manager in the West Midlands, said that patient care has been affected because staff lack the capacity to handle notifications to GP practices manually. She also noted that a backlog is forming, and that it could take up to six months to input a growing backlog of "probably a few hundred thousand" patient records once services are back up. Professor Martin Marshall, chairman of the Royal College of General Practitioners, called the lack of access “concerning and needs to be addressed as a matter of urgency.”
Further reflections on the Sephora enforcement action.
Sephora has been fined $1.2 million in a settlement following a breach of the California Consumer Privacy Act (CCPA), Cosmetics Business reports. Customers reportedly were not informed that the beauty giant was selling their data. Yotam Segev, co-founder and CEO of Cyera, wrote to say, “What I find most interesting about the Sephora settlement is that it started with a spot-check audit of more than 100 retailers. This is the sort of thing that keeps security and risk professionals up at night. Business leaders are tasked with finding ways to leverage data to create new revenue streams. Especially with the shift to remote work, permissive access and applications like Google Drive or Slack make it easy to access and spread information across a business. The people or teams involved may have believed they were permitted to monetize this data. How many businesses are prepared for this kind of action? Security and risk teams need a simple way to answer basic questions like: What data do I have? Where is it now? Who is accessing it? How should it be governed and secured? Those are questions you need answers to at your fingertips, not something to be found after a lengthy audit process following a security incident.”