At a glance.
- NSO Group’s appeal denied by US Supreme Court.
- More on the Rackspace ransomware attack.
- Policyholder data exposed in Oregon insurer data breach.
- Should product beta-testers be expected to bare all?
NSO Group’s appeal denied by US Supreme Court.
Yesterday the US Supreme Court rejected the bid of Israeli spyware maker NSO Group to end the lawsuit filed against the company by WhatsApp. The encrypted messaging platform claims that NSO targeted fourteen hundred of its users with NSO’s Pegasus surveillance software, and WhatsApp parent company Meta is attempting to block NSO from all of its platforms and servers, as well as recover unspecified damages. NSO argues that it should be considered a foreign government agent, meaning the company would be entitled to immunity under US law limiting lawsuits against foreign countries, but the US Justice Department wrote that “NSO plainly is not entitled to immunity here.” As Security Week recounts, the WhatsApp suit is just one of many currently being lodged against NSO, which has been accused of selling its spyware to government clients seeking to snoop on journalists, rights activists, and politicians across the globe. NSO has also been blacklisted by the US Commerce Department, which says the company’s products were complicit in “transnational repression.” WhatsApp spokesperson Carl Woog said, “We firmly believe that their operations violate U.S. law and they must be held to account for their unlawful operations.” NSO responded, “We are confident that the court will determine that the use of Pegasus by its customers was legal.”
More on the Rackspace ransomware attack.
As we noted yesterday, popular US cloud computing company Rackspace disclosed that hackers accessed customer data during an attack carried out by the Play ransomware group last month. Help Net Security reports that the cyber gang used an MS Exchange exploit chain to breach Rackspace’s Hosted Exchange email environment. The attack was first detected when Rackspace customers, mostly small- to medium-sized businesses, stopped receiving or being able to send emails and lost access to archived messages. A forensic investigation carried out by CrowdStrike confirmed that the hackers accessed Personal Storage Tables (PSTs) for twenty-seven Hosted Exchange customers, but that there is “no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way.”
Rackspace plans to deliver an on-demand solution for those customers who wish to download their archived email data, but the company has confirmed that “the Hosted Exchange email environment will not be rebuilt as a go-forward service offering.” Rackspace says that even before the attack, it had planned to migrate its email systems to Microsoft 365, which offers a more flexible pricing structure and more modern features. Several class-action lawsuits linked to the incident have been filed against Rackspace.
Policyholder data exposed in Oregon insurer data breach.
SAIF Corp, a not-for-profit workers’ compensation insurer located in the US state of Oregon, has confirmed it experienced a data breach that potentially exposed some policyholders’ Social Security numbers and medical information. SAIF says that much of the information compromised in the incident, which occurred last fall, was at least two decades old, but individuals who filed claims in September and October might have had their medical data exposed. SAIF spokesperson Lauren Casler stated, “We are aware of no lingering threat or other illicit activity on our network. We sincerely apologize for any inconvenience this may cause and are committed to further enhancing our cybersecurity defenses moving forward.” GovTech notes that the number of individuals impacted by the incident has not been disclosed.
Should product beta-testers be expected to bare all?
As we noted previously, photos of unsuspecting robot vacuum owners were exposed online after images collected by development versions of iRobot’s Roomba J7 series vacuums during beta-testing were sent to contract workers employed by Scale AI, a company that uses audio, photo, and video data to train artificial intelligence. The images in question – which included an intimate shot of one Roomba owner using the restroom – ended up in a gig worker social media chat room. The MIT Technology Review takes a closer look at the incident and the questions it raises about consent. Since the images were discovered online, nearly a dozen of the individuals who signed up to be beta-testers have come forward to say that while they knew their data would be used to improve the product design, they feel they were misled about the fact that this data would be shared with iRobot’s global data supply chain.
Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, stated, “There is a real concern about whether the company is being deceptive if people are signing up for this sort of highly invasive type of surveillance and never fully understand … what they’re agreeing to.” iRobot maintains that it was straightforward in how it conveyed the data collection process to the testers, and that such collection is necessary to improve the product. In a LinkedIn post, CEO Colin Angle wrote, “How do our robots get so smart? It starts during the development process, and as part of that, through the collection of data to train machine learning algorithms.” He also alluded to the gray area within which such testers reside: are they employees or customers? For Angle, at least, the answer is clear; he pointed out that the images came not from customers but from “paid data collectors and employees” who had signed consent agreements.