This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Phil Beyer, head of security, Flex
Missed the live show? Check it out on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
IRS Identity Protection PIN now available for filing season
The IRS has relaunched its Identity Protection Personal Identification Number (IP PIN) program. The IP PIN is a six-digit number assigned to an individual taxpayer and must be used when filing a tax return. It number is only valid for the current year. A new one is assigned each tax year. The goal is to “prevent scammers from filing a tax return using a stolen Social Security Number and personal information. As BleepingComputer points out, this program “is even more critical this year, with over 100 million people’s Social Security Numbers exposed in the massive National Public Data data breach.”
New ransomware group leverages AI
Emerging ransomware group FunkSec has claimed responsibility for over 80 attacks in December 2024, using Rust-based ransomware likely created with AI by inexperienced threat actors. Operating under a ransomware-as-a-service model, the group engages in double extortion and sells stolen data at discounted prices. FunkSec has also launched a data leak site featuring custom tools, including a DDoS utility and an AI chatbot, aligning its operations with hacktivist campaigns like the Free Palestine movement. While the group recycles data from prior attacks, its low ransom demands and Tor-based operations have already garnered attention in cybercrime forums.
Allstate accused of selling consumer driving data
Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its subsidiary Arity, accusing them of illegally collecting, using, and selling cell phone location and movement data from over 45 million Americans without their knowledge. Harvested through embedded software in mobile apps, was used to create a massive driving behavior database that insurers accessed to adjust premiums and price quotes. The collection of the data violates Texas’ new Data Privacy and Security Act and this legal action marks the first state-level enforcement of a comprehensive data privacy law, with automakers and popular mobile apps also implicated in the alleged scheme.
Huge thanks to our sponsor, Dropzone AI
UK mulling public sector ransomware payment ban
This proposed payment ban is part of a Home Office consultation, essentially a survey, launched yesterday, January 14, and running until April 8. The proposed ban is intended to “protect hospitals, schools, railways and other essential public services from the growing ransomware threat, by “making these critical services unattractive targets for ransomware.” The proposal would also offer guidance to ransomware victims on how to respond and would also help “block payments to known criminal groups and sanctioned entities.” The proposals “follow guidance issued by the Counter Ransomware Initiative in October 2024, which encourages organizations to consider other options before making ransomware payments to cybercriminals.”
Illinois to get mobile driver’s licenses in Apple Wallet by end of 2025
Illinois plans to launch digital IDs in Apple Wallet by year-end, allowing residents to add driver’s licenses and state IDs to iPhones and Apple Watches, with Google Wallet support to follow. Secretary of State Alexi Giannoulias emphasizes robust testing to ensure privacy and security, calling this the first step in a cutting-edge mobile ID program. Illinois joins 10 other states and territories offering IDs in Apple Wallet. New Jersey is also pushing for mobile driver’s licenses, citing convenience like real-time address updates. Misconceptions persist, but officials stress that mDLs don’t enable government tracking.
Law firm disclosed data breach from 2023
The firm Wolf Haldenstein Adler Freeman & Herz disclosed it suffered a data breach on December 13, 2023, impacting the personal information of roughly 3.4 million people, including names, social security numbers, medical diagnoses, and claim information. Even though the incident was detected over a year ago, the firm said digital forensic complications delayed its investigation. While it has published a general breach notice and informed Maine’s Attorney General of the incident, it hasn’t been able to send notices to many impacted individuals due to a lack of contact information.