It turns out, Siri was listening!
Apple has agreed to pay $95 million to settle a lawsuit alleging illicit data-gathering activities associated with its Siri personal assistant, SC Media reports. The sum is negligible next to the firm's $27 billion profit from $95 billion in net income.
According to the lawsuit, Apple harvested information from users' voice queries to Siri and provided it to third-party advertisers without consent; ads for Olive Garden restaurants and Air Jordan sneakers appeared to users immediately after their Siri inquiries.
Sharing queries with advertisers not only infringes on users' privacy but also presents a potentially increased risk of that data being compromised by threat actors.
The lawsuit — the settlement of which awaits the approval of Oakland-based District Court Judge Jeffrey White — could advance additional legal action against Microsoft, Google, Amazon, and other tech vendors that provide devices with personal assistants.
Now, here's today's MSSP update. Drop me a line at [email protected] if you have news to share or want to say hi!
Today's MSSP Market Update
1. Unencrypted email servers vulnerable to network sniffing: Shadowserver found nearly 3.3 million internet-exposed IMAP and POP3 email servers that do not use TLS encryption, leaving them open to network sniffing attacks that leak usernames and passwords in the clear, BleepingComputer reports. The discovery comes four years after the National Security Agency urged the immediate replacement of outdated TLS protocol versions, months after Google, Microsoft, Apple, and Mozilla had moved to implement the latest TLS 1.3 protocol.
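For defenders who want to check their own mail servers for the configuration Shadowserver flagged, the added example below (not from the article or from Shadowserver) classifies an IMAP or POP3 server from the capability banner it advertises on its plaintext port, using the STARTTLS/STLS and LOGINDISABLED/USER semantics from RFC 3501 and RFC 2449; the banners are constructed.

```python
# Added example (not from the article): classify an IMAP/POP3 server from the
# capabilities it advertises on its plaintext port. Sample banners are constructed.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that carry the password as-is

def parse_imap_capability(line: str) -> set[str]:
    """Parse an untagged IMAP CAPABILITY response into upper-cased tokens."""
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError(f"not an IMAP CAPABILITY response: {line!r}")
    return {t.upper() for t in tokens[2:]}

def parse_pop3_capa(response: str) -> dict[str, list[str]]:
    """Parse a multi-line POP3 CAPA response (terminated by '.') into name -> args."""
    lines = response.strip().splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError(f"not a successful CAPA response: {response!r}")
    caps: dict[str, list[str]] = {}
    for entry in lines[1:]:
        parts = entry.split()
        if parts == ["."]:
            break
        if parts:
            caps[parts[0].upper()] = [a.upper() for a in parts[1:]]
    return caps

def verdict(has_starttls: bool, cleartext_login_allowed: bool) -> str:
    """Map what the server permits before TLS is negotiated to a risk label."""
    if not has_starttls:
        return "cleartext-only"     # the Shadowserver case: passwords can only cross in the clear
    if cleartext_login_allowed:
        return "starttls-optional"  # opportunistic TLS; a client can be downgraded to plaintext
    return "tls-required"

def audit_imap(capability_line: str) -> str:
    caps = parse_imap_capability(capability_line)
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    # RFC 3501: LOGIN is accepted unless LOGINDISABLED is advertised; AUTH=PLAIN/LOGIN are cleartext
    allowed = "LOGINDISABLED" not in caps or bool(mechs & CLEARTEXT_MECHS)
    return verdict("STARTTLS" in caps, allowed)

def audit_pop3(capa_response: str) -> str:
    caps = parse_pop3_capa(capa_response)
    # RFC 2449: USER/PASS is accepted when USER is listed; SASL PLAIN/LOGIN are cleartext
    allowed = "USER" in caps or bool(set(caps.get("SASL", [])) & CLEARTEXT_MECHS)
    return verdict("STLS" in caps, allowed)

if __name__ == "__main__":  # constructed banners; the first matches the finding
    print(audit_imap("* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE"))
    print(audit_imap("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE"))
    print(audit_pop3("+OK Capability list follows\nUSER\nSASL PLAIN\nUIDL\n."))
```

A server that lands in "cleartext-only" is the population in the Shadowserver count; "starttls-optional" still lets a client that skips STARTTLS send its password unprotected.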
2. U.S. sanctions Integrity Technology: The U.S. today sanctioned China's Integrity Technology Group, accusing it of being behind a prolific hacking group known as "Flax Typhoon," Reuters reported. In a statement, the State Department said that Integrity Tech was a large Chinese government contractor with ties to the Ministry of State Security and that its hackers were working at the direction of Beijing to target critical infrastructure in the U.S. and overseas.
3. New details of patched MSOFT Dynamics, PowerApps bugs: Stratus Security has released more details about three significant flaws in the Microsoft Dynamics 365 and Power Apps Web API that could be leveraged to compromise data, The Hacker News reports. Two of the issues affected Power Platform's OData Web API Filter: the first stemmed from inadequate access control that exposed sensitive data and could potentially be exploited to obtain complete hashes, while the second abused the orderby clause in the same API to gather needed database information, according to researchers. The third vulnerability affected the FetchXML API, where it could be abused to run an orderby query while evading access controls.
4. 2025: The year of cybersecurity regulations: TeamViewer CISO Robert Haist told SC Media that most Chief Information Security Officers (CISOs) will focus on cybersecurity regulations this year, amid possible deregulation by the incoming Trump administration and the imminent implementation of the European Union's Digital Operational Resilience Act.
5. Visionworks data breach lawsuit: U.S. optical retail chain Visionworks has been sued for negligence over how (and whether) it informed 40,000 individuals of a data breach in October, San Antonio Current reports. Besides delaying breach notifications by two months, Visionworks also failed to adequately defend its systems, resulting in the exfiltration of customers' names, birthdates, Social Security numbers, home and email addresses, financial details, and medical information, the lawsuit alleges. The complimentary credit monitoring Visionworks offered to certain individuals was deemed insufficient given the extent of the compromised data; the lawsuit urges the firm to offer all impacted customers at least five years of free credit monitoring as well as monetary compensation, along with a commitment to bolster its systems' cybersecurity defenses.