AutoZone alerted authorities on Tuesday that it had been a victim of the Clop ransomware gang's MOVEit attacks earlier this year. According to a breach notification filed with the Office of the Maine Attorney General, the data leak from the auto parts retailer impacted 184,995 people. The hackers acquired personal information, including full names and social security numbers, the notification said. 

The incident happened in May, as a part of a string of attacks linked to Clop. The hackers exploited a vulnerability in file transfer software MOVEit, attacking more then 2,000 organizations and impacting 62 million people, according to researchers at Emsisoft. 

AutoZone realized it had fallen victim to the Clop attack in August, but it didn't suss out what data had been affected by the attack until earlier this month. That said, Clop claimed responsibility for an attack on AutoZone in July, publishing 1.1GB of internal and employee data from the auto retailer, according to Bleeping Computer.

"AutoZone became aware that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain data from an AutoZone system that supports the MOVEit application," AutoZone wrote in a notification to customers. It's unclear which parts of the AutoZone systems the Clop hackers accessed and, although the Maine notification says social security numbers had been leaked, AutoZone did not provide any specifics. 

AutoZone rakes in $17.5 billion in revenue each year, operating more than 7,000 retail locations. 

Security experts were skeptical about the New York MTA’s switch to an OMNY tap-and-go system when it was first announced years ago. Then, in August, a 404 Media investigation revealed riders were right to be concerned. As it turned out, the ability to check trip history could be used by nearly anyone to follow specific riders' location patterns. MTA disabled the feature, but it pointed to a deeper problem that exists across modern public transit systems: they make it harder to opt out of having our sensitive data collected,

“You're building a better system, but you're also really stepping into a dangerous cybersecurity minefield,” said Brendan Saltaformaggio, associate professor specializing in cybersecurity at the Georgia Institute of Technology.

Payment information, location data and trip patterns can all be attached to our ridership data. Agencies say they use it to better understand how riders use the services and make improvements. But the flip side is transit agencies selling user data to advertisers like a lot of private companies do, or sharing it with law enforcement. We submitted Freedom of Information Act requests to several large police departments across the country — including in New York City, Baltimore and Chicago — for more information on requests they had made to local transit agencies for data over the past decade.

But even if the data just sits there, it’s increasingly vulnerable to a breach without secure infrastructure in place to protect it. Most ransomware gangs are motivated by money. So while your data could be at risk, the hackers are actually looking to threaten the public transit agencies into paying up to avoid a data leak or being locked out of their systems. It happened to the Washington Metropolitan Area Transit Authority in Washington, DC earlier this year, and in March a ransomware attack disrupted the Washington state bus system. That said, personal data can still be compromised in the process. Hackers leaked personal data after accessing San Francisco’s Bay Area Rapid Transit at the beginning of this year.

“These are organizations that run on shoestring budgets, usually heavily supported by taxpayers, who are probably not going to be very excited to see all of this money being spent purely on cybersecurity with hopes of not having an incident in mind,” Saltaformaggio said.

What exactly each agency does to protect your sensitive information varies widely. The Federal Transit Administration and the American Public Transportation Association both provide guidelines for agencies on how to handle the matter. But experts warn that agencies across the country are still vulnerable to attack, and struggle to keep the data they have access to secure.

Digitizing public transit payments makes sense. But while the public is leaning into going cashless, paper money will always be here to stay. “If an agency tried to get rid of cash payments, they might face some serious backlash because a significant portion of people still use cash to ride transit,” said Joshua Schank, managing principal at transportation and financial advisory firm InfraStrategies. Still, options to pay via an RFID-powered card, an app or even a digital wallet all became popular ways to pay — especially because adoption of these newer methods often comes with perks like allowing riders free transfers between stations or services. Some credit card companies even offer incentives like discounts on rides by partnering with the transit agencies on non-cash payment options.

Using exact cash to ride public transit is still possible in many places, but it means you lose out on the aforementioned perks. There are options to purchase a card with cash and still get those perks, but it's often much less convenient. To get a ConnectCard in Pittsburgh, I have to go to a third-party location in my neighborhood, buy a card for $1 and have cash out to reload it at that third-party location whenever it's empty. It costs $2.75 to ride the bus, so that card fare only adds up to about one-third of a ride.In New York, a physical OMNY card costs $5, or one ride on the subway plus most of your next trip. (It’s worth noting that OMNY currently has a deal selling cards for $1 at all OMNY vending machines, but that’s for a limited time only.)

Agencies stack on burdens for the consumer, incentivizing them to switch to data-collecting apps and RFID smart cards, almost punishing people trying to stick to cash — either because they value their privacy, or because they're among those without consistent access to banking. It shouldn't have to be more annoying, more expensive, or both just to maintain some anonymity while commuting to work.

There’s not much you can do about it, either. Like most data privacy issues, experts say we need federal regulation to put guidelines in place around how public transit agencies collect and use our data. Until then, it’s just another way we’re stuck exchanging our personal information for marginal convenience gains.

Google's Threat Analysis Group revealed on Thursday that it discovered and worked to help patch an email server flaw used to steal data from governments in Greece, Moldova, Tunisia, Vietnam and Pakistan. The exploit, known as CVE-2023-37580, targeted email server Zimbra Collaboration to pilfer email data, user credentials and authentication tokens from organizations. 

It started in Greece at the end of June. Attackers that discovered the vulnerability and sent emails to a government organization containing the exploit. If someone clicked the link while logged into their Zimbra account, it automatically stole email data and set up auto-forwarding to take control of the address. 

While Zimbra published a hotfix on open source platform Github on July 5, most of the activity deploying the exploit happened afterward. That means targets didn't get around to updating the software with the fix until it was too late. It's a good reminder to update the devices you've been ignoring now, and ASAP as more updates become available. "These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users," the Google Threat Analysis Group wrote in a blog post. 

Around mid-July, it became clear that threat group Winter Vivern got ahold of the exploit. Winter Vivern targeted government organizations in Moldova and Tunisia. Then, a third unknown actor used the exploit to phish for credentials from members of the Vietnam government. That data got published to an official government domain, likely run by the attackers. The final campaign Google's Threat Analysis Group detailed targeted a government organization in Pakistan to steal Zimbra authentication tokens, a secure piece of information used to access locked or protected information.

Zimbra users were also the target of a mass-phishing campaign earlier this year. Starting in April, an unknown threat actor sends an email with a phishing link in an HTML file, according to ESET researchers. Before that, in 2022, threat actors used a different Zimbra exploit to steal emails from European government and media organizations.

As of 2022, Zimbra said it had more than 200,000 customers, including over 1,000 government organizations. "The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries," ESET researchers said about why attackers target Zimbra.

Ransomware group LockBit leaked data allegedly belonging to Boeing on Friday, about a week after the aerospace giant confirmed it had fallen victim to a cyberattack. The leak includes more than 43GB of backup files that LockBit says it stole from Boeing, according to Bleeping Computer. 

As of Monday afternoon, the Boeing services website remained out of order. A notice posted to the site acknowledged a cyber incident affecting Boeing's parts and distribution business, but reiterated that it did not impact the safety of its aircrafts. "In connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems," a Boeing spokesperson told Engadget. "We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate.”

Boeing

The saga started on October 27 when LockBit listed Boeing as a victim on its website, saying that the company had until November 2 to negotiate a payment. While LockBit briefly removed Boeing from its list of victims on its website, the ransomware gang returned on November 7 stating that Boeing had ignored its attempts to negotiate. LockBit initially threatened to release 4GB of sample data before it decided to leak all of the data it had stolen on November 10. 

The Boeing backup data released by LockBit includes configuration data for IT management software, auditing and monitoring logs and some Citrix information believed to be connected to a previous exploit. 

LockBit has grown into a notorious ransomware gang since its first appearance on Russian cybercrime forums in January 2020. There have been about 1,700 attacks in the US linked to LockBit, with companies paying about $91 million in ransoms to the gang, according to the FBI. Victims include the Chinese bank ICBC, chip giant Taiwan Semiconductor Manufacturing Company and Canadian book seller Indigo Books and Music, among others. 

Michigan-based healthcare nonprofit McLaren Health Care notified more than 2 million people about a data breach exposing personal information on Thursday, according to a data breach notification report. Unauthorized access to McLaren systems began on July 28 and lasted through August, but the individual impact varies from person to person. 

According to a notice on the McLaren website, the company learned of the breach on August 31. An investigation into the impacted files concluded on October 10, and if you'll take a look at today's date, it took an additional month for the company to let the public know about the incident.

"Potentially affected current and former patients of McLaren are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and to report any suspicious activity promptly to your insurance company, health care provider, or financial institution," the nonprofit said in a statement.

While McLaren hasn't released any details about the attack, such as who is behind it or possible motivations, the ALPHV/BlackCat ransomware group claimed responsibility for the attack, according to Bleeping Computer. Ransomware groups are known to do this for publicity, but the actor behind an attack usually can't be confirmed until a third-party security researcher independently verifies it.

McLaren encompasses 13 hospitals and employs 490 physicians across Michigan and Indiana, with an annual revenue of $6.6 billion. Its offering identity protection services to affected people that enroll by February 9. There's currently no evidence that data leaked in the breach has been misused, according to McLaren. 

Mozilla recently reported that of the car brands it reviewed, all 25 failed its privacy tests. While all, in Mozilla's estimation, overreached in their policies around data collection and use, some even included caveats about obtaining highly invasive types of information, like your sexual history and genetic information. As it turns out, this isn’t just hypothetical: The technology in today’s cars has the ability to collect these kinds of personal information, and the fine print of user agreements describes how manufacturers get you to consent every time you put the keys in the ignition.

“These privacy policies are written in a way to ensure that whatever is happening in the car, if there's an inference that can be made, they are still ensuring that there is protection, and that they are compliant with different state laws,” Adonne Washington, policy council at the Future of Privacy Forum, said. The policies also account for technological advances that could happen while you own the car. Tools to do one thing could eventually do more, so manufacturers have to be mindful of that, according to Washington.

So, it makes sense that a car manufacturer would include every type of data imaginable in its privacy policy to cover the company legally if it stumbled into certain data collection territory. Nissan’s privacy policy, for example, covers broad and frankly irrelevant classes of user information, such as “sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information” under types of personal data collected. 

Companies claim ownership in advance, so that you can’t sue if they accidentally record you having sex in the backseat, for example. Nissan claimed in a statement that this is more or less why its privacy policy remains so broad. The company says it "does not knowingly collect or disclose customer information on sexual activity or sexual orientation," but its policy retains those clauses because "some U.S. state laws require us to account for inadvertent data we have or could infer but do not request or use." Some companies Engadget reached out to — like Ford, Stellantis and GM — affirmed their commitment, broadly, to consumer data privacy; Toyota, Kia and Tesla did not respond to a request for comment.

Beyond covering all imaginable legal bases, there simply isn't any way to know why these companies would want deeply personal information on their drivers, or what they'd do with it. And even if it's not what you would consider a “smart” car, any vehicle equipped with USB, Bluetooth or recording capabilities can capture a lot of data about the driver. And in much the same way a "dumb" tv is considerably harder to find these days, most consumers would be hard pressed to find a new vehicle option that doesn't include some level of onboard tech with the capacity to record their data. A study commissioned by Senator Ed Markey nearly a decade ago found all modern cars had some form of wireless technology included. Even the ranks of internet listicles claiming to contain low-tech cars for "technophobes" are riddled with dashboard touchscreens and infotainment systems.

“How it works in practice we don’t have as much insight into, as car companies, data companies, and advertising companies tend to hold those secrets more close to the vest,” Jen Caltrider, a researcher behind Mozilla’s car study, said. “We did our research by combing through privacy policies and public documentation where car companies talked about what they *can* do. It is much harder to tell what they are actually doing as they aren’t required to be as public about that.”

The unavailability of disconnected cars combined with the lack of transparency around driver data use means consumers have essentially no choice to trust their information is being used responsibly, or that at least some of the classes of data — like Nissan's decision to include "genetic information" — listed in these worrying privacy policies are purely related to hypothetical liability. The options are essentially: read every one of these policies and find the least draconian, buy a very old, likely fuel-inefficient car with no smart features whatsoever or simply do without a car, period. To that last point, only about eight percent of American households are carless, often not because they live in a walkable city with robust public transit, but because they cannot afford one.

This gets even more complicated when you think about how cars are shared. Rental cars change drivers all the time, or a minor in your household might borrow your car to learn how to drive. Unlike a cell phone, which is typically a single user device, cars don’t work like and vehicle manufacturers struggle to address that in their policies. And cars have the ability to collect information not just on drivers but their passengers.

If simply trusting manufacturers after they ask for the right to collect your genetic characteristics tests credulity, the burden of anyone other than a contract lawyer reading back a software license agreement to the folks in the backseat is beyond absurd. Ford’s privacy policy explicitly states that the owners of its vehicles “must inform others who drive the vehicle, and passengers who connect their mobile devices to the vehicle, about the information in this Notice.” That’s about 60 pages of information to relay, if you’re printing it directly from Ford’s website — just for the company and not even the specific car.

And these contracts tend to compound on one another. If that 60-page privacy policy seems insurmountable, well, there's also a terms of service and a separate policy regarding the use of Sirius XM (on a website with its own 'accept cookies' popover, with its own agreement.) In fairness to Ford, its privacy notice does allow drivers to opt out of certain data sharing and connected services, but that would require drivers to actually comb through the documentation. Mozilla found many other manufacturers offered no such means to avoid being tracked, and a complete opt-out is something which the Alliance for Automotive Innovation — a trade group representing nearly all car and truck makers in the US, including Ford — has actively resisted. To top things off, academics, legal scholars and even one cheeky anti-spyware company have repeatedly shown consumers almost universally do not read these kinds of contracts anyway. 

The burden of these agreements doesn't end with their presumptive data collection, or the onus to relay them to every person riding in or borrowing your car. The data held in-vehicle and manufacturer's servers becomes yet another hurdle for drivers should they opt to sell the thing down the line. According to Privacy4Cars founder Andrea Amico, be sure to get it in writing from the dealer how they plan to delete your data from the vehicle before reselling it. “There's a lot of things that consumers can do to actually start to protect themselves, and it's not going to be perfect, but it's going to make a meaningful difference in their lives,” Amico said.

Consumers are effectively hamstrung by the state of legal contract interpretation, and manufacturers are incentivized to mitigate risk by continuing to bloat these (often unread) agreements with increasingly invasive classes of data. Many researchers will tell you the only real solution here is federal regulation. There have been some cases of state privacy law being leveraged for consumers' benefit, as in California and Massachusetts, but on the main it's something drivers aren't even aware they should be outraged about, and even if they are, they have no choice but to own a car anyway.

Third parties selling our personal data is annoying. But for certain sensitive populations like military service members, the selling of that information could quickly become a national security threat. Researchers at Duke University released a study on Monday tracking what measures data brokers have in place to prevent unidentified or potentially malign actors from buying personal data on members of the military. As it turns out, the answer is often few to none — even when the purchaser is actively posing as a foreign agent.

A 2021 Duke study by the same lead researcher revealed that data brokers advertised that they had access to — and were more than happy to sell —information on US military personnel. In this more recent study researchers used wiped computers, VPNs, burner phones bought with cash and other means of identity obfuscation to go undercover. They scraped the websites of data brokers to see which were likely to have available data on servicemembers. Then they attempted to make those purchases, posing as two entities: datamarketresearch.org and dataanalytics.asia. With little-or-no vetting, several of the brokers transferred the requested data not only to the presumptively Chicago-based datamarketresearch, but also to the server of the .asia domain which was located in Singapore. The records only cost between 12 to 32 cents a piece.

The sensitive information included health records and financial information. Location data was also available, although the team at Duke decided not to purchase that — though it's not clear if this was for financial or ethical reasons. “Access to this data could be used by foreign and malicious actors to target active-duty military personnel, veterans, and their families and acquaintances for profiling, blackmail, targeting with information campaigns, and more,” the report cautions. At an individual level, this could also include identity theft or fraud.

This gaping hole in our national security apparatus is due in large part to the absence of comprehensive federal regulations governing either individual data privacy, or much of the business practices engaged in by data brokers. Senators Elizabeth Warren, Bill Cassidy and Marco Rubio introduced the Protecting Military Service Members' Data Act in 2022 to give power to the Federal Trade Commission to prevent data brokers from selling military personnel information to adversarial nations. They reintroduced the bill in March 2023 after it stalled out. Despite bipartisan support, it still hasn’t made it past the introduction phase.

Home improvement retailer Ace Hardware still can't take online orders as of Friday while it recovers from "a malicous cyberattack." News of the outage first started circulating on Sunday, after a Reddit user shared a note from CEO John Venhuizen detailing the incident. Ace Hardware has not responded to a request for comment to verify the email, but the website confirms that it is "currently unable to process orders online" and directs customers to make their purchases in-store. 

The cyber incident impacted warehouse management, invoice and other delivery systems, according to Venhuizen's memo. "The impact of this incident is resulting in disruptions to your shipments," Venhuizen wrote. An update issued on Monday urged stores to stay open, and confirmed there were no known impacts to its in-store payment and service systems.

Out of the company's 1,400 servers and 3,500 networked devices, 1,202 were impacted by the attack, according to a notice obtained by Bleeping Computer. About half had been restored as of early Thursday morning. "This frustration and all of this effort is the direct result of a malicious cyber attack on Ace," the update said. "This was perpetuated by criminals. Though they are hiding in this shadows, they are no different than thugs who break into your store attempting to steal your stuff." The details of the attack, such as who is responsible and how they accessed the systems, hasn't been confirmed yet.

Ace Hardware also warned retailers to be aware of cybercriminals trying to take advantage of the chaos by spoofing email updates or trying to remotely access in-store systems. Ace Hardware operates on a retailer-owned model, in which store owners form the cooperative of shareholders behind the retail giant. The retailer operates more than 5,800 stores.

Proton sells a suite of privacy products, from email to document storage, so when I used Proton VPN I was already familiar with the company. We tested nine of the best VPN services available for our overall guide, including ExpressVPN, NordVPN, Surfshark and Tunnelbear. Proton promises “privacy by default,” but that left me wondering if the company meant rigorous security testing — and if a focus on privacy would take away from ease of use. Because it balanced all of the above, Proton VPN landed at the top of our list.

VPNs can be used for general web browsing, but I tested each one by streaming, gaming and evading geoblocking on the servers. I measured streaming speeds by watching Canadian Netflix from my home in the US, playing an online game from a UK-based VPN server and watching a live news channel on YouTube from a Hong Kong-based VPN.

How much does Proton VPN cost?

Proton offers a free, but limited, version of its VPN. It can be used on one device with access to servers in the Netherlands, United States and Japan. For $5.99 per month, Proton VPN’s paid subscription includes access to more than 3,000 servers in over 65 countries, use on up to 10 devices and an included ad-blocker and malware protection. Or for $9.99 per month, Proton sells an “unlimited” package with access to all of its mail, calendar, drive, VPN and password manager products.

Privacy and security

When I tried out VPNs, I looked for options that kept my information secure without impacting my ability to easily browse the web. Proton VPN has a no-logs policy, meaning it doesn't collect data that passes through its network. It’s passed external audits, is based on an open-source framework and it runs a vulnerability disclosure program. Proton VPN has a policy not to comply with law enforcement requests and has no forced logging requirements because it's based in Switzerland, according to the company.

Speed and availability

There was little to no lag when I used Proton VPN for its streaming, geoblocking and gaming capabilities. I also did a ping test to measure internet latency. Without a VPN, it took 43 milliseconds, but connected to Proton VPN, it took 49 milliseconds, which is not a big difference at all.

For paid users, Proton VPN is available on more than 1,800 servers in 64 countries. It’s available across iPhone, Android, Mac, Windows, Linux, streaming services and more. Because it supports up to 10 devices at once, it’s also easy to use across an entire household of tech.

Proton VPN pros and cons

Even our top choice isn’t perfect. The free version can be a bit finicky, and struggles to stay connected at times. According to Consumer Reports, it doesn’t meet password complexity requirements and didn’t offer clear protections against unauthorized access. Like many of its competitors, Proton VPN also tends to use misleading marketing language. Proton VPN makes lofty claims — like bypassing censorship, keeping you safe from hackers and surfing the web without surveillance — that can’t always be factually backed up.

The VPNs I tested were consistently good. They made it easy to browse the web securely. Proton VPN took the top spot because of its overall security and ease of use.

You could be entitled to a small chunk of a $16 million class action settlement against anime streaming service Crunchyroll. The Sony-owned company settled a data privacy lawsuit this week that will result in about $30 settlements for individuals impacted, according to firm behind the class action. 

The complaint, filed in September 2022, claims that Sony shared individual Crunchyroll viewing information with third-party sites without user's permission. That means Google or Facebook might have seen your anime watch history without your knowledge. It's a violation of the Video Privacy Protection Act, which makes it illegal to video streaming services to disclose personally identifiable information without the individual's consent. Crunchyroll denies wrongdoing. 

Anyone in the US who used Crunchyroll services between September 8, 2020 and September 20, 2023 could be eligible for the settlement. Claim forms can be submitted online, and must be turned in by December 12 to receive payment. Or, if you don't agree with the settlement, you can object by November 27 and attend the hearing on December 19. If you do nothing, you forfeit your right to any settlement amount. 

The settlement coincided with Crunchyroll news that it would be launching a 24-hour news channel.