The Securities and Exchange Commission has provided more details about how its official X account was compromised earlier this month. In a statement, the regulator confirmed that it had been the victim of a SIM swapping attack and that its X account was not secured with multi-factor authentication (MFA) at the time it was accessed.

“The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," it said, referring to a common scam in which attackers persuade customer service representatives to transfer phone numbers to new devices. “Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”

The hack of its X account, which was taken over in order to falsely claim that bitcoin ETFs had been approved, has raised questions about SEC’s security practices. Government-run social media accounts are typically required to have MFA enabled. The fact that one as high-profile and with potentially market-moving abilities like @SECGiv would not be using the extra layer of security has already prompted questions from Congress.

In its statement, the SEC said that it asked X’s support staff to disable MFA last July following “issues” with its account access. “Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” it said. “MFA currently is enabled for all SEC social media accounts that offer it.”

While the lack of MFA likely made it much easier to take over the SEC’s account, there are still numerous questions about the exploit, including how those responsible knew which phone was associated with the X account, how the unnamed telecom carrier fell for the scam and, of course, who was behind it. The regulator said it’s investigating these questions, along with the Department of Justice, FBI, Homeland Security and its own Inspector General.

Another lawmaker is pushing the Securities and Exchange Commission for more information about its security practices following the hack of its verified account on X. In a new letter to the agency’s Inspector general, Senator Ron Wyden, called for an investigation into “the SEC’s apparent failure to follow cybersecurity best practices.”

The letter, which was first reported by Axios, comes days after the SEC’s official X account was taken over in order to post a tweet claiming that spot bitcoin ETFs had been approved by the regulator. The rogue post temporarily juiced the price of bitcoin and forced SEC chair Gary Gensler to chime in from his X account that the approval had not, in fact, happened. (The SEC did approve 11 spot bitcoin ETFs a day later, with Gensler saying in a statement that “bitcoin is primarily a speculative, volatile asset that’s also used for illicit activity.”)

The incident has raised a number of questions about the SEC’s security practices after officials at X said the financial regulator had not been using multi-factor authentication to secure its account. In the letter, Wyden, who chairs the Senate’s finance committee, said it would be "inexcusable" for the agency to not use additional layers of security to lock down its social media accounts.

“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices,” Wyden wrote. “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity. The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure”

Wyden isn’t the only lawmaker who has pushed the SEC for more details about the hack. Senators J. D. Vance and Thom Tillis sent a letter of their own, addressed to Gensler, immediately following the incident. They asked for a briefing about the agency’s security policies and investigation into the hack by January 23.

The SEC didn’t immediately respond to a request for comment. The agency said in an earlier statement that it was working with the FBI and the Inspector General to investigate the matter.

AI may or may not take people's jobs in years to come, but in the meantime, there's one thing they cannot obtain: patents. Dr. Stephen Thaler has spent years trying to get patents for two inventions created by his AI "creativity machine" DABUS. Now, the United Kingdom's Supreme Court has rejected his appeal to approve these patents when listing DABUS as the inventor, Reuters reports. 

The court's rationale stems from a provision in UK patent law that states, "an inventor must be a natural person." The ruling stipulated that the appeal was unconcerned with whether this should change in the future. "The judgment establishes that UK patent law is currently wholly unsuitable for protecting inventions generated autonomously by AI machines," Thaler's lawyers said in a statement. 

Thaler first attempt to register the patents — for a food container and a flashing light — was in 2018, as owner of the machine that invented them. However, the UK's Intellectual Property Office said he must list an actual human being on the application, and when he refused, it withdrew his application. Thaler fought the decision in the High Court and then the Court of Appeal, with Lady Justice Elisabeth Laing stating, "Only a person can have rights. A machine cannot." 

Thaler, an American, also submitted the two products to the United States Patent and Trademark Office, which rejected his application. Plus, he previously sued the US Copyright Office (USCO) for not awarding him the copyright for a piece of art DABUS created. The case reached the US District Court of Columbia, with Judge Beryl Howell's ruling explaining, "Human authorship is a bedrock requirement of copyright." Thaler has argued that this provision is unconstitutional, but the US Supreme Court declined to hear his case, ending any further chances to argue his stance. While the UK and US have rejected Thaler's petitions, he has succeeded in countries such as Australia and South Africa. 

Following the revelation that our mobile push notification records can be handed over to law enforcements, Apple put the blame on the Department of Justice (DOJ) for preventing tech companies from revealing such process. Meanwhile, the company also updated its Legal Process Guidelines document to state that "a subpoena or greater legal process" was required to obtain the relevant records. However, Reuters spotted that a week later, Apple quietly tweaked this particular line to match Google's stricter policy on this matter:

"The Apple ID associated with a registered APNs token and associated records may be obtained with an order under 18 U.S.C. §2703(d) or a search warrant."

In other words, law enforcement will now need a judge's consent in order to obtain push notification data from Apple — as is the case with Google all this time, according to a statement provided to Reuters. Engadget reached out to Apple, but it refused to comment on the updated guidelines.

The "push notification spying" concerns were originally brought to light by Oregon Senator Ron Wyden who, in an open letter to the DOJ, claimed that foreign governments have been demanding Google and Apple to provide push notification records. Given how push notifications go through these companies' servers, the senator is worried that "Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps."

Wyden then addressed the elephant in the room, by arguing that these two tech giants "should be permitted to be transparent about the legal demands they receive, particularly from foreign governments." Apple's response regarding the DOJ's suppression appears to align with the senator's claims, but it's unclear whether the department will take action on both tech companies' stepped-up transparency on push notification surveillance.

A Senate Finance Committee inquiry revealed on Tuesday that police departments can get access to private medical information from pharmacies, no warrant needed. While HIPAA may protect some access to personally identifiable health data, it doesn't stop cops, according to a letter from Senator Ron Wyden, Representative Pramila Jayapal and Representative Sara Jacobs to the Department of Health and Human Services. None of the major US pharmacies are doing anything about it, either, the members of Congress say. 

"All of the pharmacies surveyed stated that they do not require a warrant prior to sharing pharmacy records with law enforcement agents, unless there is a state law that dictates otherwise," the letter said. "Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued."

The committee reached out to Amazon, Cigna, CVS Health, The Kroger Company, Optum Rx, Rite Aid Corporation, Walgreens Boots Alliance and Walmart about their practices for sharing medical data with police. While Amazon, Cigna, Optum, Walmart and Walgreen said they have law enforcement requests reviewed by legal professionals before complying, CVS Health, The Kroger Company and Rite Aid Corporation said they ask in-store staff to process the request immediately. Engadget reached out to the pharmacies mentioned in the letter about the claims. CVS said its pharmacy staff are trained to handle these inquiries and its following all applicable laws around the issue. Walgreens said it has a process in place to assess law enforcement requests compliant with those laws, too, and Amazon said while the law enforcement requests are rare, it does notify patients and comply with court orders when applicable. The others either haven't responded or refuse to comment.

The pharmacies mostly blamed the current lack of legislative protections for patient data for their willingness to comply with cop requests. Most of them told the committee that current HIPAA law and other policies let them disclose medical records in response to certain legal requests. That's why the Senate Finance Committee is targeting HHS to strengthen these protections, especially since the 2023 Dobbs decision let states criminalize certain reproductive health decisions. 

Under current HIPAA law, patients have the right to know who is accessing their health information. But individuals have to request the medical record disclosure data, instead of health care professionals being required to share it proactively. "Consequently, few people ever request such information, even though many would obviously be concerned to learn about disclosures of their private medical records to law enforcement agencies," the letter states. The letter also urges pharmacies to change their policies to require a warrant, and publish transparency reports about how data is shared. 

US Senator Ron Wyden wants the public to know about the details surrounding the long-running Hemisphere phone surveillance program. Wyden has written US Attorney General Merrick Garland a letter (PDF), asking him to release additional information about the project that apparently gives law enforcement agencies access to trillions of domestic phone records. In addition, he said that federal, state, local and Tribal law enforcement agencies have the ability to request "often-warrantless searches" from the project's phone records that AT&T has been collecting since 1987. 

The Hemisphere project first came to light in 2013 when The New York Times reported that the White House Office of National Drug Control Policy (ONDCP) was paying AT&T to mine and keep records of its customers' phone calls. Four billion new records are getting added to its database every day, and a federal or state law enforcement agency can request a query with a subpoena that they can issue themselves. Any law enforcement officer can send in a request to a single AT&T analyst based in Atlanta, Georgia, Wyden's letter says, even if they're seeking information that's not related to any drug case. And apparently, they can use Hemisphere not just to identify a specific number, but to identify the target's alternate numbers, to obtain location data and to look up the phone records of everyone who's been in communication with the target. 

The project has been defunded and refunded by the government several times over the past decade and was even, at one point, receiving federal funding under the name "Data Analytical Services (DAS)." Usually, projects funded by federal agencies would be subject to a mandatory Privacy Impact Assessment conducted by the Department of Justice, which means their records would be made public. 

However, Hemisphere's funding passes through a middleman, so it's not required to go through mandatory assessment. To be specific, ONDCP funds the program through the Houston High Intensity Drug Trafficking Area, which is a regional funding organization that distributes federal anti-drug law grants and is governed by a board made up of federal, state and local law enforcement officials. The DOJ had provided Wyden's office with "dozens of pages of material" related to the project in 2019, but they had been labeled "Law Enforcement Sensitive" and cannot be released to the public. 

"I have serious concerns about the legality of this surveillance program, and the materials provided by the DOJ contain troubling information that would justifiably outrage many Americans and other members of Congress," Wyden wrote in his letter. "While I have long defended the government’s need to protect classified sources and methods, this surveillance program is not classified and its existence has already been acknowledged by the DOJ in federal court. The public interest in an informed debate about government surveillance far outweighs the need to keep this information secret."

The Senate Judiciary Committee will hold a hearing on online child sexual exploitation on December 6 and the CEOs of major tech companies are set to testify. The committee expects Meta CEO Mark Zuckerberg and his counterpart at TikTok, Shou Zi Chew, to testify voluntarily. It also wants to hear from the CEOs of X (formerly Twitter), Discord and Snap, and it has issued subpoenas to them.

"Big Tech’s failure to police itself at the expense of our kids cannot go unanswered," committee chair Sen. Dick Durbin (D-IL) and ranking member Sen. Lindsey Graham (R-SC) said in a joint statement, as Reuters reports. "I’m hauling in Big Tech CEOs before the Senate Judiciary Committee to testify on their failure to protect kids online," Durbin wrote on X.

According to the committee, X and Discord refused to accept service of the subpoenas on their CEO's behalf, "requiring the committee to enlist the assistance of the US Marshals Service" to serve them personally. "We have been working in good faith to participate in the Judiciary committee’s hearing on child protection online as safety is our top priority at X," Wifredo Fernandez, head of US and Canada government affairs at X, told Engadget in a statement. "Today we are communicating our updated availability to participate in a hearing on this important issue." Engadget has also contacted Discord for comment.

The issue of tech platforms allegedly facilitating harms against kids has become an increasingly pressing issue. Earlier this month, former Meta executive Arturo Béjar testified that Zuckerberg failed to respond to his email detailing concerns about harms facing children on the company's platforms. Senators then demanded documents from the company's CEO "related to senior executives’ knowledge of the mental and physical health harms associated with its platforms, including Facebook and Instagram."

The Federal Communications Commission (FCC) is keeping a close eye on internet providers to make sure they provide Americans with equal access to broadband services regardless of customers' "income level, race, ethnicity, color, religion or national origin." Two years after the Bipartisan Infrastructure Law became official, the FCC has adopted (PDF) a final set of relevant rules to enforce. 

The Commission will have the power to investigate possible instances of "digital discrimination" under the new rules and could penalize providers for violating them. It could, for instance, look into a company's pricing, network upgrades and maintenance procedures to decide whether a provider is keeping an affluent area well-maintained while failing to provide the same level of service to a low-income area. As The Wall Street Journal explains, it could even hold companies like AT&T and Comcast liable even if they weren't intentionally discriminatory, as long as their actions "differentially impact consumers' access to broadband." If the FCC does receive complaints against a particular provider, though, it will take into account any technical and economic challenges it may be facing that prevents it from providing equal access to its services. 

According to The Journal, the FCC approved the new rules in a 3-2 vote. Their critics — mainly internet providers and Republican members of the Congress — argued that the decision could affect investments and that the commission is taking things too far by penalizing unintentional discrimination. But FCC Chairwoman Jessica Rosenworcel found the rules to be reasonable, especially since the agency will "accept genuine reasons of technical and economic feasibility as valid reasons." 

In addition to adopting a set of rules for digital discrimination, the FCC has also updated its protections against SIM swapping and port-out scams (PDF). It will now require wireless providers to notify customers immediately when a SIM change or a port-out is requested for their account and phone number. Further, providers are required to take additional steps to protect their subscribers from the schemes. Finally, the FCC has voted to begin a formal inquiry (PDF) to look into the impact of artificial intelligence on robocalls. It could, after all, be used to block unwanted voice and text messages, but it could also be used to more easily defraud people through calls and texts. 

The state agencies of Maine had fallen victim to cybercriminals who exploited a vulnerability in the MOVEit file transfer tool, making them the latest addition to the growing list of entities affected by the massive hack involving the software. In a notice the government has published about the cybersecurity incident, it said the event impacted approximately 1.3 million individuals, which basically make up the state's whole population. The state first caught wind of the software vulnerability in MOVEit on May 31 this year and found that cybercriminals were able to access and download files from its various agencies on May 28 and 29. 

While the nature of stolen data varies per person based on their interaction with a particular agency, the notice says that the bad actors had stolen names, Social Security numbers, birthdates, driver's license and state identification numbers, as well as taxpayer identification numbers. In some cases, they were also able to get away with people's medical and health insurance information. Over 50 percent of the stolen data came from the Maine Department of Health and Human Services, followed by the Maine Department of Education.

The state government had blocked internet access to and from the MOVEit server as soon as it became aware of the incident. However, since the cybercriminals were already able to steal residents' information, it's also offering two years of complimentary credit monitoring and identity theft protection services to people whose SSNs and taxpayer numbers were compromised. As TechCrunch notes, the Clop ransomware gang that's believed to be behind previously reported incidents, has yet to release data stolen from Maine's agencies.

Clop took credit for an earlier New York City Department of Education hack, wherein the information of approximately 45,000 students was stolen. Cybercriminals exploiting the vulnerability haven't only been targeting the government, though, but also companies around the world. Sony is one of them. There's also Maximus Health Services, Inc, a US government contractor, whose breach has been the biggest MOVEit-related incident, so far. 

The Securities and Exchange Commission is already investigating MOVEit creator Progress Software, though it only just sent the company a subpoena in October and is still in the "fact-finding inquiry" phase of its probe. 

Apple will pay $25 million in backpay and civil penalties to settle allegations that it favored visa holders and discriminated against US citizens and permanent residents during its hiring process, the Department of Justice said in a statement on Thursday. This is the largest amount that the DOJ has collected under the anti-discrimination provision of the Immigration and Nationality Act.

At the heart of the issue is a federal program administered by the Department of Labor and the Department of Homeland Security called the Permanent Labor Certification Program (PERM). PERM allows US employers to file for foreign workers on visas to become permanent US residents. As part of the PERM process, employers are required to prominently advertise open positions so that anyone can apply to them regardless of citizenship status.

The DOJ said that Apple violated these rules by not advertising PERM positions on their recruiting website, and also made it harder for people to apply by requiring mailed-in paper applications, something that it did not do for regular, non-PERM positions. As a result, a DOJ investigation found that Apple received few or no applications for these positions from US citizens or permanent residents who do not require work visas.

As part of the settlement, Apple will pay $6.75 million in civil penalties and set up a $18.25 million fund to pay back eligible discrimination victims, the DOJ's statement said. 

Apple disagreed with the DOJ’s characterization. “Apple proudly employs more than 90,000 people in the United States and continues to invest nationwide, creating millions of jobs,” a company spokesperson told CNBC. “When we realized we had unintentionally not been following the DOJ standard, we agreed to a settlement addressing their concerns. We have implemented a robust remediation plan to comply with the requirements of various government agencies as we continue to hire American workers and grow in the US”