TikTok has been fined 345 million euros ($370 million) for breaching privacy laws regarding the processing of children's personal data in the European Union, its lead regulator in the bloc said on Friday.
The Chinese-owned short-video platform, which has grown rapidly among teenagers around the world in recent years, breached a number of EU privacy laws between July 31, 2020, and Dec. 31, 2020, Ireland's Data Protection Commissioner (DPC) said in a statement. (Reuters)
“TikTok, which surged in popularity during the pandemic, has been scrutinized globally due to concerns regarding user safety and data privacy, especially for minors. Despite addressing specific concerns related to youth accounts, repeated inquiries like this suggest that ByteDance, TikTok’s parent company, consistently compromises the safety and privacy of its younger users and mishandles their data. However, it remains true that any platform with age restrictions can typically have its authorization easily circumvented by providing falsified birthdates, putting the onus on parents or guardians to monitor internet use and have ongoing and meaningful conversations about online safety.”
– Jessica Owens, Tier 1 SOC Analyst at Ingalls Information Security
A Microsoft employee accidentally exposed 38 terabytes of private data while publishing a bucket of open-source AI training data on GitHub, according to Wiz security researchers who spotted the leaky account and reported it to the Windows giant.
Redmond, in a Monday write-up, downplayed the blunder, saying it was merely "sharing the learnings" to help customers avoid making similar mistakes. This is despite Wiz claiming the leaky data bucket had private keys, passwords, and over 30,000 internal Microsoft Teams messages, as well as backup data from two employees' workstations. (The Register)
A sophisticated phishing campaign uses a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines.
"A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," the researcher said. (The Hacker News)
Last week, the US Department of Homeland Security (DHS) released a report titled the Harmonization of Cyber Incident Reporting to the Federal Government that lays out a working template for how the Cybersecurity and Infrastructure Security Agency (CISA) might implement its upcoming cyber incident reporting regulations. (CSO)
Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows:
- CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation.
- CVE-2023-41992 - A security flaw in Kernel that could allow a local attacker to elevate their privileges.
- CVE-2023-41993 - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content. (The Hacker News)