      Fujitsu says it found malware on its corporate network, warns of possible data breach

      news.movim.eu / ArsTechnica · Monday, 18 March - 19:44

    Japan-based IT behemoth Fujitsu said it has discovered malware on its corporate network that may have allowed the people responsible to steal personal information from customers or other parties.

    “We confirmed the presence of malware on several of our company's work computers, and as a result of an internal investigation, it was discovered that files containing personal information and customer information could be illegally taken out,” company officials wrote in a March 15 notification that went largely unnoticed until Monday. The company said it continued to “investigate the circumstances surrounding the malware's intrusion and whether information has been leaked.” There was no indication how many records were exposed or how many people may be affected.

    Fujitsu employs 124,000 people worldwide and reported about $25 billion in its fiscal 2023, which ended at the end of last March. The company operates in 100 countries. Past customers include the Japanese government. Fujitsu’s revenue comes from sales of hardware such as computers, servers, and telecommunications gear, storage systems, software, and IT services.

      23andMe told victims of data breach that suing is futile, letter shows

      news.movim.eu / ArsTechnica · Thursday, 4 January - 19:13

    23andMe is "shamelessly" blaming victims of a data breach impacting 6.9 million users, a lawyer representing victims pursuing a class-action lawsuit, Hassan Zavareei, told TechCrunch.

    Zavareei shared a letter from 23andMe lawyers that urged users suing to "consider the futility of continuing to pursue an action in this case," because their claims are allegedly meritless and "the information that was potentially accessed cannot be used for any harm."

    Last year, hackers accessed 14,000 accounts on 23andMe by using passwords that had been previously breached during security incidents on other websites. By using this tactic, known as credential stuffing, hackers could access the personal data of millions of 23andMe users who opted into a DNA Relatives feature, including genetic information like the percentage of DNA shared with compromised users.

      Ted Cruz wants to stop the FCC from updating data-breach notification rules

      news.movim.eu / ArsTechnica · Tuesday, 12 December - 21:27

    Sen. Ted Cruz (R-Texas) and other Republican senators are fighting a Federal Communications Commission plan to impose new data-breach notification requirements on telecom providers. In a letter sent to FCC Chairwoman Jessica Rosenworcel today, the senators claim the pending FCC action would violate a congressional order.

    The letter was sent by Cruz, Sen. Minority Leader Mitch McConnell (R-Ky.), Sen. John Thune (R-S.D.), and Sen. Marsha Blackburn (R-Tenn.). They say the proposed data-breach notification rules are preempted by an action Congress took in 2017 to kill an assortment of privacy and security rules issued by the FCC.

    The Congressional Review Act (CRA) was used in 2017 by Congress and then-President Donald Trump to throw out rules that would have required home Internet and mobile broadband providers to get consumers' opt-in consent before using, sharing, or selling Web browsing history, app usage history, and other private information.

      Prison phone company leaked 600K users’ data and didn’t notify them, FTC says

      news.movim.eu / ArsTechnica · Thursday, 16 November - 19:26

    Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of the users that their personal data was exposed, the Federal Trade Commission said today. The company agreed to a settlement that requires it to change its security practices and offer free credit monitoring and identity protection to affected users, but the settlement doesn't include a fine.

    "Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing," the FTC said.

    Global Tel*Link has long been controversial because of the prices it charges for inmate-calling services. The company rebranded itself as ViaPath Technologies last year. The subsidiaries targeted in the FTC complaint are Telmate and TouchPay Holdings.

      23andMe says private user data is up for sale after being scraped

      news.movim.eu / ArsTechnica · Friday, 6 October, 2023 - 23:58

    Genetic profiling service 23andMe has confirmed that private user data is circulating for sale online after being scraped off its website.

    Friday’s confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe’s CEO was aware the company had been “hacked” two months earlier and never revealed the incident.

    23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that essentially reassembles large amounts of data by systematically extracting smaller amounts of information available to individual users of a service. Attackers gained unauthorized access to the individual 23andMe accounts, all of which had been configured by the user to opt in to a DNA relative feature that allows them to find potential relatives.

      Ex-Ubiquiti engineer behind “breathtaking” data theft gets 6-year prison term

      news.movim.eu / ArsTechnica · Thursday, 11 May, 2023 - 17:59

    An ex-Ubiquiti engineer, Nickolas Sharp, was sentenced to six years in prison yesterday after pleading guilty in a New York court to stealing tens of gigabytes of confidential data, demanding a $1.9 million ransom from his former employer, and then publishing the data publicly when his demands were refused.

    Sharp had asked for no prison time, telling United States District Judge Katherine Polk Failla that the cyberattack was actually an "unsanctioned security drill" that left Ubiquiti "a safer place for itself and for its clients," Bloomberg reported. In a court document, Sharp claimed that Ubiquiti CEO Robert Pera had prevented Sharp from "resolving outstanding security issues," and Sharp told the judge that this led to an "idiotic hyperfixation" on fixing those security flaws.

    However, even if that was Sharp's true motivation, Failla did not accept his justification of his crimes, which include wire fraud, intentionally damaging protected computers, and lying to the FBI.

      T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more

      news.movim.eu / ArsTechnica · Monday, 1 May, 2023 - 23:40

    T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company's second network intrusion this year and the ninth since 2018.

    The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey.

    “The information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines,” the company wrote in a letter sent to affected customers. Account PINs, which customers use to swap out SIM cards and authorize other important changes to their accounts, were reset once T-Mobile discovered the breach on March 27.

      Security firm Rubrik is latest to be felled by GoAnywhere vulnerability

      news.movim.eu / ArsTechnica · Wednesday, 15 March, 2023 - 21:42

    Rubrik, the Silicon Valley data security company, said that it experienced a network intrusion made possible by a zero-day vulnerability in a product it used called GoAnywhere.

    In an advisory posted on Tuesday, Rubrik CISO Michael Mestrovich said an investigation into the breach found that the intruders gained access to mainly internal sales information, including company names and contact information, and a limited number of purchase orders from Rubrik distributors. The investigation, which was aided by an unnamed third-party company, concluded there was no exposure of sensitive information such as Social Security numbers, financial account numbers, or payment card data.

    Tight-lipped

    “We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” Mestrovich wrote. “Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”

      First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen)

      news.movim.eu / ArsTechnica · Thursday, 5 January, 2023 - 23:04

    In the past 24 hours, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though given the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.

    The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.

    The most concerning of the two new breaches is the one hitting CircleCI. On Wednesday evening, the company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.
