      2K warns users their info has been stolen following breach of its help desk

      news.movim.eu / ArsTechnica · Thursday, 6 October, 2022 - 22:06

    Game company 2K on Thursday warned users to remain on the lookout for suspicious activity across their accounts following a breach last month that allowed a threat actor to obtain email addresses, names, and other sensitive information provided to 2K's support team.

    The breach occurred on September 19, when the threat actor illegally obtained system credentials belonging to a vendor 2K uses to run its help desk platform. 2K warned users a day later that the threat actor used unauthorized access to send some users emails that contained malicious links. The company warned users not to open any emails sent by its online support address or click on any links in them. If users already clicked on links, 2K urged them to change all passwords stored in their browsers.

    On Thursday, after an outside party completed a forensic investigation, 2K sent an unknown number of users an email warning them that the threat actor was able to obtain some of the personal information they supplied to help desk personnel. The email stated:

      Ex-Uber security chief convicted of hiding hack from federal regulators

      news.movim.eu / ArsTechnica · Thursday, 6 October, 2022 - 15:11

    On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

    A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

    Sullivan’s legal team did not immediately provide comment for Ars, but one of his lawyers, David Angeli, told NYT how Sullivan received the verdict. “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Angeli told the paper. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet.”

      Kiwi Farms has been breached; assume passwords and emails have been leaked

      news.movim.eu / ArsTechnica · Monday, 19 September, 2022 - 17:18

    The head of Kiwi Farms, the Internet forum best known for organizing harassment campaigns against trans and non-binary people, said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users.

    On the site, creator Joshua Moon wrote:

    The forum was hacked. You should assume the following.

    • Assume your password for the Kiwi Farms has been stolen.
    • Assume your email has been leaked.
    • Assume any IP you've used on your Kiwi Farms account in the last month has been leaked.

    Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking became possible after malicious content was uploaded to XenForo, the software Kiwi Farms uses to power its user forums.

      Uber exec accused of disguising data-breach extortion as “bug bounty”

      news.movim.eu / ArsTechnica · Friday, 9 September, 2022 - 17:21 · 1 minute

    After the Federal Trade Commission began investigating a massive Uber data breach in 2016, the tech company was hit with another breach that was seemingly just as concerning. Rather than report the second data breach to the FTC and risk further public embarrassment, then-Uber security chief Joe Sullivan consulted with lawyers and then negotiated with the hackers. He allegedly set up a deal under which Uber paid the hackers a $100,000 "bug bounty" to delete the data, then pretended the data breach was part of a planned test of Uber's security and had the hackers sign a nondisclosure agreement.

    Now, Sullivan faces criminal obstruction charges, and The Wall Street Journal reports that his case has raised alarms for tech company security chiefs everywhere, who think Sullivan shouldn't be taking the fall for Uber. One former security chief from AT&T, Edward Amoroso, told the Journal that "many top security officers believe" that Sullivan "did nothing wrong."

    Amoroso argued that by criminalizing reporting decisions of security chiefs like Sullivan, the US Department of Justice risks setting back the entire security profession. He said the debate was best left up to security communities, not a court, to decide who is responsible. Ars couldn't immediately reach Amoroso for additional comment.

      T-Mobile to pay $500M for one of the largest data breaches in US history

      news.movim.eu / ArsTechnica · Monday, 25 July, 2022 - 19:05

    When T-Mobile compromised the sensitive personal information of more than 76 million current, former, and prospective customers in 2021, plaintiffs involved in a class action lawsuit complained that the company continued profiting off their data while attempting to cover up “one of the largest and most consequential data breaches in US history.”

    Now, T-Mobile has admitted no guilt but has agreed to pay a $500 million settlement (pending a judge’s approval), out of which $350 million will go to the settlement fund and “at least $150 million” will go toward enhancing its data security measures through 2023.

    T-Mobile declined to tell Ars about specific upcoming plans to improve data security, instead linking to a statement that outlines measures it has taken to “double down” on security in the past year. That includes creating a Cybersecurity Transformation Office that directly reports to T-Mobile CEO Mike Sievert; collaborating with cybersecurity firms to “further transform our cybersecurity program;” ramping up employee cybersecurity training; and investing “hundreds of millions of dollars to enhance our current cybersecurity tools and capabilities.”

      2019 was a hot mess for cybersecurity, but 2020 shows promise

      news.movim.eu / TechCrunch · Saturday, 4 January, 2020 - 18:30 · 2 minutes

    It’s no secret that I hate predictions — not least because the security field changes rapidly, making it difficult to know what’s next. But given what we know about the past year, we can make some best-guesses at what’s to come.

    Ransomware will get worse, and local governments will feel the heat

    File-encrypting malware that demands money for the decryption key, known as ransomware, has plagued local and state governments in the past year. There has been a near-constant stream of attacks — Pensacola, Florida, and Jackson County, Georgia, to name a few. Governments and local authorities are particularly vulnerable because they are often underfunded, under-resourced and unable to protect their systems from many major threats. Worse, many have no cybersecurity insurance, which often doesn’t pay out anyway.

    Sen. Mark Warner (D-VA), who sits on the Senate Intelligence Committee, said ransomware is designed to “inflict fear and uncertainty, disrupt vital services, and sow distrust in public institutions.”

    “While often viewed as basic digital extortion, ransomware has had materially adverse impacts on markets, social services like education, water, and power, and on healthcare delivery, as we have seen in a number of states and municipalities across the United States,” he said earlier this year.

    As these kinds of cyberattacks increase and victims feel compelled to pay to get their files back, expect hackers to continue to carry on attacking smaller, less prepared targets.

    California’s privacy law will take effect — but its repercussions won’t be immediately known

    On January 1, California’s Consumer Privacy Act (CCPA) began protecting the state’s 40 million residents. The law, which has similarities to Europe’s GDPR, aims to put much of a consumer’s data back in their control. The law gives consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt-out of the sale of that information.

    But many companies are worried — so much so that they’re lobbying for a weaker but overarching federal law to supersede California’s new privacy law. The CCPA’s enforcement provisions will kick in some six months later, starting in July. Many companies are not prepared and it’s unclear exactly what impact the CCPA will have.

    One thing is clear: expect penalties. Under GDPR, companies can be fined up to 4% of their global annual revenue. California’s law works on a sliding scale of fines, but the law also allows class action suits that could range into the high millions against infringing companies.

    More data exposures to be expected as human error takes control

    If you’ve read any of my stories over the past year, you’ll know that data exposures are as bad as, if not worse than, data breaches. Exposures, where people or companies inadvertently leave unsecured information online rather than having it taken by an external hacker, are often caused by human error.

    The problem became so bad that Amazon has tried to stem the flow of leaks by providing tools that detect inadvertently public data. Those tools will only go so far. Education and awareness can go far further. Expect more data exposures over the next year, as companies — and staff — continue to make mistakes with their users’ data.

    Voter databases and election websites are the next target