Canadian-based ticketing agency admits data breach, and more on the proposed halt to AI systems
Welcome to Cyber Security Today. It’s Monday, April 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
A Canadian event ticketing agency has started notifying over 13,000 people in the U.S., and possibly many in Canada, about a data breach in its service for universities and colleges. AudienceView Ticketing Corp., which is headquartered in Toronto, says in a breach notification letter to Americans that it detected suspicious activity on its IT system on February 21st. It determined that between February 14th and the 21st data of ticket purchasers was copied. That data included names, billing and shipping addresses, email addresses and payment card information. AudienceView is a cloud-based service with a payment button embedded in customers’ websites. According to the student newspaper of Ithaca College in New York State, American institutions hit include Ithaca College, Cornell University, Virginia Tech University, Colorado State University and Loyola College Chicago. In Canada, Hamilton’s McMaster University sent out a notice to its students on February 28th.
The call for a six-month halt in the development of advanced artificial intelligence systems continues to fan debate. Here are observations from commentators at the SANS Institute for cybersecurity training. Johannes Ullrich, dean of research, doesn’t think a pause would be useful. “Exposing and developing these tools will give us all a chance to figure out what their capabilities and limitations are and how to use them responsibly,” he said. Lee Neely, an instructor who is also a security professional at Lawrence Livermore National Laboratory, worries that adversaries working on AI won’t honor a slowdown. Still, he said, developers and users of AI have to cross-check any information those systems provide. William Murray, a member of the SANS NewsBites editorial board, said that there are things governments can do to ease the labour disruption AI systems will cause. Those actions include taxing automation, not labour; taxing robots, not people; and taxing AI, not jobs.
By the way, the latest company to make use of ChatGPT is video conference platform Zoom. It will make the Zoom IQ feature more like a smart companion, the company says. So if a team member joins a Zoom meeting late, they can ask Zoom IQ to summarize what they missed.
Meanwhile, Italy’s data protection authority has limited the web version of ChatGPT from processing the data of Italian users. The app will be blocked until ChatGPT respects privacy, the regulator said. The regulator is asking whether the chatbot’s developer, OpenAI, had legal justification for its “massive collection and processing of personal data” used to train the platform’s algorithms.
Another cybersecurity firm watching Russian tactics has picked up on a shift in attacks away from Ukraine. French-based Thales Group says that since last fall cyber attacks are up against many European and Nordic countries. The attacks are either cyber harassment in the form of denial of service, or targeted IT data destruction campaigns.
Over 4.2 million American residents who borrowed money from a chain of finance companies are being notified their personal information was compromised in a data breach. The companies are TitleMax, TitleBucks and InstaLoan, all owned by TMX Finance of Savannah, Georgia. In a letter sent to victims TMX Financial says on February 13th it detected suspicious activity on its IT systems. It believes this stemmed from an attack that started early last December. Data was stolen between February 3rd and the 14th. Data stolen could have included people’s names, date of birth, passport number, driver’s license number, Social Security number and more.
A criminal group is trying to defraud companies hit recently by ransomware from other crooks. It’s doing it by sending emails claiming that its gang, called Midnight Group, was behind the attack. It threatens to release stolen data unless paid. But according to researchers at Arete, the Midnight Group is bluffing: It had nothing to do with the attack. In several instances the Midnight Group claims to be associated with other ransomware gangs. This, too, is a lie. The Midnight Group has been doing this since 2019, the report says. But recently its tempo has stepped up.
Finally, for those wondering how Twitter recommends the tweets you see, it has started releasing some of its source code. The code for the recommendation algorithm is now up on GitHub. Other parts of the source code were also released. No code that would compromise user safety or privacy has been released.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.