Feeling thankful this season? Us too—especially when it comes to dodging data disasters! In this episode, Donna and David dive headfirst into some eyebrow-raising cybersecurity tales, from job application breaches exposing sensitive information to the ever-creepy risks of unsecured IoT devices (yes, even your vacuum might be plotting against you). Whether it’s researchers discovering unsecured data files or hackers turning robot vacuums into racially inappropriate terrors, we’re reminded to never take our digital safety for granted. Grab your popcorn (or an encrypted snack, if that’s a thing) and join us as we talk about what it means to truly be grateful for solid security practices this year.
In this episode:
Thankful It Is Not Me – Ep 486
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Thankful It Is Not Me
This time of year those of us in the US are supposed to spend some time being thankful for what we have. While it may not be a tradition for everyone, some families go around the table and each person says what they are thankful for right now. Here are some things we are thankful for this year. You too can say you are “thankful it was not me.”
Thankful we weren’t involved with this breach
[04:54] 2 Million Records, Including the PII of Job Seekers, Exposed Online by a Tech Recruitment Service
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about millions of non-password-protected files that contained the PII of an estimated 200,000 job seekers in the technology sector. The records belonged to Alltech Consulting Services — a company that matches job seekers from around the world with employers throughout the United States and Canada.
The NJ company involved, Alltech Consulting Services, provides job placement services for the technology and IT sector. BTW, they also list an office in Charlotte, NC. The article explains that the researcher found the information and reached out to Alltech. They got no response, so they went public with the story.
A folder labeled Documents, with not even a password to protect it, held over 2.3 million records including PII on an estimated 216k job seekers. There were the usual details like demographics, but also things that aren’t usually seen in this type of breach, like passport numbers and details about work visas. There were even internal notes about each candidate’s experience, qualifications, and the type of job they were looking for. Much more job-related information was in there! More from the article:
Some of the records contained employer details such as names, company names, email addresses, and phone numbers. The files also contained worker information such as salary expectations, work history, and whether they were willing to relocate. Many of the applicant files indicated if the individual held an H-1B visa. This is a non-immigrant visa that allows U.S. companies to employ foreign workers in specialty occupations that require technical expertise, typically in fields like IT, engineering, and healthcare. This detailed information combined with internal notes could signify additional potential risks if they were to fall in the hands of cyber criminals.
There are so many things that can be done with this kind of data, it blows the mind. The targeted attack potential against these people, at so many levels and with so many methods, is just endless.
It also looks like this company delivers tech project services itself; it isn’t just a placement firm. That doesn’t mean they weren’t relying on a third party to secure these files, but it does serve as a reminder that you can’t assume a tech company won’t have something like this happen.
The only good news, we hope, is that they didn’t learn about it because criminals were holding the data hostage or selling it. Note that an exposed folder makes this a security incident; it is not a breach until someone unauthorized is shown to have accessed the data. Remember, not all incidents are breaches. To settle which this is, you would need the access logs for the period the folder was open and to account for every address that hit it.
I have seen this happen before where a folder was exposed publicly which made it an incident. The investigation reviewed all access hitting the folder for the dates it was open and they were able to account for every single IP address that accessed it. Thankfully, it wasn’t on a big file server but something APIs used. So the incident never rose to the status of a data breach.
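The kind of access review just described, as an added example that is not from the episode or from any of the investigations it mentions: given web-server access logs in combined format, the path of the exposed folder and the window during which it was unprotected, list every client address that actually retrieved something from it and flag the ones that cannot be accounted for. The log lines, the folder name, the window and the allow-list of known addresses (an internal API host and the researcher who reported it) are all constructed for the example.

```python
"""Scope an exposed-folder incident from web-server access logs.

Only successful (2xx) requests under the folder, inside the exposure window,
count as a disclosure. Addresses not on the allow-list of known, accounted-for
clients are what turn an incident into a breach and need to be run down.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real data). Addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.4.12 - - [05/Nov/2024:09:12:01 +0000] "GET /Documents/resume_1042.pdf HTTP/1.1" 200 51234 "-" "internal-api/1.0"',
    '203.0.113.7 - - [06/Nov/2024:14:03:55 +0000] "GET /Documents/ HTTP/1.1" 200 88213 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [07/Nov/2024:02:41:10 +0000] "GET /Documents/notes_2210.json HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '198.51.100.23 - - [07/Nov/2024:02:41:12 +0000] "GET /Documents/resume_2210.pdf HTTP/1.1" 200 73812 "-" "python-requests/2.31"',
    '192.0.2.44 - - [07/Nov/2024:03:00:00 +0000] "GET /Documents/resume_0001.pdf HTTP/1.1" 403 210 "-" "curl/8.4"',
    '192.0.2.99 - - [01/Nov/2024:10:00:00 +0000] "GET /Documents/ HTTP/1.1" 200 1200 "-" "curl/8.4"',
    '192.0.2.55 - - [06/Nov/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# Assumed exposure window and allow-list (hypothetical): the internal API host
# that legitimately reads the folder and the researcher who reported the exposure.
WINDOW_START = datetime(2024, 11, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 11, 13, tzinfo=timezone.utc)
KNOWN_IPS = {"10.0.4.12", "203.0.113.7"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def accesses_to_folder(lines, folder, window_start, window_end):
    """Return {ip: [(time, path, status), ...]} for successful hits under folder in the window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(folder):
            continue
        if not (window_start <= rec["time"] <= window_end):
            continue
        # 401/403/404 responses returned no content, so they are not a disclosure.
        if not 200 <= rec["status"] < 300:
            continue
        hits[rec["ip"]].append((rec["time"], rec["path"], rec["status"]))
    return dict(hits)


def unaccounted_addresses(hits, known_ips):
    """Addresses that retrieved data and are not on the allow-list: these decide breach vs. incident."""
    return sorted(ip for ip in hits if ip not in known_ips)


if __name__ == "__main__":
    hits = accesses_to_folder(SAMPLE_LOG, "/Documents/", WINDOW_START, WINDOW_END)
    for ip, reqs in hits.items():
        print(f"{ip}: {len(reqs)} successful request(s)")
    print("unaccounted:", unaccounted_addresses(hits, KNOWN_IPS))
```

With the sample data the 403 and the out-of-window request drop out, the internal host and the researcher are accounted for, and one address with two successful downloads remains to be investigated.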
There is a press release stating that a “leading” data breach law firm is investigating the company regarding its recent cybersecurity incident. Alltech Consulting Services Data Breach Investigation – Strauss Borrelli PLLC
As for Alltech the release says: “As of November 13, 2024, Alltech has not publicly acknowledged the data exposure or confirmed whether the incident resulted in a data breach.”
They do say to contact them if you are involved, of course. They are gearing up for the first round of lawsuits.
Anyone involved is going to need to assume every single thing they see is a scam, whatever it claims to be about, not just job offers. It could be immigration, financial, and much more. It could also be cybercriminals using the info to recruit talent to join them.
Thankful to not be dealing with ridiculous things like this
[16:30] Russia fines Google $20 decillion (that’s 20 billion trillion trillion dollars)
Puh-leeeaaasse!!!! A fine that large just means you are messing with people! This was the Russian response after Google took action against their propaganda being spread on its platforms.
Thankful my vacuum cleaner is better behaved than these
[22:04] Hacked Robot Vacuums Hurl Racial Slurs, Show IoT Devices Risks
…owners of robot vacuums across the U.S. have reported that their devices have been hacked. One particularly alarming case involved a man whose Ecovacs Deebot X2 began yelling racial slurs at him.
The incidents appear to be linked to a security vulnerability in the Chinese-made Ecovacs Deebot X2 model, according to a report by the Australian Broadcast Corporation. The flaw has exposed the widely distributed smart vacuums to manipulation by bad actors, raising concerns about the cybersecurity of internet-connected home devices.
He shockingly discovered someone else was accessing its camera and remote control settings.
Swenson reset the vacuum’s password, only for it to begin zooming around and yelling the N-word repeatedly, all within earshot of one of his children. He turned the robot vacuum off and never turned it back on.
The IoT devices we have all gotten used to having around really are connected to the world. We are definitely thankful we put a lot of effort into securing access to ours. In this case, though, the weakness may have been in the device itself and the remote access it shipped with, not in the owner’s network. Don’t just go out and buy whatever IoT device does what you want for the cheapest price on the web. You may be getting something like this.
[29:27] Here are some security tips for gifting IoT devices:
- Connect it to a segmented WiFi network (a guest or IoT network that cannot reach your computers and phones)
- Update the firmware before first use, and keep it updated
- Change the default password to a unique, strong one
- Enable 2FA if the device has a cloud portal or account
- If there is an app involved, do a little research before installing it (who publishes it, what data it collects, where it sends it)
- Be aware of the permissions the app asks for, and deny any it does not need
- Monitor network traffic so you notice when a device talks to somewhere it should not
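The segmentation and monitoring tips above, turned into a check you can run: this is an added example, not from the episode or from any vendor, and the networks, devices, vendor ranges and flow records in it are all made up. It takes flow records from the router (one row per connection: source, destination, port, bytes sent) and flags three things a segmented IoT network should never show: a device reaching the trusted LAN, a device talking to an internet host that is not its vendor’s, and a camera-equipped device uploading far more than it should.

```python
"""Police flow records from an IoT WiFi segment against a simple policy.

Assumed policy (hypothetical, for the example):
  * IoT devices live on 192.168.20.0/24 and must never reach the trusted LAN 192.168.10.0/24.
  * Each device may only contact its vendor's known cloud ranges on the internet.
  * Outbound volume per device is capped; a vacuum with a camera should not be
    shipping gigabytes anywhere.
"""
import csv
import io
import ipaddress

IOT_NET = ipaddress.ip_network("192.168.20.0/24")
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-device allow-list of external destinations (hypothetical vendor ranges).
DEVICE_POLICY = {
    "192.168.20.15": {"name": "robot-vacuum", "allowed": [ipaddress.ip_network("203.0.113.0/24")],
                      "upload_limit": 5_000_000},
    "192.168.20.22": {"name": "smart-plug", "allowed": [ipaddress.ip_network("198.51.100.0/24")],
                      "upload_limit": 1_000_000},
}

# Constructed flow export (not real traffic): ts,src,dst,dport,proto,bytes_out
SAMPLE_FLOWS = """ts,src,dst,dport,proto,bytes_out
2024-11-20T18:00:01,192.168.20.15,203.0.113.10,443,tcp,120000
2024-11-20T18:00:05,192.168.20.15,192.168.20.1,53,udp,80
2024-11-20T18:01:10,192.168.20.15,192.168.10.5,445,tcp,2048
2024-11-20T18:02:00,192.168.20.15,198.51.100.77,8883,tcp,4096
2024-11-20T18:03:00,192.168.20.15,203.0.113.10,443,tcp,6000000
2024-11-20T18:04:00,192.168.20.22,198.51.100.5,443,tcp,512
2024-11-20T18:05:00,192.168.20.40,203.0.113.10,443,tcp,100
2024-11-20T18:06:00,192.168.10.5,203.0.113.10,443,tcp,100
"""


def parse_flows(text):
    """Parse the CSV export into dicts with typed address, port and byte fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src"] = ipaddress.ip_address(row["src"])
        row["dst"] = ipaddress.ip_address(row["dst"])
        row["dport"] = int(row["dport"])
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def check_flows(flows, policy=DEVICE_POLICY):
    """Return (src, device_name, finding, detail) tuples for every policy violation."""
    findings = []
    upload_totals = {}
    for f in flows:
        if f["src"] not in IOT_NET:
            continue  # only traffic sourced from the IoT segment is policed here
        src = str(f["src"])
        dev = policy.get(src)
        if dev is None:
            # Something joined the IoT WiFi that nobody registered: find out what it is.
            findings.append((src, "unknown-device", "device not in policy", str(f["dst"])))
            continue
        if f["dst"] in TRUSTED_NET:
            findings.append((src, dev["name"], "crossed into trusted LAN", f"{f['dst']}:{f['dport']}"))
            continue
        if any(f["dst"] in n for n in PRIVATE_NETS):
            continue  # gateway, DNS and other local services on the IoT segment itself
        if not any(f["dst"] in n for n in dev["allowed"]):
            findings.append((src, dev["name"], "unexpected external destination", f"{f['dst']}:{f['dport']}"))
        upload_totals[src] = upload_totals.get(src, 0) + f["bytes_out"]
    for src, total in upload_totals.items():
        if total > policy[src]["upload_limit"]:
            findings.append((src, policy[src]["name"], "outbound volume above limit", str(total)))
    return findings


if __name__ == "__main__":
    for finding in check_flows(parse_flows(SAMPLE_FLOWS)):
        print(" | ".join(finding))
```

On the sample data the vacuum is caught reaching an SMB port on the trusted LAN, contacting an MQTT host that is not its vendor, and pushing about six megabytes out; an unregistered device on the IoT WiFi is flagged too, while the smart plug talking only to its own vendor produces nothing.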
Now, you can be thankful you have an idea of what to do to keep your IoT from yelling at you!
We are thankful you listen and support HMWH.
As we wrap up this episode, let’s take a moment to be thankful—not just for the lack of rogue vacuums in our lives, but for the awareness and tools we have to keep our networks and devices secure. From creating segmented networks to avoiding default passwords, there’s plenty we can do to stay a step ahead of cyber mischief. And remember, when it comes to digital security, a little paranoia is a good thing! So, this holiday season, let’s be grateful for vigilance, strong passwords, and the wisdom to question every suspicious device. Because nothing says “peace on earth” like a breach-free network.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.