A data breach of credit reporting and ID verification services firm 700Credit affected 5.6 million people, allowing hackers to steal personal information of customers of the firm's client companies. 700Credit executives said the breach happened after bad actors compromised the system of a partner company.
The post Hackers Steal Personal Data in 700Credit Breach Affecting 5.6 Million appeared first on Security Boulevard.
Session 6A: LLM Privacy and Usable Privacy
Authors, Creators & Presenters: Xiaoyuan Wu (Carnegie Mellon University), Lydia Hu (Carnegie Mellon University), Eric Zeng (Carnegie Mellon University), Hana Habib (Carnegie Mellon University), Lujo Bauer (Carnegie Mellon University)
PAPER
Transparency or Information Overload? Evaluating Users' Comprehension and Perceptions of the iOS App Privacy Report
Apple's App Privacy Report, released in 2021, aims to inform iOS users about apps' access to their data and sensors (e.g., contacts, camera) and, unlike other privacy dashboards, what domains are contacted by apps and websites. To evaluate the effectiveness of the privacy report, we conducted semi-structured interviews to examine users' reactions to the information, their understanding of relevant privacy implications, and how they might change their behavior to address privacy concerns. Participants easily understood which apps accessed data and sensors at certain times on their phones, and knew how to remove an app's permissions in case of unexpected access. In contrast, participants had difficulty understanding apps' and websites' network activities. They were confused about how and why network activities occurred, overwhelmed by the number of domains their apps contacted, and uncertain about what remedial actions they could take against potential privacy threats. While the privacy report and similar tools can increase transparency by presenting users with details about how their data is handled, we recommend providing more interpretation or aggregation of technical details, such as the purpose of contacting domains, to help users make informed decisions.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.
The post NDSS 2025 – Evaluating Users’ Comprehension and Perceptions of the iOS App Privacy Report appeared first on Security Boulevard.
Your employees are using AI whether you’ve sanctioned it or not. And even if you’ve carefully vetted and approved an enterprise-grade AI platform, you’re still at risk of attacks and data leakage.
Security leaders are grappling with three types of risks from sanctioned and unsanctioned AI tools. First, there’s shadow AI, all those AI tools that employees use without the approval or knowledge of IT. Then there are the risks that come with sanctioned platforms and agents. If those weren’t enough, you still have to prevent the exposure of sensitive information.
The prevalence of AI use in the workplace is clear: a recent survey by CybSafe and the National Cybersecurity Alliance shows that 65% of respondents are using AI. More than four in 10 (43%) admit to sharing sensitive information with AI tools without their employer’s knowledge. If you haven’t already implemented an AI acceptable use policy, it’s time to get moving. An AI acceptable use policy is an important first step in addressing shadow AI, risky platforms and agents, and data leakage. Let’s dig into each of these three risks and the steps you can take to protect your organization.
The key risks: Each unsanctioned shadow AI tool represents an unmanaged element of your attack surface, where data can leak or threats can enter. For security teams, shadow AI expands the organization's attack surface with unvetted tools, vulnerabilities, and integrations that existing security controls can’t see. The result? You can’t govern AI use. You can try to block it. But, as we’ve learned from other shadow IT trends, you really can’t stop it. So, how can you reduce risk while meeting the needs of the business?
The key risks: Good AI governance means moving users from risky shadow AI to sanctioned enterprise environments. But sanctioned or not, AI platforms introduce unique risks. Threat actors can use sophisticated techniques like prompt injection to trick the tool into ignoring its guardrails. They might employ model manipulation to poison the underlying LLM model and cause exfiltration of private data. In addition, the tools themselves can raise issues related to data privacy, data residency, insecure data sharing, and bias. Knowing what to look for in an enterprise-grade AI vendor is the first step.
The key risks: Even if you’ve done your best to educate employees about shadow AI and performed your due diligence in choosing enterprise AI tools to sanction for use, data leakage remains a risk. Two common pathways for data leakage are:
When your employees adopt AI, you don't have to choose between innovation and security. The unified exposure management approach of Tenable One allows you to discover all AI use with Tenable AI Aware and then protect your sensitive data with Tenable AI Exposure. This combination gives you visibility and enables you to manage your attack surface while safely embracing the power of AI.
Let’s briefly explore how these solutions can help you across the areas we covered in this post:
Unsanctioned AI usage across your organization creates an unmanaged attack surface and a massive blind spot for your security team. Tenable AI Aware can discover all sanctioned and unsanctioned AI usage across your organization. Tenable AI Exposure gives your security teams visibility into the sensitive data that’s exposed so you can enforce policies and control AI-related risks.
Threat actors use sophisticated techniques like prompt injection to trick sanctioned AI platforms into ignoring their guardrails. The prompt-level visibility and real-time analysis you get with Tenable AI Exposure can pinpoint these novel attacks and score their severity, enabling your security team to prioritize and remediate the most critical exposure pathways within your enterprise environment. In addition, AI Exposure helps you uncover AI misconfiguration that could allow connections to an unvetted third-party tool or unintentionally make an agent meant only for internal use publicly available. Fixing such misconfigurations reduces the risks of data leaks and exfiltration.
The static, rule-based approach of traditional data loss prevention (DLP) tools can’t manage non-deterministic AI outputs or novel attacks, which leaves gaps through which sensitive information can exit your organization. Tenable AI Exposure fills these gaps by monitoring AI interactions and workflows. It uses a number of machine learning and deep learning AI models to learn about new attack techniques based on the semantic and policy-violating intent of the interaction, not just simple keywords. This can then help inform other blocking solutions as part of your mitigation actions. For a deeper look at the challenges of preventing data leakage, read [add blog title, URL when ready].
The post Security for AI: How Shadow AI, Platform Risks, and Data Leakage Leave Your Organization Exposed appeared first on Security Boulevard.
AI can be used by extremist groups to pump out propaganda or deepfakes at scale, widening their reach and expanding their influence.
The post Militant Groups Are Experimenting With AI, and the Risks Are Expected to Grow appeared first on SecurityWeek.
ServiceNow Inc. is in advanced talks to acquire cybersecurity startup Armis in a deal that could reach $7 billion, its largest ever, according to reports. Bloomberg News first reported the discussions over the weekend, noting that an announcement could come within days. However, sources cautioned that the deal could still collapse or attract competing bidders...
The post ServiceNow in Advanced Talks to Acquire Armis for $7 Billion: Reports appeared first on Security Boulevard.
Campus Technology & THE Journal Name Cloud Monitor as Winner in the Cybersecurity Risk Management Category BOULDER, Colo.—December 15, 2025—ManagedMethods, the leading provider of cybersecurity, safety, web filtering, and classroom management solutions for K-12 schools, is pleased to announce that Cloud Monitor has won in this year’s Campus Technology & THE Journal 2025 Product of ...
The post Cloud Monitor Wins Cybersecurity Product of the Year 2025 appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.
The post Cloud Monitor Wins Cybersecurity Product of the Year 2025 appeared first on Security Boulevard.
Google has also mentioned seeing React2Shell attacks conducted by Iranian threat actors.
The post Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery appeared first on SecurityWeek.
In today’s world, it can be hard for awareness training to keep up with the modern threats that are constantly emerging. Today, KnowBe4 has announced a new custom deepfake training experience to counteract the risk of ‘deepfake’ attacks as they continue to rise. The experience, which is now available, aims to help employees defend against the advanced cybersecurity threats from deepfakes such as fraudulent video conferences and AI-generated phishing attacks.
Deepfakes can be weaponised and utilised for fraud, disinformation campaigns and cause reputational damage across sectors. These types of deepfake attacks are now linked to one in five biometric fraud attempts, with injection attacks increasing 40% year-over-year, according to Entrust’s 2026 Identity Fraud Report. Security incidents related to deepfakes have increased, with 32% of cybersecurity leaders reporting a spike, according to the KnowBe4 The State of Human Risk 2025 report.
Perry Carpenter, chief human risk management strategist at KnowBe4, said: “Deepfakes represent a seismic shift in the threat landscape, weaponising AI to impersonate authority, exploit trust, and short-circuit the human decision-making process”
Carpenter continues: “Our new deepfake training strengthens the workforce’s instincts by providing a safe, tightly controlled environment for learning. All simulations are created and approved by administrators, ensuring ethical use while helping employees recognise narrative red flags, subtle performance inconsistencies, and other cues that manipulated media can reveal. Awareness and preparedness remain our strongest defences, and we are committed to equipping organisations with practical, measurable skills to stay ahead of these emerging threats.”
Deepfake video content is becoming more realistic and harder to discern from reality. Cybersecurity leaders must prepare their organisations for new and emerging threats, taking a proactive approach to their overall protection efforts. Through this new experience, cybersecurity and IT professionals now have the ability to generate a custom deepfake training experience featuring a leader from their organisation to demonstrate how convincing AI-powered social engineering has become and to deliver clear, actionable guidance on how to detect these attacks.
The post Next Gen Awareness Training: KnowBe4 Unveils Custom Deepfake Training appeared first on IT Security Guru.
Cast your mind back to May of this year: Congress was in the throes of debate over the massive budget bill. Amidst the many seismic provisions, Senator Ted Cruz dropped a ticking time bomb of tech policy: a ten-year moratorium on the ability of states to regulate artificial intelligence. To many, this was catastrophic. The few massive AI companies seem to be swallowing our economy whole: their energy demands are overriding household needs, their data demands are overriding creators’ copyright, and their products are triggering mass unemployment as well as new types of clinical ...
The post Against the Federal Moratorium on State-Level Regulation of AI appeared first on Security Boulevard.
This is the third installment in our four-part 2025 Year-End Roundtable. In Part One, we explored how accountability got personal. In Part Two, we examined how regulatory mandates clashed with operational complexity.
Now … (more…)
The post LW ROUNDTABLE: Part 3, Cyber resilience faltered in 2025 — recalibration now under way first appeared on The Last Watchdog.
The post LW ROUNDTABLE: Part 3, Cyber resilience faltered in 2025 — recalibration now under way appeared first on Security Boulevard.
Navigating the Most Complex Regulatory Landscapes in Cybersecurity Financial services and healthcare organizations operate under the most stringent regulatory frameworks in existence. From HIPAA and PCI-DSS to GLBA, SOX, and emerging regulations like DORA, these industries face a constant barrage of compliance requirements that demand not just checkboxes, but comprehensive, continuously monitored security programs. The
The post Compliance-Ready Cybersecurity for Finance and Healthcare: The Seceon Advantage appeared first on Seceon Inc.
The post Compliance-Ready Cybersecurity for Finance and Healthcare: The Seceon Advantage appeared first on Security Boulevard.
The cybersecurity battlefield has changed. Attackers are faster, more automated, and more persistent than ever. As businesses shift to cloud, remote work, SaaS, and distributed infrastructure, their security needs have outgrown traditional IT support. This is the turning point:Managed Service Providers (MSPs) are evolving into full-scale Managed Security Service Providers (MSSPs) – and the ones
The post Managed Security Services 2.0: How MSPs & MSSPs Can Dominate the Cybersecurity Market in 2025 appeared first on Seceon Inc.
The post Managed Security Services 2.0: How MSPs & MSSPs Can Dominate the Cybersecurity Market in 2025 appeared first on Security Boulevard.
The sovereign smartphone OS runs along Android or iOS, allowing users to switch between secure, isolated environments.
The post Soverli Raises $2.6 Million for Secure Smartphone OS appeared first on SecurityWeek.
Atlassian has released software updates for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, and Jira.
The post Atlassian Patches Critical Apache Tika Flaw appeared first on SecurityWeek.
Nathan Austad admitted in court to launching a credential stuffing attack against a fantasy sports and betting website.
The post Third DraftKings Hacker Pleads Guilty appeared first on SecurityWeek.
The post office has once again come under scrutiny after avoiding a fine for a data breach. In the data breach, more than 500 former post office workers who were wrongfully convicted during the Horizon IT scandal had their names and personal information leaked. Despite the seriousness of the breach, the post office received what equated to a light scolding from the Information Commissioner’s Office (ICO). This course of action has sparked strong criticism from privacy groups and advocates for the victims.
Data breaches occurring in top governmental agencies like the post office once again bring into question the strength and readiness of public agencies’ cybersecurity protocols. Amidst increasing occurrences of data and data breaches, cybersecurity experts are calling for government and federal agencies to adopt more stringent IT security measures.
Overview of the Data Breach
The breach involved the accidental publication of an uncensored legal settlement document that revealed the identities and addresses of more than 500 former post office employees.
As the news of the breach spread, commentators pointed out how data breaches create serious risks for victims. They highlight how the leaking of sensitive information can cause years of damage, like falling victim to online fraud or exploitation.
Examples of this have been seen in the online entertainment industry, where users’ email addresses and passwords have been leaked, causing mass account takeovers. Video streaming platforms and social media have become popular online forms of entertainment.
These platforms have inherent security flaws though, as passwords can easily be hacked. For this reason, many online users are turning to platforms that run on more secure blockchain networks, such online games that include top crypto casinos. Firstly, these platforms offer much more entertainment value, providing users with access to thousands of online casino games. The major appeal comes from the safety and transparency offered by blockchain technology. Thanks to blockchain networks, these platforms offer provably fair games, faster and more secure transactions, and strong data protection.
How the Data Leak was Completely Preventable
The data breach happened when a member of the Post Office’s press team uploaded an uncensored version of the 2019 litigation settlement to the agency’s public website by mistake. Two months passed by before the file was finally removed. The presence of the file online was eventually brought to attention by an external law firm rather than internal safeguards. Further highlighting the agency’s internal failings. ICO officials made it clear that the leak was preventable should proper publishing controls and data-handling procedures had been followed. A few major issues were pointed out by the ICO, mainly the lack of quality-assurance processes for online publication. In addition, the regulator pointed to minimal staff training and a lack of technical systems to detect or prevent the upload of sensitive data.
For the victims still dealing with the fallout of their wrongful convictions, the leak was just another institutional betrayal. Many of the workers whose information was leaked spent years trying to clear their names. They faced bankruptcy, damaged reputations, and in some cases, imprisonment.
Why the ICO Issued Only a Reprimand
The regulatory body sees the data breach as not serious enough to meet the requirements for a fine. Under its regulatory framework for the public sector, the ICO can impose financial penalties of up to £1.09 million for serious breaches. In the case of this leak, the ICO felt that a public admonishment would suffice instead of issuing a fine. This decision received strong criticism and backlash, especially from privacy advocates. Privacy advocates and cybersecurity groups argue that a public reprimand does nothing to remedy the situation. Instead, they argue, it gives public agencies the impression that they can continue to get away with data breaches unscathed.
The Open Rights Group called the decision “ludicrous”, warning that it risked sending the signal to other public organisations that a lack of proper data-protection standards carries few consequences. These concerns were mirrored by the victims of the breach and their legal representatives. They pointed out that data relating to exonerated individuals carries unique risks. In their criticism, they highlighted that a lack of fines or any tangible consequences minimises the harm caused and reduces the pressure on the Post Office to improve its internal processes and systems.
The Horizon Scandal’s Lasting Impact
The Post Office’s data breach cannot be separated from the history of the Horizon IT scandal. More than 500 post office employees, many of whom were sub-postmasters, were wrongfully accused of theft, fraud, and false accounting. These accusations were made after the Horizon software, which had software bugs, generated financial shortfalls in branch accounts. This software error caused many people to lose their livelihoods, their homes, and affected their mental health. In the worst cases, some were even imprisoned or died before their names could be cleared.
Compensation and Mitigation Measures Taken by the Post Office
After the data breach, the Post Office offered the victims financial compensation. While the compensation was a welcome relief, it was limited. Depending on the case, victims could receive up to £5000, with payouts based on whether the leaked addresses of the victims were current or outdated. Although some victims accepted the payout, critics of how the Post Office handled the situation say that the compensation was too little when compared to the seriousness of the breach.
Beyond financial settlements, the Post Office also offered two years of identity-protection services for the victims. These services included fraud monitoring, credit alerts, and dark-web surveillance. Again, these interim measures are aimed at helping the immediate victims of the data breach, but legal experts are still calling for more robust security systems and risk mitigation protocols to be put in place so that future breaches can be avoided.
The post ICO Issues Post Office Public Reprimand Instead of Fine Over Data Breach appeared first on IT Security Guru.
Launching an AI initiative without a robust data strategy and governance framework is a risk many organizations underestimate. Most AI projects often stall, deliver poor...Read More
The post Can Your AI Initiative Count on Your Data Strategy and Governance? appeared first on ISHIR | Custom AI Software Development Dallas Fort-Worth Texas.
The post Can Your AI Initiative Count on Your Data Strategy and Governance? appeared first on Security Boulevard.
Learn why modern SaaS platforms are adopting passwordless authentication to improve security, user experience, and reduce breach risks.
The post Why Modern SaaS Platforms Are Switching to Passwordless Authentication appeared first on Security Boulevard.
Most enterprise breaches no longer begin with a firewall failure or a missed patch. They begin with an exposed identity. Credentials harvested from infostealers. Employee logins are sold on criminal forums. Executive personas impersonated to trigger wire fraud. Customer identities stitched together from scattered exposures. The modern breach path is identity-first — and that shift …
The post Identity Risk Is Now the Front Door to Enterprise Breaches (and How Digital Risk Protection Stops It Early) appeared first on Security Boulevard.
Login