Privacy Please

Cameron Ivey
Aug 20, 2025 • 43min

S6, E252 - Who Really Owns Your Digital Self?

Digital privacy is under siege from all sides, and we're bringing you the latest developments along with a major announcement about our growing privacy-focused network. This week has seen a flood of significant data breaches across critical sectors. Air France-KLM and Workday experienced major incidents, with the latter connected to a broader campaign targeting Salesforce CRM systems. These breaches highlight the vulnerability of systems storing vast amounts of customer data and raise serious questions about the security of our critical infrastructure. As we discuss these events, we examine the ripple effects they create and what organizations should be doing differently.

The question of who truly owns your digital identity emerges as a central theme in our conversation. Most people don't realize that when using third-party authentication providers like Google or Facebook, they're surrendering control of their identity. Every "Login with Facebook" click allows these companies to track when and where that identity is used across the digital landscape. We explore self-sovereign identity as an alternative approach, where individuals control their own verification infrastructure rather than relying on tech giants.

We also tackle the paradox at the heart of data minimization efforts. For years, companies have been told that "data is the new oil" or "currency," yet are now expected to minimize collection. This contradiction makes implementing privacy principles challenging. As we put it: "You told me I'm sitting on gold, and now you want me to minimize it?"

Beyond these discussions, we share exciting news about our expansion into a network featuring three distinct shows. In addition to Privacy Please, we're launching "Problem Lounge," exploring the messiness of being human in our technology-driven world, and "Decoded," a technical deep-dive with privacy engineer Jake that will explore privacy-enhancing technologies, cookie audits, and the intersection of privacy and AI.

Visit our new website at theproblemlounge.com to learn more about our expanding network and how you can become part of the conversation around privacy in the digital age.
Aug 14, 2025 • 8min

S6, E251 - Digital Fallout: The Keepers of Your Secrets

It starts with a strange letter in the mail. A car loan you never applied for. A credit card you don't own. A digital ghost is quietly living your life, and you have no idea how it got the keys. When you turn to one of the silent guardians of your financial identity for help, you find only chaos, confusion, and a company that seems to be a danger to itself.

This week on Digital Fallout, we tell the true story of one of history's most catastrophic data breaches. It's a tale of staggering corporate negligence, a botched public response that became a dark comedy, and a 76-day silent heist where the identities of 147 million people were stolen.

What happens when the keepers of our most valuable secrets simply forget to lock the door?

Show Notes: Sources

This story was pieced together from numerous public records, government reports, and in-depth investigative journalism. For those who want to learn more about the 2017 Equifax breach, these are the key sources we consulted:
• The official report from the U.S. Government Accountability Office (GAO) titled "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," which provides a definitive timeline and analysis of the failures.
• Federal Trade Commission (FTC) public statements and court filings related to the landmark global settlement with Equifax.
• In-depth reporting from security journalist Brian Krebs (KrebsOnSecurity), who meticulously covered the botched response, including the fake phishing sites promoted by Equifax's own Twitter account.
• Technical explainers from outlets like WIRED magazine that broke down the Apache Struts vulnerability and how it was exploited.
• Ongoing coverage of the corporate and financial fallout from The New York Times and The Wall Street Journal during September and October 2017.
• The public testimony of former Equifax CEO Richard Smith before the U.S. House Committee on Energy and Commerce, where many of the internal failures were brought to light.
Aug 2, 2025 • 11min

S6, E250 - Digital Fallout: The Day the World Stood Still

It started with a few flickering screens in a Danish office. Within minutes, a digital plague had paralyzed global trade, leaving the world's largest shipping company powerless and its massive vessels adrift. But this attack wasn't for ransom—it was for pure destruction. In the premiere of Digital Fallout, we uncover the story of a geopolitical cyber weapon that escaped its cage and the unbelievable, accidental miracle that saved a global empire from permanent deletion. This is the story of how our physical world hangs by a fragile digital thread.

Show Notes: Sources

Our story today was built on the foundation of incredible investigative journalism from reporters who covered this event extensively. For listeners who want to dive deeper into the story of the NotPetya attack, these are the primary sources we recommend:
• "The Untold Story of NotPetya, the Most Devastating Cyberattack in History," an article by Andy Greenberg for WIRED magazine, forms the core of the public narrative regarding Maersk's experience.
• The book "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers" by Andy Greenberg provides deep context on the attackers and the geopolitical landscape.
• Financial and logistical impact reporting from The New York Times, The Wall Street Journal, and Reuters was published in the weeks and months following the June 2017 attack.
• Public statements and quarterly financial reports from A.P. Møller-Maersk detailing the incident's operational and financial costs.
Aug 1, 2025 • 16min

S6, E249 - Hackers Get Hacked

We explore how cybercriminals fell victim to their own security mistakes and examine major attacks targeting corporate SharePoint environments. Privacy legislation advances with new protections for children and groundbreaking AI accountability measures in Minnesota.
• Cybercrime forum exposes member data through database misconfiguration
• SharePoint under active attack with remote code execution vulnerabilities
• California passes enhanced children's privacy legislation requiring stricter parental consent
• Minnesota Consumer Privacy Act launches July 31st with human review rights for AI decisions
• Problem Lounge studio expansion announcement with new podcast launches
• Trust and anonymity requirements in criminal digital ecosystems
• Corporate IT challenges with ubiquitous software vulnerabilities
• Growing complexity of state-by-state privacy compliance requirements
Jul 21, 2025 • 11min

S6, E248 - Inside the Walls: Military's Stark Warning on Network Compromise

The US military has issued a stark warning to all forces to operate under the assumption that their networks have been compromised by Salt Typhoon, a sophisticated threat actor with ties to the Chinese government. This breach highlights the urgency for organizations to adopt Zero Trust principles as cyber warfare becomes the new battlefield.
• Zero Trust is a framework, not a single product or technology
• The first tenet of Zero Trust is treating networks as already compromised
• Salt Typhoon remained undetected in networks for almost a year
• The threat actor targeted telecommunications, energy, and transportation infrastructure
• Critical national infrastructure remains at high risk from similar focused attacks
• Traditional security approaches focusing solely on perimeter defense are inadequate
• Once compromised, networks may never be fully trusted again
• Verification must occur upon every access request, not just initially
Jul 10, 2025 • 7min

S6, E247 - The EU's Bold Move on AI Training

The European Parliament has released a groundbreaking 175-page study concluding that AI companies' practice of training on copyrighted material without permission constitutes mass reproduction not covered by current laws. This study recommends transforming the landscape through an opt-in system, radical transparency requirements, and fair compensation models for creators whose work trains AI systems.
• EU study reveals AI companies are treating the internet like a free "all-you-can-eat buffet" of creative content
• Recommendation to shift from opt-out to opt-in system requiring AI companies to request permission
• Call for mandatory transparency about what data AI models are trained on
• Proposal for fair licensing models similar to Spotify where creators get paid when their work trains AI
• New EU AI Act regulations taking effect in August will incorporate some of these protections

Stay safe, stay informed, and always question the code.
Jul 3, 2025 • 15min

S6, E246 - Unpacking Healthline's Historic CCPA Settlement: What It Means for Data Privacy

Cameron and Gabe dive into Healthline Media's record-breaking $1.55 million settlement for CCPA violations, examining whether such penalties are sufficient deterrents against improper sharing of sensitive health data.
• Healthline violated CCPA by sharing sensitive user health data with advertisers without proper consent
• First U.S. regulatory action against a company for disclosing "inferred sensitive data"
• Violation included failing to provide mechanisms to opt out of sensitive data sharing
• Discussion of whether fines proportional to company revenue would be more effective
• Comparison of data brokers to other harmful entities in society
• Brief preview of upcoming episode about a major data breach potentially larger than Equifax

Stay safe this holiday weekend and don't put fireworks where they don't belong! Tune in next time for our breakdown of a massive data breach of "epic proportions."
Jun 16, 2025 • 17min

S6, E245 - Hard-coded Secrets and Unencrypted Data: A Digital Security Nightmare

Several popular Chrome extensions, including privacy and security tools, have been found leaking sensitive data through unencrypted HTTP and hard-coded credentials in their code. Security is both hard and easy - hard because of existing unencrypted protocols and trust placed in developers, but easy because fundamental security practices should be common knowledge in 2025.
• Chrome extensions including DualSafe Password Manager and Avast Online Security are leaking sensitive user data
• HTTP vs HTTPS - the 'S' stands for security and encrypts data transmission over the internet
• HTTPS Only extension from EFF forces secure connections when browsing
• Hard-coded credentials in extensions create permanent security vulnerabilities
• Developers sometimes collect excessive data "just in case" rather than minimizing collection
• OWASP (Open Web Application Security Project) provides essential resources for developers
• Technology abstraction makes users less aware of security fundamentals
• The newly restarted OWASP Nomad chapter offers virtual community for application security

Check out our GitHub repository of privacy resources at "Awesome Privacy Engineering Tools" for more information on implementing better privacy practices in development.
Jun 3, 2025 • 16min

S6, E244 - They didn't hack in, they just logged in: The LexisNexis Security Incident

We explore the recent LexisNexis data breach that exposed sensitive personal information of over 364,000 individuals through a third-party platform accessing their GitHub account. This incident highlights critical vulnerabilities in how data brokers handle our most sensitive information and raises questions about regulatory oversight.
• Data exposed included names, date of birth, phone numbers, social security numbers, and driver's license numbers
• The breach occurred when someone accessed the company's GitHub account through a third-party platform
• Attackers likely found hard-coded credentials that allowed them to move laterally through systems
• Data brokers operate with minimal regulation despite handling massive amounts of sensitive information
• Better governance policies and automated privacy operations could significantly reduce these risks
• Both technical solutions and regulatory approaches are needed to protect consumer data

Breach Occurred: December 25, 2024.
Discovery: April 1, 2025.
Public Notification: May 27, 2025.
Notice Letters Sent: May 24, 2025.

Shameless plug: Check out tools like Transcend's autonomous privacy operations to help prevent similar incidents and continue to monitor your privacy activities.
May 23, 2025 • 18min

S6, E243 - Reality Check: AI's Influence Is Baked Right In

Gabe and Cameron dive into the unseen dangers of AI systems, exploring how inherent biases shape our perception and how prompt injection attacks pose serious security threats.
• Generative AI models contain built-in biases based on their training data, favoring Western and particularly North American perspectives
• A recent study shows ChatGPT-4 with personalization is more persuasive than humans 64.4% of the time
• Most users accept AI outputs without questioning the underlying biases
• Prompt injection allows hackers to insert malicious instructions into AI systems that can lead to data leaks and security breaches
• Security professionals don't yet understand the full scope of AI vulnerabilities
• Google's new video generation technology makes it impossible to distinguish between real and AI-created content
• Despite digital concerns, it's important to appreciate real-world experiences like enjoying ice cream on a hot summer day