Data breach law firm hit by data breach
In an incredibly ironic start to the New Year, an international law firm that works with companies affected by security incidents has experienced its own cyber attack that exposed the sensitive health information of hundreds of thousands of data breach victims.
Orrick, Herrington & Sutcliffe, a San Francisco-based firm, has reported that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion last year. The stolen data included consumer names, dates of birth, postal and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver's license numbers, and tax identification numbers.
Microsoft & OpenAI hit with new lawsuit
In another blow to the AI power couple, Microsoft and OpenAI have been hit with another lawsuit from creators claiming their work had been used to train AI models without their consent.
Writers Nicholas Basbanes and Nicholas Gage told the court in a proposed class action that the companies infringed their copyrights by including several of their books as part of the data used to train OpenAI’s GPT large language model. This lawsuit follows others from writers such as George RR Martin and even the New York Times.
23andMe blames victims for data breach
Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now reported to be deflecting the blame onto the victims themselves in an attempt to shield itself from responsibility.
The attack started with hackers accessing a smaller group of accounts with brute-force credential stuffing. From there, however, attackers were able to access the data of 6.9 million others through 23andMe’s DNA Relatives feature.
Because of how the attack originated, 23andMe is claiming that users “negligently recycled and failed to update their passwords” following other security incidents unrelated to 23andMe, and that the incident was therefore “not a result of 23andMe’s alleged failure to maintain reasonable security measures.”