Archive for Lawsuit

Makers Of MOVEit File Transfer Software Served With Class Action Lawsuit

Posted in Commentary on June 24, 2023 by itnerd

The Clop ransomware gang has been pwning organizations right, left and centre via vulnerabilities in the MOVEit file transfer software. And with the scale of these attacks growing by the day, you knew it was a matter of time before a lawsuit was filed. And now we have a class action lawsuit:

On June 20, three Louisiana individuals headed up a class-action lawsuit filed in a Massachusetts district court against Progress Software, the Bedford, Massachusetts, makers of the MOVEit file Transfer and Cloud file transfer service that are used by thousands of entities and have been exploited over the past month to compromise an ever-growing list of companies and government agencies.

The plaintiffs represent more than 100 individuals who say Progress Software’s security practices were negligent, resulting in their personal data being exposed and stolen through the hack. The complaint characterizes this information as “a gold mine for data thieves” and the victims are seeking damages in excess of $5 million.

One of the lead plaintiffs, Shavonne Diggs, reportedly received “numerous phishing calls” following the breach from scammers who claimed she had signed up to attend different academic institutions, as well as an unauthorized charge on one of her payment cards.

“Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including … opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest,” lawyers for the plaintiffs wrote.

The company hasn’t really addressed this lawsuit. Instead they said that they are focused on helping those affected by these attacks. But I think it’s a safe bet that this will never go to trial. Instead Progress will likely settle this out of court. Having said this, the reputational damage to Progress will be huge.

Zoetop Ordered To Pay $1.9M Over Data Breach

Posted in Commentary on October 13, 2022 by itnerd

Zoetop, the parent company behind retailers Romwe and Shein, has been ordered by the State of New York to pay $1.9 million over a data breach which affected millions of customers. Zoetop was found guilty of failing to secure customers’ data, not properly notifying customers and trying to keep the extent of the data leak under wraps. This penalty comes after an investigation by the New York Attorney General into a 2018 cyber attack in which credit card and personal information was stolen.

Before I give my thoughts on this, let’s hear from John Stevenson, Product Director at Cyren on this:

“Testament to the scale of the unsolved nature of social engineering attacks, every single one of the millions of victims successfully targeted here now faces phishing scams abusing their exposed PII in the pursuit of more valuable credentials.

It is likely many customers’ credentials have already been sold to the highest bidder and may now be used to target their place of work. However, because employees are so busy, they cannot feasibly be expected to detect all fraudulent emails every time. Therefore, organisations must implement additional layers of technology and processes to continually hunt for targeted email attacks like spear phishing and business email compromise to automatically eliminate the threats once identified. 

A silver lining, however, is that hopefully expensive retributions for such failures to responsibly disclose and appropriately respond to a data breach is a step in the right direction towards creating a culture of compliance.”

My $0.02 worth. I am glad that the State of New York held Zoetop accountable for this and I hope that we see more of this going forward. Because if companies know that if they screw up they will get punished, they will take the steps required to make sure that they don’t get pwned.

If You’re Canadian, You Should Claim Your $20 (Or More) From The $30 Million Optical Disc Drive Class Action Payout

Posted in Commentary on July 20, 2022 by itnerd

If you’re Canadian, chances are you were not aware of a class action lawsuit regarding optical disc drive (ODD) products purchased in Canada between 2004 and 2010 in B.C., Ontario and Quebec. In short, a settlement of $29.7 million is available for people in B.C. and Quebec Courts because BenQ, Hitachi-LG, NEC, Panasonic, Philips, Pioneer, Quanta, Sony, TEAC, and Toshiba Samsung are alleged to have “conspired to fix the prices for ODD, with the intention of raising prices for both ODD and ODD Products sold in Canada.”

So if you purchased a computer or a game console with an optical drive, you are eligible for a $20 payment if you don’t have supporting documents. Or if you do, you can get more than that. Though you have to wonder who would still have the receipt from a computer or a PlayStation or Xbox that they bought 12 or more years ago. In any case, you can put in a request by going to this website.

Cafe Press Fined $500K For Data Breach

Posted in Commentary on June 27, 2022 by itnerd

This is the sort of story that I like writing about as it illustrates that companies who don’t seriously protect their customers’ data will be held to account. In this case Cafe Press, who I’ve written about before, has been fined $500,000 for a data breach that affected 23 million customers. You can read about it here, but I’ll hit the highlights for you:

  • Residual Pumpkin and PlanetArt, who now own Cafe Press, have to implement multi-factor authentication
  • They have to minimize the amount of collected and retained data
  • They have to encrypt all stored Social Security numbers
  • PlanetArt is being ordered to alert buyers and sellers whose personal info was accessed or stolen during the security breaches and provide them with information on how they can protect themselves

All of this centers around a February 2019 breach of CafePress’ servers where unknown attackers gained access to, stole, and later put up for sale on the dark web personal information belonging to 23,205,290 CafePress users. Then CafePress tried to cover this up until it was reported by Bleeping Computer. And to top it all off, the company knew they had issues but didn’t do anything about it. And they also didn’t investigate any of the attacks. Which makes it pretty clear that dealing with Cafe Press is a bad idea. Though this fine may have them rethink how they handle customer data going forward.

FTC Slaps Twitter With A $150M Fine For Using 2FA Info For Advertising

Posted in Commentary on May 26, 2022 by itnerd

If you used two-factor authentication or 2FA to protect your Twitter account, chances are Twitter used your phone number to target you for advertising. According to court documents, Twitter asked over 140 million users for this information to protect their accounts starting in 2013, but it failed to inform them that the data would also be used to allow advertisers to target them with ads.

This really seems underhanded at first glance.

What’s worse is that this is a direct violation of the FTC Act. And even worse than that, it also violates an administrative order between Twitter and the FTC which banned Twitter from misrepresenting its security and privacy practices and profiting from deceptively collected data.

Now that’s truly underhanded.

Twitter has agreed to settle the FTC’s allegations. But the optics of this really suck for Twitter. And they really need to explain why this won’t happen again.

Zoom To Pay Up Big Time In “Zoom-Bombing” Class Action Lawsuits

Posted in Commentary on April 24, 2022 by itnerd

For those of you who aren’t aware of this, “Zoom-Bombing” is when uninvited guests crash your Zoom meeting and do anything from just listening in to playing porn, or anything in between. It was a big deal a couple of years ago. This led to a string of class action lawsuits against Zoom claiming:

  • Zoom failed to prevent “Zoombombings”
  • Zoom unlawfully shared data with authorized third parties such as Facebook, Google and LinkedIn
  • Zoom lied about the strength of its end-to-end encryption protocols

I guess Zoom decided that it was cheaper to settle than to fight. Which has led to them settling 14 different class action lawsuits:

As part of the settlement agreement, Zoom Video Communications, the company behind the teleconference application that grew popular during the pandemic, will pay the $85m to users in cash compensation and also implement reforms to its business practices.

And here are the changes that Zoom must make:

As part of the settlement, Zoom has agreed to over a dozen changes to its business practices that are designed to “improve meeting security, bolster privacy disclosures and safeguard consumer data”, according to court documents.

As part of those changes, the company is required to develop and maintain a user-support ticket system to track reports of meeting disruptions, a documented process for communicating with law enforcement regarding disruptions that include illegal content, a suspend-meeting button and the ability to block users from certain countries.

A lawyer representing Zoom put out a comment putting some spin on this:

Mark Molumphy, a partner at Cotchett, Pitre & McCarthy, LLP said:

“Millions of Americans continue to use Zoom’s platform with the expectation that their conversations will be kept private and secure. This groundbreaking settlement will provide a substantial cash recovery to Zoom users and implement privacy practices that, going forward, will help ensure that users are safe and protected.”

But at the same time a lawyer representing the plaintiffs had this to say:

Tina Wolfson, a partner at Ahdoot Wolfson said:

“In the age of corporate surveillance, this historic settlement recognizes that data is the new oil and compensates consumers for unwittingly providing data in exchange for a free service. It also compensates those who paid for a product they did not receive and commits Zoom to changing its corporate behavior to better inform consumers about their privacy choices and provide stronger cybersecurity.”

Now, you don’t have to wait for Zoom to make changes to protect yourself from being “Zoom-Bombed”. Here are my tips for using Zoom safely:

  • When you send out a meeting invite, ensure that the meeting has a password associated with it. This support document can help you with that.
  • Don’t share the meeting invite on social media. Send it directly to the invitees.
  • Use the waiting room function which puts users who join your meeting into a virtual waiting room that allows you to identify them and admit them to the meeting if they are supposed to be there. This support document will explain how to use that feature.
  • Don’t use your personal meeting ID for meetings if you can avoid it.
  • Keep your audio and video off by default when joining a meeting. That way when you join, you can enable what you need to or feel comfortable enabling. This support document will tell you how to do that.
  • Don’t keep Zoom running on your computer if you don’t need it.
  • Make sure you have a strong password for your Zoom account. This support document can help you with that.

The first four items will help you to mitigate “Zoom-Bombings”. The last three are more of a suggestion to protect your privacy.

Hopefully Zoom learns from this as this is not the first time that Zoom has paid up to make a lawsuit go away. And I have to imagine that cutting these cheques is starting to get expensive.

Ok Google, You’re Getting Sued Over Play Store Abuse

Posted in Commentary on July 8, 2021 by itnerd

The attorneys general of 36 states and Washington, D.C., sued Google “alleging that the company illegally abused its power over developers that distribute apps through the Google Play store on mobile devices,” according to Bloomberg:

State attorneys general are targeting the fees Google takes from developers for purchases and subscriptions inside apps. The complaint was filed by 36 states and the District of Columbia in San Francisco federal court Wednesday. The complaint marks a new attack by government officials in the U.S. against the search engine’s business practices. The Justice Department and a group of states filed separate complaints over Google’s search business last year, while another state coalition sued over Google’s digital advertising business. The states are taking on Google even after a federal judge in Washington last week threw out their antitrust lawsuit against Facebook. That case accused Facebook of illegally crushing competition by buying Instagram and WhatsApp because it saw them as threats to its business. The judge said the states waited too long to challenge the acquisitions.

This article didn’t have anything about the states suing Apple, which has an app policy similar to Google’s. Actually, Apple’s stance is worse since they prevent users from side-loading apps or using alternate app stores. So this seems like a strange lawsuit to me. And I wonder if it will actually go the distance. I guess we’ll see.

UPDATE: There’s a story that outlines the accusation that Google used anticompetitive practices in an attempt to “preemptively quash” Samsung’s Galaxy Store, and prevent it from becoming a viable competitor to its own Play Store. 

BREAKING: Trump Sues The CEOs Of Twitter And Facebook

Posted in Commentary on July 7, 2021 by itnerd

Former President Donald Trump, who has complained about censorship by social media giants, plans to announce class action lawsuits today against Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey, Axios reported today:

It’s the latest escalation in Trump’s yearslong battle with Twitter and Facebook over free speech and censorship. Trump is completely banned from Twitter and is banned from Facebook for another two years. Trump is scheduled to make an announcement at a press conference today at 11 am. Trump’s legal effort is supported by the America First Policy Institute, a non-profit focused on perpetuating Trump’s policies. The group’s president and CEO and board chair, former Trump officials Linda McMahon and Brooke Rollins, will accompany him during the announcement. Class action lawsuits would enable him to sue the two tech CEOs on behalf of a broader group of people that he argues have been censored by biased policies. To date, Trump and other conservative critics have not presented any substantial evidence that either platform is biased against conservatives in its policies or implementation of them.

I am not a lawyer, but I’m betting he’s going to lose. Here’s why.

What he is asking the court to do is violate both companies’ First Amendment right not to be forced to carry speech they don’t want to publish. In less democratic countries, companies are frequently forced to publish things praising the government. That is not permitted in the USA. Thus he’s going to lose. By a lot.

BREAKING: US Government And Numerous States Sue Facebook In An Attempt To #DeleteFacebook

Posted in Commentary on December 9, 2020 by itnerd

Last week we got the first hint that Facebook was about to get sued. Now it’s happened. CNN is reporting that Facebook is being sued for anticompetitive behavior by dozens of states and the US Government:

The parallel lawsuits, months in the making, represent an unprecedented challenge to one of Silicon Valley’s most powerful corporations. The complaints zero in on Facebook’s acquisition and control over Instagram and WhatsApp, two key services in its social media empire. 

The suits come roughly 14 months after New York Attorney General Letitia James announced that her office was leading a group of attorneys general in investigating Facebook for potential anticompetitive practices. More than 40 attorneys general ultimately signed onto Wednesday’s complaint. The Federal Trade Commission, meanwhile, has been conducting its own antitrust investigation of Facebook since June 2019. 

Much of the scrutiny of Facebook concerns the companies it has purchased to build up a massive audience that now totals more than 3 billion users across its portfolio of apps, according to its financial statements. That dominance has raised questions by some legal experts, including US lawmakers, about whether Facebook CEO Mark Zuckerberg set out to neutralize competitive threats by gobbling them up.

Facebook however is ready for a fight:

As the drumbeat in Washington against Facebook has grown louder, the company has had years to prepare for a showdown. It’s moved to tightly integrate its apps on a technical level, a decision some critics have suggested is a strategy to frustrate any potential breakup. It’s stepped up its hiring of lawyers with antitrust and litigation experience. And the company has fine-tuned its talking points, settling on a narrative that Facebook welcomes regulation but that cracking down too hard could risk giving other countries like China a competitive edge in the fast-moving technology sector. 

The company has also argued that regulators reviewed the WhatsApp and Instagram deals at the time and did not see a reason to block them then. Instagram was acquired particularly early on in its lifecycle, before many came to view it as the successful giant it is today.

We’ll see who’s right, as you can bet that this will be an all-out fight by everyone involved to take down Facebook. And I for one hope that they take down Facebook as this is one company that needs to be taken down because of their horrible handling of user data on many levels.

Feds Plan To Sue Google For Anti-Trust As Early As Today [UPDATE]

Posted in Commentary on October 20, 2020 by itnerd

The US Justice Department plans to accuse Google of maintaining an illegal monopoly over search and search advertising in a lawsuit to be filed on Tuesday, the government’s most significant legal challenge to a tech company’s market power in a generation, according to officials at the agency:

In its suit, to be filed in a federal court in Washington, D.C., the agency will accuse Google, a unit of Alphabet, of illegally maintaining its monopoly over search through several exclusive business contracts and agreements that lock out competition, said the officials, who were not authorized to speak on the record. Such contracts include Google’s payment of billions of dollars to Apple to place the Google search engine as the default for iPhones. The agency will argue that Google, which controls about 80 percent of search queries in the United States, struck agreements with phone makers using Alphabet’s Android operating system to pre-load the search engine on their phones and make it hard for rival search engines to become a replacement. By using contracts to maintain its monopoly, competition and innovation has suffered, the suit will argue.

The suit reflects the pushback against the power of the nation’s largest corporations, and especially technology giants like Google, Amazon, Facebook and Apple. Conservatives like President Trump and liberals like Senator Elizabeth Warren have been highly critical of the concentration of power in a handful of tech behemoths. Attorney General William P. Barr, who was appointed by Mr. Trump, has played an unusually active role in the investigation. He pushed career Justice Department attorneys to bring the case by the end of September, prompting pushback from lawyers who wanted more time and complained of political influence. Mr. Barr has spoken publicly about the inquiry for months and set tight deadlines for the prosecutors leading the effort.

This will be interesting to watch because this can be the first of many lawsuits to be filed by the feds. Lawyers at Amazon, Facebook and Apple have to be very worried as it looks like Google is going to be made an example of. If and when the lawsuit gets announced, I’ll update this post.

UPDATE: The Lawsuit has dropped.

UPDATE #2: Google calls the lawsuit “deeply flawed” in a blog post.