In 2024, the European Union’s Artificial Intelligence Act entered into force — the world’s first comprehensive legal framework for regulating AI systems. Like GDPR before it, the AI Act is expected to become a de facto global standard, shaping how AI is developed and deployed well beyond Europe’s borders. The Act takes a risk-based approach. […]
HHS Proposes the First Major HIPAA Security Rule Update in Over a Deca In late 2024, the Department of Health and Human Services proposed the most significant update to the HIPAA Security Rule since it was last revised in 2013. The proposed changes would make several currently “addressable” requirements mandatory: multi-factor authentication, network segmentation, encryption […]
In the summer of 2024, a background check company called National Public Data suffered what may be the largest data breach ever recorded by number of records. A threat actor published a dataset claiming to contain 2.9 billion rows of personal information: Social Security numbers, full names, addresses, and family member relationships — scraped and […]
Ticketmaster, Snowflake, and the Third-Party Credential Problem In May and June 2024, a wave of breaches hit major companies with a common thread: all of them traced back to stolen credentials for Snowflake, the cloud data platform. Ticketmaster lost data on approximately 560 million customers. Santander Bank was breached. Advance Auto Parts, LendingTree, and dozens […]
In March 2024, AT&T confirmed that a dataset containing personal information for approximately 73 million current and former customers had been leaked on a dark web forum. The data included Social Security numbers, account passcodes, names, addresses, phone numbers, and dates of birth. What made the breach notable beyond its scale was the timeline. The […]
Change Healthcare: The Cyberattack That Broke the US Healthcare System In February 2024, a ransomware group called ALPHV/BlackCat breached Change Healthcare, a subsidiary of UnitedHealth Group that processes roughly one in three US patient records. The attackers used stolen credentials — there was multi-factor authentication absent from the targeted remote access portal — and deployed […]