News

Ticketmaster, Snowflake, and the Third-Party Credential Problem In May and June 2024, a wave of breaches hit major companies with a common thread: all of them traced back to stolen credentials for Snowflake, the cloud data platform. Ticketmaster lost data on approximately 560 million customers. Santander Bank was breached. Advance Auto Parts, LendingTree, and dozens […]

In March 2024, AT&T confirmed that a dataset containing personal information for approximately 73 million current and former customers had been leaked on a dark web forum. The data included Social Security numbers, account passcodes, names, addresses, phone numbers, and dates of birth. What made the breach notable beyond its scale was the timeline. The […]

Change Healthcare: The Cyberattack That Broke the US Healthcare System In February 2024, a ransomware group called ALPHV/BlackCat breached Change Healthcare, a subsidiary of UnitedHealth Group that processes roughly one in three US patient records. The attackers used stolen credentials — there was multi-factor authentication absent from the targeted remote access portal — and deployed […]

When ChatGPT crossed 100 million users in early 2023, it became the fastest-growing consumer application in history. It also became one of the most consequential unresolved data privacy questions of the year. By default, conversations with ChatGPT are used to train future models. Users who paste in sensitive information — internal business documents, patient information, […]

In July 2023, the Securities and Exchange Commission adopted new rules requiring public companies to disclose material cybersecurity incidents within four business days of determining they are material. The rules also require annual disclosures describing a company’s cybersecurity risk management program, governance, and the board’s oversight of cyber risk. The four-day clock is aggressive. Many […]

In July 2023, the European Commission formally adopted the EU-US Data Privacy Framework, establishing a new legal mechanism for transferring personal data from the European Union to the United States. The Framework replaces the Privacy Shield arrangement that was invalidated by the Court of Justice of the European Union in 2020. Under the new agreement, […]