Latest news with #securityflaw

Hackers exploit Microsoft flaw to launch global attack
Russia Today | Business | 3 days ago

Hackers have exploited a major security flaw in Microsoft's SharePoint software to breach document-sharing systems used by government agencies and businesses worldwide, the Washington Post reported Monday, citing state officials and private researchers. The attack, which unfolded over the past several days, targeted organizations in the US, the EU, China and Brazil. The hackers leveraged a previously unknown vulnerability that allowed them to steal cryptographic keys, giving them access to sensitive systems even after a reboot: SharePoint is an ASP.NET application, so whoever holds its machine keys can forge the signed tokens the server trusts, and restarting or even patching the server does not evict the intruder until those keys are rotated. The flaw remained undetected despite Microsoft's latest security update just two weeks earlier.

'Anybody who's got a hosted SharePoint server has got a problem,' Adam Meyers of cybersecurity firm CrowdStrike said, describing the issue as 'a significant vulnerability.' It was not immediately clear who is behind the attack, the Washington Post noted. Microsoft acknowledged the breach and said it was working with the US Department of Homeland Security and the Department of Defense to contain the damage. As there is currently no fix available, the company advised affected customers to disconnect their servers from the internet.

The latest attack adds to a wave of concern about Microsoft's ability to secure its software. One of the world's most entrenched vendors of government software, the company has suffered a series of embarrassing failures over the past two years, including breaches of its corporate networks and of the email accounts of top executives. Governments worldwide have sought to reduce dependence on Western technology providers and assert greater digital sovereignty, not only to guard against cybersecurity risks but also to shield their digital infrastructure from the geopolitical leverage of the US. The EU has accelerated efforts to curb reliance on American cloud and AI services, backing domestic alternatives and exploring procurement mandates.

China is pursuing a sweeping campaign to replace foreign hardware and software by 2027. Russia, which views US tech as a national security threat, is developing isolated systems and promoting state-run platforms. Microsoft, which suspended new software sales in Russia following the escalation of the Ukraine conflict in 2022, now offers only limited services in the country.

Global hack on Microsoft product hits U.S., state agencies, researchers say
Washington Post | 4 days ago

Hackers exploited a major security flaw in widely used Microsoft server software to launch a global attack on government agencies and businesses in the past few days, breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers. The U.S. government and partners in Canada and Australia are investigating the compromise of SharePoint servers, which provide a platform for sharing and managing documents. Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond.

McDonald's '123456' Password Scare Reframes Responsible AI Debate
Forbes | Business | 14-07-2025

A security flaw on the McHire platform jeopardized 64 million applicants' data. Set aside aspirational AI rhetoric, alarmist consultant pitches and techno-babble. AI success requires candor about incentives, incompetence and indifference. McDonald's learned that harsh lesson (in a relatively costless way) when two security researchers used '123456' as both username and password to gain, astonishingly, full access to the Golden Arches hiring platform and over 64 million applicants' personal data. The noble cyber sleuths, Ian Carroll and Sam Curry, reported the flaw to McDonald's and its AI vendor, Paradox, for swift technical resolution. Had nefarious actors found the lax vulnerability first, McDonald's leadership would be mired in a costly, public crisis. So, will the fast-food goliath learn from this 'near-miss' to improve tech governance? Will others tap this averted disaster for overdue responsible AI introspection and action? It depends. Widespread and hushed AI deployment problems need thornier fixes than many boards and senior executives will acknowledge, admit or address.

Super-sized opportunities

Workplace crises can be proactively prevented (or eventually explained) by tackling incentives, incompetence and indifference with stewardship, capability and care. The Golden Arches 'near miss' exemplifies that, and the timing couldn't be better. While 88% of executives surveyed by PwC expect agentic AI spending increases this year, many struggle to articulate how AI will drive competitive advantage. Nearly 70% indicated that half or fewer of their workforce interacts with agents daily. Indiscriminately 'throwing money' at issues can create more problems than it solves. Here's a better start.

Dissect incentives. Talent, culture and bureaucratic entrenchment stymie big firms desperate to innovate. Nimble, bootstrapped startups tantalizingly fill those voids, but crave revenue and reputation. Stalled AI implementations only fuel that magnetism. Typically, it is the larger organization that makes headlines when deals falter. How many leadership teams meaningfully assess third-party risk from an incentives perspective? Or do expedited results more strongly appeal to their own compensation and prestige hunger? Is anyone seriously assessing which party has more (or less) to lose? Nearly 95% of McDonald's 43,000 restaurants worldwide are franchised. With over 2 million workers and aggressive growth aims, automating job applications is a logical AI efficiency move. Its selected vendor, whose tagline boasts 'meet the AI assistant for all things hiring', seemed like a natural partner. At what hidden costs? Successful strategic alliances require an 'outside-in' look at a counterparty's interests. Three of the seven-member Paradox board are private equity partners, including chair Mike Gregoire. In Startups Declassified, acclaimed business school professor and tech thought leader Steve Andriole emphasizes how critical flagship revenue is to valuation: 'There's no more important start-up activity than sales — especially important are the 'lighthouse' customers willing to testify to the power and greatness of products and services. Logo power is [vital] to start-ups.' 'Remember that no one wants to buy start-ups unless the company has killer intellectual property or lists of recurring customers. Profitable recurring revenue is nirvana. Exits occur when a start-up becomes empirically successful,' he continued.

Assess skill and will. Despite its global presence, digital strategy imperatives and daily transaction volume, the 2025 McDonald's proxy reveals three common AI-era oversight shortfalls: inadequate boardroom cyber expertise, no technology committee and cybersecurity relegated to audit oversight. Those are serious signaling problems. In fact, the word 'cybersecurity' appears only nine times across the 100-page filing. In the director qualifications section, information technology is grouped with cybersecurity and vaguely defined as something that 'contributes to an understanding of information technology capabilities, cloud computing, scalable data analytics and risks associated with cybersecurity matters.' Just four of the eleven directors are tagged as such. While three of those four worked in the tech sector, none has any credible IT or cybersecurity expertise. Intriguingly, it is not one of the four but board member and former Deloitte CEO Cathy Engelbert who has the best experience to push for stronger governance. Is she, now the prominent WNBA league commissioner, willing to take such contentious risk? To start, she can tap longtime McDonald's CFO Ian Borden and auditors EY for guidance and ideas on bolstering board composition.

When tech issues arise, fingers, by default, point at the IT team. However, responsible AI design and deployment truly require cross-functional leadership commitment. McDonald's CEO Chris Kempczinski routinely touts a 4D strategy (digital, delivery, drive-thru and development) and characterizes the fast-food frontrunner's tech edge as 'unmatched.' That bravado brings massive expectations, and he can't be happy with the '123456' password distraction. With annual compensation approaching $20 million, he also has a responsible AI obligation to current and future McDonald's workers making, on average, 1,014 times less, as well as to the 40,000 franchisees. Valerie Ashbaugh, McDonald's commercial products and platform SVP, rotates into the US CIO seat next month. The timing is ideal to institute policies, procedures and accountability for stronger third-party IT access controls.

Alan Robertson, UK ambassador to the Global Council for Responsible AI, astutely notes, 'The damage is done — not by hackers, but by sheer negligence. McDonald's has pinned the issue on Paradox. Paradox says they fixed it and have since launched a bug bounty program. It raises bigger questions for all of us. Who audits the third-party vendors we automate hiring with? Where does the liability sit when trust is breached at this scale? And what does 'responsible AI' even mean when basic cybersecurity hygiene isn't in place? We talk about ethics — but sometimes it's just about setting a password.' That's prototypical indifference, especially when the access key is '123456.'

Likewise, HR leaders have a chance to meaningfully shape AI rollouts. 'HR needs to resist the urge to 'just go along.' There will be many HR leaders who simply wait for the various software lines they currently license to add AI functionality. To do so would be a mistake. AI will become a critical part of the employee experience and HR should have a hand in that,' advises AthenaOnline SVP of customer solutions Mark Jesty. At McDonald's, EVP and global chief people officer Tiffanie Boyd holds that golden opportunity to elevate responsible AI on the board and C-suite agendas. Will she?

Responsibility knocks

The McHire 'near-miss' highlights how boards and C-suites can remain dangerously unprepared for AI design, deployment and oversight. Strategy speed and tech wizardry must never come at stewardship's cost. 'If you're deploying AI without basic security hygiene, you're not innovating. You're endangering people. Security is not optional,' implores CEO Ivan Rahman. Who's opting for drive-thru AI governance?

OxBykes customer data leak treated with 'utmost urgency'
BBC News | Business | 23-05-2025

A bicycle rental company that accidentally made customer data available on its mobile app has said it is treating the matter "with the utmost urgency". A user of OxBykes, which operates its own fleet of bicycles for rental and sale in Oxford, Cambridge and London, said they had accidentally been granted administrative-level access to its database on 13. What was shown to the BBC by the customer, who asked to remain anonymous, displayed confidential data including names, contact details and order information. OxBykes said the security flaw had been resolved and that potentially affected customers would be contacted.

OxBykes has 25 depots across Oxford, 14 in Cambridge and three in London, and makes bicycles available for collection instantly. The user said they had come across the glitch while trying to contact the support team after struggling to find a bike. They said the data was found via a button on the mobile app and "was accessible throughout the past week". The customer added that they received a personal WhatsApp message from OxBykes founder Louis Wright on Sunday, explaining the error and requesting that they did not release any confidential information.

CEO Tom Widgery replied to the BBC's request for comment on Wednesday. He said the company was "made aware today that a very limited selection of customer data from a small number of customers may have been accessed as a result of a previously resolved vulnerability". "We are treating this matter with the utmost urgency and are currently speaking to our lawyers to understand the full implications of the situation," he said. "We have already taken steps to patch the security flaw and are working to understand the extent of any data exposure. We are also reporting the incident to the Information Commissioner's Office and are preparing to contact any potentially affected customers directly."

iPhone Users Issued Urgent Warning After Major Flaw
Yahoo | 06-05-2025

Billions of iPhone users and Apple device owners worldwide are being warned to update their devices immediately after a major security flaw put them at risk of malware attacks. Apple's AirPlay feature conveniently lets Apple devices integrate with other devices, allowing iPhones and MacBooks to play music or show video on other Apple devices or on third-party speakers and televisions. That same technology, however, has also exposed those devices to a major security flaw.

As first reported by Wired this week, the cybersecurity firm Oligo revealed a set of flaws in Apple's AirPlay software that allow a device to be hacked by an attacker connected to the same Wi-Fi network as the target, which includes public places like airports and coffee shops, or even your office. The flaws, which Oligo has named "AirBorne", could allow hackers to deploy malware, snoop on private data, or even eavesdrop on conversations using the devices' microphones. Apple told Wired that it has patched the bugs on its own devices in recent months, so iPhone and MacBook users have been urged to make sure their devices are up to date. However, an up-to-date Apple device does not necessarily mean you are safe, because third-party devices are vulnerable to the attacks too. Oligo's chief technology officer and co-founder Gal Elbaz estimates that tens of millions of third-party AirPlay-enabled devices are potentially vulnerable, gadgets like smart TVs or Bluetooth speakers, even when they are not in use. The vulnerability even applies to CarPlay, putting a car's automotive computer at risk. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch—or they will never be patched,' Elbaz told Wired. 'And it's all because of vulnerabilities in one piece of software that affects everything.'

These third-party devices are likely to remain hackable unless their owners deliberately update them. And even if you update all of your own devices, you could still be at risk from someone else's unpatched device on the same public Wi-Fi network at the airport, a coffee shop, or at work. 'The amount of devices that were vulnerable to these issues, that's what alarms me,' says Oligo researcher Uri Katz. 'When was the last time you updated your speaker?' Apple has worked with its certified third-party partners on a security patch, but the risk remains from other manufacturers that incorporate AirPlay without notifying Apple and becoming a "certified" AirPlay device; those devices might never receive a patch. To keep yourself secure, make sure all of your AirPlay-enabled devices are up to date and be wary of which Wi-Fi networks you connect your devices to.
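The practical first step after a report like this is knowing which AirPlay receivers are on your network segment and what software they claim to run. AirPlay receivers announce themselves over mDNS as the DNS-SD service `_airplay._tcp.local`, and their TXT record carries keys such as `model` and `srcvers` (the AirPlay source version). The Python script below is an added example, not code from the article, from Oligo or from Apple: it sends the standard DNS-SD browse query, parses the replies (including DNS name-compression pointers), and builds an inventory keyed by instance name. The embedded reply in `build_sample_response()` is constructed for the example and is not a real capture; `discover()` sends the query on a real LAN. The script only inventories devices; which `srcvers` values are patched is not something the article states, so that comparison is left to the reader.

```python
import socket
import struct

SERVICE = "_airplay._tcp.local"          # DNS-SD service type AirPlay receivers advertise
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
PTR, TXT, SRV, A = 12, 16, 33, 1          # DNS record types used below


def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_ptr_query(service=SERVICE):
    """Standard mDNS browse: header with one question, PTR type, class IN."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", PTR, 1)


def read_name(msg, off):
    """Decode the name at `off`, following 0xC0 compression pointers; returns (name, end_offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: remember where we left off, jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode(errors="replace"))
        off += n
    return ".".join(labels), (off if end is None else end)


def parse_txt(rdata):
    """TXT rdata is a sequence of length-prefixed key=value strings."""
    txt, i = {}, 0
    while i < len(rdata):
        n = rdata[i]
        k, _, v = rdata[i + 1:i + 1 + n].decode(errors="replace").partition("=")
        txt[k] = v
        i += 1 + n
    return txt


def parse_response(msg):
    """Yield (name, rtype, value) for each PTR/SRV/TXT/A record in an mDNS message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                            # skip any echoed question
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd, off = off + 10, off + 10 + rdlen
        if rtype == PTR:
            yield name, PTR, read_name(msg, rd)[0]
        elif rtype == SRV:                         # priority, weight, port, target
            yield name, SRV, (struct.unpack("!H", msg[rd + 4:rd + 6])[0], read_name(msg, rd + 6)[0])
        elif rtype == TXT:
            yield name, TXT, parse_txt(msg[rd:rd + rdlen])
        elif rtype == A:
            yield name, A, socket.inet_ntoa(msg[rd:rd + 4])


def inventory(responses):
    """Map each advertised AirPlay instance to its host, port, IPv4 address, model and srcvers."""
    devices, srv, txt, addrs = {}, {}, {}, {}
    for msg in responses:
        for name, rtype, val in parse_response(msg):
            if rtype == PTR and name == SERVICE:
                devices.setdefault(val, {})
            elif rtype == SRV:
                srv[name] = val
            elif rtype == TXT:
                txt[name] = val
            elif rtype == A:
                addrs[name] = val
    for inst, info in devices.items():
        port, host = srv.get(inst, (None, None))
        rec = txt.get(inst, {})                    # `model` / `srcvers` are keys AirPlay receivers advertise
        info.update(host=host, port=port, addr=addrs.get(host), model=rec.get("model"), srcvers=rec.get("srcvers"))
    return devices


def discover(timeout=2.0):
    """Send the browse query to the mDNS group and collect raw replies for `timeout` seconds (real network only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", MDNS_PORT))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0"))
    s.settimeout(timeout)
    s.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    replies = []
    try:
        while True:
            replies.append(s.recv(9000))
    except socket.timeout:
        pass
    finally:
        s.close()
    return replies


def build_sample_response():
    """Constructed reply (not a capture) from one receiver; the PTR rdata uses a 0xC00C pointer to the question name."""
    inst, host = "Living Room", "livingroom-tv.local"

    def rec(name, rtype, rd):                      # one resource record, cache-flush class, TTL 120
        return encode_name(name) + struct.pack("!HHIH", rtype, 0x8001, 120, len(rd)) + rd

    question = encode_name(SERVICE) + struct.pack("!HH", PTR, 1)   # sits at offset 12
    ptr_rd = bytes([len(inst)]) + inst.encode() + b"\xc0\x0c"
    srv_rd = struct.pack("!HHH", 0, 0, 7000) + encode_name(host)
    txt_rd = b"".join(bytes([len(e)]) + e for e in (b"model=AppleTV6,2", b"srcvers=377.40.00"))
    return (struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 3) + question
            + rec(SERVICE, PTR, ptr_rd) + rec(inst + "." + SERVICE, SRV, srv_rd)
            + rec(inst + "." + SERVICE, TXT, txt_rd) + rec(host, A, socket.inet_aton("192.0.2.20")))


if __name__ == "__main__":
    for inst, info in inventory(discover()).items():
        print(inst, info)
```

Run it on the Wi-Fi segment you care about; anything that answers is reachable to every other client on that network, which is exactly the attacker position the article describes. Receivers that do not advertise `srcvers` at all, or that show models you cannot map to a vendor update, are the ones to isolate onto a separate VLAN rather than wait on.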
