Security

Qantas Confirms Data Breach Impacts 5.7 Million Customers (bleepingcomputer.com)

Qantas has confirmed that 5.7 million customers have been impacted by a recent data breach through a third-party platform used by its contact center. The breach, attributed to the Scattered Spider threat group, exposed various personal details but did not include passwords, financial, or passport data. BleepingComputer reports: In a new update today, Qantas has confirmed that the threat actors stole data for approximately 5.7 million customers, with varying types of data exposed in the breach:

4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
- 1.2 million customer records contained name and email address.
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.

Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
- Address - 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
- Date of birth - 1.1 million
- Phone number (mobile, landline and/or business) - 900,000
- Gender - 400,000. This is separate to other gender identifiers like name and salutation.
- Meal preferences - 10,000

The Courts

German Court Rules Meta Tracking Tech Violates EU Privacy Laws (therecord.media)

An anonymous reader quotes a report from The Record: A German court has ruled that Meta must pay $5,900 to a German Facebook user who sued the platform for embedding tracking technology in third-party websites -- a ruling that could open the door to large fines down the road over data privacy violations relating to pixels and similar tools. The Regional Court of Leipzig in Germany ruled Friday that Meta tracking pixels and software development kits embedded in countless websites and apps collect users' data without their consent and violate the continent's General Data Protection Regulation (GDPR).

The ruling in favor of the plaintiff sets a precedent which the court acknowledged will allow countless other users to sue without "explicitly demonstrating individual damages," according to a Leipzig Regional Court press release. "Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account," the press release said.
"This may very well be one of the most substantial rulings coming out of Europe this year," said Ronni K. Gothard Christiansen, the CEO of AesirX, a consultancy which helps businesses comply with data privacy laws. "$5,900 in damages for one visitor adds up quickly if you have tens of thousands of visitors, or even millions."
The Courts

Judge Throws Out Lawsuit Accusing Apple of Taking Bribes To Avoid Competing With Visa and Mastercard (reuters.com)

A federal judge has dismissed an antitrust lawsuit that accused Apple, Visa and Mastercard of conspiring to suppress competition in the payments network market and inflate merchant transaction fees.

U.S. District Judge David Dugan in Illinois ruled that merchants failed to provide sufficient evidence supporting claims that Apple illegally declined to launch a competing payment network to rival Visa and Mastercard.

The lawsuit, filed by beverage retailer Mirage Wine & Spirits and other businesses representing thousands of merchants, alleged the payment networks paid Apple hundreds of millions of dollars annually to avoid competition. Dugan found the plaintiffs offered only "a slew of circumstantial allegations" but permitted them to amend their complaint.
Privacy

Swedish Bodyguards Reveal Prime Minister's Location on Fitness App (politico.eu)

Swedish security service members who shared details of their running and cycling routes on fitness app Strava have been accused of revealing details of the prime minister's location, including his private address. Politico: According to Swedish daily Dagens Nyheter, on at least 35 occasions bodyguards uploaded their workouts to the training app and revealed information linked to Prime Minister Ulf Kristersson, including where he goes running, details of overnight trips abroad, and the location of his private home, which is supposed to be secret.
AI

McDonald's AI Hiring Bot Exposed Millions of Applicants' Data To Hackers

An anonymous reader quotes a report from Wired: If you want a job at McDonald's today, there's a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and resume, directs them to a personality test, and occasionally makes them "go insane" by repeatedly misunderstanding their most basic questions. Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants -- including all the personal information they shared in those conversations -- with tricks as straightforward as guessing the username and password "123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities -- including guessing one laughably weak password -- allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. "I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," says Carroll. "So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years."
Paradox.ai confirmed the security findings, acknowledging that only a small portion of the accessed records contained personal data. The company stated that the weak-password account ("123456") was only accessed by the researchers and no one else. To prevent future issues, Paradox is launching a bug bounty program. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."

In a statement to WIRED, McDonald's agreed that Paradox.ai was to blame. "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us," the statement reads. "We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."
The Courts

Court Nullifies 'Click-To-Cancel' Rule That Required Easy Methods of Cancellation (arstechnica.com)

A federal appeals court struck down a "click-to-cancel" rule that would have required companies to make cancelling services as easy as signing up. The Federal Trade Commission rule was scheduled to take effect on July 14 but was vacated by the US Court of Appeals for the 8th Circuit. The three-judge panel ruled unanimously that the Biden-era FTC failed to follow the full rulemaking process required under US law.

The FTC is required to conduct a preliminary regulatory analysis when a rule has an estimated annual economic effect of $100 million or more. The FTC initially estimated the rule would not reach that threshold, but an administrative law judge later found compliance costs would exceed $100 million. Despite this finding, the FTC did not conduct the required preliminary analysis.
Government

The Military Might Finally Win the Right To Repair

Senators Tim Sheehy and Elizabeth Warren have introduced the bipartisan "Warrior Right to Repair Act," which would guarantee the military's right to repair its own equipment. The bill builds on a previous Army directive and has broad public support, with nearly 75% of Americans in favor, according to a PIRG poll. Engadget reports: The Department of Defense has not been immune from restrictive practices set forth by manufacturers, and much like the average consumer, has been hamstrung in its ability to repair its own equipment by clauses in its purchase agreements. According to the Public Interest Research Group (PIRG), the current system leads to excessive repair and sustainment costs, and can even impede military readiness.

"When our neighbors, friends and family serve in our military, we expect them to get what they need to do their jobs as safely as possible," PIRG Federal Legislative Director Isaac Bowers wrote regarding the newly introduced bill. "Somehow, that hasn't included the materials and information they need to repair equipment they rely on. It's time we fixed that."
AI

Georgia Court Throws Out Earlier Ruling That Relied on Fake Cases Made Up By AI (theregister.com)

The Georgia Court of Appeals has overturned a trial court's order after finding it relied on court cases that do not exist, apparently generated by AI. The appellate court vacated the ruling in a divorce case involving Nimat Shahid's challenge to a divorce order granted to her husband Sufyan Esaam in July 2022.

"We are troubled by the citation of bogus cases in the trial court's order," the appeals court stated in its decision, which directs the lower court to revisit Shahid's petition. The court noted the errant citations appear to have been "drafted using generative AI" and were included in an order prepared by attorney Diana Lynch.

Lynch repeated the fabricated citations in her appeals briefs and expanded upon them after Shahid had challenged the fictitious cases. The appeals court found Lynch's briefs contained "11 bogus case citations out of 15 total, one of which was in support of a frivolous request for attorney fees." The court fined Lynch $2,500 for filing the frivolous motion.
Social Networks

X Says It's 'Deeply Concerned' About India Press Censorship (aljazeera.com)

X said Tuesday it is "deeply concerned about ongoing press censorship in India" after the Indian government ordered the platform to block 2,355 accounts on July 3, including two Reuters news agency handles. The social media company said the order came under India's Section 69A of the Information Technology Act, with non-compliance risking criminal liability.

The Indian Ministry of Electronics and Information Technology demanded immediate action within one hour without providing justification, X said. After public outcry, the government requested X to unblock the Reuters accounts.
The Courts

Fubo Pays $3.4 Million To Settle Claims It Illegally Shared User Data With Advertisers (arstechnica.com)

Fubo has agreed to pay $3.4 million to settle a class-action lawsuit (PDF) accusing it of illegally sharing users' personally identifiable information and video viewing history with advertisers without consent, allegedly violating the Video Privacy Protection Act (VPPA). Ars Technica reports: As reported by Cord Cutters News this week, instead of going to trial, Fubo reached a settlement agreement [PDF] that allows people who used Fubo before May 29, which is when Fubo last updated its privacy policy, to receive part of a $3.4 million settlement. The settlement agreement received preliminary approval on May 29, and users recently started receiving notice of their potential entitlement to some of the settlement. They have until September 12 to submit claims. Fubo said in a statement: "We deny the allegations in the putative class lawsuit and specifically deny that we have engaged in any wrongdoing whatsoever. Fubo has nonetheless chosen to pursue a settlement for this matter in order to avoid the uncertainty and expense of litigation. We look forward to putting this matter behind us."
The Courts

Samsung and Epic Games Call a Truce In App Store Lawsuit (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Epic Games, buoyed by the massive success of Fortnite, has spent the last few years throwing elbows in the mobile industry to get its app store on more phones. It scored an antitrust win against Google in late 2023, and the following year it went after Samsung for deploying "Auto Blocker" on its Android phones, which would make it harder for users to install the Epic Games Store. Now, the parties have settled the case just days before Samsung will unveil its latest phones.

The Epic Store drama began several years ago when the company defied Google and Apple rules about accepting outside payments in the mega-popular Fortnite. Both stores pulled the app, and Epic sued. Apple emerged victorious, with Fortnite only returning to the iPhone recently. Google, however, lost the case after Epic showed it worked behind the scenes to stymie the development of app stores like Epic's. Google is still working to avoid penalties in that long-running case, but Epic thought it smelled a conspiracy last year. It filed a similar lawsuit against Samsung, accusing it of implementing a feature to block third-party app stores. The issue comes down to the addition of a feature to Samsung phones called Auto Blocker, which is similar to Google's new Advanced Protection in Android 16. It protects against attacks over USB, disables link previews, and scans apps more often for malicious activity. Most importantly, it blocks app sideloading. Without sideloading, there's no way to install the Epic Games Store or any of the content inside it.

Auto Blocker is enabled by default on Samsung phones, but users can opt out during setup. Epic claimed in its suit that the sudden inclusion of this feature was a sign that Google was working with Samsung to stand in the way of alternative app stores again. Epic has apparently gotten what it wanted from Samsung -- CEO Tim Sweeney has announced that Epic is dropping the case in light of a new settlement.
Sweeney said Samsung "will address Epic's concerns," without elaborating on the details. Samsung may stop making Auto Blocker the default or create a whitelist of apps, like the Epic Games Store, that can bypass Auto Blocker. Another possibility is that Epic and select third-party stores are granted special access while Auto Blocker remains on for others, balancing security and openness.

A "more interesting outcome," according to Ars, would be for Samsung to pre-install the Epic Games Store on its new phones.
Government

Drones Used by California Cities to Patrol for Illegal Fireworks and Issue Fines (sfgate.com)

"California residents who lit illegal fireworks over the July 4 holiday may be in for a nasty surprise in the mail thanks to covert fire department operations," reports SFGate.

"A number of California cities, including Sacramento, have begun using drones to locate people shooting off illegal fireworks." From Wednesday to Saturday night, the Sacramento Fire Department's special fireworks task force patrolled the streets with unmarked cars and drones, focusing on neighborhoods where they've had prior complaints. Task force officers and the drones took photos of the illegal activity, and within 30 days the property owner where the fireworks were used could receive a fine in the mail...

This year, Sacramento upped the fine to $1,000 for the first firework, $2,500 for the second and $5,000 per firework after that. If you lit a firework on city property, such as a park or a school, the fine goes up to $10,000 each. There's no limit to how many fines you can be issued... This year, a number of cities across the state announced they would be using drones to find scofflaws, among them Indio, Riverside, Hemet, Brea and towns in Tulare County...

Fox40 reported on Saturday that around 60 citations were being prepared in Sacramento, with more likely on the way as fire officials review surveillance footage.

Last year for illegal fireworks, one Sacramento-area resident received a $100,000 fine.
AI

Police Department Apologizes for Sharing AI-Doctored Evidence Photo on Social Media (boston.com)

A Maine police department has now acknowledged "it inadvertently shared an AI-altered photo of drug evidence on social media," reports Boston.com: The image from the Westbrook Police Department showed a collection of drug paraphernalia purportedly seized during a recent drug bust on Brackett Street, including a scale and white powder in plastic bags. According to Westbrook police, an officer involved in the arrests snapped the evidence photo and used a photo editing app to insert the department's patch. "The patch was added, and the photograph with the patch was sent to one of our Facebook administrators, who posted it," the department explained in a post. "Unbeknownst to anyone, when the app added the patch, it altered the packaging and some of the other attributes on the photograph. None of us caught it or realized it."

It wasn't long before the edited image's gibberish text and hazy edges drew criticism from social media users. According to the Portland Press Herald, Westbrook police initially denied AI had been used to generate the photo before eventually confirming its use of the AI chatbot ChatGPT. The department issued a public apology Tuesday, sharing a side-by-side comparison of the original and edited images.

"It was never our intent to alter the image of the evidence," the department's post read. "We never realized that using a photoshop app to add our logo would alter a photograph so substantially."

Censorship

Will FaceTime In IOS 26 Freeze Your Call If Someone Starts Undressing? (9to5mac.com)

Long-time Slashdot reader AmiMoJo shared this report from the Apple news blog 9to5Mac: iOS 26 is a packed update for iPhone users thanks to the new Liquid Glass design and major updates for Messages, Wallet, CarPlay, and more. But another new feature was just discovered in the iOS 26 beta: FaceTime will now freeze your call's video and audio if someone starts undressing.

When Apple unveiled iOS 26 last month, it mentioned a variety of new family tools... "Communication Safety expands to intervene when nudity is detected in FaceTime video calls, and to blur out nudity in Shared Albums in Photos." However, at least in the iOS 26 beta, it seems that a similar feature may be in place for all users — adults included.

That's the claim of an X.com user named iDeviceHelp, who says FaceTime in iOS 26 swaps in a warning message that says "Audio and video are paused because you may be showing something sensitive," giving users a choice of ending the call or resuming it.

9to5Mac says "It's unclear whether this is an intended behavior, or just a bug in the beta that's applying the feature to adults... [E]verything happens on-device so Apple has no idea about the contents of your call."
The Internet

Websites Hosting Major US Climate Reports Taken Down (apnews.com)

An anonymous reader quotes a report from the Associated Press: Websites that displayed legally mandated U.S. national climate assessments seem to have disappeared, making it harder for state and local governments and the public to learn what to expect in their backyards from a warming world. Scientists said the peer-reviewed authoritative reports save money and lives. Websites for the national assessments and the U.S. Global Change Research Program were down Monday and Tuesday with no links, notes or referrals elsewhere. The White House, which was responsible for the assessments, said the information will be housed within NASA to comply with the law, but gave no further details. Searches for the assessments on NASA websites did not turn them up.

"It's critical for decision makers across the country to know what the science in the National Climate Assessment is. That is the most reliable and well-reviewed source of information about climate that exists for the United States," said University of Arizona climate scientist Kathy Jacobs, who coordinated the 2014 version of the report. "It's a sad day for the United States if it is true that the National Climate Assessment is no longer available," Jacobs said. "This is evidence of serious tampering with the facts and with people's access to information, and it actually may increase the risk of people being harmed by climate-related impacts."

"This is a government resource paid for by the taxpayer to provide the information that really is the primary source of information for any city, state or federal agency who's trying to prepare for the impacts of a changing climate," said Texas Tech climate scientist Katharine Hayhoe, who has been a volunteer author for several editions of the report. Copies of past reports are still squirreled away in NOAA's library. NASA's open science data repository includes dead links to the assessment site. [...] Additionally, NOAA's main climate.gov website was recently forwarded to a different NOAA website. Social media and blogs at NOAA and NASA about climate impacts for the general public were cut or eliminated. "It's part of a horrifying big picture," [said Harvard climate scientist John Holdren, who was President Obama's science advisor and whose office directed the assessments]. "It's just an appalling whole demolition of science infrastructure."
National climate assessments are more detailed and locally relevant than UN reports and undergo rigorous peer review and validation by scientific and federal institutions, Hayhoe and Jacobs said. Suppressing these reports would be censoring science, Jacobs said.