HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems.
Of the 10 security defects, four are rated critical in severity -

CVE-2024-26304 (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via

Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

The startup says its SaaS platform helps organizations detect and recover from ransomware attacks faster than "traditional" methods.

Source: Ihor Sveitukha via Alamy Stock Photo

The number of ransomware and associated extortion attacks is growing, with reports nearly every day about damage inflicted on organizations. These attacks disrupt business operations and result in significant downtime. In some cases, data is stolen. Educational institutions, retail and healthcare entities, and critical infrastructure organizations have all been targeted over the past few months.

Mimic, which came out of stealth today, is a ransomware defense company that offers a way for organizations to detect, deflect, and recover from ransomware attacks. The company says its software-as-a-service platform is capable of restoring an organization's environment and data back to an uninfected state within 24 hours without needing to pay a ransom.

Details about the technology are sparse, but the company has the support of several well-known names, including Ted Schlein, general partner at Ballistic Ventures, who joined the board of directors; and Marie Mouchet, former CIO of Colonial Pipeline, who joined the advisory board.

Mimic's platform works "in concert" with a customer's existing security controls, said Mimic CEO Derek Smith in a statement. Smith was formerly CEO of Shape Security, a Web and mobile application security company that was acquired by F5 in 2019 for $1 billion. 

As part of the launch, Mimic raised $27 million in seed funding from Ballistic Ventures, Menlo Ventures, Team8, Wing Venture Capital, and Shield Capital. The company said Apex Group, a financial services provider, is currently using the platform.

**About the Author(s)**

Mimic Launches With New Ransomware Defense Platform

Microsoft has uncovered a common vulnerability pattern in several apps allowing code execution; at least four of the apps have more than 500 million installations each; and one, Xiaomi's File Manager, has at least 1 billion installations.

Source: rafapress via Shutterstock

Researchers from Microsoft recently discovered many Android applications — including at least four with more than 500 million installations each — to be vulnerable to remote-code execution attacks, token theft, and other issues because of a common security weakness.

Microsoft informed Google's Android security research team of the problem and Google has published new guidance for Android app developers on how to recognize and remediate the issue.

**Billions of Installations at Risk of Compromise**

Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office with some 500 million downloads.

Microsoft said vendors of both products have already fixed the issue. But it believes there are more apps out there that are fallible to exploit and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said, in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."

The issue that Microsoft discovered affects Android applications that share files with other applications. To facilitate the sharing in a secure manner, Android implements a so-called "content provider" feature that basically acts as an interface for managing and exposing an app's data to other installed applications on a device, Microsoft said. An app that needs to share its files — or a file provider in Android speak — declares the specific paths that other apps can use to get to the data. File providers also include an identifying feature that other apps can use as an address to find them on a system.

**Blind Trust & Lack of Content Validation**

"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Microsoft said. However, in many cases when an Android app receives a file from another app, it does not validate the content. "Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."

This gives attackers an opening to create a rogue app that can send a file with a malicious filename directly to a receiving app — or file share target — without the user's knowledge or approval, Microsoft said. Typical file share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses the filename to initialize the file and trigger a process that could end with the app getting compromised, Microsoft said.

The potential impact will vary depending on an Android application's implementation specifics. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and cause it to communicate with an attacker-controlled server, or get it to share the user's authentication tokens and other data. In other situations, a malicious application could overwrite malicious code into a receiving app's native library to enable arbitrary code execution. "Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences," Microsoft said.

Both Microsoft and Google have provided tips to developers on how to avoid the issue. End users, meanwhile, can mitigate the risk by ensuring their Android apps are up to date and by only installing apps from trusted sources.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Billions of Android Devices Open to 'Dirty Stream' Attack

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean hackers are taking advantage of weak DMARC configurations to impersonate organizations in phishing attacks against individuals of strategic significance to the Kim Jong Un regime.

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is a security protocol for preventing email-based attacks. Unlike most security solutions, however, which potential victims implement for themselves, DMARC policies are set by email senders. In part for this reason, it can be easily overlooked.

On Thursday, the FBI and National Security Agency released a joint cybersecurity advisory detailing how the APT Kimsuky (aka APT 43, Thallium) is taking advantage. For some time now, it has been masquerading as organizations that have weak or nonexistent DMARC policies in convincing spear phishing emails.

"This is a highly effective new tool in the arsenal of one of the more prolific social engineering threat groups that Mandiant tracks," Gary Freas, Mandiant senior analyst with Google Cloud, said in an email. "Organizations in a variety of industries around the world are at risk of leaving themselves unnecessarily exposed. Proper DMARC configuration, in conjunction with proper management of SPF/DKIM, is low-hanging fruit to deliver high-impact prevention of phishing and spoofing of an organization."

**The Difference DMARC Makes**

Kimsuky's primary objective is to steal valuable intelligence — regarding geopolitical events, other nations' foreign policy strategies, and more — for the Kim regime. To do that, it aims cyberattacks at journalists, think tanks, government organizations, and the like.

To add legitimacy to these attacks, it often impersonates individuals from trusted organizations like these in highly targeted emails. Such emails are extra convincing when Kimsuky gains access to their puppet's legitimate account or domain (often through a separate spear phishing attack) to send emails on their behalf.

A Kimsuky phishing email sent from late 2023 to early 2024. Source: FBI/NSA

This is what DMARC is designed to prevent. It combines two authentication mechanisms: the Sender Policy Framework (SPF), which checks that a sender's IP address is authorized to send emails from their specified domain, and DomainKeys Identified Mail (DKIM), which uses public key cryptography for anti-tampering. Domain owners can set a DMARC record in their domain name system (DNS) settings to determine what happens should an email-en-route fail one of these checks: either block it (p=reject), treat it with suspicion (p=quarantine), or do nothing (p=none).

The FBI-NSA joint advisory suggests organizations favor p=reject or p=quarantine to prevent threat actors like Kimsuky from sending emails from their domains.

"DMARC hygiene is critical," says Jeremy Fuchs, Harmony Email analyst at Check Point. "It's a fantastic way to ensure that when someone gets an email from your company, it’s actually from your company. It can be a big project, though, to ensure p=reject state, especially when you have many domains. This is why reporting, monitoring, and consistent hygiene is key.

"DMARC is not a silver bullet, as hackers have plenty of ways to spoof, but it can be a good starting point."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.

Source: Nick Lylak via Alamy Stock Photo

While legal legwork is already in progress to hold software vendors liable for delivering insecure products, actual laws and penalties are at least a decade away, says one policy expert who'll be speaking at next week's RSA Conference.

Greater accountability for insecure software vendors has the support of the Biden White House. However, licensing and contract protections have shielded companies whose vulnerable products have cost customers millions, according to James Dempsey, senior policy adviser/technology and governance lecturer, Stanford Program on Geopolitics/UC Berkeley Law School.

Dempsey will moderate a detailed discussion of proposed legal frameworks for software liability at this year's RSA, giving vendors a glimpse at the liability landscape. He'll be joined by Nick Leiserson, assistant national cyber director, cyber policy and programs, Office of the National Cyber Director; Bruce Schneier, security technologist, researcher, and lecturer, Harvard Kennedy School; and Chinmayi Sharma, associate professor, Fordham Law School.

"Right now, almost all software developers have language in their licenses or other contracts or terms of service in which they disavow any liability for any flaws in their products," Dempsey explains.

He uses the example of the Microsoft license on his own laptop to illustrate.

"For example, the Microsoft license for the operating system on my laptop says: 'You may not under this limited warranty, under any other part of this agreement, or under any theory, recover any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages,'" Dempsey tells Dark Reading. "The damage exclusions and remedy limitations in this agreement apply even if Microsoft knew or should have known about the possibility of the damages."

That's how vendors have been evading legal liability for their customer's damages, and in some cases, collecting cyber insurance payouts instead.

Progress Software, whose vulnerable MOVEit file transfer software led to the breach of more than 600 organizations and the compromise of the personal information of more than 40 million people, has so far evaded liability for its customer losses. Instead, Progress filed an 8-K form with the Securities and Exchange Commission that outlined the company's intent to collect on its full $15 million cyber-insurance policy coverage.

While there is a class-action consumer rights litigation against Progress Software for negligence and breach of contract, there are no legal protections for its customers, which in other industries could be enforced under an agreed upon legal "standard of care," according to a recent paper, "Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor," published by Dempsey in Lawfare. The paper outlines Dempsey's theory for the right path toward holding vendors legally liable for the cybersecurity of their products.

Okta is another software vendor that has exposed its customers to cyberattacks — and losses. September cyberattacks against Caesars Entertainment and MGM Resorts used Okta as an initial attack vector. Losses related to the cyberattacks at the hospitality giants racked up hundreds of millions in costs; both in lost earnings, as well as ransomware payouts.

By the end of 2023 Okta confirmed that an unauthorized user was able to gain access to data on 100% of its customers.

**Why Strong Software Developer Liability Protections Also Matter**

Holding developers liable for knowingly producing insecure tools requires carefully considered guidelines for what is a reasonable level of cybersecurity to expect from a software vendor in order to determine egregious outliers, Dempsey explained.

"Because there is general agreement that the manufacturers of software should not be made insurers of their products but rather should be liable only when a product is unreasonably secure, getting software liability right turns a lot on defining a standard of care," Dempsey's Lawfare article read.

This standard would include defects analysis already widely used in products liability law, the article added.

Dempsey also advocates a software developer "safe harbor" for hard-to-detect flaws. "For that, I would turn to a set of robust coding practices," Dempsey wrote.

Dempsey tells Dark Reading the Biden Administration realizes legislation will be necessary to achieve its goal of holding insecure software developers liable, which he adds they also understand is a long shot: "They see this as a 10-year issue."

Dempsey will moderate a detailed discussion of proposed legal framework for software liability on Monday, May 6, during RSA in San Francisco at 8:30 a.m. PT, giving vendors a glimpse at the liability landscape to come.

Software Security: Too Little Vendor Accountability, Experts Say

After a breach in the Dropbox Sign environment, customer information may have been stolen and API users have restricted functionality

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

> “We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

**Recommendations**

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

****Protecting yourself from a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Dropbox Sign customer data accessed in breach 

Two years after a warrant went out for his arrest, Aleksanteri Kivimäki finally has been found guilty of thousands of counts of aggravated attempted blackmail, among other charges.

Source: Taina Sohlman via Alamy Stock Photo

Aleksanteri Kivimäki, a Finnish national, has been sentenced to six years and three months in prison, after stealing thousands of patient records from a psychotherapy clinic and using them to blackmail their owners.

A judge in the district court of Länsi-Uusimaa, Finland, sentenced Kivimäki, 26, on April 30 after finding him guilty of 9,231 counts of aggravated dissemination of information infringing on individuals' private lives, and 20,745 counts of aggravated attempted blackmail. He also was found guilty on 20 counts of aggravated blackmail.

Kivimäki, known online as "Zeekill," breached Psychotherapy Center Vastaamo Oy's IT system in November of 2018. It was after this that sensitive information of the clinic's patients started to be posted online. Kivimäki would demand a ransom of €200 ($213) in order not to leak targets' data, upping the payment to €500 ($534) if the ransom wasn't paid in 24 hours. 

Kivimäki ultimately caused such a ruckus that Finland's crime figures reportedly rose drastically, to more than double the average rate.

A warrant for Kivimäki went out in October of 2022, and he was arrested last year in France. 

In his trial, the court found he was the partial owner of a data center that housed the server used to commit the crimes he was charged with. The encryption key and IP address he used were also discovered.

The district court stated: "Kivimäki's guilt was also supported by the fact that he had published messages related to the data breach and extortion on the forum Ylilauda under his pseudonym in a purposeful and fixed temporal connection with the extortion actions."

**About the Author(s)**

Hacker Sentenced After Years of Extorting Psychotherapy Patients

pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account’s MFA enrollment status.


**pgAdmin is affected by a multi-factor authentication bypass vulnerability**

High severity GitHub Reviewed Published May 2, 2024 to the GitHub Advisory Database • Updated May 3, 2024

GHSA-2mvc-557g-5638: pgAdmin is affected by a multi-factor authentication bypass vulnerability

Threat actor dropped in to Dropbox Sign production environment and accessed emails, passwords, and other PII, along with APIs, OAuth, and MFA info.

Source: Lina Images via Shutterstock

Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services.

The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.

Specifically, the actor gained access to a Dropbox Sign automated system configuration tool, compromising a service account used to execute apps and run automated services as part of Sign's back end.

"As such, this account had privileges to take a variety of actions within Sign's production environment," the Dropbox Sign team wrote in the blog post. "The threat actor then used this access to the production environment to access our customer database."

**Customer Credentials Exposed**

Data exposed in the breach includes Dropbox Sign customer information such as emails, usernames, phone numbers, and hashed passwords. Moreover, anyone who received or signed a document through Dropbox Sign but never created an account had their email addresses and names exposed in the breach.

The threat actor also accessed data from the service itself, such as Dropbox Sign's API keys, OAuth tokens, and multifactor authentication (MFA) details, according to the post. This is all data used by third-party partners to connect to the service and offer seamless integration from their respective online services, with OAuth in particular being weaponized by threat actors for cross-platform compromise. Thus, users of other services could indirectly be affected by the breach.

Dropbox found no evidence that threat actors accessed any of the contents of customer accounts, such as documents or agreements signed through the service, nor any customer payment information. Moreover, as Dropbox Sign's infrastructure is largely separate from other Dropbox services, the company found that none of its other entities were affected by the breach.

As soon as Dropbox discovered the breach, the company brought on forensic investigators to get to the bottom of it; that investigation is ongoing. Dropbox also is in the process of reaching out to all users impacted by the incident and will provide step-by-step instructions on how to further protect their data.

**Mitigation Steps**

As an initial mitigation of the effects of the breach, Dropbox's security team reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens for the service. From a user perspective, all Dropbox Sign users will be asked to reset their passwords the next time they log into the service, the company said.

API customers will need to rotate their API keys by generating a new one; instructions for doing this are online. That key will then have to be configured with their individual application, along with deleting the current API key to protect their accounts, according to Dropbox.

"As an additional precaution, we'll be restricting certain functionality of API keys while we coordinate rotation," according to the post. As a result, only signature requests and signing capabilities will continue to be operational until the API key is rotated; only then will the restrictions be removed and the product continue to function as normal.

For customers who use an authenticator app along with Dropbox Sign for MFA, they should reset it by first deleting their existing entry and only then proceed with the reset, the company said. Those who use SMS for MFA don't need to take action.

Further, if someone reused their Dropbox Sign password on any other services, Dropbox recommends that password be changed and MFA be used whenever available.

Dropbox will continue an "extensive review" of the incident to understand exactly what happened, and to protect its customers against similar threats in the future, the company said, adding its willingness to help any customer who was impacted by the breach.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Dropbox Breach Exposes Customer Credentials, Authentication Data

Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Police and federal agencies are responding to a massive breach of personal data linked to a facial recognition scheme that was implemented in bars and clubs across Australia. The incident highlights emerging privacy concerns as AI-powered facial recognition becomes more widely used everywhere from shopping malls to sporting events.

The affected company is Australia-based Outabox, which also has offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox debuted a facial recognition kiosk that scans visitors and checks their temperature. The kiosks can also be used to identify problem gamblers who enrolled in a self-exclusion initiative. This week, a website called “Have I Been Outaboxed” emerged, claiming to be set up by former Outabox developers in the Philippines. The website asks visitors to enter their name to check whether their information had been included in a database of Outabox data, which the site alleges had lax internal controls and was shared in an unsecured spreadsheet. It claims to have more than 1 million records.

The incident has rankled privacy experts who have long set off alarm bells over the creep of facial recognition systems in public spaces such as clubs and casinos.

“Sadly, this is a horrible example of what can happen as a result of implementing privacy-invasive facial recognition systems,” Samantha Floreani, head of policy for Australia-based privacy and security nonprofit Digital Rights Watch, tells WIRED. “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”

According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence \[sic\] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of IGT, a supplier of gambling machines. IGT vice president of global communications Phil O’Shaughnessy tells WIRED that “the data affected by this incident has not been obtained from IGT,” and that the firm would work with Outabox and law enforcement.

The website’s owners posted a photo, signature, and redacted driver license belonging to one of Outabox’s founders, as well as a redacted screenshot of the alleged internal spreadsheet. WIRED was unable to independently verify the identity of the website’s owners or the authenticity of the data they claimed to have. An email sent to an address on the website was not returned.

"Outabox is aware and responding to a cyber incident potentially involving some personal information,” an Outabox spokesperson tells WIRED. “We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The New South Wales police force confirmed to WIRED that it was investigating a data breach on Wednesday, but a spokesperson declined to share further details. On Thursday, the force announced that it, working alongside federal and state agencies, had arrested an unnamed 46-year-old man in a Sydney suburb. He is expected to be charged with blackmail.

Clubs that used Outabox’s technology posted announcements about the incident and notified clients this week. One person who posted a breach notification from a club they visited recounted their experience with the facial recognition system. “My fondest memory of this system is visiting a club and having it confidently match my face to a member that was clearly 20+ years older than me, and looked nothing like me,” they wrote in a post on X. The club did not respond to a request for comment.

The Have I Been Outaboxed website, which is still online at the time of writing, alleges that Outabox stopped paying its developers in the Philippines. AI companies frequently employ low-cost overseas labor, including in the Philippines, to power their systems. The website encourages anybody whose data is included in the breach to contact venues and ask that they remove Outabox’s system. The site, which was set up last week according to online records, lists 19 venues. WIRED searched the database for prominent Australians including politicians, and it returned redacted results listing their name and the venues they allegedly attended.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff,” the Outabox spokesperson says. “We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.” Outabox declined to specify which statements are false, citing the police investigation.

It’s unclear how much of the story told on the website is true, or whether the perpetrators even have the claimed biometric data. Australian cybersecurity expert Troy Hunt, founder of the breach notification website Have I Been Pwned, tells WIRED that there is little reason to doubt it at this time.

“I haven’t seen any reason not to take this at face value, which means they have exactly what they say they have,” he says. In posts on X, Hunt speculated that the website’s posting may have been preceded by demands that were not met, and that the perpetrators’ actions now “clearly land” in the realm of criminality.

“Offshoring is a messy discussion between the legalities of data sovereignty, perceived shortcomings of foreign labor, and frankly, a big dose of xenophobia,” Hunt says. “It’s not like Aussie developers doing exactly the same thing would have made this OK.”

Floreani of Digital Rights Watch says that the incident illustrates the “significant negative consequences” that can arise from collecting sensitive biometric data. “We need bold privacy reform and strict limitations on facial recognition technology,” she says. “As always, surveillance isn’t safety.”

Tag

#auth