Microsoft, CISA warn of critical on-prem exchange flaw

Metacurity really needs your help

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a “high-severity vulnerability” alert about a flaw affecting on-premises versions of Microsoft Exchange that coincided with a talk delivered at the Black Hat cybersecurity conference by the security researcher who discovered and presented it in detail.

The vulnerability allows hackers to deploy a series of techniques that enable compromise of on-premises versions of Active Directory. This Microsoft tool suite centralizes the management of users, computers, and other resources across an organization’s network.

The flaw also exposes Entra ID, Microsoft’s cloud-based identity and access management service that helps identify and authenticate network users, according to a detailed blog issued by the company.

Parts of the federal enterprise are susceptible to the vulnerability, and CISA plans to issue an emergency patching directive to the federal enterprise on Thursday, according to one source.

The vulnerability affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one.

While Microsoft has yet to observe in-the-wild exploitation, the company has tagged it as "Exploitation More Likely" because its analysis revealed that exploit code could be developed to exploit this vulnerability, increasing its attractiveness to attackers consistently.

CISA advised network defenders who want to secure their Exchange hybrid deployments against potential attacks targeting the CVE-2025-53786 flaw by installing Microsoft's April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and following Microsoft's configuration instructions.

For organizations using Exchange hybrid (or have previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode for guidance on resetting the service principal's key credentials.

CISA warned that failing to mitigate this vulnerability could lead "to a hybrid cloud and on-premises total domain compromise" and urged admins to disconnect public-facing servers running end-of-life (EOL) or end-of-service versions of Exchange Server or SharePoint Server from the internet.

At Black Hat, Outsider Security researcher Dirk-Jan Mollema presented a long-form demo exploiting the flaw, where he said he was able to modify user passwords, convert cloud users to hybrid users, and impersonate hybrid users.

Through the exploit, hackers could also modify executive permissions, known as service principals, where they could escalate network access privileges or establish persistent access between on-premises Exchange and Microsoft 365 by tampering with the identities and permissions set up on a network.

“These tokens, they’re basically valid for 24 hours. You cannot revoke them. So if somebody has this token, there’s absolutely nothing you can do from a defensive point of view,” Mollema said.

He was referring to special access tokens used when Exchange servers talk to Microsoft 365, which can’t be canceled once stolen — giving attackers up to 24 hours of unchecked access. That access, combined with special top-level permissions, could let hackers steal email data or move deeper into an organization’s cloud environment undetected. (David DiMolfetta / NextGov/FCW and Sergiu Gatlan / Bleeping Computer)

Related: CISA, CISA, Microsoft, GBHackers, Black Hat

Three Israeli researchers discovered that an indirect prompt injection in a Google invitation is all that is needed to exploit Gemini for Workspace's agentic architecture to trigger a host of bad outcomes.

The researchers, Ben Nassi, a researcher at Tel Aviv University, Stav Cohen, from the Technion Israel Institute of Technology, and Or Yair, a researcher at security firm SafeBreach, focused on new security risks, notably known as Promptware.

The three smart-home hacks are part of a series of 14 indirect prompt-injection attacks against Gemini across web and mobile that the researchers dubbed Invitation Is All You Need.

In demonstrations at Black Hat this week, the researchers are showing how Gemini can be made to send spam links, generate vulgar content, open up the Zoom app and start a call, steal email and meeting details from a web browser, and download a file from a smartphone’s web browser.

Google’s Andy Wen, a senior director of security product management for Google Workspace, says that while malicious hackers did not exploit the vulnerabilities, the company is taking them “extremely seriously” and has introduced multiple fixes. The researchers reported their findings to Google in February and met with the teams who worked on the flaws over recent months.

The research has, Wen says, directly “accelerated” Google’s rollout of more defenses against AI prompt-injection attacks, including using machine learning to detect potential attacks and suspicious prompts and requiring greater user confirmation when actions are going to be taken by AI. “Sometimes there’s just certain things that should not be fully automated, that users should be in the loop,” Wen says. (Matt Burgess / Wired)

Related:  Invitation Is All You Need, Invitation is All You Need, Ars Technica, PhoneArena, Android Authority, BGR, r/technews, r/artificial, Digit, Engadget

New findings from security researchers Michael Bargury and Tamir Ishay Sharbat, revealed at the Black Hat conference, show how a weakness in OpenAI’s Connectors allowed sensitive information to be extracted from a Google Drive account using an indirect prompt injection attack.

In a demonstration of the attack, dubbed AgentFlayer, Bargury shows how it was possible to extract developer secrets, in the form of API keys, that were stored in a demonstration Drive account.

The vulnerability highlights how connecting AI models to external systems and sharing more data across them increases the potential attack surface for malicious hackers and potentially multiplies the ways in which vulnerabilities may be introduced.

Bargury says he reported the findings to OpenAI earlier this year and that the company quickly introduced mitigations to prevent the technique he used to extract data via Connectors. The way the attack works means only a limited amount of data could be extracted at once—full documents could not be removed as part of the attack. (Matt Burgess / Wired)

Related: Zenity on YouTube, Zenity Labs, Embrace The Red, Security Week

Sources say two components of the US Judiciary's electronic case filing system were breached in a sweeping cyber intrusion that is believed to have exposed sensitive court data across multiple US states.

The two affected components are the Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents, and PACER, a system that gives the public limited access to the same data.

The hack is feared to have compromised the identities of confidential informants involved in criminal cases at multiple federal district courts, said the two people, both of whom were granted anonymity because they were not authorized to speak publicly about the hack.

According to one source, the Administrative Office of the US Courts, which manages the federal court filing system, first determined how serious the issue was around July 4.

But the office, along with the Justice Department and individual district courts around the country, is still trying to determine the full extent of the incident.

It is not immediately clear who is behind the hack, though nation-state-affiliated actors are widely suspected, the people said. Criminal organizations may also have been involved, sources said. (John Sakellariadis and Josh Gerstein / Politico)

Related: Reuters, WION

Ron Deibert, the director of Citizen Lab, ahead of his Black Hat conference keynote said that he plans to speak about what he describes as a “descent into a kind of fusion of tech and fascism,” and the role that the Big Tech platforms are playing, and “propelling forward a really frightening type of collective insecurity that isn’t typically addressed by this crowd, this community, as a cybersecurity problem.”

Deibert described the recent political events in the United States as a “dramatic descent into authoritarianism,” but one that the cybersecurity community can help defend against.

“I think alarm bells need to be rung for this community that, at the very least, they should be aware of what’s going on and hopefully they can not contribute to it, if not help reverse it,” Deibert said.

Historically, at least in the United States, the cybersecurity industry has put politics — to a certain extent — to the side. More recently, however, politics has fully entered the world of cybersecurity, with Donald Trump's retribution against former CISA director Chris Krebs for proclaiming the 2020 election as secure and malice toward Jen Easterly at the urging of conspiracist Laura Loomer. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: BlackHat, WebProNews

Fearful of clashing with incoming president Donald Trump, the National Institute of Standards and Technology (NIST) refrained from publishing a report on a first-of-its-kind exercise in AI “red teaming,” or stress-testing a cutting-edge language model and other artificial intelligence systems, which identified 139 novel ways to get the systems to misbehave including by generating misinformation or leaking personal data.

Moreover, the teams participating in the event, which was held last October, discovered shortcomings in a new US government standard designed to help companies test AI systems.

The red-teaming event was organized through NIST’s Assessing Risks and Impacts of AI (ARIA) program in collaboration with Humane Intelligence, a company that specializes in testing AI systems, and saw teams attack tools. The event took place at the Conference on Applied Machine Learning in Information Security (CAMLIS).

Before taking office, Trump signaled that he planned to reverse Biden’s Executive Order on AI. Trump’s administration has since steered experts away from studying issues such as algorithmic bias or fairness in AI systems.

Ironically, though, Trump’s AI Action plan also calls for precisely the kind of exercise that the unpublished report covered. It calls for numerous agencies, along with NIST, to “coordinate an AI hackathon initiative to solicit the best and brightest from US academia to test AI systems for transparency, effectiveness, use control, and security vulnerabilities. (Will Knight / Wired)

Related: Federal News Network

Air France and KLM announced that attackers breached a customer service platform and stole the data of an undisclosed number of customers.

Together with Transavia, Air France and KLM are part of Air France–KLM Group, a French-Dutch multinational airline holding company founded in 2004 and a major player in international air transport. With a fleet of 564 aircraft and 78,000 employees, Air France-KLM provides services to up to 300 destinations in 90 countries.

The two airlines stated that they've cut off the attackers' access to the compromised systems after discovering the breach and added that their networks were not affected by the attack.

"Air France and KLM have detected unusual activity on an external platform we use for customer service. This activity resulted in unauthorized access to customer data," they said. "Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access. Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected."

These attacks follow other aviation breaches linked to the Scattered Spider hacker collective, which has shifted its focus to aviation and transportation firms, breaching WestJet and Hawaiian Airlines after previously targeting the insurance and retail sectors. (Sergiu Gatlan / Bleeping Computer)

Related: KLM, NL Times, Hack Read, Bleeping Computer, Aviation A2Z, Anadolu Ajansı, Techzine, The Flight Club, KP Law, AML Intelligence

Researchers at Hudson Rock report that, using infostealers, hackers have stolen login credentials from thousands of people working with the UK’s National Health Service, putting the organization at risk of further cyberattacks, according to researchers.

About 2,000 computers used by people working with the National Health Service, or NHS, which runs hospitals and clinics across the country, have been compromised by infostealers.

Many of the stolen credentials are for accounts that have been registered with an NHS.net email address, meaning they belong to an NHS employee or affiliate, such as a pharmacist or an IT consultant, according to Hudson Rock. The credentials were stolen between 2020 and 2025 and include passwords for internal NHS email systems and other platforms such as Zoom, Zendesk, Salesforce, and NHS.uk, according to the analysis. (Ryan Gallagher / Bloomberg)

Researchers at Cyata unearthed nine zero-day security vulnerabilities in HashiCorp Vault and five in CyberArk Conjur, password vaults used by thousands of companies.

At the BlackHat conference, Shahar Tal, CEO and co-founder of Cyatal, and his colleague revealed 14 previously unknown vulnerabilities in two leading secret managers: HashiCorp Vault and CyberArk Conjur.

Some of these issues were lying in wait for years. They enabled authentication bypass, root access, remote code execution (RCE), and ultimately total compromise of all of a company's most valuable secrets.

HashiCorp said that it has patched all nine vulnerabilities, and that "every issue was triaged, validated, and resolved with coordinated patch releases for the Community, HCP, and Enterprise versions of Vault. Anyone running a version of Vault with an identified vulnerability should upgrade to the latest version of Vault, where those issues are resolved."

CyberArk confirmed the details of its fixes, writing in a statement that "we added validations and restrictions to ensure that IAM authentication requests only go to the expected servers and only include the necessary headers, added validation on our API endpoints to restrict what kinds of resources can be used with each API call, and removed the use of ERB templates entirely." (Nate Nelson / Dark Reading)

Related: Cyata, Cyata, Cyata, Security Week, CSO Online

Researchers from SecAlliance report that Chinese smishing syndicates may have compromised up to 115 million payment cards in the US between July 2023 and October 2024, resulting in billions of dollars of financial loss.

They highlighted the sophisticated nature of these campaigns, which involved the strategic exploitation of digital wallet tokenization, notably Apple Pay and Google Wallet, to circumvent traditional fraud detection mechanisms.

“These operations represent a paradigm shift in payment card fraud, combining advanced SMS, RCS, and iMessage-based social engineering with sophisticated phishing infrastructure and real-time multi-factor authentication (MFA) bypass techniques,” the researchers noted.

The investigation, which spanned nearly two years, observed that the campaigns are orchestrated by Chinese cybercriminal syndicates, which have systematically targeted victims worldwide since early 2023.

Between 12.7 million and 115 million payment cards have been compromised in these campaigns in the US, based on research from independent security researchers and SecAlliance’s analysis of domain activity patterns. (James Coker / Infosecurity Magazine)

Related: SecAlliance, SecAlliance, Hack Read

The Venice Film Festival confirmed it was the victim of a cyberattack that compromised the personal data of accredited participants for this year’s event, including members of the press.

In a notification sent to those affected, including journalists at The Hollywood Reporter, festival organizers said the attack occurred on July 7 when unknown individuals accessed and copied documents stored on the Venice festival servers, exposing data such as names, email addresses, phone numbers, mailing addresses, and, for attendees who can claim back VAT on their accreditation fees, tax codes.

Venice said its IT team “intervened promptly, isolating the affected systems and securing them. The competent authorities were immediately informed, and restoration operations were initiated.”

Those concerned about the safety of their data or wanting further information are requested to contact the festival’s data protection officer at: privacy@labiennale.org. (Scott Roxborough / The Hollywood Reporter)

Related: r/TheBigPicture

The UK's National Cyber Security Centre (NCSC) warned that the threat posed by hackers to critical infrastructure in Britain is increasing, leaving a “widening gap” between the potential for harm and the collective ability to defend against it.

The NCSC again stressed that Britain was underestimating the severity of the risk from cyberattacks and provided updated guidance to infrastructure operators to protect themselves.

Despite these repeated warnings, there are continuing delays from both the government and the private sector in taking action to drive forward even basic levels of security. As the agency’s chief complained earlier this year, many organizations still fail to follow the NCSC’s cybersecurity guidance and advice.

The government itself is now several years late in introducing cybersecurity legislation intended to improve resilience across critical national infrastructure sectors, despite the NCSC’s calls for a strategic policy agenda to tackle shortcomings.

The agency published an updated version of its Cyber Assessment Framework — a collection of guidance intended to help “essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government.”

The update calls on organizations to keep pace with the evolving attack methods being deployed by threat actors to protect themselves, and to be prepared to respond and continue to operate if an attack does get through. (Alexander Martin / The Record)

Related: NCSC, SC Magazine UK, Digit, Identity Week, UK Authority

Ukrainian cybersecurity authorities warned that hackers tracked as Constella Intelligence finds that Anton Gannadievich Medvedovskiy is living in Kiev, who will be 38 years old in December. have been sending fake summons emails purportedly from Ukrainian courts to target the country’s government, military, and defense sector in a new cyberespionage campaign.

The group has been active in the country since at least 2022 and has gained unauthorized remote access to dozens of local computers.

In the latest operation, the hackers sent phishing emails disguised as court summonses. These messages included links to legitimate file-sharing platforms that delivered archive files bundled with malware.

The primary malware used in the campaign, dubbed Matchboil, collects system data and deploys additional malicious tools — including Matchwok, a backdoor that enables remote command execution, and Dragstare, a stealer that extracts browser data such as passwords, cookies, and desktop files. (Daryna Antoniuk / The Record)

Related: CERT.Gov.uk, Security Affairs, WebProNews

According to newly published procurement documents, Immigration and Customs Enforcement (ICE) is looking to buy iris scanning technology that its manufacturer says can identify known persons “in seconds from virtually anywhere.

Originally designed to be used by sheriff departments to identify inmates or other known persons, ICE is now likely buying the technology specifically for its Enforcement and Removal Operations (ERO) section, which focuses on deportations.

“This one-of-a-kind system allows sheriffs and other law enforcement agencies to authenticate the identity of the person in their custody quickly and provides record information from other jurisdictions across the country once the offender is registered in the system,” a brochure for one of the technology products, called the Mobile Offender Recognition & Identification System, or MORIS, reads.

The procurement documents say ICE is also seeking to buy access to the Inmate Recognition & Identification System, or I.R.I.S., and marketing material available online says the two work in tandem with one another. I.R.I.S. claims to be the “only national, web-based iris biometric network” in that material.

Both products are made by BI2 Technologies, a company based in Massachusetts.

ICE posted an announcement saying it intended to award a sole-source purchase order to BI2 for licenses to both I.R.I.S. and MORIS. According to BI2 marketing material, MORIS is available on Apple and Android devices. That material says it can identify an offender already enrolled in a national database. (Joseph Cox / 404 Media)

Related: Mobile ID World, r/Ice_Raids

Roman Storm, a co-founder of cryptomixer Tornado Cash, was convicted of conspiring to run an unlicensed money-transfer operation, while avoiding more serious charges that could have subjected him to decades in prison, in a closely watched case with sweeping implications for open-source development and blockchain privacy.

The outcome was a partial victory for federal prosecutors who had alleged that Storm helped cybercriminals — including a group linked to the North Korean government — launder stolen crypto through Tornado Cash, which they described as a “giant washing machine” for illicit funds.

The jury, after three days of deliberations, couldn’t reach a verdict on the two most serious counts against Storm, including conspiracy to launder money and conspiracy to violate sanctions. (Chris Dolmetsch and Anika Arora Seth / Bloomberg)

Related: DL News, CoinDesk, Blockworks, The Block, Business Insider, Cointelegraph, Reuters, CryptoSlate, Bitcoinist.com, The Defiant, Slashdot, Wall Street Journal

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members, sparking a search for the identity of the unnamed admin.

However,  the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” 

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party, arbitrating disputes between criminals, and guaranteeing the security of transactions on XSS.

A host of digital breadcrumbs leads to the conclusion that Toha is a Ukrainian named Anton Gannadievich Medvedovskiy. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds that Anton Gannadievich Medvedovskiy is living in Kiev, who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred images released by the Ukrainian police. (Brian Krebs / Krebs on Security)

According to a public records request, hundreds of AI-powered automated license plate reading cameras, paid for by Lowe’s and Home Depot and stationed in the hardware stores’ parking lots, are being fed into a massive surveillance system that law enforcement can access.

The records, obtained from the Johnson County, Texas Sheriff’s Office by the Electronic Frontier Foundation (EFF), show the sheriff’s office can tap into Flock license plate reading cameras at 173 different Lowe’s locations around the US and that it can tap into cameras and gunshot-detecting microphones at dozens of Home Depot stores within Texas.

The records are the latest to shed light on how expansive Flock’s surveillance network has become, and highlight that it includes cameras that are operated by both police and private businesses. (Jason Koebler / 404 Media)

Researchers at Guidepoint Security report that Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender in attacks from security tools and EDRs running on target machines.

The abused driver is 'rwdrv.sys' (used by ThrottleStop), which the threat actors register as a service to gain kernel-level access.

This driver is likely used to load a second driver, 'hlpdrv.sys,' a malicious tool that manipulates Windows Defender to turn off its protections.

This is a 'Bring Your Own Vulnerable Driver' (BYOVD) attack, where threat actors use legitimate signed drivers that have known vulnerabilities or weaknesses that can be abused to achieve privilege escalation. This driver is then used to load a malicious tool that disables Microsoft Defender.

"The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware," explain the researchers.

Akira ransomware was recently linked to attacks on SonicWall VPNs using what is believed to be an unknown flaw.

Guidepoint Security says it could neither confirm nor debunk the exploitation of a zero-day vulnerability in SonicWall VPNs by Akira ransomware operators. (Bill Toulas / Bleeping Computer)

Related: Guidepoint Security, Hack Read

Check Point researchers uncovered a remote code execution bug in the popular vibe-coding AI tool Cursor that could allow an attacker to poison developer environments by secretly modifying a previously approved Model Context Protocol (MCP) configuration, silently swapping it for a malicious command without any user prompt.

Cursor released an update (version 1.3) on July 29 that fixes the issue and requires user approval every time an MCP Server entry is modified. So if you use the AI-powered code editor, update to run the latest version and ensure you're not giving miscreants complete access to your machine every time you open Cursor.

While Cursor addressed the flaw, Check Point thinks the vulnerability highlights a significant AI supply chain risk.

"The flaw exposes a critical weakness in the trust model behind AI-assisted development environments, raising the stakes for teams integrating LLMs and automation into their workflows," CheckPoint said. (Jessica Lyons / The Register)

Related: Check Point, GitHub, BankInfoSecurity

OT security firm Claroty and its research branch, Team82, shared findings at Black Hat showing that thousands of organizations could be vulnerable to attack after researchers discovered four critical vulnerabilities in the products of Axis Communications, a leading manufacturer of CCTV cameras and surveillance equipment.

Successful exploitation of these vulnerabilities could allow an attacker to infiltrate an internal network and execute code remotely on either the server or client systems.

Additionally, Team82 highlighted that an attacker positioned as a MitM could exploit a pass-the-request flaw in the protocol, potentially decrypting traffic and achieving remote code execution.

Upon discovery, Team82 quickly notified Axis Communications, which publicly reported them – the manufacturer is a certified Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA),

Despite public disclosure, the CVE entries still currently appear under the ‘Reserved’ status on the website of the CVE program, suggesting that more information will be made available after the Team82 session at Black Hat, which is to be held on August 6.

On the US National Vulnerability Database (NVD) website, the four vulnerabilities are registered under the status ‘Awaiting Analysis,’ which typically means that the NVD team has not yet added any enriched data around these flaws.

Despite no known records of exploitation, the Team82 researchers discovered more than 6,500 servers exposing this protocol and its services to the internet, more than half of those (almost 4,000) in the US. (Kevin Poireault / Infosecurity Magazine)

Related: Claroty

The FBI and a state cyber-crimes task force are investigating a data breach at Box Elder County government offices in Utah that seems to have rendered some computers unusable.

“We’re working to investigate the situation fully in an attempt to ensure that no information has been compromised,“ the county said in a statement. “Box Elder County immediately undertook extensive remediation action and launched an investigation to confirm the full nature and scope of the activity.” (Brian Mullahy / KUTV)

Related: KMYU

Acting Federal Chief Information Security Officer Mike Duffy told Black Hat conference attendees that federal CISOs need to get together to work on cybersecurity solutions and then communicate them to the rest of the ecosystem.

Duffy spoke alongside Robert Costello, the chief information officer at the Cybersecurity and Infrastructure Security Agency, as well as Rob Knake, the former acting principal deputy national cyber director. 

“It’s that communication, that dialog, that we have that’s so important for the policy process and in the policy implementation,” Duffy said.

The panelists also discussed the importance of zero trust, a cybersecurity management method where all users on a network should never be trusted and always verified as they navigate through systems.

The US needs to pivot away from checklist-style zero trust benchmarks, Duffy said. “Now is a moment where I’m very focused on the operational aspects of what that means. It isn’t enough to make a zero trust checklist, or say, where are you in maturity?” (David DiMolfetta / NextGov/FCW)

In a letter to United Health's CEO Stephen Hemsley, US Sen. Bill Cassidy (R-LA) and Sen. Maggie Hassan (D-NH) asked about a January breach at one of the company's subsidiaries, Episource, which provides medical coding and risk adjustment services to doctors, health plans, and health companies.

Episource warned regulators in June that hackers breached its systems between January 27 and February 6, stealing the Social Security numbers, Medicaid-Medicare ID numbers, and medical records of 5.4 million people.

The senators said the hack “raises significant questions about UHG’s efforts to safeguard patient information.” Cassidy is a physician and the chairman of the Senate’s health committee, and Hassan is a member of the panel.

“We have seen the recent threat that hostile actors, including Iran, may pose on health care entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health,” the senators said.

UHG has until August 18 to respond to four questions about the Episource hack, including when they first became aware of the breach, when they notified federal regulators, what date they will have a better understanding of what the hackers stole, and more general information about how the company is improving its cybersecurity protections. (Jonathan Greig / The Record)

Related: Senate Committee on Health, Education, Labor and Pensions, Healthcare Finance, SC Media

New research from watchdog Privacy4Cars says that while few automakers strongly protect website and customer portal users’ privacy, one company drastically improved its practices after California’s privacy regulator fined it in March for allegedly failing to implement relevant standards required under state law.

Privacy4Cars scored 44 car brands on a scale of 0-5. The median ranking was 1.7 for a host of privacy practices, including whether companies easily allow consumers and agents acting on their behalf to file opt-out requests to prevent the sale and sharing of personal data.

The scorecard shows that American Honda Motor Co. scored just 0.8 before the California Privacy Protection Agency's crackdown. After the agency issued a $632,500 fine and required the automaker to implement new procedures to allow Californians to assert their privacy rights more easily, Honda’s score skyrocketed to 4.6, considerably ahead of all other vehicle manufacturers, the report shows.

Privacy4Cars founder and CEO Andrea Amico said he hopes the scorecard will push more car companies to improve privacy practices by giving public credit to those that do. He compared it to the advent of crash-test ratings a generation ago, when strong safety ratings made some models more marketable. (Suzanne Smalley / The Record)

Related: PR Web

Best Thing of the Day: Your AI Is Not Actually Worth Ten Engineers

Colton Voege, principal engineer at Beacons.ai, puts to rest the oft-stated "force multiplier" assertion that AI will make real engineers 10- 100x more productive.

Worst Thing of the Day: Cybersecurity Problems Apply to Men's Dating Dish Sites Too

TeaOnHer, an app designed for men to share photos and information about women they have supposedly dated, has exposed users’ personal information, including government IDs and selfies.

Closing Thought

who