Issue 42 — Latest in privacy & security

In today's email…

• DOGE plagued by more security vulnerabilities
• Widespread malware exposes confidential US military and law enforcement data
• Agentic AI poses new security risks for companies
• UK fines 4 banks £100m for info-sharing practices
• TerraTrue Optimized Vendor Oversight
• Jobs corner
• Upcoming webinars & events

  Latest in Privacy and Security

• The Department of Government Efficiency (DOGE) continues to be plagued by lax security. In the last newsletter, we reported how the Elon Musk-led organization, named after a 15-year-old meme, put millions of federal employee records at risk. Now, 404 media is reporting that Doge’s website pulls data from a database that anyone can edit. One coder illustrated the vulnerability by posting two live updates on the site, saying, “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”
  
  The site, which is on Cloudflare and not a secure government server, was hastily setup with “tons of errors and details leaked in the page source code.” Waste.gov, another DOGE-related site, was recently left live with a default Wordpress template and sample text. These revelations have heightened the concerns of security experts about the extensive access and lax security of the new organization. Read More
  
  
• Multiple United States government agencies and defense contractors have been infected by malware designed to steal confidential information and other sensitive data, according to cybercrime intelligence firm, Hudson Rock. The firm has identified:
  
  
• Infostealer malware at Boeing, Lockheed Martin, Honeywell and other major defense contractors
• Stolen credentials among U.S. Army and Navy personnel
• Active malware infections at the FBI and Government Accountability Office
• Data marketplaces where classified logs are sold for $10 and up
• Read more
  
  
• As agentic AI takes a greater and more independent role in everyday business decisions, organizations are facing a range of new risks. For example, AI’s can be tricked into bypassing safeguards through role-playing, or manipulated by a malicious actor through hidden, machine-readable text placed in emails. To mitigate these risks, companies need to limit AI agency, improve robustness through testing and training, and use continuous monitoring and regular audits to catch inappropriate behavior and detect vulnerabilities. Read more

  Regulations / Fines

• The UK Competition and Markets Authority (CMA) has fined four major banks £100m for traders sharing sensitive government bond information over Bloomberg chat rooms. The CMA reports that the banks have put compliance measures in place to avoid future regulatory breaches. The CMA was more forgiving to Deutsche Bank, which avoided fines by alerting the organization, and Citi, which reduced its fine by agreeing to a settlement. Read more

  Feature Focus

• TerraTrue has optimized vendor oversight with comprehensive vendor profiles and integrated with risk-based assessment scheduling. Automated reminder workflows ensure you don’t fall behind on monitoring your vendors, and API endpoints make the system simpler to integrate with your stack.

  Job Board

• Mastercard: Senior Privacy Counsel
• Dentsply Sirona: Director Americas Privacy & Global Cybersecurity Counsel
• Credit Karma: Privacy Counsel
• Specialist Director: Cyber MDR
• AI & Model Risk Lead: Allstate Insurance
• Privacy Specialist at Templafy

  Upcoming Events

• IAPP Data Protection Intensive: UK | Mar 10-11, 2024 | London
• Future-Proofing Gaming | Mar 26 | Online Webinar
• IAPP Global Privacy Summit 2025 | Apr 21-24 | Washington, DC
• IAPP Canada Privacy Symposium | May 11-15 | Toronto, Ontario
• FutureCon St Louis | Mar 12 | St. Louis, MO
• Riskworld 2025 | May 3-7 | Chicago, IL
• Compliance Week Third Party Risk Management Summit |Jun 2-4 | Austin, TX

Need help thinking through your third party risk management?See how easy it is to launch your first risk review.