This week:

3 – In the rush to use AI, they forgot about security.

2 – You are only as strong as your weakest third party.

1 – We all need to be Doubting Thomas.

3 – In the rush to use AI, they forgot about security.

McHire, the chatbot recruitment platform used by 90% of McDonald’s US franchisees, exposed the details of 64 million job applicants.

Source: Ian Carroll (via Risky Biz)


What’s the story?

A security researcher discovered that McDonald’s recruitment platform, McHire, accepted “123456” as both the username and the password on an administrative test account, and that, once logged in, an internal API handed over other applicants’ records simply by changing an ID number in the request. That was enough to reach the personal data of over 64 million job applicants: names, contact information, and home addresses.

The company that runs the platform, Paradox.ai, fixed the vulnerabilities within two hours of being alerted.


So what?

Understanding AI can be difficult.

But implementing some basic security measures isn’t: no default passwords on admin accounts, and a check that whoever asks for a record is actually allowed to see it.
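As an added example (not code from the original page, and not Paradox.ai’s own code), here are two of the basic measures this story turns on, in Python: a check that rejects default or guessable credentials at account setup, and a record lookup that verifies the caller owns the record before returning it, shown beside the unchecked lookup that lets anyone logged in walk the ID space. The account names, record IDs and the short password denylist are constructed for illustration.

```python
# Added example, not from the original page or from Paradox.ai.
# Account names, record IDs and the password denylist are constructed.
from dataclasses import dataclass

# Constructed denylist. In production, screen against a breached-password
# corpus (for example the Have I Been Pwned "Pwned Passwords" set) instead.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "qwerty", "admin", "letmein", "welcome",
}


def password_is_acceptable(username: str, password: str, min_len: int = 12) -> tuple[bool, str]:
    """Return (ok, reason). Rejects the kind of default credential in the story."""
    pw = password.strip()
    if pw.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password denylist"
    if pw.lower() == username.strip().lower():
        return False, "password equals username"
    if len(pw) < min_len:
        return False, f"password shorter than {min_len} characters"
    if len(set(pw)) <= 2:
        return False, "password is a repeated-character pattern"
    return True, "ok"


@dataclass(frozen=True)
class Applicant:
    lead_id: int
    name: str
    owner: str  # the franchise account entitled to see this record


# Constructed sample records. Sequential IDs are exactly what makes an
# unchecked lookup enumerable.
APPLICANTS = {
    1001: Applicant(1001, "A. Example", "store-0042"),
    1002: Applicant(1002, "B. Example", "store-0042"),
    1003: Applicant(1003, "C. Example", "store-0077"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a record it does not own."""


def get_applicant_insecure(lead_id: int) -> Applicant:
    """The weak pattern: any authenticated caller can read every ID."""
    return APPLICANTS[lead_id]


def get_applicant(caller: str, lead_id: int) -> Applicant:
    """Object-level authorization: the record must belong to the caller.
    Missing and foreign records raise the same error, so the ID space
    cannot be mapped by watching which IDs answer 'not found' vs 'forbidden'."""
    record = APPLICANTS.get(lead_id)
    if record is None or record.owner != caller:
        raise Forbidden(f"{caller} may not read lead {lead_id}")
    return record


def enumerate_leads(caller: str, start: int, count: int) -> list[int]:
    """What an ID-walking attacker gets back from the checked lookup:
    only the records the caller's own account is entitled to."""
    found = []
    for lead_id in range(start, start + count):
        try:
            found.append(get_applicant(caller, lead_id).lead_id)
        except Forbidden:
            pass
    return found


if __name__ == "__main__":
    print(password_is_acceptable("123456", "123456"))
    print(enumerate_leads("store-0042", 1000, 10))
```

The point of `enumerate_leads` is to show the attacker’s view: against the unchecked lookup it would return every ID in the range; against the checked one it returns only the caller’s own records, and a caller with no records gets nothing.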


2 – You are only as strong as your weakest third party.

“As organisations enhance their own security, attackers are increasingly targeting third-party platforms with less stringent controls.”

Source: Cyber Brief Australia


What’s the story?

A cyberattack on a third-party call centre platform compromised data for about 5.7 million Qantas customers. The stolen information includes names, email addresses and frequent flyer numbers. For 1.7 million of these individuals, it also includes addresses, birth dates, phone numbers, gender, and meal preferences.

This attack did not breach Qantas’ own defences; it went through an external service provider.

Apparently, the attackers talked a staff member at the third-party service provider into granting them access to the system holding all of this data.


So what?

You’re only as strong as your weakest link.

And your weakest link is probably your third parties.

So, yes, managing your third parties is a pain in the neck.

But it’s nothing like the pain of not managing your third parties.


1 – We all need to be Doubting Thomas.

“An imposter using AI to pose as Secretary of State Marco Rubio contacted three foreign ministers, a U.S. governor and a member of Congress.”

Source: The Washington Post (and sent my way by Ray Bowe)


What’s the story?

An impostor recently posed as Marco Rubio over Signal and text messages, targeting senior US and foreign officials. Using AI-generated voice messages and a spoofed identity, the impostor appeared to be after sensitive information or access to accounts.

The voice messages were generated with freely available AI tools that need only 15 – 20 seconds of someone’s audio to mimic their voice.


So WWJD (What Would Jesus Do)?

I think even Jesus would become a Doubting Thomas.

Because in this world of AI, we can’t believe anything we don’t see with our own eyes in the real world. If a voice or a message asks for something sensitive, confirm it on a channel you already trust, such as a phone number you already had, before acting on it.