Cyberview #2: Casino hacks, modern car data privacy, and ChatGPT
October 18, 2023
Cyberattacks on MGM and Caesars Palace
In recent months, two of Las Vegas’ biggest hotel-casinos, MGM Resorts and Caesars Entertainment, were battered by cyberattacks.
MGM Resorts faced broad system outages and service disruptions, affecting properties in Las Vegas and elsewhere. According to Vox, “a group known as Scattered Spider is believed to be responsible, and it reportedly used ransomware made by ALPHV, or BlackCat, a ransomware-as-a-service operation. The hackers are said to be especially good at ‘vishing,’ or gaining access to systems through a convincing phone call.”
Caesars Entertainment stated that it experienced a similar social engineering attack, albeit on an outsourced IT support vendor. In the resulting data breach, the Social Security numbers and driver's license numbers of many of its loyalty program members were stolen, along with other personal data. Caesars paid roughly $15m of the $30m ransom, according to the Wall Street Journal. These attacks remind us again that human error remains the persistent “weak link of cybersecurity”.
Car Companies & Data: A Privacy Nightmare
A recent report from Mozilla has shed light on some alarming data collection practices among car manufacturers. The study of 25 car companies found each to collect more personal data than necessary for operating vehicles and maintaining customer relationships. In Mozilla’s words, “Cars are the worst product category we have ever reviewed for privacy.”
This data covers not only driving habits and locations visited, but also sensitive details such as immigration status, weight, genetic information, and even facial expressions.
Cars are jam-packed with sensors, microphones, cameras, connected devices, apps, and more – in short, a rich harvesting ground for data. This data is liable to be sold to or shared with third parties. Albert Fox Cahn’s remark, “Cars are wiretaps on wheels,” is ringing true.
Elon Musk’s X recently rolled out some controversial changes. The app formerly known as Twitter stated that it “may collect and use your personal information” – employment, educational history, skills, job search activity, etc. – “to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising.”
And there’s more. X has introduced a biometric verification system for paid users, based on government-issued IDs. Seemingly, this system will prevent impersonation and offer “prioritized support” to premium users. These users can opt to submit their government IDs and an image for verification, earning a badge (replacing the old “blue tick”) on their profile.
These changes are likely related to X's recent moves into the job market space (look out, LinkedIn), and part of X's broader plan to transform into an “everything app”. Also, training AIs.
OpenAI's ChatGPT Enterprise: Protecting Business Data
Growing concerns about business data security (how many of our ChatGPT prompts are being used to train the next large language model?) have pushed OpenAI in a more B2B-friendly direction with the launch of ChatGPT Enterprise: “You own and control your business data in ChatGPT Enterprise. We do not train on your business data or conversations, and our models don’t learn from your usage.”
This move puts OpenAI in direct competition with its major backer, Microsoft, as both aim to attract business clients. What’s the connection? The Cyberview team delves into the details.
Stay tuned for the next episode of Cyberview.