Photograph: Toru Hanai/Bloomberg/Getty Images

Security News This Week: Toyota Leaked Vehicle Data of 2 Million Customers

The FBI disables notorious Russia-linked malware, the EU edges toward a facial recognition ban, and security firm Dragos has an intrusion of its own.

SafeGraph, the data broker famous for selling location data linked to abortion clinic visits, is now a US military contractor. Documents obtained by WIRED reveal that the company landed an initial contract with the US Air Force and is hoping the Pentagon will buy a tool that SafeGraph says will pinpoint locations not to bomb, like schools and hospitals.

Your data is, of course, everywhere—likely including in the training data of generative AI tools like ChatGPT. Fortunately, at least some users can request that OpenAI, which created the tool, delete their data. It’s also possible to delete your chat history with ChatGPT. We run down how to do both right here. As Signal Foundation president Meredith Whittaker recently told WIRED during the latest episode of our new podcast Have a Nice Future, the surveillance economy, while powerful, is relatively new—and can still be dismantled if we have the will to do so.

Of course, even if you’re doing everything in your power to keep your data private, you’re probably still leaving a trail that can be traced back to you. Just ask any of the cyberattack-for-hire service operators who’ve been shut down or arrested thanks to an independent team of sleuths who’ve systematically dismantled the so-called booter services in recent years. Calling themselves Big Pipes, the group most recently contributed to the takedown of 13 booter services earlier this month. 

Speaking of pipes, the US Environmental Protection Agency is facing a lawsuit from Republican-led states that could endanger the Biden administration’s efforts to better protect the country’s critical infrastructure, like water plants, from cyberattacks. If the suit is successful, similar lawsuits could undermine the White House’s entire cyber regulation agenda.

Elsewhere in the world of nefarious cyber actors, a previously unknown group of hackers has been running espionage operations against both pro-Ukrainian and pro-Russian entities since 2020, researchers recently discovered. The group, dubbed Red Stinger by security firm Malwarebytes, is believed to be state-sponsored and may have ties to Moscow. But efforts to uncover the hackers' true allegiances and identities are still ongoing.

One thing anyone needs to stay private online is a secure way to communicate, which means end-to-end encryption. Twitter this week rolled out its long-awaited encrypted direct messages (DMs). The problem is, the company put encrypted DMs behind a paywall (you have to subscribe to Twitter Blue to use them), and they only work between users who meet a variety of other criteria. Twitter's own documentation also says the current scheme offers no protection against man-in-the-middle attacks and no forward secrecy, so a compromised key exposes past messages. Our advice? Just use Signal or WhatsApp.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

Yesterday, Reuters reported that the vehicle data of millions of Toyota customers in Japan had been publicly available for a decade due to a simple technical error. The 2.15 million customers whose data was exposed make up nearly the entire customer base who have signed up for Toyota’s main cloud service platforms since 2012.

A Toyota spokesperson told Reuters that the accidental leak may have exposed extremely sensitive data, including a vehicle’s location and identification number. The issue, which began in 2013, was due to a “cloud system” being set to public instead of private, the spokesperson said. 

While the company says it found no evidence of malicious use of the exposed data, the incident highlights a growing threat: as car manufacturers push into vehicle connectivity and AI-enabled features, they collect and store massive quantities of data, and a single misconfigured storage setting can expose all of it.
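The Toyota exposure came down to a cloud resource being set to public instead of private. The article does not say which cloud provider or resource type was involved, so the following is an added example, not Toyota's or Reuters' code: it assumes an AWS-style bucket policy document and the AWS "Block Public Access" flags, and runs entirely on constructed sample policies. It flags any Allow statement that an anonymous principal could use, treats a wildcard principal that is narrowed by a source-VPC or account condition as non-public, and reports whether the account-level guard rail (RestrictPublicBuckets) would have neutralised a public policy anyway. The bucket names, role ARN and account ID are made up.

```python
"""Flag cloud storage policies that grant public access.

Added example, not code from Toyota, Toyota Connected or Reuters. Assumes an
AWS-style IAM/bucket policy JSON document and the AWS "Block Public Access"
flag names; the actual provider and configuration behind the Toyota exposure
are not described in the article. All bucket and role names are constructed.
"""
import json

# Constructed sample: opens reads to everyone (the "set to public" failure).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-telematics",
                     "arn:aws:s3:::example-telematics/*"],
    }],
})

# Constructed sample: scoped to a single role in a single (fake) account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/telematics-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-telematics/*",
    }],
})

# Constructed sample: wildcard principal, but limited to one VPC, so not
# reachable from the public internet.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-telematics/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
    }],
})

# Condition keys that narrow a "*" principal to a network or account boundary.
LIMITING_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:PrincipalOrgID",
                 "aws:PrincipalAccount", "aws:SourceAccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True if the Principal element grants to anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_limiting_condition(statement):
    """True if a Condition key confines the wildcard principal."""
    for operator in statement.get("Condition", {}).values():
        if any(key in LIMITING_KEYS for key in operator):
            return True
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements usable by an anonymous principal."""
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal", {})):
            continue
        if _has_limiting_condition(stmt):
            continue
        found.append(stmt.get("Sid", "<no sid>"))
    return found


def audit(policy_json, block_public_access):
    """Combine the policy check with the account/bucket-level guard rail.

    block_public_access holds the AWS Block Public Access flags. With
    RestrictPublicBuckets on, S3 ignores a public bucket policy, so the
    exposure is reported as blocked rather than live.
    """
    hits = public_statements(policy_json)
    if not hits:
        return {"status": "PRIVATE", "statements": []}
    if block_public_access.get("RestrictPublicBuckets", False):
        return {"status": "BLOCKED_BY_GUARDRAIL", "statements": hits}
    return {"status": "PUBLIC", "statements": hits}


if __name__ == "__main__":
    guard_off = {"BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    for name, pol in [("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY),
                      ("vpc-only", CONDITIONED_POLICY)]:
        print(name, audit(pol, guard_off))
```

Run against a real estate by exporting each bucket's policy and the account's Block Public Access configuration and feeding them to `audit`; a "PUBLIC" result on a bucket holding customer or vehicle data is the exact condition the article describes, and the guard rail check is the reason to turn RestrictPublicBuckets on account-wide rather than relying on every team getting every policy right for ten years.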

You can check the types of data a particular car manufacturer might be collecting and sharing using this free tool made by automotive privacy company Privacy4Cars.

The United States and its allies have successfully disabled Russian malware that one of the Kremlin's most sophisticated hacker units had installed on hundreds of computers around the world. After spending years monitoring a malware network called Snake, the FBI developed and deployed a tool called Perseus, named after the Greek hero who slew monsters, that caused the malware to overwrite and disable itself, the Department of Justice announced on Tuesday.

Snake is developed and operated by Turla, a notorious state-sponsored hacking group linked to Russia’s Federal Security Service, or FSB. Prosecutors said the Russian spies behind Turla have used versions of the Snake malware to steal sensitive documents from scores of governments, journalists, and “other targets of interest to the Russian Federation.” 

According to unsealed court documents, the Snake malware operated as a “peer-to-peer” network linking infected computers around the world, allowing Turla to install malware and exfiltrate data.

Europe this week got one step closer to banning facial recognition in public spaces with a lawmaker agreement to strengthen proposed legislation governing how artificial intelligence technology can be used in the European Union. 

In a vote on Thursday morning, members of the European Parliament agreed to include the ban in the text of the highly anticipated AI Act, the world's first comprehensive legislation governing the technology. "This vote is a milestone in regulating AI, and a clear signal from the Parliament that fundamental rights should be a cornerstone of that," MEP Kim van Sparrentak told Reuters. "AI should serve people, society, and the environment, not the other way around."

A ransomware group attempted to extort money from Dragos, a leading industrial cybersecurity firm, in an unsuccessful campaign targeting company executives, the firm said on Wednesday.

While the hackers gained access to a limited set of customer data, Dragos said it chose not to engage with the group. "The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," the company said. "However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts."