Tag: sam curry

  • McDonald’s AI “McHire” platform was breached, allowing for the potential exposure of 64 million applicants’ private data

    For employers, sorting through applications is ordinarily a tedious but necessary part of the hiring process. Enter AI: with artificial intelligence, employers can now have AI tools sort candidates based on specific prompt criteria, shortening the time it takes to sort through dozens or even hundreds of applications and propelling the most worthy candidates to the top of the list for human review.

    Or at least, that was the idea. Recently, however, that idea backfired for McDonald’s because of a simple mistake: a security flaw in their AI hiring platform, dubbed “McHire” or McHire.com, allowed attackers to access the logs of any user in the system simply by using the account and username “123456”.

    This allowed access to an administrator account for Paradox.ai, the vendor behind the creation of the McDonald’s AI hiring platform, and the ability to query “Olivia”. Olivia is the chatbot potential applicants would chat with as they submitted their application.

    The data they were able to access included applicants’ names, emails, addresses and phone numbers. In total there were 64 million records accessible in the system at the time the breach occurred.

    Luckily, the security flaw was discovered by researchers instead of true bad actors. The breakdown of how it was discovered can be found on the blog by security researchers Ian Carroll and Sam Curry. We have reported on their research before when they discovered a major flaw with Kia and other car brand manufacturers allowing for remote access to vehicles (even while they’re actively being driven).

    It’s a sharp reminder that just because AI solutions may make things easier doesn’t mean that best practices are automatically being followed. Human review is still an important component when deploying any system that will gather large amounts of PII (Personally Identifiable Information), and it’s important to know the rules and restrictions you must follow when collecting that data for your business.

    Below are three rules we recommend following when collecting PII in your business:

    1. Collect Only What’s Necessary (Data Minimization)

    Only gather the PII that is absolutely essential for the purpose at hand. Avoid collecting excess or sensitive data unless it is required. This reduces risk in the event of a data breach and shows respect for user privacy.

    2. Clearly Inform and Obtain Consent

    Be transparent about what data is being collected, why it’s needed, how it will be used, and with whom it might be shared. Always obtain informed consent before collecting any PII, especially for sensitive data like health, financial, or biometric information.

    3. Protect the Data with Strong Security Measures

    Use up-to-date encryption, access controls, and secure storage practices to protect PII from unauthorized access, loss, or misuse. Regularly audit systems and train employees on proper data handling procedures.

    These rules not only build trust with users but also help ensure compliance with regulations like GDPR, CCPA, HIPAA, CMMC and more. If compliance or data protection is a concern for your business, Valley Techlogic can be your go-to partner in creating secure data collection and safeguarding practices alongside deploying industry leading cyber security preventions within your business. Reach out today to learn more.

    This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on X at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.

  • How easy is it to hack your car? For one brand it can take just a few minutes

    We are all aware of the devices in our home that are vulnerable to attacks, from the usual suspects like our PCs, laptops and phones to the less obvious like our internet capable smart home devices, but now we even have to worry about hackers when it comes to our cars?

    In the past, hacking a car required a great deal of skill and time. One recent variation was hackers taking advantage of RFID powered key fobs by intercepting their signal from outside your home. This attack still required the attacker to be quite close to your vehicle, and security cameras (or even tinfoil wrapped around the key fob) would be a deterrent. It also required knowledge of how the broadcast signals work and special equipment to intercept those signals.

    For Kia car owners, hackers have discovered a vulnerability in Kia’s own web portal that allows them to assume control of the internet connected features on the car, including swapping out the owner’s smartphone for the hacker’s own on the vehicle.

    This vulnerability wasn’t limited to a certain type of Kia but could be applied to any Kia with internet connected features, which in total is millions of cars. While the vulnerability isn’t allowing the attacker to steal the car (yet), it can give the attacker control of the customer’s Bluetooth, vehicle cameras, door locks (allowing for theft of items in the car) and more.

    The researchers who discovered the vulnerability also realized it led to a rabbit hole of similar vulnerabilities found on a variety of car maker websites, including Honda, Toyota, Hyundai, Infiniti and more. In a nutshell, the cyber protection available for cars leaves a lot to be desired.

    For more information on how these vulnerabilities are being exploited and exactly which car manufacturers are affected, you can read the comprehensive study put out by Sam Curry, an ethical hacker that works towards bringing critical vulnerabilities to light so they can be solved.

    So where do we go from here? In general, the more internet features devices like cars or home products have the more vulnerable they are to attacks, and the same protections we apply to our computers, servers and phones need to apply to Internet of Things (IoT) devices as well. Below are three ways you can secure your IoT devices:

    While we can’t help you with securing your car, we can help you with securing your business’s technology. At Valley Techlogic, cyber security protections are an included offering in every service plan we provide – including 24/7 monitoring, advanced threat detection, threat remediation and more. Learn more today with a consultation.
