Security

Hackers Target US Defense Firms With Malicious USB Packages (bleepingcomputer.com) 57

The Federal Bureau of Investigation (FBI) warned US companies in a recently updated flash alert that the financially motivated FIN7 cybercriminal group is targeting the US defense industry with packages containing malicious USB devices. BleepingComputer reports: The attackers are mailing packages containing 'BadUSB' or 'Bad Beetle USB' devices with the LilyGO logo, commonly available for sale on the Internet. The packages have been mailed via the United States Postal Service (USPS) and United Parcel Service (UPS) to businesses in the transportation and insurance industries since August 2021 and to defense firms starting in November 2021. FIN7 operators impersonate Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity.

After the targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) Keyboard (allowing it to operate even with removable storage devices toggled off). It then starts injecting keystrokes to install malware payloads on the compromised systems. FIN7's end goal in these attacks is to access the victims' networks and deploy ransomware within a compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts. [...] Companies can defend against such attacks by allowing their employees to connect only USB devices based on their hardware ID or if they're vetted by their security team.
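The hardware-ID allowlisting the report recommends can be checked from the host's own kernel log. The script below is an added defender-side example, not code from the BleepingComputer report or the FBI alert: it parses constructed Linux dmesg-style lines, maps each newly enumerated device to its idVendor:idProduct, and flags any device that registers an HID keyboard without being on the allowlist, with a stronger alert when the same device also presents a mass-storage interface. The allowlist entries, device IDs, product names and log lines are all constructed for the example.

```python
"""Flag USB devices that enumerate as an HID keyboard but are not on a vetted
hardware-ID allowlist (the BadUSB pattern described above).

Added example; log lines mimic Linux kernel usbcore/hid-generic/usb-storage
messages but are constructed, as are all vendor:product IDs and names."""
import re

# Constructed allowlist of idVendor:idProduct (lower-case hex) vetted by the
# security team. In practice this comes from the asset inventory.
ALLOWED_HWIDS = {"1234:abcd"}

# "usb 1-3: New USB device found, idVendor=dead, idProduct=beef, ..."
NEW_DEV_RE = re.compile(
    r"usb (?P<bus>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# "hid-generic 0003:DEAD:BEEF.0002: input,hidraw1: USB HID v1.11 Keyboard [name] ..."
HID_KBD_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*?"
    r"USB HID v[\d.]+ Keyboard \[(?P<name>[^\]]*)\]")
# "usb-storage 1-3:1.1: USB Mass Storage device detected"
STORAGE_RE = re.compile(
    r"usb-storage (?P<bus>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def analyse_usb_log(lines):
    """Return alerts ({'hwid', 'name', 'reason'}) for keyboards not on the
    allowlist. A device offering both a keyboard and mass storage is reported
    with a distinct reason because that combination matches the BadUSB lure
    (the victim expects a storage stick but gets a keystroke injector)."""
    bus_to_hwid = {}      # bus address (e.g. "1-3") -> "vid:pid"
    keyboards = {}        # "vid:pid" -> product name from the HID line
    storage = set()       # "vid:pid" values that also registered mass storage
    for line in lines:
        if m := NEW_DEV_RE.search(line):
            bus_to_hwid[m["bus"]] = f"{m['vid']}:{m['pid']}"
        elif m := HID_KBD_RE.search(line):
            keyboards[f"{m['vid'].lower()}:{m['pid'].lower()}"] = m["name"]
        elif m := STORAGE_RE.search(line):
            # usb-storage reports the bus address, so join via the map above.
            hwid = bus_to_hwid.get(m["bus"])
            if hwid:
                storage.add(hwid)

    alerts = []
    for hwid, name in keyboards.items():
        if hwid in ALLOWED_HWIDS:
            continue  # vetted hardware ID, nothing to report
        reason = "unvetted HID keyboard"
        if hwid in storage:
            reason = "HID keyboard combined with mass storage (BadUSB profile)"
        alerts.append({"hwid": hwid, "name": name, "reason": reason})
    return alerts


# Constructed sample: a vetted keyboard, an unvetted keyboard-only device, and a
# composite device that presents storage plus a keyboard.
SAMPLE_DMESG = """\
[  101.1] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice=64.00
[  101.2] hid-generic 0003:1234:ABCD.0001: input,hidraw0: USB HID v1.10 Keyboard [Example Corp Keyboard] on usb-0000:00:14.0-1/input0
[  180.3] usb 1-2: New USB device found, idVendor=cafe, idProduct=f00d, bcdDevice= 1.00
[  180.4] hid-generic 0003:CAFE:F00D.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Keyboard] on usb-0000:00:14.0-2/input0
[  230.5] usb 1-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 2.63
[  230.6] usb 1-3: Product: USB Composite Device
[  230.7] usb-storage 1-3:1.1: USB Mass Storage device detected
[  230.9] hid-generic 0003:DEAD:BEEF.0003: input,hidraw2: USB HID v1.11 Keyboard [Generic Keyboard] on usb-0000:00:14.0-3/input0
"""

if __name__ == "__main__":
    for alert in analyse_usb_log(SAMPLE_DMESG.splitlines()):
        print(f"ALERT {alert['hwid']} ({alert['name']}): {alert['reason']}")
```

On a live host the same function can be fed the output of `dmesg` or `journalctl -k`; the real value is turning the allowlist into a blocking rule (udev or endpoint DLP), which this script only reports on.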

Transportation

The US Car Rental Market is Crying Out for Disruption (theatlantic.com) 117

Supply is low, demand is high -- but that alone cannot explain the weird indignity of renting a vehicle. From a report: The present situation is "the most challenging in the history of car rental," says Chris Brown, the digital editor of the industry trade publication Auto Rental News. "Last year ... it was a disaster." Nobody could have planned for such a catastrophic revenue loss, he told me, and while the airline industry received a government bailout, the rental-car industry did not. "Hertz had 3,000 cars burned to the ground because someone lit a match, and they just burned in a field," he added. (Something like this did happen in Florida, though only around 1,000 of the 4,500 cars destroyed in the fire belonged to Hertz, and investigators blamed the episode on a hot exhaust pipe and dry grass.) Given the context, some negative customer experiences were to be expected, Brown argued. "But I think it's really impressive how car-rental [companies have] been able to pull themselves out of this very difficult time managing as well as they are."

Well, I'm not trying to be unfair to any companies, but many car-rental businesses did receive funds from the Paycheck Protection Program. And many of their negative customer experiences have nothing to do with a car shortage or a pandemic. Why is that car-rental employee typing for so long? We'll never know. Why are the printers so old and loud and broken? Who could say! Will you ever get a straight answer as to how much insurance to buy, or whether to prepay for gas, or why it's forbidden for you to drive this rental car out of the state of Florida? What does the pandemic have to do with Avis allegedly repossessing a rental car from someone's driveway in the middle of the night in Teaneck, New Jersey, and then allegedly claiming to know absolutely nothing about it, in one of the oddest stories I have ever read? And what does the pandemic have to do with the stream of complaints about rental-car companies on the Better Business Bureau website, a surprising number of which come from people who insist that they do not smoke yet they have been charged as much as $450 for allegedly smoking in a car?

I reached out with questions of this kind to the three largest rental-car companies, which control the large majority of the rental-car business in the United States. Enterprise Holdings did not respond. Avis Budget declined to comment about either the state of the industry or the alleged incident in Teaneck. A Hertz spokesperson said, in part, "Hertz is working closely with our automotive partners to add new vehicles to our fleet as quickly as possible amid the microchip shortage that continues to impact the car rental industry. We're also purchasing low-mileage, pre-owned vehicles, and moving vehicles to the areas with highest demand." The financial structure of these companies is as inscrutable as a contract printed on a dot-matrix printer and signed in a dim underground parking garage. Some of them have gone bankrupt; at least one has done so multiple times. Take Hertz for instance: Private-equity firms acquired the company from Ford in 2005, then made a profit of $1 billion with an IPO while the company itself remained deeply in debt. The company is also on its sixth CEO since 2014 and has been deemed a "Frankenstein of financial engineering" by Axios. Most of the cars that Hertz rents out are owned by "special-purpose" subsidiaries of Hertz, from which Hertz then leases them. When Hertz was sliding into bankruptcy in spring 2020, it was because the company had missed lease payments -- to put it crudely -- to itself. I can barely understand this, yet I will walk into a rental-car office and suffer for it.

Government

The Sad Tale of a Silicon Valley-Funded, Libertarian 'Startup City' (restofworld.org) 320

RestOfWorld.org tells the story of a libertarian 'startup city' in Honduras that was "supposed to be a privatized, Silicon Valley-funded paradise."

Co-founded by 37-year-old Venezuelan Erick Brimen, "Próspera's founders promised to enrich the local community, even supplying water to a nearby village. But relations with neighboring communities deteriorated. Then, Próspera turned off the taps..."

Próspera's founders believe the future of government lies with privatized startup cities. They belong to a movement with deep roots in U.S. libertarian circles: one that wants to redefine citizenship and governance in tech-consumerist terms. It has gained momentum in recent years, as high-profile Silicon Valley figures, like PayPal co-founder Peter Thiel and venture capitalist Marc Andreessen, put their money behind startup city initiatives.

Some governments have been drawn to the idea, too, hoping it will attract foreign investment and spur economic growth. In 2013, Honduras passed a law allowing people like Brimen to set up semi-autonomous, privately run cities, "zonas de empleo y desarrollo económico" (zones for employment and economic development), or "ZEDEs" — pronounced "zeh-dehs." These cities are to be governed by private investors, who can write their own laws and regulations, design their own court systems, and operate their own police forces. The Honduran government granted Próspera ZEDE status in late 2017. Subject to limited government oversight and few legal restrictions, a set of for-profit firms incorporated abroad by Brimen and his business partners will govern the city — with ambitions to expand across [its Honduran island] Roatán and onto the Honduran mainland.... This year, skeptical Hondurans organized weeks of anti-ZEDE protests across the country. They fear cities like Próspera will leave ordinary people no better off than they were before, while ceding to profit-driven investors the power to decide what's in the public interest...

Applications for [Próspera] residency require a background check, a Honduran residency permit, and an annual fee — $260 per year for Hondurans and $1,300 for foreigners. Prospective residents will also have to sign something called an "agreement of coexistence," which lays out all the rights and responsibilities of Próspera residents and Próspera's obligations to them. Brimen characterized it as, "if you could make the social contract a real contract." The agreement incorporates Próspera's resident bill of rights, which is modeled on the U.S. Bill of Rights but with some decidedly libertarian twists. Government services will be centralized and automated through ePróspera, an online portal modeled on the much-praised e-Estonia system developed by the Baltic nation. From the comfort of their homes, Prósperans will be able to pay taxes, incorporate a company, transact business, and even buy real estate. They'll be able to vote, too, but their franchise is limited. Residents elect only five of the council's nine members. Landowners vote for two of the five, with voting power pegged to acreage. Buy more land, buy more votes. Próspera's founders choose the four remaining council members, and a six-member supermajority is needed to alter policy.... Government services will be provided entirely by a contractor...

Effective tax rates will sit in the low single digits, and, in place of Honduran courts, there's a private arbitration center. But where the business inducements enter unprecedented terrain is health and safety regulation. Próspera won't impose rules so much as curate prix fixe and à la carte menus of rules. Companies will be able to opt into an existing regulatory regime — choosing from dozens of countries and U.S. states — or they can Frankenstein together an entirely novel code, mixing and matching rules from different jurisdictions and even inventing new ones. [The building code for one new construction site is a pastiche of Honduran and U.S. law.] The lone requirements: sign-off by Próspera's governing council and a liability insurance policy, most likely underwritten, [Próspera co-founder] Delgado says, by offshore insurers.

RestOfWorld carefully chronicles how Próspera became unpopular with locals. In the summer of 2019, Próspera connected a nearby village to its own water supply. Then it started billing them. (Though the water bills eventually stopped.) After protests over the fact that few construction jobs went to villagers — and over how Próspera's armed security guards began asking pedestrians for identification — several local groups issued a critical statement while villagers elected a new council empowered to speak for them.

It all came to a head when the council asked Brimen to cancel a public meeting (due to surging Covid cases), which Brimen insisted was a violation of his free speech. He held the meeting anyway, local police were sent to break it up, and one of Brimen's bodyguards "scuffled" with one of the officers as his other bodyguards whisked him to safety. The incident made the local news and social media. Then the next month the "Próspera Foundation" threatened to cut off the village's water within 30 days if they didn't formally request the foundation's intervention in writing.

The village instead appealed to a local congressman/mayoral candidate, who by mid-January had fully restored the village's water supply.
China

China To Cleanse Online Content That 'Bad-Mouths' Its Economy (bloomberg.com) 79

China kicked off a two-month campaign to crack down on commercial platforms and social media accounts that post finance-related information that's deemed harmful to its economy. From a report: The initiative will focus on rectifying violations including those that "maliciously" bad-mouth China's financial markets and falsely interpret domestic policies and economic data, the Cyberspace Administration of China said in a statement late Friday. Those who republish foreign media reports or commentaries that falsely interpret domestic financial topics "without taking a stance or making a judgment" will also be targeted, it added. The move is aimed at cultivating a "benign" online environment for public opinion that can facilitate "sustainable and healthy development" of China's economy and its society, according to the statement. It followed a draft proposal issued earlier Friday by the cyberspace regulator to regulate algorithms that technology firms use to recommend videos and other content. Commercial websites and platforms will be ordered to clean up financial information posts and shut accounts deemed in violation, under the supervision of authorities including the cyberspace administrator, the finance ministry, central bank as well as securities, banking and insurance regulators.
Businesses

Uber Proposes California-style Gig Work Reforms in Europe (cnbc.com) 117

Uber called on the European Union to introduce a framework for gig economy workers, floating a model similar to that adopted by California after a contentious fight over the employment status of its drivers. From a report: The U.S. ride-hailing giant shared a "white paper" with EU competition chief Margrethe Vestager, jobs commissioner Nicolas Schmit and other officials. It urged policymakers to implement reforms that protect drivers and couriers operating through an app, without reclassifying them as employees. It's a thorny issue for Uber and other companies in the so-called gig economy that encourage temporary, flexible working models in favor of full-time employment. Last year, Uber, Lyft and other firms successfully fought against proposals in California which would have given their drivers the status of employees rather than independent contractors. Californian voters approved Proposition 22, a measure that would allow drivers for app-based transportation and delivery companies to be classified as independent contractors while still entitling them to new benefits like minimum earnings and vehicle insurance.

"We're calling on policymakers, other platforms and social representatives to move quickly to build a framework for flexible earning opportunities, with industry-wide standards that all platform companies must provide for independent workers," Uber CEO Dara Khosrowshahi said in a blog post Monday. "This could include introducing new laws such as the legislation recently enacted in California," he added. Uber said the EU could alternatively set new principles through a "European model of social dialogue" between platform workers, policy makers and industry representatives.

Security

Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam (krebsonsecurity.com) 51

Krebs on Security: Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today. In its advisory, the Treasury's Office of Foreign Assets Control (OFAC) said "companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations." As financial losses from cybercrime activity and ransomware attacks in particular have skyrocketed in recent years, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them. A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.
Security

FBI Says Credential Stuffing Attacks Are Behind Some Recent Bank Hacks (zdnet.com) 30

The FBI sent a private security alert to the US financial sector last week warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and have led to breaches and considerable financial losses. From a report: Credential stuffing is a relatively new term in the cyber-security industry. [...] According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations. "Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises," the FBI said. "The victims included banks, financial services providers, insurance companies, and investment firms."
Security

Ransomware Accounted For 41% of All Cyber Insurance Claims in H1 2020 (zdnet.com) 13

Ransomware incidents accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America. From a report: The high number of claims confirms previous reports from multiple cyber-security firms that ransomware is one of today's most prevalent and destructive threats. "Ransomware doesn't discriminate by industry. We've seen an increase in ransom attacks across almost every industry we serve," Coalition added. "In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%," the company added. Among the most aggressive gangs, the cyber insurer listed Maze and DoppelPaymer, which have recently begun exfiltrating data from hacked networks and threatening to release data on specialized leak sites as part of double extortion schemes. Based on cyber insurance claims filed by customers who faced a ransomware attack in the first half of 2020, Coalition said the Maze ransomware gang was the greediest, with the group requesting ransom demands six times larger than the overall average.
Software

Half of Americans Won't Trust Contact-Tracing Apps, New Poll Finds (arstechnica.com) 221

Before life can safely return to normalcy, we'll need an enormous increase in our ability to perform contact tracing -- identifying and contacting everyone who's been in contact with a person infected with COVID-19 so that they in turn can hunker down in quarantine and avoid infecting others. But, as Ars Technica reports, there are two huge problems with the massive contact-tracing platform that Google and Apple are working on. "First, billions of phones won't be able to use the tech," reports Ars. "And second: even among those who could, a solid half of Americans would refuse to because they don't trust insurers or tech companies with their health data." From the report: The 82 percent of US adults who have smartphones are exactly split on the issue, according to poll data released today by The Washington Post and University of Maryland. Half of the poll respondents said they probably or definitely would use a contact-tracing app, and the remaining half said they probably or definitely would not. While a majority of respondents (57 percent) expressed a reasonable amount of trust in public health agencies, less than half (47 percent) said they trust health insurance firms, and only 43 percent said they trust tech firms such as Google or Apple. Overall, the poll indicates that only 41 percent of American adults have both the technological capacity and the will to use a contact-tracing app. That's a problem, as research suggests that digital tracing would have to reach about 60 percent of the population to be most effective.
AI

Emotion Recognition Tech Should Be Banned, Says an AI Research Institute (bbc.com) 65

An anonymous reader quotes a report from the BBC: A leading research centre has called for new laws to restrict the use of emotion-detecting tech. The AI Now Institute says the field is "built on markedly shaky foundations." Despite this, systems are on sale to help vet job seekers, test criminal suspects for signs of deception, and set insurance prices. It wants such software to be banned from use in important decisions that affect people's lives and/or determine their access to opportunities. The US-based body has found support in the UK from the founder of a company developing its own emotional-response technologies -- but it cautioned that any restrictions would need to be nuanced enough not to hamper all work being done in the area.

AI Now refers to the technology by its formal name, affect recognition, in its annual report. It says the sector is undergoing a period of significant growth and could already be worth as much as $20 billion. "It claims to read, if you will, our inner-emotional states by interpreting the micro-expressions on our face, the tone of our voice or even the way that we walk," explained co-founder Prof Kate Crawford. "It's being used everywhere, from how do you hire the perfect employee through to assessing patient pain, through to tracking which students seem to be paying attention in class. "At the same time as these technologies are being rolled out, large numbers of studies are showing that there is... no substantial evidence that people have this consistent relationship between the emotion that you are feeling and the way that your face looks."
"Prof Crawford suggested that part of the problem was that some firms were basing their software on the work of Paul Ekman, a psychologist who proposed in the 1960s that there were only six basic emotions expressed via facial emotions," reports the BBC. "But, she added, subsequent studies had demonstrated there was far greater variability, both in terms of the number of emotional states and the way that people expressed them."
Power

Coal Power Becoming 'Uninsurable' As Firms Refuse Cover (theguardian.com) 270

AmiMoJo quotes a report from The Guardian: The number of insurers withdrawing cover for coal projects more than doubled this year and for the first time U.S. companies have taken action, leaving Lloyd's of London and Asian insurers as the "last resort" for fossil fuels, according to a new report. The report, which rates the world's 35 biggest insurers on their actions on fossil fuels, declares that coal -- the biggest single contributor to climate change -- "is on the way to becoming uninsurable" as most coal projects cannot be financed, built or operated without insurance.

Ten firms moved to restrict the insurance cover they offer to companies that build or operate coal power plants in 2019, taking the global total to 17, said the Unfriend Coal campaign, which includes 13 environmental groups such as Greenpeace, Client Earth and Urgewald, a German NGO. The report will be launched at an insurance and climate risk conference in London on Monday, as the UN climate summit gets underway in Madrid. The first insurers to exit coal policies were all European, but since March, two U.S. insurers -- Chubb and Axis Capital -- and the Australian firms QBE and Suncorp have pledged to stop or restrict insurance for coal projects. At least 35 insurers with combined assets of $8.9 trillion, equivalent to 37% of the insurance industry's global assets, have begun pulling out of coal investments. A year ago, 19 insurers holding more than $6 trillion in assets were divesting from fossil fuels.

Privacy

Health Websites Are Sharing Sensitive Medical Data with Google, Facebook, and Amazon (technologyreview.com) 22

Popular health websites are sharing private, personal medical data with big tech companies, according to an investigation by the Financial Times. From a report: The data, including medical diagnoses, symptoms, prescriptions, and menstrual and fertility information, are being sold to companies like Google, Amazon, Facebook, and Oracle and smaller data brokers and advertising technology firms, like Scorecard and OpenX. The FT analyzed 100 health websites, including WebMD, Healthline, health insurance group Bupa, and parenting site Babycentre, and found that 79% of them dropped cookies on visitors, allowing them to be tracked by third-party companies around the internet. This was done without consent, making the practice illegal under European Union regulations. By far the most common destination for the data was Google's advertising arm DoubleClick, which showed up in 78% of the sites the FT tested.
Security

47% of Organizations Have Cyber Insurance, Up From 34% in 2017: Study (zdnet.com) 28

Cyberattacks are now considered by most execs to be the top business concern, far outranking economic uncertainty, brand damage, and regulation, according to a survey by insurance consultancy Marsh and tech giant Microsoft. From a report: The global survey of over 1,500 business leaders illustrates the rapid change in business leaders' perceived risks to their organizations and shows that having a cyber insurance policy is now more common than two years ago. In 2017, Marsh and Microsoft found that 62% of respondents saw cyberattacks as a top-five risk, whereas this year 79% do. The share of respondents who see cyber attacks as the number one risk has also risen from 6% to 22% over two years. This year, the second most widely considered top-five risk is economic uncertainty, followed by brand damage, regulation, and loss of key personnel. [...] According to Marsh and Microsoft's survey, 47% of organizations have cyber insurance [PDF], up from 34% in 2017. Additionally, 57% of large firms with annual revenues of over $1bn report having cyber insurance compared with 36% of organizations with revenues below $100m. Nearly all respondents, totaling 89%, are confident their cyber insurance policy would cover the cost of a cyber event.
Privacy

Florida's DMV Made $77 Million -- By Selling Off Personal Information (wptv.com) 142

Florida's Department of Highway Safety and Motor Vehicles "made $77 million in 2017 by selling drivers' personal information to more than 30 private companies, including marketing firms, bill collectors, insurance companies and data brokers..." according to a local news site.

schwit1 shared this report from WPTV: A Florida woman is blaming the state government for an onslaught of robocalls and direct mail offers -- accusations that come as the Scripps station WFTS in Tampa uncovered that the DMV makes millions by selling Florida drivers' personal information to outside companies, including marketing firms.

WFTS I-Team Investigator Adam Walser obtained records showing the state sold information on Florida drivers and ID cardholders to more than 30 private companies, including marketing firms, bill collectors, insurance companies and data brokers in the business of reselling information.

They also report that the woman was illiterate, and "had no digital footprint -- until she got an ID." But within days, her legal guardian reports she was "receiving direct mail offers for lawn service, credit cards, cell phones and insurance. She also now receives constant robocalls and salespeople have even started showing up at her door."

And their investigation revealed more damning details. One data broker said their firm "has an agreement with the state to buy driver and ID cardholder data for a penny a record." A promotional video on their web site brags they have "access to 2.5 billion customers and two-thirds of the world's population."

Though it may be possible to opt out of data collection from individual marketing companies, a spokesperson for the state of Florida "said there's no way for drivers to opt out if they don't want their personal information sold."
Government

FBI Searches Microbiome Testing Startup uBiome In Billing Probe (techcrunch.com) 22

An anonymous reader quotes a report from The Wall Street Journal: Special agents from the Federal Bureau of Investigation searched the offices of lab-test startup uBiome Inc. on Friday morning (Warning: source paywalled; alternative source), according to a person with knowledge of the matter. The FBI is investigating uBiome's billing practices. An FBI spokeswoman said, "I can confirm that special agents from the FBI San Francisco Division are present at 360 Langton Street in San Francisco conducting court-authorized law-enforcement activity. Due to the ongoing nature of the investigation, I cannot provide any additional details at this time." According to public records, uBiome has a headquarters office at that address.

uBiome sells tests for the microbiome, which refers to the group of microorganisms that live in the digestive tract and other parts of the body, under names including Explorer and SmartGut. The company, which calls itself the "leading microbial genomics company," was one of the earliest firms in the microbiome testing field, launching in 2012 with a crowdfunding campaign that raised $350,000. Last year, uBiome said it had raised $83 million from firms including OS Fund and Y Combinator. uBiome describes its SmartGut and SmartJane tests as "an insurance-reimbursed test ordered by a health-care provider."
"We are cooperating fully with federal authorities on this matter. We look forward to continuing to serve the needs of healthcare providers and patients," a spokeswoman for uBiome said Friday. In an interview last week that included questions about scrutiny of uBiome's billing practices, uBiome Chief Executive Jessica Richman said that "compliance is our highest value" and that uBiome's billing and other practices are proper.
Privacy

120 Data Brokers Just Registered In Vermont Under a Landmark Law (fastcompany.com) 34

tedlistens writes: Vermont's newly enacted data broker law is the only law of its kind in the U.S. so far, and it's forced any company collecting data on its citizens to register with the state. Fast Company wrote about the limitations of the law and compiled a list of the companies, what they do, and tips for opting out if possible.

The Vermont law only covers third-party data firms -- those trafficking in the data of people with whom they have no relationship -- as opposed to "first-party" data holders like Amazon, Facebook, or Google, which collect their own enormous piles of detailed personal data directly from users. It doesn't require data brokers to disclose who's in their databases, what data they collect, or who buys it. Nor does it require brokers to give consumers access to their own data or to let them opt out of data collection. Brokers are, however, required to provide some information about their opt-out systems under the law -- assuming they provide one.
"The registry is an expansive, alphabet soup of companies, from lesser-known organizations that help landlords research potential tenants or deliver marketing leads to insurance companies, to the quiet giants of data," reports Fast Company. "Those include big names in people search, like Spokeo, ZoomInfo, White Pages, PeopleSmart, Intelius, and PeopleFinders; credit reporting, like Equifax, Experian, and TransUnion; and advertising and marketing, like Acxiom, Oracle, LexisNexis, Innovis, and KBM. Some companies also specialize in 'risk mitigation,' which can include credit reporting but also background checks and other identity verification services."

The report lists all the companies that have registered under Vermont's data broker law, with descriptions drawn from their websites or other sources where noted.
Crime

Hackers Threaten To Dump Insurance Files Related To 9/11 Attacks (vice.com) 134

An anonymous reader shares a report: On Monday, New Year's Eve, a hacker group announced it had breached a law firm handling cases related to the September 11 attacks, and threatened to publicly release a large cache of related internal files unless their ransom demands were met. The news is the latest public extortion attempt from the group known as The Dark Overlord, which has previously targeted a production studio working for Netflix, as well as a host of medical centres and private businesses across the United States. The announcement also signals a slight evolution in The Dark Overlord's strategy, which has expanded on leveraging the media to exert pressure on victims, to now distributing its threats and stolen data in a wider fashion.

In its announcement published on Pastebin, The Dark Overlord points to several different insurers and legal firms, claiming specifically that it hacked Hiscox Syndicates Ltd, Lloyds of London, and Silverstein Properties. "Hiscox Syndicates Ltd and Lloyds of London are some of the biggest insurers on the planet insuring everything from the smallest policies to some of the largest policies on the planet, and who even insured structures such as the World Trade Centers," the announcement reads.

Privacy

China Sees Surge in Personal Information Up For Sale (reuters.com)

Personal data has become widely available in China and can be scooped up for pennies by insurance companies, banks, loan sharks, and scammers alike, according to sellers and financiers interviewed by Reuters. From a report: In May, China introduced its most comprehensive data protection laws to date, tightening restrictions on the sharing of private data held by financial institutions and other firms. "Personal information leaks are risky," said Susan Ning, a partner at the law firm King & Wood Mallesons in Beijing. "Such information can facilitate other crimes," she added. Insurers often buy numbers from shadowy online data sellers, who themselves have acquired the information illegally, according to people in the industry. Some companies illegally buy information from the department of motor vehicles, car licensing authorities, car sellers, or from police stations, said Michelle Hu, a partner at Boston Consulting Group who has been a consultant on insurance deals. By entering keywords like "personal data" or "cellphone data", in Chinese, Reuters found more than 30 groups created for the purpose of selling and buying personal information on Tencent's instant messaging service QQ and Baidu forum site Tieba.
Security

After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com)

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
Businesses

Amazon's Push Into Healthcare Just Cost the Industry $30 Billion In Market Cap (qz.com)

Today, Amazon, along with Berkshire Hathaway and JPMorgan, announced a plan to launch an independent company that will offer healthcare services to the companies' employees at a lower cost. The venture, which will be managed by executives from the firms, will be run more like a non-profit than a for-profit entity. Even though the plans are vague, the news caused the market value of 10 large, listed health insurance and pharmacy stocks to drop by a combined $30 billion in the first two hours of trading. Quartz reports: "The healthcare system is complex, and we enter into this challenge open-eyed about the degree of difficulty," said Amazon's Jeff Bezos in a statement. "Hard as it might be, reducing healthcare's burden on the economy while improving outcomes for employees and their families would be worth the effort. Success is going to require talented experts, a beginner's mind, and a long-term orientation." Warren Buffett, the CEO of Berkshire Hathaway, likened America's mushrooming healthcare costs to "a hungry tapeworm on the American economy." How the venture will provide less pricey healthcare to the 1.2 million employees of the participating companies isn't yet clear. The new company will leverage "technology solutions" that provide "simplified, high-quality and transparent healthcare at a reasonable cost." Not much else, including the name of the company, is known.