Take the Speakers, Headphones, and Earphones SurveyTake other PCMag surveys. Each completed survey is a chance to win a $250 Amazon gift card. OFFICIAL SWEEPSTAKES RULESNO PURCHASE NECESSARY TO ENTER OR WIN. A PURCHASE WILL NOT INCREASE YOUR CHANCES OF WINNING. VOID WHERE PROHIBITED. Readers' Choice Sweepstakes (the "Sweepstakes") is governed by these official rules (the "Sweepstakes Rules"). The Sweepstakes begins on May 9, 2025, at 12:00 AM ET and ends on July 27, 2025, at 11:59 PM ET (the "Sweepstakes Period").SPONSOR: Ziff Davis, LLC, with an address of 360 Park Ave South, Floor 17, New York, NY 10010 (the "Sponsor").ELIGIBILITY: This Sweepstakes is open to individuals who are eighteen (18) years of age or older at the time of entry who are legal residents of the fifty (50) United States of America or the District of Columbia. By entering the Sweepstakes as described in these Sweepstakes Rules, entrants represent and warrant that they are complying with these Sweepstakes Rules (including, without limitation, all eligibility requirements), and that they agree to abide by and be bound by all the rules and terms and conditions stated herein and all decisions of Sponsor, which shall be final and binding.All previous winners of any sweepstakes sponsored by Sponsor during the nine (9) month period prior to the Selection Date are not eligible to enter. Any individuals (including, but not limited to, employees, consultants, independent contractors and interns) who have, within the past six (6) months, held employment with or performed services for Sponsor or any organizations affiliated with the sponsorship, fulfillment, administration, prize support, advertisement or promotion of the Sweepstakes ("Employees") are not eligible to enter or win. Immediate Family Members and Household Members are also not eligible to enter or win. "Immediate Family Members" means parents, step-parents, legal guardians, children, step-children, siblings, step-siblings, or spouses of an Employee. "Household Members" means those individuals who share the same residence with an Employee at least three (3) months a year.HOW TO ENTER: There are two methods to enter the Sweepstakes: (1) fill out the online survey, or (2) enter by mail.1. Survey Entry: To enter the Sweepstakes through the online survey, go to the survey page and complete the current survey during the Sweepstakes Period.2. Mail Entry: To enter the Sweepstakes by mail, on a 3" x 5" card, print your first and last name, street address, city, state, zip code, phone number, and email address. Mail your completed entry to:Readers' Choice Sweepstakes - Audio 2025c/o E. Griffith 624 Elm St. Ext.Ithaca, NY 14850-8786Mail Entries must be postmarked by July 28, 2025, and received by Aug. 4, 2025.Only one (1) entry per person is permitted, regardless of the entry method used. Subsequent attempts made by the same individual to submit multiple entries may result in the disqualification of the entrant.Only contributions submitted during the Sweepstakes Period will be eligible for entry into the Sweepstakes. No other methods of entry will be accepted. All entries become the property of Sponsor and will not be returned. Entries are limited to individuals only; commercial enterprises and business entities are not eligible. Use of a false account will disqualify an entry. Sponsor is not responsible for entries not received due to difficulty accessing the internet, service outage or delays, computer difficulties, and other technological problems.Entries are subject to any applicable restrictions or eligibility requirements listed herein. Entries will be deemed to have been made by the authorized account holder of the email or telephone phone number submitted at the time of entry and qualification. Multiple participants are not permitted to share the same email address. Should multiple users of the same e-mail account or mobile phone number, as applicable, enter the Sweepstakes and a dispute thereafter arises regarding the identity of the entrant, the Authorized Account Holder of said e-mail account or mobile phone account at the time of entry will be considered the entrant. "Authorized Account Holder" is defined as the natural person who is assigned an e-mail address or mobile phone number by an Internet access provider, online service provider, telephone service provider or other organization that is responsible for assigned e-mail addresses, phone numbers or the domain associated with the submitted e-mail address. Proof of submission of an entry shall not be deemed proof of receipt by the website administrator for online entries. When applicable, the website administrator's computer will be deemed the official time-keeping device for the Sweepstakes promotion. Entries will be disqualified if found to be incomplete and/or if Sponsor determines, in its sole discretion, that multiple entries were submitted by the same entrant in violation of the Sweepstakes Rules.Entries that are late, lost, stolen, mutilated, tampered with, illegible, incomplete, mechanically reproduced, inaccurate, postage-due, forged, irregular in any way or otherwise not in compliance with these Official Rules will be disqualified. All entries become the property of the Sponsor and will not be acknowledged or returned.WINNER SELECTION AND NOTIFICATION: Sponsor shall select the prize winner(s) (collectively, the "Winner") on or about Aug. 11, 2025, ("Selection Date") by random drawing or from among all eligible entries. The Winner will be notified via email to the contact information provided in the entry. Notification of the Winner shall be deemed to have occurred immediately upon sending of the notification by Sponsor. Selected winner(s) will be required to respond (as directed) to the notification within seven (7) days of attempted notification. The only entries that will be considered eligible entries are entries received by Sponsor within the Sweepstakes Period. The odds of winning depend on the number of eligible entries received. The Sponsor reserves the right, in its sole discretion, to choose an alternative winner in the event that a possible winner has been disqualified or is deemed ineligible for any reason.Recommended by Our EditorsPRIZE: One (1) winner will receive the following prize (collectively, the "Prize"):One (1) $250 Amazon.com gift code via email, valued at approximately two hundred fifty dollars ($250).No more than the stated number of prize(s) will be awarded, and all prize(s) listed above will be awarded. Actual retail value of the Prize may vary due to market conditions. The difference in value of the Prize as stated above and value at time of notification of the Winner, if any, will not be awarded. No cash or prize substitution is permitted, except at the discretion of Sponsor. The Prize is non-transferable. If the Prize cannot be awarded due to circumstances beyond the control of Sponsor, a substitute Prize of equal or greater retail value will be awarded; provided, however, that if a Prize is awarded but remains unclaimed or is forfeited by the Winner, the Prize may not be re-awarded, in Sponsor's sole discretion. In the event that more than the stated number of prize(s) becomes available for any reason, Sponsor reserves the right to award only the stated number of prize(s) by a random drawing among all legitimate, un-awarded, eligible prize claims.ACCEPTANCE AND DELIVERY OF THE PRIZE: The Winner will be required to verify his or her address and may be required to execute the following document(s) before a notary public and return them within seven (7) days (or a shorter time if required by exigencies) of receipt of such documents: an affidavit of eligibility, a liability release, and (where imposing such condition is legal) a publicity release covering eligibility, liability, advertising, publicity and media appearance issues (collectively, the "Prize Claim Documents"). If an entrant is unable to verify the information submitted with their entry, the entrant will automatically be disqualified and their prize, if any, will be forfeited. The Prize will not be awarded until all such properly executed and notarized Prize Claim Documents are returned to Sponsor. Prize(s) won by an eligible entrant who is a minor in his or her state of residence will be awarded to minor's parent or legal guardian, who must sign and return all required Prize Claim Documents. In the event the Prize Claim Documents are not returned within the specified period, an alternate Winner may be selected by Sponsor for such Prize. The Prize will be shipped to the Winner within 7 days of Sponsor's receipt of a signed Affidavit and Release from the Winner. The Winner is responsible for all taxes and fees related to the Prize received, if any.OTHER RULES: This sweepstakes is subject to all applicable laws and is void where prohibited. All submissions by entrants in connection with the sweepstakes become the sole property of the sponsor and will not be acknowledged or returned. Winner assumes all liability for any injuries or damage caused or claimed to be caused by participation in this sweepstakes or by the use or misuse of any prize.By entering the sweepstakes, each winner grants the SPONSOR permission to use his or her name, city, state/province, e-mail address and, to the extent submitted as part of the sweepstakes entry, his or her photograph, voice, and/or likeness for advertising, publicity or other purposes OR ON A WINNER'S LIST, IF APPLICABLE, IN ANY and all MEDIA WHETHER NOW KNOWN OR HEREINAFTER DEVELOPED, worldwide, without additional consent OR compensation, except where prohibited by law. By submitting an entry, entrants also grant the Sponsor a perpetual, fully-paid, irrevocable, non-exclusive license to reproduce, prepare derivative works of, distribute, display, exhibit, transmit, broadcast, televise, digitize, perform and otherwise use and permit others to use, and throughout the world, their entry materials in any manner, form, or format now known or hereinafter created, including on the internet, and for any purpose, including, but not limited to, advertising or promotion of the Sweepstakes, the Sponsor and/or its products and services, without further consent from or compensation to the entrant. By entering the Sweepstakes, entrants consent to receive notification of future promotions, advertisements or solicitations by or from Sponsor and/or Sponsor's parent companies, affiliates, subsidiaries, and business partners, via email or other means of communication.If, in the Sponsor's opinion, there is any suspected or actual evidence of fraud, electronic or non-electronic tampering or unauthorized intervention with any portion of this Sweepstakes, or if fraud or technical difficulties of any sort (e.g., computer viruses, bugs) compromise the integrity of the Sweepstakes, the Sponsor reserves the right to void suspect entries and/or terminate the Sweepstakes and award the Prize in its sole discretion. Any attempt to deliberately damage the Sponsor's website(s) or undermine the legitimate operation of the Sweepstakes may be in violation of U.S. criminal and civil laws and will result in disqualification from participation in the Sweepstakes. Should such an attempt be made, the Sponsor reserves the right to seek remedies and damages (including attorney's fees) to the fullest extent of the law, including pursuing criminal prosecution.DISCLAIMER: EXCLUDING ONLY APPLICABLE MANUFACTURERS' WARRANTIES, THE PRIZE IS PROVIDED TO THE WINNER ON AN "AS IS" BASIS, WITHOUT FURTHER WARRANTY OF ANY KIND. SPONSOR HEREBY DISCLAIMS ALL FURTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE PRIZE.LIMITATION OF LIABILITY: BY ENTERING THE SWEEPSTAKES, ENTRANTS, ON BEHALF OF THEMSELVES AND THEIR HEIRS, EXECUTORS, ASSIGNS AND REPRESENTATIVES, RELEASE AND HOLD THE SPONSOR its PARENT COMPANIES, SUBSIDIARIES, AFFILIATED COMPANIES, UNITS AND DIVISIONS, AND THE CURRENT AND FORMER OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS, SUCCESSORS AND ASSIGNS OF EACH OF THE FOREGOING, AND ALL THOSE ACTING UNDER THE AUTHORITY OF THE FOREGOING, OR ANY OF THEM (INCLUDING, BUT NOT LIMITED TO, ADVERTISING AND PROMOTIONAL AGENCIES AND PRIZE SUPPLIERS) (EACH A "RELEASED PARTY"), HARMLESS FROM AND AGAINST ANY AND ALL CLAIMS, ACTIONS, INJURY, LOSS, DAMAGES, LIABILITIES AND OBLIGATIONS OF ANY KIND WHATSOEVER (COLLECTIVELY, THE "CLAIMS") WHETHER KNOWN OR UNKNOWN, SUSPECTED OR UNSUSPECTED, WHICH ENTRANT EVER HAD, NOW HAVE, OR HEREAFTER CAN, SHALL OR MAY HAVE, AGAINST THE RELEASED PARTIES (OR ANY OF THEM), INCLUDING, BUT NOT LIMITED TO, CLAIMS ARISING FROM OR RELATED TO THE SWEEPSTAKES OR ENTRANT'S PARTICIPATION IN THE SWEEPSTAKES (INCLUDING, WITHOUT LIMITATION, CLAIMS FOR LIBEL, DEFAMATION, INVASION OF PRIVACY, VIOLATION OF THE RIGHT OF PUBLICITY, COMMERCIAL APPROPRIATION OF NAME AND LIKENESS, INFRINGEMENT OF COPYRIGHT OR VIOLATION OF ANY OTHER PERSONAL OR PROPRIETARY RIGHT), AND THE RECEIPT, OWNERSHIP, USE, MISUSE, TRANSFER, SALE OR OTHER DISPOSITION OF THE PRIZE (INCLUDING, WITHOUT LIMITATION, CLAIMS FOR PERSONAL INJURY, DEATH, AND/OR PROPERTY DAMAGE). All matters relating to the interpretation and application of these Sweepstakes Rules shall be decided by Sponsor in its sole discretion.DISPUTES: If, for any reason (including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes beyond the control of the Sponsor which corrupt or affect the administration, security, fairness, integrity, or proper conduct of this Sweepstakes), the Sweepstakes is not capable of being conducted as described in these Sweepstakes Rules, Sponsor shall have the right, in its sole discretion, to disqualify any individual who tampers with the entry process, and/or to cancel, terminate, modify or suspend the Sweepstakes. The Sponsor assumes no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, theft or destruction or unauthorized access to, or alteration of, entries. The Sponsor is not responsible for any problems or technical malfunction of any telephone network or lines, computer online systems, servers, providers, computer equipment, software, or failure of any e-mail or entry to be received by Sponsor on account of technical problems or traffic congestion on the Internet or at any website, or any combination thereof, including, without limitation, any injury or damage to any entrant's or any other person's computer related to or resulting from participating or downloading any materials in this Sweepstakes. Because of the unique nature and scope of the Sweepstakes, Sponsor reserves the right, in addition to those other rights reserved herein, to modify any date(s) or deadline(s) set forth in these Sweepstakes Rules or otherwise governing the Sweepstakes, and any such changes will be posted here in the Sweepstakes Rules. Any attempt by any person to deliberately undermine the legitimate operation of the Sweepstakes may be a violation of criminal and civil law, and, should such an attempt be made, Sponsor reserves the right to seek damages to the fullest extent permitted by law. Sponsor's failure to enforce any term of these Sweepstakes Rules shall not constitute a waiver of any provision.As a condition of participating in the Sweepstakes, entrant agrees that any and all disputes that cannot be resolved between entrant and Sponsor, and causes of action arising out of or connected with the Sweepstakes or these Sweepstakes Rules, shall be resolved individually, without resort to any form of class action, exclusively before a court of competent jurisdiction located in New York, New York, and entrant irrevocably consents to the jurisdiction of the federal and state courts located in New York, New York with respect to any such dispute, cause of action, or other matter. All disputes will be governed and controlled by the laws of the State of New York (without regard for its conflicts-of-laws principles). Further, in any such dispute, under no circumstances will entrant be permitted to obtain awards for, and hereby irrevocably waives all rights to claim, punitive, incidental, or consequential damages, or any other damages, including attorneys' fees, other than entrant's actual out-of-pocket expenses (i.e., costs incurred directly in connection with entrant's participation in the Sweepstakes), and entrant further irrevocably waives all rights to have damages multiplied or increased, if any. EACH PARTY EXPRESSLY WAIVES ANY RIGHT TO A TRIAL BY JURY. All federal, state, and local laws and regulations apply.PRIVACY: Information collected from entrants in connection with the Sweepstakes is subject to Sponsor's privacy policy, which may be found here.SOCIAL MEDIA PROMOTION: Although the Sweepstakes may be featured on Twitter, Facebook, and/or other social media platforms, the Sweepstakes is in no way sponsored, endorsed, administered by, or in association with Twitter, Facebook, and/or such other social media platforms and you agree that Twitter, Facebook, and all other social media platforms are not liable in any way for any claims, damages or losses associated with the Sweepstakes.WINNER(S) LIST: For a list of name(s) of prizewinner(s), after the Selection Date, please send a stamped, self-addressed No. 10/standard business envelope to Ziff Davis, LLC, Attn: Legal Department, 360 Park Ave South, Floor 17, New York, NY 10010 (VT residents may omit return postage).BY ENTERING, YOU AGREE THAT YOU HAVE READ AND AGREE TO ALL OF THESE SWEEPSTAKES RULES.

Published June 15, 2025 10:00am EDT close IPhone users instructed to take immediate action to avoid data breach: 'Urgent threat' Kurt 'The CyberGuy' Knutsson discusses Elon Musk's possible priorities as he exits his role with the White House and explains the urgent warning for iPhone users to update devices after a 'massive security gap.' NEWYou can now listen to Fox News articles! In the past decade, healthcare data has become one of the most sought-after targets in cybercrime. From insurers to clinics, every player in the ecosystem handles some form of sensitive information. However, breaches do not always originate from hospitals or health apps. Increasingly, patient data is managed by third-party vendors offering digital services such as scheduling, billing and marketing. One such breach at a digital marketing agency serving dental practices recently exposed approximately 2.7 million patient profiles and more than 8.8 million appointment records.Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join. Illustration of a hacker at work   (Kurt "CyberGuy" Knutsson)Massive healthcare data leak exposes millions: What you need to knowCybernews researchers have discovered a misconfigured MongoDB database exposing 2.7 million patient profiles and 8.8 million appointment records. The database was publicly accessible online, unprotected by passwords or authentication protocols. Anyone with basic knowledge of database scanning tools could have accessed it.The exposed data included names, birthdates, addresses, emails, phone numbers, gender, chart IDs, language preferences and billing classifications. Appointment records also contained metadata such as timestamps and institutional identifiers.MASSIVE DATA BREACH EXPOSES 184 MILLION PASSWORDS AND LOGINSClues within the data structure point toward Gargle, a Utah-based company that builds websites and offers marketing tools for dental practices. While not a confirmed source, several internal references and system details suggest a strong connection. Gargle provides appointment scheduling, form submission and patient communication services. These functions require access to patient information, making the firm a likely link in the exposure.After the issue was reported, the database was secured. The duration of the exposure remains unknown, and there is no public evidence indicating whether the data was downloaded by malicious actors before being locked down.We reached out to Gargle for a comment but did not hear back before our deadline. A healthcare professional viewing heath data      (Kurt "CyberGuy" Knutsson)How healthcare data breaches lead to identity theft and insurance fraudThe exposed data presents a broad risk profile. On its own, a phone number or billing record might seem limited in scope. Combined, however, the dataset forms a complete profile that could be exploited for identity theft, insurance fraud and targeted phishing campaigns.Medical identity theft allows attackers to impersonate patients and access services under a false identity. Victims often remain unaware until significant damage is done, ranging from incorrect medical records to unpaid bills in their names. The leak also opens the door to insurance fraud, with actors using institutional references and chart data to submit false claims.This type of breach raises questions about compliance with the Health Insurance Portability and Accountability Act, which mandates strong security protections for entities handling patient data. Although Gargle is not a healthcare provider, its access to patient-facing infrastructure could place it under the scope of that regulation as a business associate. A healthcare professional working on a laptop   (Kurt "CyberGuy" Knutsson)5 ways you can stay safe from healthcare data breachesIf your information was part of the healthcare breach or any similar one, it’s worth taking a few steps to protect yourself.1. Consider identity theft protection services: Since the healthcare data breach exposed personal and financial information, it’s crucial to stay proactive against identity theft. Identity theft protection services offer continuous monitoring of your credit reports, Social Security number and even the dark web to detect if your information is being misused. These services send you real-time alerts about suspicious activity, such as new credit inquiries or attempts to open accounts in your name, helping you act quickly before serious damage occurs. Beyond monitoring, many identity theft protection companies provide dedicated recovery specialists who assist you in resolving fraud issues, disputing unauthorized charges and restoring your identity if it’s compromised. See my tips and best picks on how to protect yourself from identity theft.2. Use personal data removal services: The healthcare data breach leaks loads of information about you, and all this could end up in the public domain, which essentially gives anyone an opportunity to scam you.  One proactive step is to consider personal data removal services, which specialize in continuously monitoring and removing your information from various online databases and websites. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Check out my top picks for data removal services here. GET FOX BUSINESS ON THE GO BY CLICKING HEREGet a free scan to find out if your personal information is already out on the web3. Have strong antivirus software: Hackers have people’s email addresses and full names, which makes it easy for them to send you a phishing link that installs malware and steals all your data. These messages are socially engineered to catch them, and catching them is nearly impossible if you’re not careful. However, you’re not without defenses.The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.4. Enable two-factor authentication: While passwords weren’t part of the data breach, you still need to enable two-factor authentication (2FA). It gives you an extra layer of security on all your important accounts, including email, banking and social media. 2FA requires you to provide a second piece of information, such as a code sent to your phone, in addition to your password when logging in. This makes it significantly harder for hackers to access your accounts, even if they have your password. Enabling 2FA can greatly reduce the risk of unauthorized access and protect your sensitive data.5. Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions and security alerts. Kurt’s key takeawayIf nothing else, this latest leak shows just how poorly patient data is being handled today. More and more, non-medical vendors are getting access to sensitive information without facing the same rules or oversight as hospitals and clinics. These third-party services are now a regular part of how patients book appointments, pay bills or fill out forms. But when something goes wrong, the fallout is just as serious. Even though the database was taken offline, the bigger problem hasn't gone away. Your data is only as safe as the least careful company that gets access to it.CLICK HERE TO GET THE FOX NEWS APPDo you think healthcare companies are investing enough in their cybersecurity infrastructure? Let us know by writing us at Cyberguy.com/ContactFor more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/NewsletterAsk Kurt a question or let us know what stories you'd like us to coverFollow Kurt on his social channelsAnswers to the most asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com.  All rights reserved.   Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

The Secure Government Email (SGE) Common Implementation Framework New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service.  Key Takeaways All NZ government agencies must comply with new email security requirements by October 2025. The new framework strengthens trust and security in government communications by preventing spoofing and phishing. The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls. EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting. Start a Free Trial What is the Secure Government Email Common Implementation Framework? The Secure Government Email (SGE) Common Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service. Why is New Zealand Implementing New Government Email Security Standards? The framework was developed by New Zealand’s Department of Internal Affairs (DIA) as part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name System (DNS) to enable the retirement of the legacy SEEMail service and provide: Encryption for transmission security Digital signing for message integrity Basic non-repudiation (by allowing only authorized senders) Domain spoofing protection These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications. What Email Security Technologies Are Required by the New NZ SGE Framework? The SGE Framework outlines the following key technologies that agencies must implement: TLS 1.2 or higher with implicit TLS enforced TLS-RPT (TLS Reporting) SPF (Sender Policy Framework) DKIM (DomainKeys Identified Mail) DMARC (Domain-based Message Authentication, Reporting, and Conformance) with reporting MTA-STS (Mail Transfer Agent Strict Transport Security) Data Loss Prevention controls These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks. Get in touch When Do NZ Government Agencies Need to Comply with this Framework? All New Zealand government agencies are expected to fully implement the Secure Government Email (SGE) Common Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline. The All of Government Secure Email Common Implementation Framework v1.0 What are the Mandated Requirements for Domains? Below are the exact requirements for all email-enabled domains under the new framework. ControlExact RequirementTLSMinimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted.TLS-RPTAll email-sending domains must have TLS reporting enabled.SPFMust exist and end with -all.DKIMAll outbound email from every sending service must be DKIM-signed at the final hop.DMARCPolicy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending.MTA-STSEnabled and set to enforce.Implicit TLSMust be configured and enforced for every connection.Data Loss PreventionEnforce in line with the New Zealand Information Security Manual (NZISM) and Protective Security Requirements (PSR). Compliance Monitoring and Reporting The All of Government Service Delivery (AoGSD) team will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.  Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually. Deployment Checklist for NZ Government Compliance Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT SPF with -all DKIM on all outbound email DMARC p=reject  adkim=s where suitable For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict Compliance dashboard Inbound DMARC evaluation enforced DLP aligned with NZISM Start a Free Trial How EasyDMARC Can Help Government Agencies Comply EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance. 1. TLS-RPT / MTA-STS audit EasyDMARC enables you to enable the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures. Note: In this screenshot, you can see how to deploy MTA-STS and TLS Reporting by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks. As shown above, EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources. 2. SPF with “-all”In the EasyDARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation. Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports. Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues. 3. DKIM on all outbound email DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases. As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly (see first screenshot). If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface (see second screenshot). EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs.  Note: At the end of this article, you’ll find configuration links for well-known ESPs like Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid – helping you avoid common misconfigurations and get aligned with SGE requirements. If you’re using a dedicated MTA (e.g., Postfix), DKIM must be implemented manually. EasyDMARC’s DKIM Record Generator lets you generate both public and private keys for your server. The private key is stored on your MTA, while the public key must be published in your DNS (see third and fourth screenshots). 4. DMARC p=reject rollout As mentioned in previous points, DMARC reporting is the first and most important step on your DMARC enforcement journey. Always start with a p=none policy and configure RUA reports to be sent to EasyDMARC. Use the report insights to identify and fix SPF and DKIM alignment issues, then gradually move to p=quarantine and finally p=reject once all legitimate email sources have been authenticated.  This phased approach ensures full protection against domain spoofing without risking legitimate email delivery. 5. adkim Strict Alignment Check This strict alignment check is not always applicable, especially if you’re using third-party bulk ESPs, such as Sendgrid, that require you to set DKIM on a subdomain level. You can set adkim=s in your DMARC TXT record, or simply enable strict mode in EasyDMARC’s Managed DMARC settings. This ensures that only emails with a DKIM signature that exactly match your domain pass alignment, adding an extra layer of protection against domain spoofing. But only do this if you are NOT a bulk sender. 6. Securing Non-Email Enabled Domains The purpose of deploying email security to non-email-enabled domains, or parked domains, is to prevent messages being spoofed from that domain. This requirement remains even if the root-level domain has SP=reject set within its DMARC record. Under this new framework, you must bulk import and mark parked domains as “Parked.” Crucially, this requires adjusting SPF settings to an empty record, setting DMARC to p=reject, and ensuring an empty DKIM record is in place: • SPF record: “v=spf1 -all”. • Wildcard DKIM record with empty public key.• DMARC record: “v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:…”. EasyDMARC allows you to add and label parked domains for free. This is important because it helps you monitor any activity from these domains and ensure they remain protected with a strict DMARC policy of p=reject. 7. Compliance Dashboard Use EasyDMARC’s Domain Scanner to assess the security posture of each domain with a clear compliance score and risk level. The dashboard highlights configuration gaps and guides remediation steps, helping government agencies stay on track toward full compliance with the SGE Framework. 8. Inbound DMARC Evaluation Enforced You don’t need to apply any changes if you’re using Google Workspace, Microsoft 365, or other major mailbox providers. Most of them already enforce DMARC evaluation on incoming emails. However, some legacy Microsoft 365 setups may still quarantine emails that fail DMARC checks, even when the sending domain has a p=reject policy, instead of rejecting them. This behavior can be adjusted directly from your Microsoft Defender portal. Read more about this in our step-by-step guide on how to set up SPF, DKIM, and DMARC from Microsoft Defender. If you’re using a third-party mail provider that doesn’t enforce having a DMARC policy for incoming emails, which is rare, you’ll need to contact their support to request a configuration change. 9. Data Loss Prevention Aligned with NZISM The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security. It includes guidance on data loss prevention (DLP), which must be followed to be aligned with the SEG. Need Help Setting up SPF and DKIM for your Email Provider? Setting up SPF and DKIM for different ESPs often requires specific configurations. Some providers require you to publish SPF and DKIM on a subdomain, while others only require DKIM, or have different formatting rules. We’ve simplified all these steps to help you avoid misconfigurations that could delay your DMARC enforcement, or worse, block legitimate emails from reaching your recipients. Below you’ll find comprehensive setup guides for Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid. You can also explore our full blog section that covers setup instructions for many other well-known ESPs. Remember, all this information is reflected in your DMARC aggregate reports. These reports give you live visibility into your outgoing email ecosystem, helping you analyze and fix any issues specific to a given provider. Here are our step-by-step guides for the most common platforms: Google Workspace Microsoft 365 These guides will help ensure your DNS records are configured correctly as part of the Secure Government Email (SGE) Framework rollout. Meet New Government Email Security Standards With EasyDMARC New Zealand’s SEG Framework sets a clear path for government agencies to enhance their email security by October 2025. With EasyDMARC, you can meet these technical requirements efficiently and with confidence. From protocol setup to continuous monitoring and compliance tracking, EasyDMARC streamlines the entire process, ensuring strong protection against spoofing, phishing, and data loss while simplifying your transition from SEEMail.

Microsoft offered up a fairly light Patch Tuesday release this month, with 68 patches to Microsoft Windows and Microsoft Office. There were no updates for Exchange or SQL server and just two minor patches for Microsoft Edge. That said, two zero-day vulnerabilities (CVE-2025-33073 and CVE-2025-33053) have led to a “Patch Now” recommendation for both Windows and Office. (Developers can follow their usual release cadence with updates to Microsoft .NET and Visual Studio.) To help navigate these changes, the team from Readiness has provided auseful  infographic detailing the risks involved when deploying the latest updates. (More information about recent Patch Tuesday releases is available here.) Known issues Microsoft released a limited number of known issues for June, with a product-focused issue and a very minor display concern: Microsoft Excel: This a rare product level entry in the “known issues” category — an advisory that “square brackets” or [] are not supported in Excel filenames. An error is generated, advising the user to remove the offending characters. Windows 10: There are reports of blurry or unclear CJK (Chinese, Japanese, Korean) text when displayed at 96 DPI (100% scaling) in Chromium-based browsers such as Microsoft Edge and Google Chrome. This is a limited resource issue, as the font resolution in Windows 10 does not fully match the high-level resolution of the Noto font. Microsoft recommends changing the display scaling to 125% or 150% to improve clarity. Major revisions and mitigations Microsoft might have won an award for the shortest time between releasing an update and a revision with: CVE-2025-33073: Windows SMB Client Elevation of Privilege. Microsoft worked to address a vulnerability where improper access control in Windows SMB allows an attacker to elevate privileges over a network. This patch was revised on the same day as its initial release (and has been revised again for documentation purposes). Windows lifecycle and enforcement updates Microsoft did not release any enforcement updates for June. Each month, the Readiness team analyzes Microsoft’s latest updates and provides technically sound, actionable testing plans. While June’s release includes no stated functional changes, many foundational components across authentication, storage, networking, and user experience have been updated. For this testing guide, we grouped Microsoft’s updates by Windows feature and then accompanied the section with prescriptive test actions and rationale to help prioritize enterprise efforts. Core OS and UI compatibility Microsoft updated several core kernel drivers affecting Windows as a whole. This is a low-level system change and carries a high risk of compatibility and system issues. In addition, core Microsoft print libraries have been included in the update, requiring additional print testing in addition to the following recommendations: Run print operations from 32-bit applications on 64-bit Windows environments. Use different print drivers and configurations (e.g., local, networked). Observe printing from older productivity apps and virtual environments. Remote desktop and network connectivity This update could impact the reliability of remote access while broken DHCP-to-DNS integration can block device onboarding, and NAT misbehavior disrupts VPNs or site-to-site routing configurations. We recommend the following tests be performed: Create and reconnect Remote Desktop (RDP) sessions under varying network conditions. Confirm that DHCP-assigned IP addresses are correctly registered with DNS in AD-integrated environments. Test modifying NAT and routing settings in RRAS configurations and ensure that changes persist across reboots. Filesystem, SMB and storage Updates to the core Windows storage libraries affect nearly every command related to Microsoft Storage Spaces. A minor misalignment here can result in degraded clusters, orphaned volumes, or data loss in a failover scenario. These are high-priority components in modern data center and hybrid cloud infrastructure, with the following storage-related testing recommendations: Access file shares using server names, FQDNs, and IP addresses. Enable and validate encrypted and compressed file-share operations between clients and servers. Run tests that create, open, and read from system log files using various file and storage configurations. Validate core cluster storage management tasks, including creating and managing storage pools, tiers, and volumes. Test disk addition/removal, failover behaviors, and resiliency settings. Run system-level storage diagnostics across active and passive nodes in the cluster. Windows installer and recovery Microsoft delivered another update to the Windows Installer (MSI) application infrastructure. Broken or regressed Installer package MSI handling disrupts app deployment pipelines while putting core business applications at risk. We suggest the following tests for the latest changes to MSI Installer, Windows Recovery and Microsoft’s Virtualization Based Security (VBS): Perform installation, repair, and uninstallation of MSI Installer packages using standard enterprise deployment tools (e.g. Intune). Validate restore point behavior for points older than 60 days under varying virtualization-based security (VBS) settings. Check both client and server behaviors for allowed or blocked restores. We highly recommend prioritizing printer testing this month, then remote desktop deployment testing to ensure your core business applications install and uninstall as expected. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:  Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange and SQL Server;  Microsoft Developer Tools (Visual Studio and .NET); And Adobe (if you get this far). Browsers Microsoft delivered a very minor series of updates to Microsoft Edge. The  browser receives two Chrome patches (CVE-2025-5068 and CVE-2025-5419) where both updates are rated important. These low-profile changes can be added to your standard release calendar. Microsoft Windows Microsoft released five critical patches and (a smaller than usual) 40 patches rated important. This month the five critical Windows patches cover the following desktop and server vulnerabilities: Missing release of memory after effective lifetime in Windows Cryptographic Services (WCS) allows an unauthorized attacker to execute code over a network. Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network. Use of uninitialized resources in Windows Netlogon allows an unauthorized attacker to elevate privileges over a network. Unfortunately, CVE-2025-33073 has been reported as publicly disclosed while CVE-2025-33053 has been reported as exploited. Given these two zero-days, the Readiness recommends a “Patch Now” release schedule for your Windows updates. Microsoft Office Microsoft released five critical updates and a further 13 rated important for Office. The critical patches deal with memory related and “use after free” memory allocation issues affecting the entire platform. Due to the number and severity of these issues, we recommend a “Patch Now” schedule for Office for this Patch Tuesday release. Microsoft Exchange and SQL Server There are no updates for either Microsoft Exchange or SQL Server this month.  Developer tools There were only three low-level updates (product focused and rated important) released, affecting .NET and Visual Studio. Add these updates to your standard developer release schedule. Adobe (and 3rd party updates) Adobe has released (but Microsoft has not co-published) a single update to Adobe Acrobat (APSB25-57). There were two other non-Microsoft updated releases affecting the Chromium platform, which were covered in the Browser section above.

The cloud has changed everything. It’s faster, cheaper, and easier to scale than traditional infrastructure. Initially, most companies chose a single cloud provider. That’s no longer enough. Now, nearly 86% of businesses use more than one cloud. This approach—called multi-cloud—lets teams choose the best features from each provider. But it also opens the door to new security risks. When apps, data, and tools are scattered across platforms, managing security gets harder. And in today's world of constant cyber threats, ignoring cloud security is not an option. Let’s walk through real-world challenges and the best ways to protect business data in a multi-cloud environment. 1. Know What You’re Working With Start with visibility. Make a full inventory of the cloud platforms, apps, and storage your business uses. Ask every department—marketing, finance, HR—what tools they’ve signed up for. Many use services without informing IT. This is shadow IT, and it’s risky. Once you have the list, figure out what data lives where. Some workloads are low-risk. Others involve customer records, credit card data, or legal files. Prioritize those. 2. Build a Unified Security Strategy One of the biggest mistakes companies make is treating each cloud provider as a separate system. Every provider has its own rules, tools, and settings. If your security strategy is broken up, gaps will appear. Instead, aim for a single, connected approach. Use the same access rules, encryption standards, and monitoring tools across all clouds. You don’t want different policies on AWS and Azure—it just invites trouble. Tools like centralized dashboards, SIEM (Security Information and Event Management), and SOAR (Security Orchestration, Automation, and Response) help you keep everything in one place. 3. Enforce Strict Access Controls In a multi-cloud world, identity and access control are one of the hardest things to get right. Every platform has its own login system. Without proper integration, mistakes happen. Someone might get more access than they need, or never lose access when they leave the company. Stick to these practices: Use role-based access control. Limit permissions to the bare minimum. Turn on multi-factor authentication. Link logins across platforms using identity federation. The more consistent your access rules are, the easier it is to control who gets in and what they can do. 4. Use the Zero Trust Model Zero Trust means never assume anything is safe. Every user, device, and app must prove itself—every time. Even if a user is on your network, don’t trust them by default. This model reduces risk. It checks each request. It verifies users. And it looks for signs of abnormal behavior, like someone logging in from a new device or country. Zero Trust works well with automation and real-time monitoring. It also forces teams to rethink how data is shared and accessed. 5. Encrypt Data—Always Encryption is a basic but powerful layer of defense. It protects data whether it’s sitting in storage or moving between systems. If attackers get in, encrypted data is useless without the keys. Most cloud platforms offer built-in encryption. But don’t rely only on that. You can manage your own keys with tools like AWS KMS or Azure Key Vault. That gives you more control. To stay safe: Encrypt both at rest and in transit. Avoid default settings. Rotate encryption keys regularly. 6. Monitor in Real Time Security is not a one-time task. You need to watch your systems around the clock. Set alerts for things like large file downloads, unusual logins, or traffic spikes. Centralized monitoring helps a lot. It pulls logs from all your platforms and tools into one place. That way, your security team isn’t flipping between dashboards when something goes wrong. Also, use automation to filter out noise and surface real threats faster. 7. Set Up Regular Audits and Compliance Checks Multi-cloud setups are great for flexibility, but complex when it comes to compliance. Each platform has its own set of controls and certifications. Managing them all can be overwhelming. That’s why audits matter. Run security checks on a regular schedule—monthly, quarterly, or after every major change. Look for misconfigured permissions, missing patches, or unsecured data. And document everything. Also, make sure your tools help meet regulations like GDPR, HIPAA, or PCI DSS. Automated compliance scans can help stay on top of this. 8. Prevent Data Loss with Smart Policies Sensitive data is always at risk. Employees might share it by mistake. Attackers might try to steal it. That’s where Data Loss Prevention (DLP) comes in. DLP tools block unauthorized sharing of personal data, financial records, or internal files. You can create rules like “Don’t send customer SSNs over email” or “Block uploads of credit card data to personal drives.” DLP also supports compliance and helps avoid lawsuits or fines when accidents happen. 9. Automate Where You Can Manual work slows things down, and mistakes happen. That’s why automation is key in cloud security. Automate things like: Patch management Access reviews Backup schedules Security alerts Automation speeds up your response time. It also frees your security team to focus on serious issues, not routine tasks. 10. Centralized Security Control One major downside of multi-cloud isa lack of visibility. If you’re jumping between different tools for each cloud, you miss things. Instead, use a centralized security management system. It collects data from all clouds, shows risk levels, flags issues, and helps you fix them from one place. This unified view makes a huge difference. It helps you react faster and stay ahead of threats. Final Thought Cloud providers have made data storage and computing easier than ever. But with great power comes risk. Using multiple clouds gives more choice, but also more responsibility. Most businesses today are not ready. Only 15% have a mature multi-cloud security plan, says the 2023 Cisco Cyber Security Readiness Index. That means many are exposed. The good news? You can fix this. Start with simple steps. Know what you use. Lock it down. Watch it closely. Keep improving. And above all, treat cloud security not as a technical box to check, but as something critical to your business. Because in today’s world, a single breach can shut you down. And that’s too big a risk to ignore.

The online discussion forum says Anthropic continued to access its site more than 100,000 times after saying it had stopped.

IT Pros ‘Extremely Worried’ About Shadow AI: Report By John P. Mello Jr. June 4, 2025 5:00 AM PT ADVERTISEMENT Enterprise IT Lead Generation Services Fuel Your Pipeline. Close More Deals. Our full-service marketing programs deliver sales-ready leads. 100% Satisfaction Guarantee! Learn more. Shadow AI — the use of AI tools under the radar of IT departments — has information technology directors and executives worried, according to a report released Tuesday. The report, based on a survey of 200 IT directors and executives at U.S. enterprise organizations of 1,000 employees or more, found nearly half the IT pros (46%) were “extremely worried” about shadow AI, and almost all of them (90%) were concerned about it from a privacy and security viewpoint. “As our survey found, shadow AI is resulting in palpable, concerning outcomes, with nearly 80% of IT leaders saying it has resulted in negative incidents such as sensitive data leakage to Gen AI tools, false or inaccurate results, and legal risks of using copyrighted information,” said Krishna Subramanian, co-founder of Campbell, Calif.-based Komprise, the unstructured data management company that produced the report. “Alarmingly, 13% say that shadow AI has caused financial or reputational harm to their organizations,” she told TechNewsWorld. Subramanian added that shadow AI poses a much greater problem than shadow IT, which primarily focuses on departmental power users purchasing cloud instances or SaaS tools without obtaining IT approval. “Now we’ve got an unlimited number of employees using tools like ChatGPT or Claude AI to get work done, but not understanding the potential risk they are putting their organizations at by inadvertently submitting company secrets or customer data into the chat prompt,” she explained. “The data risk is large and growing in still unforeseen ways because of the pace of AI development and adoption and the fact that there is a lot we don’t know about how AI works,” she continued. “It is becoming more humanistic all the time and capable of making decisions independently.” Shadow AI Introduces Security Blind Spots Shadow AI is the next step after shadow IT and is a growing risk, noted James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla. “Users use AI tools for content, images, or applications and to process sensitive data or company information without proper security checks,” he told TechNewsWorld. “Most organizations will have privacy, compliance, and data protection policies, and shadow AI introduces blind spots in the organization’s data loss prevention.” “The biggest risk with shadow AI is that the AI application has not passed through a security analysis as approved AI tools may have been,” explained Melissa Ruzzi, director of AI at AppOmni, a SaaS security management software company, in San Mateo, Calif. “Some AI applications may be training models using your data, may not adhere to relevant regulations that your company is required to follow, and may not even have the data storage security level you deem necessary to keep your data from being exposed,” she told TechNewsWorld. “Those risks are blind spots of potential security vulnerabilities in shadow AI.” Krishna Vishnubhotla, vice president of product strategy at Zimperium, a mobile security company based in Dallas, noted that shadow AI extends beyond unapproved applications and involves embedded AI components that can process and disseminate sensitive data in unpredictable ways. “Unlike traditional shadow IT, which may be limited to unauthorized software or hardware, shadow AI can run on employee mobile devices outside the organization’s perimeter and control,” he told TechNewsWorld. “This creates new security and compliance risks that are harder to track and mitigate.” Vishnubhotla added that the financial impact of shadow AI varies, but unauthorized AI tools can lead to significant regulatory fines, data breaches, and loss of intellectual property. “Depending on the scale of the agency and the sensitivity of the data exposed, the costs could range from millions to potentially billions in damages due to compliance violations, remediation efforts, and reputational harm,” he said. “Federal agencies handling vast amounts of sensitive or classified information, financial institutions, and health care organizations are particularly vulnerable,” he said. “These sectors collect and analyze vast amounts of high-value data, making AI tools attractive. But without proper vetting, these tools could be easily exploited.” Shadow AI Everywhere and Easy To Use Nicole Carignan, SVP for security and AI strategy at Darktrace, a global cybersecurity AI company, predicts an explosion of tools that utilize AI and generative AI within enterprises and on devices used by employees. “In addition to managing AI tools that are built in-house, security teams will see a surge in the volume of existing tools that have new AI features and capabilities embedded, as well as a rise in shadow AI,” she told TechNewsWorld. “If the surge remains unchecked, this raises serious questions and concerns about data loss prevention, as well as compliance concerns as new regulations start to take effect.” “That will drive an increasing need for AI asset discovery — the ability for companies to identify and track the use of AI systems throughout the enterprise,” she said. “It is imperative that CIOs and CISOs dig deep into new AI security solutions, asking comprehensive questions about data access and visibility.” Shadow AI has become so rampant because it is everywhere and easy to access through free tools, maintained Komprise’s Subramanian. “All you need is a web browser,” she said. “Enterprise users can inadvertently share company code snippets or corporate data when using these Gen AI tools, which could create data leakage.” “These tools are growing and changing exponentially,” she continued. “It’s really hard to keep up. As the IT leader, how do you track this and determine the risk? Managers might be looking the other way because their teams are getting more done. You may need fewer contractors and full-time employees. But I think the risk of the tools is not well understood.” “The low, or in some cases non-existent, learning curve associated with using Gen AI services has led to rapid adoption, regardless of prior experience with these services,” added Satyam Sinha, CEO and co-founder of Acuvity, a provider of runtime Gen AI security and governance solutions, in Sunnyvale, Calif. “Whereas shadow IT focused on addressing a specific challenge for particular employees or departments, shadow AI addresses multiple challenges for multiple employees and departments. Hence, the greater appeal,” he said. “The abundance and rapid development of Gen AI services also means employees can find the right solution [instantly]. Of course, all these traits have direct security implications.” Banning AI Tools Backfires To support innovation while minimizing the threat of shadow AI, enterprises must take a three-pronged approach, asserted Kris Bondi, CEO and co-founder of Mimoto, a threat detection and response company in San Francisco. They must educate employees on the dangers of unsupported, unmonitored AI tools, create company protocols for what is not acceptable use of unauthorized AI tools, and, most importantly, provide AI tools that are sanctioned. “Explaining why one tool is sanctioned and another isn’t greatly increases compliance,” she told TechNewsWorld. “It does not work for a company to have a zero-use mandate. In fact, this results in an increase in stealth use of shadow AI.” In the very near future, more and more applications will be leveraging AI in different forms, so the reality of shadow AI will be present more than ever, added AppOmni’s Ruzzi. “The best strategy here is employee training and AI usage monitoring,” she said. “It will become crucial to have in place a powerful SaaS security tool that can go beyond detecting direct AI usage of chatbots to detect AI usage connected to other applications,” she continued, “allowing for early discovery, proper risk assessment, and containment to minimize possible negative consequences.” “Shadow AI is just the beginning,” KnowBe4’s McQuiggan added. “As more teams use AI, the risks grow.” He recommended that companies start small, identify what’s being used, and build from there. They should also get legal, HR, and compliance involved. “Make AI governance part of your broader security program,” he said. “The sooner you start, the better you can manage what comes next.” John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John. Leave a Comment Click here to cancel reply. Please sign in to post or reply to a comment. New users create a free account. Related Stories More by John P. Mello Jr. view all More in IT Leadership

Published June 4, 2025 10:00am EDT close Windows bug leaves computer Wi-Fi vulnerable to hackers Kurt "CyberGuy" Knutsson explains how to keep your Windows computer safe and the security risks of online retail giant Temu. NEWYou can now listen to Fox News articles! Hackers are no longer targeting only tech giants or hospitals. Any business that collects valuable personal information, such as names, phone numbers, email addresses or even basic financial details, is now a target.Companies that rely heavily on third-party vendors or outsourced customer support are even more at risk, especially if they are not particularly strong in the technology sector.German retailer Adidas learned this the hard way. The company recently confirmed a data breach involving one of its external partners, and although it has acknowledged the issue, many important details are still missing. A hacker at work (Kurt "CyberGuy" Knutsson)Adidas confirms vendor breach: Here’s what we knowAdidas has officially acknowledged that a third-party vendor suffered a breach, resulting in unauthorized access to consumer data. In a public notice titled "Data Security Information," the company revealed that a "third-party customer service provider" had been compromised. While the brand was initially silent on the scope, it had already been reported earlier this month that customers in Turkey and Korea had received breach notifications.MASSIVE DATA BREACH EXPOSES 184 MILLION PASSWORDS AND LOGINSAdidas posted this information on both its German and English websites. However, no specific region or number of affected individuals has been confirmed. The company’s statement did clarify that no payment information, such as credit card details, nor passwords were included in the breach. Instead, it involved contact details submitted by users to Adidas’ help desk in the past.Data obtained reportedly includes names, phone numbers, email addresses and dates of birth. While this might seem limited compared to financial data, this type of information can be exploited for phishing scams and identity theft.  An Adidas sign (Kurt "CyberGuy" Knutsson)What Adidas told customers after the breachIn the wake of the breach, Adidas began notifying potentially affected customers directly. The company's email to customers below aimed to reassure recipients and clarify what information was involved. Here is the full text of the notification sent to affected individuals.Dear customer,We are writing to inform you of an issue that we recently became aware of which may have impacted some of your data.What happenedadidas recently learned that an unauthorized external party gained access to certain customer data through a third-party customer service provider.What information was involvedThe affected data does not contain passwords, credit card or any other payment-related information. Nor have any Social Security numbers been impacted.It mainly consists of contact information relating to customers who had contacted our customer service help desk in the past. This may have included one or more of the following: name, email address, telephone number, gender and/or birth date.What we are doing Privacy and the security of your data is our priority. Upon becoming aware of this incident, adidas took proactive and immediate steps to investigate and contain the incident. This includes further enhancing security measures and resetting passwords for customer service accounts.What you can doWe are currently unaware of any harm (such as identity theft or fraud) being caused to our customers as a result of this incident. There are no immediate steps that you need to take. Although, as always, please remain vigilant and look out for any suspicious messages. As a reminder, adidas will never directly contact you to ask that you provide us with financial information, such as your credit card details, bank account information or passwords.Who you can contactIf you have any questions, then please contact our Customer Service team at https://www.adidas.com/us/helpWe apologise for any inconvenience caused by this incident.adidas TeamWhat Adidas hasn’t said about the vendor hackDespite the official acknowledgment, several questions remain unanswered. Adidas has yet to clarify whether this is a single breach affecting multiple regions or several separate incidents. The lack of transparency around the name of the third-party vendor and the absence of concrete numbers or locations for affected users has created frustration among observers and possibly among customers themselves.The earlier regional reports from Turkey and Korea might suggest that this incident was either global in scale or that similar third-party vendors were independently targeted. In either case, the company's current handling of the situation has left room for speculation. Adidas claims it is in the process of informing potentially affected customers, but it has not detailed the method or timeline for this outreach.We reached out to adidas for a comment, and a representative referred us to this statement on their website. In part, the company said, "We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident."GET FOX BUSINESS ON THE GO BY CLICKING HERE An Adidas shoe (Kurt "CyberGuy" Knutsson)6 critical steps to take after the Adidas data breachIf you think you were affected or just want to be cautious, here are some steps you can take right now to stay safe from the Adidas data breach:1. Scrub your data from the internet using a personal data removal service: The more exposed your personal information is online, the easier it is for scammers to use it against you. Following the Adidas breach, consider removing your information from public databases and people-search sites. Check out my top picks for data removal services here.Get a free scan to find out if your personal information is already out on the web.2. Watch out for phishing scams and use strong antivirus software: With access to your email and phone number, Adidas attackers can craft convincing phishing emails pretending to be from healthcare providers or banks. These emails might include malicious links designed to install malware or steal login information. To defend yourself, use a strong antivirus program. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.3. Safeguard against identity theft and use identity theft protection: Hackers now have access to high-value information from the Adidas breach. This makes you a prime target for identity theft. You might want to consider investing in identity theft protection, which can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. Signing up for identity theft protection gives you 24/7 monitoring, alerts for unusual activity and support if your identity is stolen. See my tips and best picks on how to protect yourself from identity theft.4. Set up fraud alerts: Requesting fraud alerts notifies creditors that they need extra verification before issuing credit in your name. You can request fraud alerts through any one of the three major credit bureaus; they’ll notify the others. This adds another layer of protection without completely freezing access to credit.5. Change passwords and use a password manager: Update passwords on any accounts tied to compromised data. Use unique passwords that are hard to guess and let a password manager do the heavy lifting by generating secure ones for you. Reused passwords are an easy target after breaches. Consider password managers for convenience and security. Get more details about my best expert-reviewed password managers of 2025 here.6. Be wary of social engineering attacks: Hackers may use stolen details like names or birthdates from breaches in phone scams or fake customer service calls designed to trick you into revealing more sensitive info. Never share personal details over unsolicited calls or emails. Social engineering attacks rely on trust, and vigilance is key.Kurt’s key takeawayThe Adidas breach shows that even companies with decades of brand equity and a massive global footprint are not immune to lapses in data security. It underscores the need for companies to go beyond basic compliance and actively evaluate the cybersecurity standards of every partner in their ecosystem. Consumers are becoming increasingly aware of the trade-offs they make when sharing their personal information, and brands that fail to meet this moment may find their reputations eroding faster than they expect.CLICK HERE TO GET THE FOX NEWS APPShould retailers be penalized for neglecting basic cybersecurity practices? Let us know by writing us atCyberguy.com/Contact.For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.Ask Kurt a question or let us know what stories you'd like us to cover.Follow Kurt on his social channels:Answers to the most-asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com. All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.