Andrew Hoog

I like to tinker in mobile forensics, security, privacy, tools development, nodejs and home automation. I’m an author, inventor, expert witness and co-founder of NowSecure.
Board Cybersecurity: https://www.board-cybersecurity.com
Personal Website: https://www.andrewhoog.com
YouTube Channel: https://www.youtube.com/@SPFExpert
GitHub: https://github.com/ahoog42
LinkedIn: https://www.linkedin.com/in/andrewhoog/

FTC + AI + Consent. Remember this pattern, you may be seeing it a lot.

This week the FTC settled with Cox Media Group and two marketing firms for $930,000 over a service they called "Active Listening", AI that purportedly targeted ads based on conversations picked up by smart devices.

The product turned out to be smoke and mirrors (it was just resold email lists). But the FTC's legal analysis is what matters for boards:

The agency ruled explicitly that mandatory Terms of Service click-throughs do not constitute opt-in consent for invasive data collection or use of voice data. If the technology had worked as advertised, the data collection itself would have violated the FTC Act.

That's a significant marker. It means the consent architecture underlying a wide range of AI-powered products, not just ad tech, is now under scrutiny. Think of the implication for mobile apps!

If you want alerts for new incidents or regulatory actions, you can sign up for a free account here:
https://www.board-cybersecurity.com/alerts/upgrade?utm_source=mastadon&utm_medium=social&utm_campaign=cox-ftc-ai-consent

Inotiv settles cybersecurity class action — here's what boards and executives should know.

The company filed an 8-K today confirming a settlement agreement resolving litigation stemming from its August 2025 data breach. PHI and PII were among the data potentially acquired.

The settlement, if court-approved, provides class members with:
• Compensation for lost time and out-of-pocket expenses
• Recovery for extraordinary losses
• An alternative flat cash payment
• Two years of credit monitoring

Attorneys' fees are capped at $275,000. The company anticipates full insurance coverage for all settlement payments.

No admission of liability. Three federal cases were dismissed and refiled in Indiana state court before this resolution.

This is a useful case study in how post-breach litigation tends to consolidate and settle — and why cyber liability insurance structuring matters from day one.

Full incident profile: https://www.board-cybersecurity.com/incidents/tracker/inotiv-cybersecurity-incident-f965dc60?utm_source=mastodon&utm_medium=social&utm_campaign=inotiv-update

#CyberSecurity #DataBreach #BoardGovernance #CyberRisk #PrivacyLaw

This marks the first material cybersecurity 8-K I've tracked where the root cause was employee use of unauthorized AI software. Full filing on Board Cybersecurity: https://www.board-cybersecurity.com/incidents/tracker/cb-financial-services-cybersecurity-incident-2b5a3883?utm_source=mastodon&utm_medium=social&utm_campaign=cb-financial-shadow-ai

CB Financial Services, the parent company of Community Bank, filed an Item 1.05 disclosure on May 11 after discovering on May 5 that non-public customer information had been processed through an unauthorized AI application. On May 7, the Company determined the incident to be material due to the volume and sensitivity of the data involved.

The exposed records included customer names, Social Security numbers, and dates of birth, essentially a full identity-theft starter kit.

Three aspects make this filing noteworthy:

1. Materiality determinations are rare. Out of 153 8-K filings that discuss cybersecurity materiality in the Board Cybersecurity dataset, only 9 concluded the incident was material across the five SEC impact categories. CB Financial is unique in stating that the incident "has not had, and is not expected to have, a material impact on the Company's consolidated financial condition or results of operations," yet still filed under Item 1.05, emphasizing the materiality based on data volume and sensitivity.

2. The root cause is not ransomware, vendor breaches, or phishing campaigns; it is shadow AI. An employee or employees used an unsanctioned AI application to handle customer data. This serves as a reference case for every CISO warning their board about this risk.

3. The materiality determination occurred just two days after discovery, driven solely by the data's volume and sensitivity, not by operational impact, as the Bank stated that operations, payment systems, customer access, and core IT infrastructure were not disrupted.

The key takeaway is not that AI is inherently dangerous, but rather that the gap between "employees can access AI tools" and "the bank has controls over what data goes into those tools" has led to a material cybersecurity disclosure.

Expect more developments on this front.

SailPoint, Inc. has disclosed a cybersecurity incident in an 8-K filed on May 8, 2026. The incident occurred on April 20, 2026, when an attacker gained unauthorized access to GitHub repositories.

Key details include:
- The root cause was identified as a vulnerability in a third-party application.
- Importantly, no customer data was accessed, and services were not interrupted.
- Impacted customers have been notified.

For more information, you can visit https://www.board-cybersecurity.com/incidents/tracker/sailpoint-cybersecurity-incident-dff0436a?utm_source=mastodon&utm_medium=social&utm_campaign=sailpoint-incident

Late Friday, Medtronic filed an 8-K disclosing a cybersecurity incident. Then this morning, its subsidiary, MiniMed Group filed nearly the exact same filing.

It will be interesting to see if this becomes a trend. In the past, we've typically only seen either the parent or the subsidiary disclose the incident in an SEC 8-K filing.

Here are a few thoughts:

1️⃣ Materiality is being evaluated at multiple levels
The parent and subsidiary are each making their own call on disclosure obligations

2️⃣ Legal structure still matters
Even with centralized security, incidents still tie back to specific entities, systems, and data ownership

3️⃣ Over-disclosure is becoming the safer path
Under the SEC’s cyber rules, duplicating a filing is likely less risky than missing one

4️⃣ This creates noise downstream
Investors, analysts, and tools now have to reconcile what is effectively the same incident across filings

If this becomes standard practice, linking related disclosures across corporate structures becomes a real problem to solve.

Full breakdowns:

Medtronic: https://www.board-cybersecurity.com/incidents/tracker/medtronic-cybersecurity-incident-c15939ae
MiniMed: https://www.board-cybersecurity.com/incidents/tracker/minimed-group-cybersecurity-incident-722b9653

Medtronic plc disclosed a cybersecurity incident involving unauthorized access to IT systems.

https://www.board-cybersecurity.com/incidents/tracker/medtronic-cybersecurity-incident-c15939ae?utm_source=mastodon&utm_medium=social&utm_campaign=incident_alerts

The disclosure is carefully worded so it cannot be determined, at this time, if the incident was a breach or not.

Sign up for a free account to see the full details, get alerts on new incidents, and monitor a specific company. For now, the high level details are:

1️⃣ Unauthorized access detected
2️⃣ Incident response protocols activated
3️⃣ No impact on products or patient safety
4️⃣ No material financial impact expected

An unauthorized third party gained access to Itron's systems, prompting an SEC disclosure. Notable is that they reference "significant costs". https://www.board-cybersecurity.com/incidents/tracker/itron-cybersecurity-incident-7dac5afb?utm_source=mastodon&utm_medium=social&utm_campaign=itron-incident-20260424

Here's a summary of the disclosure:

1️⃣ Incident detected on April 13, 2026
2️⃣ Investigation launched with external advisors
3️⃣ No subsequent unauthorized activity observed
4️⃣ Significant costs expected to be covered by insurance

You can see the full details at the link above and if you sign up for a free account, you can not only see the full details of all incidents, governance, and regulatory action events tracked in the system but also receive email alerts on new events. https://www.board-cybersecurity.com/alerts

CareCloud, Inc. disclosed a material cybersecurity incident involving one of their electronic health record environments.

1️⃣ Incident occurred on March 16, 2026
2️⃣ Affected one of six electronic health record environments
3️⃣ Systems fully restored within ~8 hours; incident contained same day
4️⃣ Patient data may have been involved; assessment of access or exfiltration is ongoing

Additional details here: https://www.board-cybersecurity.com/incidents/tracker/carecloud-cybersecurity-incident-b2e7eba5?utm_source=infosec.exchange&utm_medium=social&utm_campaign=incident_alerts&utm_content=carecloud-2026-03-16

You can sign up for a free account and incident alerts here: https://www.board-cybersecurity.com/alerts/upgrade?utm_source=infosec.exchange&utm_medium=social&utm_campaign=incident_alerts&utm_content=carecloud-2026-03-16

UFP Technologies disclosed a cybersecurity incident after detecting suspicious activity in its IT systems earlier this month. The company is investigating potential data access while reporting no material operational impact so far.

1️⃣ Suspicious activity detected on February 14, 2026
2️⃣ External cybersecurity advisors engaged for investigation
3️⃣ Possible unauthorized access and data exfiltration under review
4️⃣ Company reports no material financial or operational impact at this time

UFP Technologies, Inc. designs and manufactures custom-engineered components and packaging for medical devices and other highly regulated industries.
https://www.board-cybersecurity.com/incidents/tracker/20260224-ufp-technologies-inc-cybersecurity-incident/

Link preview: 2026-02-24 UFP TECHNOLOGIES INC Cybersecurity Incident. UFP TECHNOLOGIES INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2026-02-24 16:40:24 EST. Materiality, breach status, record counts, data types, timeline dates, attack goal, tactics and techniques are not yet tracked for this incident.

Data in state AG breach notifications has some issues. No, this 2021 breach wasn't first reported in the year 9999!

I'm a few weeks away from releasing the new Board Cybersecurity website that's ingesting far more incident data. You can sign up for free alerts on the current site and you'll get notified when the new system with 1,000s of breaches is available. https://www.board-cybersecurity.com/

In the meantime, here's the Maine AG filing for this 2021 breach: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/598f0dd5-2f8f-4610-9c63-5f2b7e96cf60.shtml