Workplace monitoring apps share employee data with ad platforms, study finds
A new study led by Columbia Law School's Stephanie Nguyen found that nine workplace monitoring tools share employee data with third parties including Facebook and Google. The data ranges from names and email addresses to web browsing history.
A study released Tuesday reveals that many workplace monitoring applications transmit employee data not only to employers but also to digital advertising platforms and data brokers. The research, led by Stephanie Nguyen, a senior fellow at Columbia Law School's Center for Law and the Economy and former chief technologist at the Federal Trade Commission under Lina Khan, examined nine popular "bossware" services. All nine were found to share some form of information with third-party platforms, according to the report.
The data shared includes names, email addresses, and web browsing history. Recipients of this data include major ad platforms such as Facebook and Google. The study did not name the specific bossware services but noted that they are used by hundreds of thousands of workplaces to monitor employee activity.
Nguyen's review highlights a growing concern about privacy in the workplace as remote and hybrid work models become more common. Employee monitoring software often tracks keystrokes, screenshots, and time spent on tasks, but the extent of data sharing with third parties has been less understood.
The findings come amid increased regulatory scrutiny of data privacy practices. The FTC has been active in pursuing cases against companies that misuse consumer data, and the study suggests that workplace monitoring tools may be operating in a gray area of consent and transparency.
Employers using these tools may not be fully aware of the data-sharing practices, the study suggests. The report calls for greater transparency from bossware providers and clearer disclosures to both employers and employees about how data is used and shared.
Representatives from Facebook and Google did not immediately respond to requests for comment. The study's authors recommend that companies review their monitoring software contracts and data-sharing policies to ensure compliance with privacy regulations.
The full study is available on the Columbia Law School website. Nguyen and her team plan to expand the research to include more bossware services and examine the legal implications of the data-sharing practices they uncovered.
Trump Mobile Data Leak Exposes Customer Addresses, Emails
Trump Mobile is reportedly leaking customers' email and home addresses, with two YouTubers claiming to have verified the authenticity of the exposed data. The company has not responded to alerts about the breach.
Trump Mobile, a mobile virtual network operator (MVNO) associated with former President Donald Trump, is facing allegations of a data leak that exposes customers' personal information. Two YouTubers have reported that the company is leaking email and home addresses, and that Trump Mobile has not responded to individuals who alerted the company about the exposure. The YouTubers stated they verified that their own leaked data was authentic, raising concerns about the security of customer information.
The alleged leak involves sensitive personal details, including email addresses and physical home addresses, which could be used for identity theft or targeted harassment. The YouTubers, who have not been named in the reports, claimed they discovered the data exposure and attempted to notify Trump Mobile but received no response. The company's silence has intensified scrutiny over its data protection practices.
Trump Mobile operates as an MVNO, meaning it resells wireless services from major carriers under its own brand. The company markets itself to supporters of Donald Trump, offering plans that emphasize conservative values. The alleged data breach could undermine trust among its customer base, which includes politically engaged individuals who may be particularly concerned about privacy.
The YouTubers did not specify how they discovered the leak or the extent of the data exposure. However, they asserted that the leaked information matched their own personal details, confirming the breach's validity. Without a response from Trump Mobile, it remains unclear how many customers may be affected or what steps the company is taking to address the issue.
Data breaches involving MVNOs are not uncommon, as these companies often rely on third-party infrastructure and may have less robust security measures than major carriers. The exposure of email and home addresses can lead to phishing attacks, doxxing, or other forms of cyber exploitation. Customers of Trump Mobile are advised to monitor their accounts and be cautious of unsolicited communications.
As of now, Trump Mobile has not issued a public statement regarding the alleged leak. The company's website and social media channels have not addressed the reports. The YouTubers have called on the company to acknowledge the breach and take corrective action to protect customer data.
The Federal Trade Commission (FTC) and other regulatory bodies have not commented on the incident. If the leak is confirmed, Trump Mobile could face legal consequences under data protection laws, including potential fines for failing to safeguard consumer information. The company's lack of response may also lead to reputational damage and customer attrition.
Customers who believe their data may have been exposed are encouraged to change passwords, enable two-factor authentication, and report any suspicious activity to authorities. The YouTubers have urged Trump Mobile to notify affected individuals and implement stronger security measures to prevent future breaches.
Trump Mobile accused of leaking customer addresses and phone numbers
Trump Mobile has been accused of insecurely storing customer data, exposing addresses and phone numbers. The alleged leak also revealed that T1 Phone pre-orders are far fewer than viral figures claimed.
Trump Mobile faces allegations of insecure data storage, with customer addresses and phone numbers potentially exposed. The T1 Phone, which was scheduled to start shipping last week, is at the center of the controversy. YouTuber voidzilla first reported the apparent leak after being tipped off by an anonymous individual who discovered a vulnerability in the Trump Mobile website. The hacker claims they were able to place fake orders and scrape the entire pre-order database, accessing emails, phone numbers, and mailing addresses. The alleged leak also revealed the number of T1 Phone orders placed, which is significantly lower than viral figures have suggested. Trump Mobile has not yet commented on the allegations. The company had been promoting the T1 Phone as a secure device, making the reported data exposure particularly concerning for customers. The full story is available at The Verge.
GitHub Confirms Hackers Stole Data from Internal Repositories
GitHub reported that attackers accessed and exfiltrated data from thousands of its internal repositories. The company stated it found no evidence that customer data was compromised.
GitHub disclosed on Tuesday that it had identified a security incident involving unauthorized access to its internal systems. The code hosting platform said attackers managed to steal data from thousands of its private repositories. The breach was discovered during a routine security review, prompting an immediate investigation.
The company emphasized that the stolen data originated from internal repositories used for development and operations. GitHub clarified that no customer repositories or personal information were accessed in the incident. The attackers exploited a vulnerability in a third-party service integrated with GitHub's infrastructure.
GitHub's security team has since patched the vulnerability and is working with law enforcement. The company is also notifying affected users and implementing additional security measures. The incident underscores ongoing risks in software supply chain security, where attackers target development tools and internal systems.
GitHub has not disclosed the exact number of repositories affected, but described the breach as limited in scope. The company stated that the attackers did not gain access to production systems or customer data. GitHub advised users to review their own security practices and enable two-factor authentication.
This incident follows a trend of cyberattacks targeting code repositories and development platforms. In recent years, similar breaches have affected other tech companies, highlighting the value of source code and internal documentation to malicious actors. GitHub's response includes enhanced monitoring and stricter access controls.
GitHub has not provided a timeline for when the breach occurred or when it was fully contained. The company said it will release more details as its investigation progresses. Users are encouraged to report any suspicious activity related to their GitHub accounts.
GitHub reiterated its commitment to security and transparency, stating that it will continue to update the community. The company operates one of the largest code hosting platforms, serving millions of developers worldwide. This incident serves as a reminder of the persistent threats facing the software development ecosystem.
Ocean Raises $28M for AI Email Security Platform to Combat Phishing
Ocean, an agentic email security platform, raised $28 million to fight AI-powered phishing. Its AI analyzes email context to detect fraud and impersonation.
Ocean, an email security startup, announced it has raised $28 million in funding. The company's platform uses artificial intelligence to analyze the context of incoming emails, aiming to detect sophisticated phishing and impersonation attempts. The funding round was led by a prominent venture capital firm, with participation from existing investors.
The platform employs what Ocean calls "agentic" AI, which goes beyond traditional email filtering. Instead of relying solely on known threat signatures or simple rule-based detection, Ocean's system examines the full context of each message, including sender behavior, language patterns, and relationship dynamics. This approach is designed to catch advanced social engineering attacks that often bypass conventional security measures.
Ocean's technology was developed by a founder with a background in cybersecurity research, including work on systems similar to Israel's Iron Dome missile defense. The founder's experience in high-stakes threat detection informed the design of Ocean's AI, which aims to adapt to evolving attack techniques in real time.
The company reports that its platform can identify subtle indicators of fraud, such as unusual requests for sensitive information or slight deviations in communication style. Ocean claims its AI reduces false positives compared to traditional email security tools, allowing legitimate emails to reach users without interruption.
Ocean plans to use the new funding to expand its engineering team and accelerate product development. The company also intends to scale its sales and marketing efforts to reach more enterprise customers. Ocean's platform integrates with major email providers like Microsoft 365 and Google Workspace.
The $28 million funding round brings Ocean's total raised to date to $35 million. The company did not disclose its valuation. Ocean's customers include several Fortune 500 companies, though the startup declined to name them.
Ocean's platform is available now for businesses of all sizes. Pricing is based on the number of users and starts at $5 per user per month. The company offers a free trial for prospective customers.
"Our mission is to make email safe for everyone," said Ocean's founder and CEO in a statement. "With this funding, we can accelerate our work to stop AI-powered phishing attacks before they cause harm."