Secret CISO 1/13: Hackney Council's lingering data breach, Europe's GDPR penalty, Medusind and VW's massive data leaks, PowerSchool's cyberattack, Apple's USB-C hack, and Facebook's ad platform flaw
Welcome to today's issue of Secret CISO! We're diving into a whirlwind of data breaches and security measures that have been making headlines. Hackney Council is still grappling with the aftermath of a 2020 data breach, while Medusind is taking action after a breach exposed over 360,000 individuals' healthcare info. In the automotive sector, a software bug has left 800,000 VW electric vehicle owners' data exposed. Meanwhile, PowerSchool's data breach has affected millions of student and teacher records, adding an extra layer of urgency to the need for robust security measures. In the world of cybersecurity, Stephanie Crowe has taken over as the new head of the Australian Cyber Security Centre.
On the other side of the globe, the International Civil Aviation Organization is dealing with a recruitment data breach impacting nearly 12,000 individuals. We also delve into the world of tech, where Apple devices are at risk after a security researcher successfully hacked the ACE3 USB-C controller. And in the financial sector, the Capital One Bank Settlement 2025 is providing compensation for fraud, identity theft, and data security expenses. Stay tuned for more updates on these stories and a deep dive into the world of data privacy, security research, and the latest vulnerabilities. Don't miss out on the essential insights that every CISO needs to know!
P.S. We are sorry for the AI-generated images; it's the best we can do for now without a dedicated designer.
Data Breaches
- Hackney Council still addressing 2020 data breach issues: Hackney Council's IT department has confirmed that a new contract was signed in December 2021 and will be implemented in January 2022 to address ongoing issues from a 2020 data breach. Source: BBC
- Medusind Data Breach Exposes Over 360,000 Individuals' Healthcare Info: Medusind, a healthcare solutions provider, has suffered a data breach exposing the healthcare information of over 360,000 individuals. In response, the company has implemented enhanced security measures and is offering two years of complimentary identity monitoring services. Source: Information Security Buzz
- 800,000 VW electric vehicle owners' data exposed by software bug: A massive data leak at Volkswagen has exposed the personal and geolocation data of approximately 800,000 electric vehicle owners. The breach was reportedly caused by a software bug. Source: CyberGuy
- PowerSchool data breach exposes millions of student and teacher records: A data breach at PowerSchool, an education technology platform, has exposed the records of millions of students and teachers. The company has added an extra layer of security by requiring a second form of verification to access accounts. Source: AOL
- ICAO says nearly 12,000 impacted by recruitment data breach: The International Civil Aviation Organization (ICAO) has confirmed a data breach impacting nearly 12,000 individuals. The breach occurred during a recruitment process and the organization has released a second update regarding the incident. Source: Cyber Daily
Security Research
- Apple devices at risk after security researcher successfully hacks ACE3 USB-C controller: Security researcher Thomas Roth has successfully hacked the custom ACE3 USB-C controller in Apple devices, demonstrating a potential vulnerability. Source: SiliconANGLE
- Researcher Uncovers Critical Flaw in Facebook's Ad Platform, Earns $100,000: Security researcher Ben Sadeghipour discovered a significant security vulnerability within Facebook's ad platform in October 2024, earning a $100,000 bounty for his findings. Source: MSN
- NonEuclid RAT Evades Antivirus Detection: Security researchers have discovered a new Remote Access Trojan (RAT) named NonEuclid that can bypass antivirus detection, posing a potential threat to cybersecurity. Source: Cybersecurity News
- Check Point Research Warns 100 Million macOS Users Of A New Hack Attack: Security researchers at Check Point have identified a new malicious software capable of stealing browser credentials, potentially impacting 100 million macOS users. Source: ABP Live
- Zero-Click Exploit Uncovered on Samsung Devices: What You Need to Know: A zero-click exploit has been discovered on Samsung devices, highlighting the importance of collaboration between tech companies and security researchers in identifying and addressing such vulnerabilities. Source: The Africa Logistics
Top CVEs
- IBM Robotic Process Automation Vulnerability (CVE-2024-51456): A remote attacker could obtain sensitive data through certain cryptanalytic methods in IBM Robotic Process Automation versions 21.0.0 through 21.0.7.19 and 23.0.0 through 23.0.19. Source: CVE-2024-51456
- Exelban Stats Vulnerability (CVE-2025-0396): A critical vulnerability has been found in exelban stats up to version 2.11.21, affecting the function shouldAcceptNewConnection of the component XPC Service. The manipulation leads to command injection. Source: CVE-2025-0396
- Longpi1 Warehouse Vulnerability (CVE-2025-0398): A problematic vulnerability has been found in longpi1 warehouse 1.0, affecting an unknown functionality of the file /resources/..;/inport/updateInport of the component Backend. The manipulation of the argument remark leads to cross-site scripting. Source: CVE-2025-0398
- Reggie Vulnerability (CVE-2025-0402): A critical vulnerability was found in 1902756969 reggie 1.0, affecting the function upload of the file src/main/java/com/itheima/reggie/controller/CommonController.java. The manipulation of the argument file leads to unrestricted upload. Source: CVE-2025-0402
- StarSea99 Starsea-Mall Vulnerability (CVE-2025-0400): A problematic vulnerability was found in StarSea99 starsea-mall 1.0, affecting some unknown processing of the file /admin/categories/update. The manipulation of the argument categoryName leads to cross-site scripting. Source: CVE-2025-0400
API Security
- API Security Issue in HCL MyXalytics: A sensitive information disclosure vulnerability has been identified in HCL MyXalytics. The HTTP response header reveals "Microsoft-HTTPAPI/2.0" as the server's name, potentially exposing server software details to malicious actors. This vulnerability could be exploited to gain unauthorized access or disrupt services. Source: CVE-2024-42179
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. From the ongoing data breach issues at Hackney Council to the exposure of over 360,000 individuals' healthcare info in the Medusind data breach, it's clear that cybersecurity is a critical concern for all. As we continue to navigate this digital landscape, let's remember to stay vigilant, stay informed, and most importantly, stay secure.
If you found this newsletter helpful, please consider sharing it with your friends and colleagues. Let's work together to create a safer digital world for everyone. Until next time, keep your data close and your security closer.