Secret CISO 1/2: Thomson Reuters highlights data privacy concerns, Indiana AG penalized for HIPAA violations, Cyberhaven breach impacts 400k users, Volkswagen resolves breach affecting 800k EV owners
Welcome to today's issue of Secret CISO. As we navigate the ever-evolving landscape of data privacy and security, we bring you the latest updates and insights. Today, we delve into the future of data privacy, with 82% of respondents in a Thomson Reuters Risk & Compliance Survey Report citing data and cybersecurity concerns as their top priority. We also discuss the recent $350,000 penalty imposed on Indiana AG for egregious HIPAA violations, highlighting the importance of breach notification and consumer protection. In the healthcare sector, regulators are planning to restart HIPAA health data privacy and security audits, emphasizing the need for robust HIPAA privacy, security, and data breach policies.
Meanwhile, the financial services industry is urged to improve its cyber hygiene, as 50% of businesses experienced a cyber-attack or security breach in the past year. We also cover the recent data breaches at Cyberhaven, Volkswagen, and the US Treasury Department, underscoring the urgent need for enhanced security measures. On the darker side of the web, stolen data is becoming a currency, with hackers leaking Rhode Island citizens' data on the Dark Web.
Lastly, we explore the emerging trends in cybersecurity for businesses in 2025, including the rise of biometric security and AI-powered threats. Stay tuned for more updates and stay secure!
Data Breaches
- Indiana AG Agrees to $350,000 Penalty to Resolve Egregious HIPAA Violations: The Indiana Attorney General has agreed to a hefty penalty in response to serious violations of the Health Insurance Portability and Accountability Act (HIPAA). The violations included a failure to provide breach notification, which is a violation of the Indiana Disclosure of Security Breach Act. Source: HIPAA Journal
- Federal Cybersecurity Policy Still Lags Rapid Change: The data breach at National Public Data, which exposed Americans' Social Security numbers and other personal data, has highlighted the need for a more rapid response to changes in federal cybersecurity policy. Source: InformationWeek
- Cyberhaven Breach Caused by Malicious Chrome Extension: Cybersecurity startup Cyberhaven has experienced a data breach due to a malicious Chrome extension, infecting 400,000 users with malware. The company focuses on Data Loss Prevention (DLP). Source: Techzine Global
- Hackers Leak Rhode Island Citizens' Data on Dark Web: The State of Rhode Island has confirmed that cybercriminals have begun publishing data stolen from its social services portal, RIBridges, on the dark web. Source: Infosecurity Magazine
- US Treasury Department Discloses Data Breach Linked to BeyondTrust: The US Treasury Department has disclosed a major cybersecurity breach, with officials pointing the finger at Chinese state-sponsored attackers. The breach is linked to BeyondTrust, a cybersecurity company. Source: Computing UK
Security Research
- AI Fuels Reported Rise in 'Polished' Phishing Scams: Cybercrime security researcher Nadezda Demidova warns that the availability of generative AI tools is lowering the entry threshold for advanced cybercrime, leading to a rise in sophisticated phishing scams. Source: PYMNTS.com
- Double-clickjacking: attackers can steal user accounts unnoticed: Security researcher Paulos Yibelo has disclosed a new variation of 'clickjacking' attacks that can trick users into unknowingly giving attackers access to their accounts. Source: Cybernews
- Smartphone users should be aware of the threats posed by malicious NFC tags: Security researchers at Kaspersky warn that NFC tags in public spaces can be reprogrammed or replaced to carry out harmful actions, posing a threat to smartphone users. Source: ZAWYA
- No security patch in sight: Paessler PRTG Network Monitor vulnerable to attack: Security researchers from Trend Micro have discovered a high-risk vulnerability (CVE-2024-12833) in the web interface of Paessler PRTG Network Monitor, with no security update currently available. Source: Heise
- Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT: Security researcher Kirill Boychenko has published an analysis of a malicious, obfuscated NPM package disguised as an Ethereum tool that deploys the Quasar RAT. Source: The Hacker News
Top CVEs
- CVE-2023-48758 WordPress JetEngine plugin <= 3.2.4 - Broken Access Control vulnerability: Crocoblock JetEngine plugin for WordPress has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. Source: CVE-2023-48758
- CVE-2023-46605: Convertful – Your Ultimate On-Site Conversion Tool by Ruslan Suhar has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. Source: CVE-2023-46605
- CVE-2023-46606: AtomChat has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. Source: CVE-2023-46606
- CVE-2023-48739 WordPress Porto Theme Functionality plugin < 2.12.1 - Broken Access Control vulnerability: Porto Theme - Functionality plugin for WordPress has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. Source: CVE-2023-48739
- CVE-2023-47557: Visitors Traffic Real Time Statistics by wp-buy has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. Source: CVE-2023-47557
API Security
- Critical Vulnerability in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2 (CVE-2024-13111): A critical vulnerability has been discovered in the JWT Token Handler component of Beijing Yunfan Internet Technology's Yunfan Learning Examination System 1.9.2. The flaw leads to improper authentication and can be exploited remotely, although the complexity of the attack is high and exploitation appears difficult. The exploit has been publicly disclosed. Source: vulners.com
- Missing Authorization Vulnerability in CoCart Headless, LLC CoCart – Headless ecommerce (CVE-2023-47241): A missing authorization vulnerability has been found in CoCart Headless, LLC's CoCart – Headless ecommerce. The issue stems from incorrectly configured access control security levels and affects all versions from n/a through... Source: vulners.com
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the future of data privacy to the latest security breaches and the ever-evolving world of cybersecurity. Remember, in this digital age, staying informed is your first line of defense. So, don't forget to share this newsletter with your friends and colleagues.
Let's spread the knowledge and build a safer cyber world together. Stay safe, stay secure, and see you in the next edition of Secret CISO.