Secret CISO 1/25: UnitedHealth's record-breaking data breach, PowerSchool's global security failure, PayPal's $2M fine, and Nepal's national ID system under scrutiny
Welcome to today's edition of Secret CISO, where we bring you the latest and most impactful cybersecurity news. Today, we're focusing on a series of data breaches that have affected millions of people worldwide.
First up, a breach at Change Healthcare exposed data on a staggering 190 million people, marking it as the largest breach of medical data in U.S. history. UnitedHealth Group, the parent company of Change Healthcare, confirmed the breach, which has caused months of outages across the U.S. healthcare system. In education, a major data breach involving PowerSchool software has compromised the personal information of millions of students and teachers in Ohio, North Carolina, and other parts of the world. The breach was identified in late December 2024, and PowerSchool acted immediately to secure the affected data and mitigate any ongoing risks.
Meanwhile, in Nepal, lawmakers are demanding assurances on the data security architecture of the national ID card program. This comes after a series of data breaches in various sectors, highlighting the need for robust data security measures. In other news, PayPal was fined $2 million for exposing thousands of customers' Social Security numbers due to inadequate cybersecurity practices. And MGM Resorts has agreed to pay $45 million to settle data-breach lawsuits, providing a stark reminder of the financial implications of failing to protect customer data. Finally, we turn our attention to the world of cybersecurity research. Researchers have discovered vulnerabilities in Subaru's Starlink connected vehicle service, potentially exposing sensitive customer data.
Meanwhile, cybersecurity firm Sophos has warned security teams about Russian threat groups posing as tech help services to infiltrate systems. Stay tuned for more updates and remember, in the world of cybersecurity, vigilance is key.
Data Breaches
- Change Healthcare Data Breach: A ransomware attack on Change Healthcare in 2024 exposed data on a record-breaking 190 million people, marking the largest breach of medical data in U.S. history. The attack caused months of outages across the U.S. healthcare system. Source: TechCrunch
- PayPal Fined for Data Exposure: PayPal was fined $2 million for failing to implement proper cybersecurity practices, which led to the exposure of thousands of customers' Social Security numbers. Source: Straight Arrow News
- MGM Resorts Data Breach Settlement: MGM Resorts has agreed to pay $45 million to settle data breach lawsuits. The settlement will provide benefits to three tiers of class members, including an estimated $75 cash payment to those whose Social Security number was exposed. Source: Bloomberg Law News
- HCF Management Cyberattack: HCF Management, a healthcare facility, suffered a cyberattack affecting tens of thousands of residents. The extent of the breach is still under investigation as each facility is reporting the breach separately. Source: HIPAA Journal
- Universal Lenders Data Breach: Universal Lenders suffered a data breach, prompting a potential class action lawsuit on behalf of the victims. The extent of the breach and the data affected are still unknown. Source: Class Action
Security Research
- Subaru's Starlink Vulnerability: Security researcher Sam Curry discovered a vulnerability in Subaru's Starlink connected vehicle service that exposed sensitive customer data. This flaw could allow attackers to track, control, and even start Subarus remotely. Source: CyberWire, Bleeping Computer, Kelley Blue Book
- Russian Threat Groups Pose as Tech Help: Researchers at cybersecurity firm Sophos have warned security teams about Russian threat groups posing as tech help services to infiltrate systems. Source: ChannelE2E
- Lumma Stealer Campaign: Security researcher Ryan Chenkie discovered a phishing campaign that spoofs Reddit and WeTransfer pages to steal user data. Source: SC Media
- Cybersecurity in Networked Systems and AI: A research study emphasizes the importance of resource allocation and risk management in achieving security goals, providing a framework for networked systems and artificial intelligence. Source: Nature
- Cloudflare CDN Bug: A 15-year-old security researcher identified a bug in Cloudflare's CDN that reveals user locations on Signal and Discord. Source: Dark Reading
Top CVEs
- CVE-2019-15690 - LibVNCServer Heap Buffer Overflow: LibVNCServer 0.9.12 and earlier versions contain a heap buffer overflow vulnerability within the HandleCursorShape() function. An attacker can send cursor shapes with specially crafted dimensions, leading to remote code execution. Source: CVE-2019-15690
- CVE-2024-35122 - IBM i Local Denial of Service: IBM i 7.2, 7.3, 7.4, and 7.5 are vulnerable to a file-level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user who has been socially engineered into accessing the target. Source: CVE-2024-35122
- CVE-2025-21262 - Microsoft Edge Spoofing: Microsoft Edge (Chromium-based) has a spoofing vulnerability. The specifics of the vulnerability are currently undisclosed. Source: CVE-2025-21262
- CVE-2025-0411 - 7-Zip Mark-of-the-Web Bypass: This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. The specific flaw exists within the handling of archived files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Source: CVE-2025-0411
- CVE-2024-41739 - IBM Cognos Dashboards Unauthorized Actions: IBM Cognos Dashboards 4.0.7 and 5.0.0 on Cloud Pak for Data could allow a remote attacker to perform unauthorized actions due to dependency. Source: CVE-2024-41739
API Security
- CVE-2024-10552 Flexmls® IDX Plugin Vulnerability: The Flexmls® IDX Plugin for WordPress is susceptible to Stored Cross-Site Scripting via the 'api_key' and 'api_secret' parameters in all versions up to, and including, 3.14.26. This vulnerability allows authenticated attackers with Contributor-level access to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 3.14.26. Source: vulners.com
- CVE-2025-22610 Coolify OAuth Configuration Vulnerability: Coolify, an open-source tool for managing servers, applications, and databases, has a vulnerability prior to version 4.0.0-beta.361. This vulnerability allows any authenticated user to fetch the global coolify instance OAuth configuration, exposing the 'client id' and 'client secret' for every custom OAuth provider. The attacker can also modify the global OAuth configuration. The issue was fixed in version 4.0.0-beta.361. Source: vulners.com
- CVE-2025-23222 Deepin dde-api-proxy Vulnerability: Deepin dde-api-proxy through 1.0.19 has a vulnerability where unprivileged users can access D-Bus services as root. The dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services. As a result, several proxied methods that should be restricted to root become reachable by non-root users. Source: vulners.com
- CVE-2024-45077 IBM Maximo Asset Management Vulnerability: The IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload. When Maximo is installed on a Windows operating system, authenticated low-privileged users can upload restricted file types simply by appending a dot to the end of the file name. Source: vulners.com
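As an added illustration (not IBM's code and not from the advisory), the following Python contrasts a denylist-style extension check, which a trailing dot slips past, with a check that canonicalizes the name the way Windows will actually store it before deciding. The extension lists and file names are constructed for the example.

```python
"""Constructed example: why an upload filter must canonicalize Windows names.

Win32 silently drops trailing dots and spaces when a file is created, so a
name like 'shell.jsp.' is stored on disk as 'shell.jsp'. A filter that only
inspects the extension as typed sees '.' and lets it through.
"""
import os

# Constructed denylist of server-executable types the (fictional) app refuses.
RESTRICTED_EXTENSIONS = {".jsp", ".jspx", ".asp", ".aspx", ".exe", ".dll"}
# Constructed allowlist used by the hardened check.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}


def windows_stored_name(filename: str) -> str:
    """Name Win32 actually creates: trailing dots and spaces are stripped."""
    return filename.rstrip(". ")


def naive_is_allowed(filename: str) -> bool:
    """Weak check: trusts the extension exactly as the client supplied it.
    'shell.jsp.' yields extension '.', which is not on the denylist."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in RESTRICTED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Strip any path, canonicalize, and require an allowlisted extension.
    A name that would change on disk is rejected outright rather than guessed at."""
    base = os.path.basename(filename.replace("\\", "/"))
    canonical = windows_stored_name(base)
    if not canonical or canonical != base:
        return False
    ext = os.path.splitext(canonical)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def compare(filename: str) -> dict:
    """Return what the name becomes on disk and both checks' verdicts."""
    return {
        "stored_as": windows_stored_name(filename),
        "naive": naive_is_allowed(filename),
        "hardened": hardened_is_allowed(filename),
    }


if __name__ == "__main__":
    for name in ("report.pdf", "shell.jsp", "shell.jsp.", "shell.jsp . ."):
        print(f"{name!r:18} -> {compare(name)}")
```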
Sponsored by Wallarm API Security Solution
Final Words
That's all for today's edition of Secret CISO. We've covered a lot of ground, from the record-breaking data breach at Change Healthcare to the ongoing issues with PowerSchool's data security. It's clear that cybersecurity is a critical issue that affects every aspect of our lives, from our healthcare to our children's education. Remember, staying informed is the first step in staying secure.
So, don't keep this valuable information to yourself. Share Secret CISO with your friends and colleagues, and help them stay one step ahead of the cyber threats. Stay safe, stay informed, and keep fighting the good fight against cyber threats. See you in the next edition of Secret CISO.