Secret CISO 1/29: Umatilla Schools and PowerSchool Data Breaches Impact Thousands, MGM Settles for $45M, Surge in Data Breaches in 2024, Apple Devices at Risk

Welcome to today's issue of Secret CISO, your daily dose of the latest in cybersecurity. Today, we're delving into a series of data breaches that have sent shockwaves across various sectors.

First, we're looking at the Umatilla School District, where thousands of Oregon school employees may have been exposed in a data breach. The breach has prompted urgent calls for employees to take action to protect their personal information. Next, we're examining the fallout from MGM Resorts International's agreement to pay $45 million to settle multiple class action lawsuits related to a data breach in 2019 and a ransomware attack in 2023.

We'll also discuss a second data breach involving a disgraced surgeon's patients, in which a spreadsheet with patients' personal information was leaked, and the surge in data breaches in 2024, with more than 1.7 billion data breach notices issued across the United States. In the academic sector, the University of Missouri Health Care has agreed to an $8M settlement following a 2020 data breach. Meanwhile, software company PowerSchool recently reported a data breach affecting students and educators, including those in Canada. We'll also touch on the importance of having your lawyer on call when reporting a breach, and how consumers have dropped a federal data breach suit against a collection firm.

Finally, we'll explore the risks of AI platforms exposed by the DeepSeek cyberattack and the massive data breach affecting the Rochester City School District. Stay tuned for all this and more in today's issue of Secret CISO. Stay safe, stay informed.

Data Breaches

  1. Umatilla Schools Data Breach: Thousands of Oregon school employees, including those in the Umatilla School District, may have been exposed in a data breach. Employees are urged to take action to protect their personal information. Source: NBC Right Now
  2. MGM Data Breach and Ransomware Attack: MGM Resorts International has agreed to pay $45 million to settle multiple class action lawsuits related to a data breach in 2019 and a ransomware attack in 2023. Source: The Record Media
  3. NHS Tayside Data Breach: A second data breach at NHS Tayside has exposed the private details of 132 patients. A leaked spreadsheet contained patients' personal information. Source: STV News
  4. Data Breaches Surge in 2024: More than 1.7 billion data breach notices were issued across the United States in 2024, according to a new report. This indicates a continued surge in data breaches. Source: Fox 23 Maine
  5. University of Missouri Health Care Data Breach: A class-action lawsuit filed against University of Missouri Health Care over a 2020 data breach has been resolved, with plaintiffs receiving an $8 million settlement. Source: HealthExec

Security Research

  1. Safari, Chrome at risk of data theft on Apple Silicon: Security researchers have identified vulnerabilities in the Safari and Chrome browsers that could potentially lead to data theft. The vulnerabilities are particularly concerning as they affect devices running on Apple Silicon. Source: The Register
  2. Fake toll road texts sweeping U.S., Chinese hackers behind scam: A new scam involving fake toll road texts is sweeping across the U.S., with security experts attributing the scam to Chinese hackers. The scam involves sending fake toll road texts to unsuspecting victims, potentially leading to significant financial loss. Source: AL.com
  3. OAuth Flaw Exposed Millions of Airline Users to Account Takeovers: Researchers at Salt Security have discovered a vulnerability in the OAuth protocol that could have exposed millions of airline users to account takeovers. The vulnerability was discovered during a hunt for real-world examples of API supply-chain attacks. Source: Dark Reading
  4. Former OpenAI safety researcher brands pace of AI development 'terrifying': A former safety researcher at OpenAI has expressed concern over the rapid pace of development in artificial intelligence, branding it as 'terrifying'. The researcher warned that the industry is not adequately prepared for the potential risks associated with AI. Source: The Guardian
  5. Network security tool defects are endemic, eroding enterprise defense: Security researchers have warned that defects in network security tools are becoming increasingly common, thereby eroding enterprise defense. The warning comes in the wake of a zero-day vulnerability being exploited by attackers. Source: Cybersecurity Dive

Top CVEs

  1. CVE-2024-40672 - Bypass Factory Reset Protections in ChooserActivity.java: A missing permission check in onCreate of ChooserActivity.java could allow an attacker to bypass factory reset protections, leading to local escalation of privilege. No additional execution privileges or user interaction are needed. Source: Vulners
  2. CVE-2024-40676 - Bypass Intent Security Check in AccountManagerService.java: A confused deputy in checkKeyIntent of AccountManagerService.java could allow an attacker to bypass intent security check and install an unknown app, leading to local escalation of privilege. No additional execution privileges or user interaction are needed. Source: Vulners
  3. CVE-2024-40673 - Arbitrary Code Execution in ZipFile.java: Improper input validation in Source of ZipFile.java could allow an attacker to execute arbitrary code by manipulating Dynamic Code Loading, leading to remote code execution. No additional execution privileges or user interaction are needed. Source: Vulners
  4. CVE-2024-40677 - Bypass Factory Reset Protections in AdvancedPowerUsageDetail.java: A missing permission check in shouldSkipForInitialSUW of AdvancedPowerUsageDetail.java could allow an attacker to bypass factory reset protections, leading to local escalation of privilege. No additional execution privileges or user interaction are needed. Source: Vulners
  5. CVE-2024-40675 - Infinite Loop in Intent.java: Improper input validation in parseUriInternal of Intent.java could allow an attacker to cause an infinite loop, leading to local denial of service. No additional execution privileges or user interaction are needed. Source: Vulners

API Security

  1. CVE-2024-48310 - AutoLib Software Systems OPAC API Key Exposure: AutoLib Software Systems OPAC v20.10 has been found to have multiple API keys exposed within the source code. This vulnerability could allow attackers to access the backend API or other sensitive data using these keys. Source: Vulners
  2. CVE-2025-0783 - Pankajindevops Scale API Endpoint Improper Access Controls: A vulnerability has been discovered in pankajindevops scale up to 20241113, affecting an unknown part of the API Endpoint component. This issue leads to improper access controls, allowing potential attackers to initiate an attack remotely. The product does not use versioning, making it difficult to determine affected and unaffected releases. Source: Vulners

Final Words

And that's a wrap for today's edition of Secret CISO. We hope you found these updates valuable and informative. Remember, in the world of cybersecurity, knowledge is power. Stay informed, stay vigilant, and most importantly, stay secure. If you found this newsletter helpful, please consider sharing it with your colleagues and friends.

Let's work together to create a safer digital world for everyone. Until next time, stay safe out there!


By Secret CISO