Secret CISO 1/30: DeepSeek Database Exposure, PowerSchool and UnitedHealth Massive Data Breaches, Syracuse Police Network Compromised, New York Updates Data Breach Notification Law

Good morning! In today's issue of Secret CISO, we're diving into a series of significant data breaches that have impacted millions of individuals and organizations across the globe.

First up, we're looking at the PowerSchool data breach, which compromised data on more than 62 million students and 9.5 million teachers. The breach has sparked discussions in school boards across the country, with many districts reporting significant data exposure.

Meanwhile, a security incident at the Syracuse Police network has raised concerns over compromised data, with the department working under wraps for more than two weeks. In the healthcare sector, the UnitedHealth data hack has impacted 1 in 2 Americans, marking the largest-ever health industry data breach. In legislative news, New York State now requires breach notices within 30 days, expanding regulator notifications and updating the definition of private information. We'll also be discussing a major lawsuit filed against Amazon, alleging the company collects time-stamped geolocation data and sensitive information about users.

Finally, we'll touch on the state of emergency declared in Dover as a potential cyber breach is investigated, and the update on a recent PowerSchool data breach heard by the Farmington-area school board. Stay tuned for all this and more in today's issue of Secret CISO.

Data Breaches

  1. PowerSchool Data Breach: A data breach at PowerSchool has compromised data on more than 62 million students and 9.5 million teachers. Several school districts have reported significant data exposure. The breach occurred when attackers exploited a stolen account credential to access PowerSchool's customer support portal. Source: MSSP Alert and SC Media
  2. Syracuse Police Network Security Breach: A security incident has impacted the Syracuse Police computer network, raising concerns over compromised data. The department has been working under wraps for more than two weeks. Source: CNY Central
  3. UnitedHealth Data Hack: The latest tally for the largest-ever health industry data breach just got a lot bigger. UnitedHealth Group now says hackers stole the records of a significant number of individuals. Source: USA Today
  4. CenterPoint Energy Customer Data Breach: CenterPoint Energy is investigating reports of stolen customer data that was published on a cybercriminal forum. The company has confirmed the data breach. Source: WEHT
  5. Berman & Rabin Data Breach: Law firm Berman & Rabin has suffered a data breach exposing personal information. Murphy Law Firm is investigating claims on behalf of all individuals whose information was exposed in the breach. Source: GlobeNewswire

Security Research

  1. AI Takes Center Stage at ORNL: Security research at Oak Ridge National Laboratory is focusing on the potential and risks of AI. The research aims to explore AI's promise and menace in the 2020s. Source: R&D World
  2. Brexit Impact on the UK's Energy Security: Senior Researcher Niamh O Regan explores the impact of Brexit on the UK's energy security. The research indicates that maintaining energy security has become more challenging post-Brexit. Source: Social Market Foundation
  3. WhatsApp Privacy Bug Fix: Security researcher Tal Be'ery discovered a way to view and save 'View Once' media on WhatsApp Web. WhatsApp has released an update to fix this critical privacy bug. Source: India Today
  4. Amazon Prime Security Warning: Security researchers have warned Amazon Prime users about a new hacking campaign aimed at stealing sensitive account data. Users are advised to be vigilant. Source: Forbes
  5. DeepSeek Database Exposure: Security researchers at Wiz discovered that DeepSeek, a Chinese AI model provider, left a database open, exposing sensitive information. The incident highlights the real dangers of AI security. Source: The Register

Top CVEs

  1. Use after free in DevTools in Google Chrome: A remote attacker could potentially exploit heap corruption via a crafted Chrome Extension in Google Chrome versions prior to 132.0.6834.159. This vulnerability is due to a use-after-free issue in DevTools. Source: CVE-2025-0762
  2. Improper copying of files with rsync in octorpki: A potential local privilege escalation vulnerability has been identified in octorpki due to the improper use of the "-a" flag in rsync when copying files. This could be exploited in combination with another vulnerability that causes octorpki to process a malicious TAL file. Source: CVE-2021-3978
  3. Missing output escaping in Twig: A vulnerability in the PHP template language Twig could allow an attacker to exploit missing output escaping when using the "??" operator. This issue has been fixed in the latest version of Twig. Source: CVE-2025-24374
  4. Denial of Service in HX console: An attacker with access to HX version 10.0.0 or earlier may send specially crafted data to the HX console, causing a denial of service because the consumer process parses a file containing exponential entity expansions. Source: CVE-2025-0617
  5. Improper origin determination in axios: In axios versions before 1.7.8, the isURLSameOrigin.js function does not use a URL object when determining an origin, potentially leading to unwanted setAttribute('href',href) calls. Source: CVE-2024-57965
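To show why the axios item above matters, here is an added example (not axios's own code) that contrasts a naive string-prefix origin check with one that parses both sides with the WHATWG URL object and compares the normalized origin (scheme, host and port). All hostnames are constructed for illustration.

```javascript
// Added example, not code from axios or from this newsletter.
// Illustrates the failure mode described for CVE-2024-57965: deciding
// "same origin" without a URL object. All hostnames below are constructed.

// Naive check: treats "starts with the trusted scheme://host" as same-origin.
// It misses relative URLs, ignores ports and is fooled by look-alike hosts.
function naiveSameOrigin(requestUrl, pageOrigin) {
  return requestUrl.startsWith(pageOrigin);
}

// Robust check: parse with the URL object and compare the normalized origin,
// which is the same scheme/host/port triple browsers use for same-origin decisions.
function strictSameOrigin(requestUrl, pageOrigin) {
  let req, page;
  try {
    req = new URL(requestUrl, pageOrigin);   // relative URLs resolve against the page
    page = new URL(pageOrigin);
  } catch (e) {
    return false;                            // unparsable input is never same-origin
  }
  // URL.origin is the string "null" for opaque origins (data:, file:, ...):
  // never treat those as matching anything.
  if (req.origin === 'null' || page.origin === 'null') return false;
  return req.origin === page.origin;
}

// Constructed cases: [requestUrl, pageOrigin, expected same-origin verdict]
const cases = [
  ['https://app.example.test/api/data', 'https://app.example.test', true],
  ['/api/data', 'https://app.example.test', true],                         // relative
  ['https://app.example.test.attacker.test/x', 'https://app.example.test', false],
  ['https://app.example.test:8443/x', 'https://app.example.test', false],  // port differs
  ['HTTPS://APP.EXAMPLE.TEST/x', 'https://app.example.test', true],        // normalized
];

// Returns the request URLs on which the naive check gives the wrong verdict.
function findNaiveMistakes() {
  return cases
    .filter(([u, o, expected]) => naiveSameOrigin(u, o) !== expected)
    .map(([u]) => u);
}

// Returns true when the URL-object check agrees with every expected verdict.
function strictMatchesAll() {
  return cases.every(([u, o, expected]) => strictSameOrigin(u, o) === expected);
}
```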

API Security

  1. Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation (CVE-2024-11972): This vulnerability in the Hunk Companion WordPress plugin before 1.9.0 allows unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repository, including vulnerable versions that have since been closed. Attackers can use the exploit to gain unauthorized access to the WordPress site. Source: vulners.com
  2. kube-audit-rest (CVE-2025-24884): This vulnerability in kube-audit-rest, a simple logger of mutation/creation requests to the Kubernetes API, could lead to the disclosure of previous values of Kubernetes Secrets in the audit messages if the "full-elastic-stack" example vector configuration was used for a real cluster. Source: vulners.com
  3. Authentication Bypass in Fortinet FortiProxy (CVE-2024-55591): This vulnerability allows attackers to bypass authentication on Fortinet devices running vulnerable firmware, potentially allowing unauthorized access to sensitive management interfaces. The exploit is demonstrated in a Proof of Concept (PoC) script. Source: vulners.com
  4. Authentication Bypass in Fortinet FortiProxy (CVE-2024-55591): This is another exploit for the same vulnerability as above, but this comprehensive all-in-one Python-based Proof of Concept script not only exploits the vulnerability but also performs pre-flight checks, runs one or more commands post-exploit, and checks the device version against known vulnerable ranges. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we want to remind you that the digital world is a battlefield. The data breaches we've discussed today, from PowerSchool to UnitedHealth, are stark reminders of the importance of robust cybersecurity measures. Whether it's protecting the sensitive data of millions of students and teachers, or safeguarding the health records of half the American population, the stakes have never been higher. And with new laws like the updated New York Data Breach Notification Law, the regulatory landscape is evolving just as rapidly as the threats we face. But remember, knowledge is power. By staying informed about the latest breaches and security research, you're already one step ahead.

If you found today's newsletter helpful, please consider sharing it with your friends and colleagues. Together, we can make the digital world a safer place. Stay safe and see you tomorrow!


By Secret CISO