Secret CISO 1/9: Nationwide PowerSchool Data Breach, T-Mobile Faces Lawsuit Over 2021 Breach, China's Naval Build-Up, UN Cybercrime Treaty Faces US Passage Hurdles
Welcome to today's issue of Secret CISO. We're diving deep into the world of data breaches and cybersecurity, with a particular focus on the education sector. Nationwide, schools are grappling with data breaches. PowerSchool, a widely used student information system, has been hit by a cyberattack, compromising student and teacher data across multiple states, including North Dakota, South Carolina, Alabama, and North Carolina.
In response, schools are ramping up their security measures and assessing the impact of the breach. Meanwhile, T-Mobile is facing legal repercussions from a massive data breach in 2021, resulting in a hefty fine from the Federal Trade Commission. In other news, security researchers are warning about China's naval build-up and the potential security threats it poses. They're also highlighting the challenges of passing a UN Cybercrime Treaty in the US. On the technical front, security flaws have been discovered in Motorola's Automated License Plate Recognition Cameras, potentially leaking data and video in real time.
Stay tuned for more updates on these stories and other breaking news in the world of cybersecurity. As always, stay safe and secure.
Data Breaches
- Nationwide PowerSchool Data Breach: The North Dakota IT department has implemented additional security measures in response to a nationwide data breach incident involving PowerSchool, an education technology platform. The extent of the impact is still being assessed. Source: Minot Daily News
- T-Mobile Data Breach Lawsuit: T-Mobile faces another lawsuit following a massive data breach in 2021. This comes after the company was fined $15.75 million by the Federal Trade Commission last year due to repeated security breaches. Source: CNET
- Shaker Heights Schools Data Breach: Shaker Heights schools in Cleveland have suffered a data breach, the details of which are yet to be disclosed. Source: Cleveland 19
- PowerSchool Cyberattack: Andover Public Schools' student and teacher data have been compromised in a cyberattack on PowerSchool. The school is committed to protecting the security and privacy of all data. Source: KSN-TV
- Alabama Public School Data Breach: A data breach has occurred in the student information system used by every Alabama public school. However, sensitive personal information like Social Security numbers for Alabama students and teachers could not have been accessed in the attack. Source: AL.com
Security Research
- Defense think tank warns about China's naval build-up: A defense think tank has published a report on the development of the Chinese Communist Party's naval forces, warning about the potential security implications of China's naval build-up. Source: Taipei Times
- UN Cybercrime Treaty Faces Long Odds to US Passage: Security researchers have expressed concern about the potential passage of a UN Cybercrime Treaty in the US, citing potential implications for national security. Source: GovInfoSecurity
- TRENDS Starts 2025 With a New Milestone; Obtains Information Security Management Certification: TRENDS Research & Advisory has received the ISO/IEC 27001:2022 certification for information security management, marking a new milestone in the organization's success record. Source: TRENDS Research
- School shootings in 2024 fell just below prior year's record high: Security expert Ken Trump has published an essay on the National School Safety and Security Services website, discussing the near-record high number of school shootings in 2024 and making predictions for 2025. Source: K-12 Dive
- Motorola Automated License Plate Recognition Cameras Aren't Just For Law Enforcement Anymore: A security researcher has discovered a flaw in Motorola's Automated License Plate Recognition cameras, which have exposed video feeds and leaked data. Source: PC Perspective
Top CVEs
- CVE-2023-28120: A vulnerability in ActiveSupport can be exploited if the new bytesplice method is called on a SafeBuffer with untrusted user input, posing a potential security risk. Source: CVE-2023-28120
- CVE-2024-27980: Due to improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not used. Source: CVE-2024-27980
- CVE-2023-38037: ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current umask settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Source: CVE-2023-38037
- CVE-2023-27539: There is a denial of service vulnerability in the header parsing component of unspecified software. Source: CVE-2023-27539
- CVE-2025-0291: Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Source: CVE-2025-0291
API Security
- CVE-2023-23913: Rails-ujs, a Ruby on Rails unobtrusive scripting adapter, has a potential DOM-based cross-site scripting issue. This vulnerability is due to the misuse of the Clipboard API, which targets HTML elements assigned the contenteditable attribute. The issue arises when malicious HTML content from the clipboard, including a data-method, data-remote, or data-disable-with attribute, is pasted. Source: vulners.com
- CVE-2025-0194: GitLab CE/EE, from versions 17.4 to 17.7.1, has a security issue where access tokens may have been logged when API requests were made under specific conditions. This vulnerability could potentially expose sensitive user data. Source: vulners.com
- CVE-2024-11423: The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data. This is due to a missing capability check on several REST API endpoints, allowing unauthenticated attackers to recharge a gift card balance without making a payment, or reduce gift card balances without purchasing. Source: vulners.com
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. As we've seen, the cyber landscape is constantly evolving, with new threats and challenges emerging every day. From nationwide data breaches to vulnerabilities in our everyday tech, it's clear that cybersecurity is more important than ever. Remember, knowledge is power. By staying informed, we can all play a part in creating a safer digital world. So, don't keep this valuable information to yourself.
Share Secret CISO with your friends and colleagues, and let's spread the word about the importance of cybersecurity. Stay safe, stay informed, and see you in the next edition of Secret CISO.