Secret CISO 12/19: SRP Federal Credit Union and Luxottica data breaches, HDFC Life Insurance data theft, Meta fined $264M, Security flaws in AI models discovered by Swiss researchers

Welcome to today's issue of Secret CISO. We're diving into the world of data breaches, security research, and expert insights.

First up, we have a massive data breach at SRP Federal Credit Union exposing the personal information of over 240,000 members. In the wake of this, we're also seeing a surge in data breach class actions, with over 2,000 cases filed in 2023 alone. Eyewear giant Luxottica has agreed to a $250,000 settlement to resolve data breach litigation related to a 2020 hacking incident.

Meanwhile, residents in Rhode Island are being urged to protect their information following a statewide data breach. In an exclusive report, an interior designer has been arrested in connection with the HDFC Life Insurance data breach case. The suspect allegedly collaborated with a Hong Kong hacker to steal customer data. Indiana University Health has reported a security breach compromising some user data. In a related story, fake Ledger data breach emails are being used to trick victims into giving up recovery phrases. In the realm of security research, Swiss researchers have found security flaws in AI models, and a security expert has shared tips on how to protect your home while traveling.

Stay tuned for more updates on data breaches, security research, and expert insights. Stay safe, stay informed with Secret CISO.

Data Breaches

  1. Massive data breach at federal credit union exposes 240,000 members: SRP Federal Credit Union has reported a data breach that exposed the personal information of more than 240,000 individuals. The extent of the data exposed and the potential impact on the affected individuals are yet to be determined. Source: CyberGuy
  2. Data breach class actions are rapidly increasing: Over 2,000 data breach class actions were filed in 2023, tripling the number from 2022. The trend is expected to continue in 2024, highlighting the increasing importance of data security for businesses. Source: Directors and Boards
  3. Luxottica Agrees $250,000 Settlement to Resolve Data Breach Litigation: Luxottica, the world's largest eyewear company, has agreed to settle class action data breach litigation related to a 2020 hacking incident. The settlement amount, however, does not reflect the potential long-term impact on the affected customers. Source: HIPAA Journal
  4. State Benefits data breach impacts Rhode Island residents: All Rhode Island residents who receive widely-used state health benefits are urged to protect their information following a statewide data breach. The extent of the data exposed and the number of individuals affected are yet to be disclosed. Source: IndependentRI
  5. Interior designer arrested in HDFC Life Insurance data breach case: A suspect collaborated with a Hong Kong hacker to steal customer data from HDFC Life Insurance. The attackers used email and WhatsApp to extort HDFC Life, highlighting the increasing sophistication of cybercriminals. Source: India Today

Security Research

  1. Top US Banks Impacted by Third-Party Breaches: A significant number of top US banks were affected by third-party breaches last year, highlighting the need for improved security measures within the banking sector. Source: ITPro
  2. Critical Vulnerability in Fortinet's FortiWLM: Security researcher Zach Hanley of Horizon3.ai discovered a critical vulnerability in Fortinet's FortiWLM. The company has since issued patches to address the issue. Source: SecurityWeek
  3. Security Flaws in AI Models: Swiss researchers have discovered security flaws in AI models, demonstrating that adaptive attacks can bypass security measures. This research was presented at a specialized conference in Vienna. Source: SWI swissinfo.ch
  4. Malicious Microsoft VSCode Extensions Target Developers: Security researcher Amit Assaraf has outlined how malicious Visual Studio Code extensions are targeting developers. Assaraf observed dozens of these extensions on the VSCode marketplace. Source: TechRadar
  5. High-Rated Security Vulnerabilities in Google Chrome: Four high-rated security vulnerabilities have been discovered in Google Chrome. The researchers who discovered these vulnerabilities have earned a total of $75,000 in bug bounties. Users are advised to update Google Chrome immediately. Source: Forbes

Top CVEs

  1. Adobe Acrobat Reader NULL Pointer Dereference Vulnerability (CVE-2023-21586): Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a NULL Pointer Dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. User interaction is required for the exploitation of this issue. Source: CVE-2023-21586
  2. IBM Db2 Denial of Service Vulnerability (CVE-2023-30443): IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted request. Source: CVE-2023-30443
  3. Acrobat Reader DC Out-of-Bounds Write Vulnerability (CVE-2022-44512): Acrobat Reader DC version 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. User interaction is required for the exploitation of this issue. Source: CVE-2022-44512
  4. Acrobat Reader DC Out-of-Bounds Write Vulnerability (CVE-2022-44513): Acrobat Reader DC version 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. User interaction is required for the exploitation of this issue. Source: CVE-2022-44513
  5. Acrobat Reader DC Use-After-Free Vulnerability (CVE-2022-44518): Acrobat Reader DC version 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. User interaction is required for the exploitation of this issue. Source: CVE-2022-44518

API Security

  1. WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service: A Denial of Service (DoS) vulnerability has been discovered in the authentication middleware of WhoDB. This vulnerability allows any client to cause memory exhaustion by sending large request bodies. The server reads the entire request body into memory without size limits, creating multiple copies during processing, which can lead to Out of Memory conditions. This affects all versions up to the latest one (v0.43.0). Source: vulners.com
  2. CVE-2024-10548: The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.15 via the Project Task List REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the hashed passwords of project owners. Source: vulners.com
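The WhoDB item above describes a request body read into memory with no size limit. The following Go middleware, an added example that is not WhoDB's code, places the weak pattern beside a bounded version that caps the body with http.MaxBytesReader and answers 413; the 1 MiB cap and the /api/query path are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxBodyBytes is a constructed cap for this example (1 MiB), not WhoDB's own setting.
const MaxBodyBytes int64 = 1 << 20

// unboundedAuth mirrors the weak pattern: the whole body is buffered, so the client picks the RAM cost.
func unboundedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = io.ReadAll(r.Body) // every byte the client sends is held in memory
		next.ServeHTTP(w, r)      // token checks would go here
	})
}

// boundedAuth caps the body with http.MaxBytesReader: past the cap the read fails and we answer 413.
func boundedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, MaxBodyBytes)
		if _, err := io.ReadAll(r.Body); err != nil {
			status := http.StatusBadRequest
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				status = http.StatusRequestEntityTooLarge
			}
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends an n-byte POST through mw and returns the resulting HTTP status.
func probe(mw func(http.Handler) http.Handler, n int) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/query", strings.NewReader(strings.Repeat("A", n)))
	mw(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unbounded:", probe(unboundedAuth, int(MaxBodyBytes)+1), "bounded:", probe(boundedAuth, int(MaxBodyBytes)+1))
}
```

The same cap belongs at the reverse proxy as well, so oversized bodies are rejected before they reach the application.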

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the massive data breach at SRP Federal Credit Union to the increasing trend of data breach class actions. We've also touched on the importance of protecting your personal information following a data breach, and the steps companies like Luxottica are taking to resolve litigation related to such incidents. Remember, in this digital age, staying informed is your first line of defense.

Share this newsletter with your friends and colleagues to keep them in the loop too.

Let's work together to create a safer digital world. Until next time, stay secure!

By Secret CISO