Secret CISO 12/7: Liberty First Credit Union breaches; Meta fined by Ireland; HIPAA violations lead to $1.7M fines; Research on AI vulnerabilities and cybersecurity compliance in banks

Welcome to today's issue of Secret CISO. We're diving into the 2025 Digital Operational Resilience Act and its potential impact on the data security landscape.

We'll also be discussing key trends in data privacy litigation that made headlines in 2024, including the Equifax Class Action Data Breach Settlement that left millions at risk of identity theft. In other news, we'll be looking at the recent data breach at Nebraska's Liberty First Credit Union, affecting over 50,000 individuals, and the HIPAA security rule violations that led to a hefty $1.7M fine.

We'll also be covering the recent fine imposed on Meta by Ireland over a data breach, and a disturbing data breach at a Calgary daycare. In the world of cybersecurity research, we'll be discussing the vulnerabilities discovered in AI model formats, a critical Windows Zero-Day vulnerability, and the potential plans of Russia to sabotage the US, according to a security expert.

Stay tuned for all this and more in today's issue of Secret CISO.

Data Breaches

  1. Equifax Class Action Data Breach Settlement: Equifax, a major credit bureau, has reached a settlement following a data breach that exposed sensitive personal information such as Social Security numbers, birthdates, and addresses, putting millions at risk of identity theft. The settlement payment is expected to be disbursed soon. Source: West Alabama Watchman
  2. Hackers Hit Nebraska's Liberty First Credit Union: Liberty First Credit Union in Lincoln, Nebraska, reported a data breach that may have affected 52,496 individuals. The financial impact of the breach is yet to be determined. Source: CU Times
  3. Insider Breach, Email Attacks Net $1.7M in HIPAA Fines: The Office for Civil Rights (OCR) has fined Gulf Coast Health Center $1.7 million following an investigation into a data breach. The investigation found that the practice committed four HIPAA security rule violations, including failure to conduct a risk analysis. Source: Bank Info Security
  4. Ireland Fines Meta 91 Million Euros Over EU Data Breach: Meta, the parent company of Facebook, has been fined 91 million euros by the Irish Data Protection Commission for failing to implement appropriate security measures to protect users' password data. This is one of the largest fines ever imposed under the EU's General Data Protection Regulation (GDPR). Source: Eastern Progress
  5. Walsworth Publishing Sued Over Breach Affecting 107,700 People: Walsworth Publishing is facing a lawsuit following a data breach that exposed names, payment-card numbers, and other personal information of 107,700 individuals. The company is accused of failing to implement adequate data-security measures and provide timely notice of the breach. Source: Bloomberg Law News

Security Research

  1. U.S. Phone Companies Hack: A significant hack of U.S. phone companies has raised concerns about the safety of text messages. Security researchers have been warning about such vulnerabilities for a long time. Source: CBC
  2. Fake Video Conferencing Apps: Hackers are using fake video conferencing apps to steal data from Web3 professionals. The threat actors have set up fake companies using AI to increase their legitimacy. Source: The Hacker News
  3. Russian Sabotage Plans: Security experts suggest that Russia may be planning to sabotage the U.S. The FBI has warned that such an event could happen. Source: NewsNationNow
  4. Cybersecurity Compliance Behaviours in Banks: A study reveals limited research on leveraging human behaviours to improve cybersecurity compliance in banks. Source: ResearchGate
  5. Critical Windows Zero-Day Vulnerability: Security researchers have revealed a critical vulnerability that affects all Windows Workstation and Server versions, allowing attackers to steal users' NTLM credentials. Source: Cybersecurity News

Top CVEs

  1. CVE-2024-11321 - Hi e-learning LMS XSS Vulnerability: Hi e-learning Learning Management System (LMS) is susceptible to a Reflected XSS vulnerability due to improper neutralization of input during web page generation. This could allow attackers to inject malicious scripts that are executed when users access the affected pages. Source: CVE-2024-11321
  2. CVE-2024-0130 - NVIDIA UFM Enterprise Vulnerability: NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface. This could lead to escalation of privileges, data tampering, denial of service, and information disclosure. Source: CVE-2024-0130
  3. CVE-2024-0139 - NVIDIA Base Command Manager Vulnerability: NVIDIA Base Command Manager and Bright Cluster Manager for Linux contain an insecure temporary file vulnerability. Successful exploitation of this vulnerability could lead to denial of service. Source: CVE-2024-0139
  4. CVE-2024-47791 - Ruijie Reyee OS MQTT Broker Vulnerability: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to a subset of the topics on the Ruijie MQTT broker and receive some of the messages sent to and from the broker. Source: CVE-2024-47791
  5. CVE-2024-48703 - PhpGurukul Medical Card Generation System XSS Vulnerability: PhpGurukul Medical Card Generation System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/search-medicalcard.php via the searchdata parameter. This could allow attackers to inject malicious scripts that are executed when users access the affected pages. Source: CVE-2024-48703

API Security

  1. Mini Program API plugin for WordPress Vulnerability (CVE-2024-11380): The Mini Program API plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page. Source: CVE-2024-11380
  2. Smoove connector for Elementor forms plugin for WordPress Vulnerability (CVE-2024-11367): The Smoove connector for Elementor forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Source: CVE-2024-11367
  3. Zabbix Frontend Vulnerability (CVE-2024-42327): A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit this vulnerability. An SQL injection exists in the addRelatedObjects function of the CUser class; that function is called from CUser.get, which is available to every user with API access. Source: CVE-2024-42327
  4. Friends plugin for WordPress Vulnerability (CVE-2024-12028): The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints. This allows unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend. Source: CVE-2024-12028

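Items 2 and 4 above describe two recurring WordPress plugin defect classes: a URL built with add_query_arg() and echoed without escaping, and a REST route registered without a capability check. The following is an added illustration written for this issue, not code from the Smoove connector, Friends, or any other plugin named above; every function, route and plugin name in it is hypothetical, and it uses only core WordPress API calls (add_query_arg, esc_url, register_rest_route, current_user_can, esc_url_raw, wp_http_validate_url, rest_ensure_response). Each weak pattern is shown beside its hardened form.

```php
<?php
// Added illustration (not code from the plugins named above). All names
// prefixed "example_" and the "example/v1" route are hypothetical.

// --- Item 2: add_query_arg() result echoed without escaping ---
// With no URL argument, add_query_arg() builds on the current request URI,
// which the visitor controls, so the result must be escaped before output.
function example_link_vulnerable() {
    $url = add_query_arg( 'status', 'sent' );
    echo '<a href="' . $url . '">Continue</a>';            // reflected into HTML
}

function example_link_hardened() {
    $url = add_query_arg( 'status', 'sent' );
    echo '<a href="' . esc_url( $url ) . '">Continue</a>'; // esc_url() for href
}

// --- Item 4: REST endpoint with no capability check ---
function example_register_routes_vulnerable() {
    register_rest_route( 'example/v1', '/friend-request', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_friend_request',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
}

function example_register_routes_hardened() {
    register_rest_route( 'example/v1', '/friend-request', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_friend_request',
        // Deny unless the caller is an authenticated user with the needed
        // capability. For cookie-authenticated calls core also requires a valid
        // X-WP-Nonce header, otherwise the request is treated as logged out.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        // Validate and sanitize the one parameter the endpoint accepts.
        'args' => array(
            'site_url' => array(
                'required'          => true,
                'sanitize_callback' => 'esc_url_raw',
                'validate_callback' => function ( $value ) {
                    return false !== wp_http_validate_url( $value );
                },
            ),
        ),
    ) );
}

function example_handle_friend_request( WP_REST_Request $request ) {
    $site = $request->get_param( 'site_url' );
    // ... persist the pending request here (omitted in this illustration) ...
    return rest_ensure_response( array( 'accepted' => true, 'site' => $site ) );
}

add_action( 'rest_api_init', 'example_register_routes_hardened' );
```

When reviewing a plugin for either issue, the two things to grep for are echo/print of an add_query_arg() result that is not wrapped in esc_url(), and register_rest_route() calls whose permission_callback is missing or is '__return_true' on an endpoint that changes state.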
Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of the Secret CISO newsletter. We've covered everything from the 2025 Digital Operational Resilience Act to the latest data breaches and security research. Remember, staying informed is the first step in ensuring your organization's security.

If you found this information valuable, don't keep it to yourself. Share this newsletter with your colleagues and friends, and help them stay in the know as well. Stay safe, stay informed, and see you in the next edition of Secret CISO.

By Secret CISO