Secret CISO 3/13: Greater Western Water and Oakland data breaches, T-Mobile's $25K payouts, China's Volt Typhoon Hackers in US grid for 300 days, Sunflower Medical and Transak under investigation

Welcome to today's edition of the Secret CISO newsletter, where we bring you the latest and most impactful cybersecurity news. In today's headlines, Greater Western Water's ongoing billing issues have led to potential data breaches and delayed property settlements. Meanwhile, a data breach in Oakland has compromised sensitive personal information, leading to a class-action settlement.
T-Mobile customers are set to receive payments of up to $25K next month following the company's 2022 data breach; the $350 million settlement T-Mobile agreed to will start being distributed in April. In other news, China's Volt Typhoon hackers reportedly dwelled in the US electric grid for 300 days, according to a case study by ICS/OT security firm Dragos. Federman & Sherwood has initiated investigations into Sunflower Medical Group, P.A., and Community Care Alliance over data breaches; the exposed information potentially includes names, Social Security numbers, dates of birth, driver's license numbers, and medical information. Crypto firm Transak is facing a lawsuit over a data breach and its delayed response, with claims that the firm failed to protect consumer data, leading to a security breach in September.
Lastly, a report by the Center for Internet Security revealed that 82% of schools have recently suffered cyber breaches, highlighting the need for robust cybersecurity measures in educational institutions. Stay tuned for more updates and remember, knowledge is the best defense against cyber threats.
Data Breaches
- 'Complete shambles': Data breaches and incorrect bills in Greater Western Water bungle: The company's long-running billing issues have led to potential data breaches and delayed property settlements. Source: The Age
- Oakland data breach class action settlement: The breach compromised sensitive personal information, including Social Security numbers, driver's license numbers, and medical information. Source: Top Class Actions
- T-Mobile customers to get payments up to $25K next month after data breach: The $350 million T-Mobile agreed to pay in a 2022 class action settlement will finally start going out to customers starting in April. Source: YouTube
- China's Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days: ICS/OT security firm Dragos published a case study describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon. Source: SecurityWeek
- Federman & Sherwood Investigates Sunflower Medical Group, P.A. for Data Breach: The law firm of Federman & Sherwood has initiated an investigation into a potential data breach at Sunflower Medical Group, P.A. Source: GlobeNewswire
Security Research
- "To stop food stamp theft, cyber security expert urges system changes": Cybersecurity expert Steve calls for government action to prevent food stamp theft, highlighting the need for system changes. Source: WHNT.com
- "Researchers find North Korean spy apps hosted in Google Play": Multiple Android apps, some of which passed Google's security vetting, have been discovered to be North Korean spy apps. Source: Ars Technica
- "Apple Drops Another WebKit Zero-Day Bug": Apple has patched another WebKit zero-day; according to a security researcher at Jamf, the vulnerability could, in a worst-case scenario, let an attacker gain control. Source: Dark Reading
- "Palo Alto detects critical vulnerabilities in ICONICS SCADA systems, urges patching and remediation": Security researchers at Palo Alto Networks' Unit 42 have disclosed critical vulnerabilities in ICONICS SCADA systems and urge immediate patching and remediation. Source: Industrial Cyber
- "Hacker goldmine: over 110,000 iOS apps expose hardcoded secrets, research finds": Cybernews researchers have found that over 110,000 iOS apps expose hardcoded secrets, calling into question the security standards of Apple's App Store. Source: Global Security Mag
Top CVEs
- CVE-2025-27407: A vulnerability in graphql-ruby, a Ruby implementation of GraphQL, allows remote code execution when loading a malicious schema definition from an untrusted source. Systems using GraphQL::Client to load external schemas via GraphQL introspection are particularly vulnerable. Patched versions have been released. Source: CVE-2025-27407
- CVE-2025-22870: A flaw in how the golang.org/x/net proxy code matches hosts against proxy patterns can treat an IPv6 zone ID as a hostname component. For example, with the NO_PROXY environment variable set to *.example.com, a request to [::1%25.example.com]:80 incorrectly matches the pattern and is not proxied. Source: CVE-2025-22870
- CVE-2025-20138: A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This is due to insufficient validation of user arguments passed to specific CLI commands. Source: CVE-2025-20138
- CVE-2025-21852: A vulnerability in the Linux kernel can lead to a NULL pointer dereference when a BPF program does not check whether rx_sk is NULL, potentially crashing the system. A fix has been released. Source: CVE-2025-21852
- CVE-2025-20146: A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition. This is due to incorrect handling of malformed IPv4 multicast packets. Source: CVE-2025-20146
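The CVE-2025-22870 entry above describes a host-matching defect class that is easy to reproduce outside Go: a NO_PROXY matcher that strips the brackets and port from an IPv6 literal and then suffix-matches what is left will see `::1%25.example.com` as a name ending in `.example.com`. The following is an added illustration written for this newsletter, not the Go library's code or its fix: a naive matcher beside a hardened one that first decides whether the host is an IP literal (ignoring any `%zone` suffix) and lets IP literals match only IP or CIDR entries. The hostname, NO_PROXY values and helper names are constructed for the example.

```python
import ipaddress
from typing import Optional


def split_host(hostport: str) -> str:
    """Return the host of 'host:port' or '[v6literal]:port' without brackets or port."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        return hostport[1:end]
    # A single colon separates host and port; more than one means a bare IPv6 literal.
    return hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport


def _patterns(no_proxy: str):
    for raw in no_proxy.split(","):
        pattern = raw.strip().lower()
        if pattern.startswith("*."):
            pattern = pattern[1:]          # "*.example.com" -> ".example.com"
        if pattern:
            yield pattern


def bypass_proxy_naive(hostport: str, no_proxy: str) -> bool:
    """Weak matcher: suffix-matches whatever text sits between the brackets.
    '[::1%25.example.com]:80' ends with '.example.com' and bypasses the proxy."""
    host = split_host(hostport).lower()
    for pattern in _patterns(no_proxy):
        if pattern.startswith("."):
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def _as_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    # An IPv6 zone ID ("%eth0", or "%25..." when percent-encoded) names an
    # interface scope; it is never part of a DNS name, so drop it before
    # classifying the host.
    try:
        return ipaddress.ip_address(host.split("%", 1)[0])
    except ValueError:
        return None


def bypass_proxy_hardened(hostport: str, no_proxy: str) -> bool:
    """Hardened matcher: IP literals only match IP/CIDR entries, never domain suffixes."""
    host = split_host(hostport).lower()
    ip = _as_ip(host)
    for pattern in _patterns(no_proxy):
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(pattern, strict=False):
                    return True
            except ValueError:
                continue                   # a domain pattern cannot match an IP literal
            continue
        if pattern.startswith("."):
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    target = "[::1%25.example.com]:80"     # constructed, mirrors the advisory's example
    print("naive bypass:   ", bypass_proxy_naive(target, "*.example.com"))
    print("hardened bypass:", bypass_proxy_hardened(target, "*.example.com"))
```

The split into "what kind of host is this" and "which entries may it match" is the point: once the host is classified as an IP literal, no amount of text after the `%` can turn it into a name.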
API Security
- CVE-2025-1257: A vulnerability in GitLab EE versions 12.3 to 17.7.7, 17.8 to 17.8.5, and 17.9 to 17.9.2 could allow an attacker to cause a denial of service condition by manipulating a specific API. Source: CVE-2025-1257
- Bypassing SAML SSO authentication with parser differentials: Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml versions up to and including 1.17.0. An attacker in possession of a single valid signature created with the key used to validate the target organization's SAML responses or assertions can construct SAML assertions themselves and log in as any user. Source: Bypassing SAML SSO authentication
- GraphQL remote code execution: Loading a malicious schema definition in GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable. Source: GraphQL remote code execution
- CVE-2025-25711: An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value sent to the /tnexus/rest/admin/updateUser API. Source: CVE-2025-25711
- CVE-2024-13871: A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution. Source: CVE-2024-13871
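The ruby-saml item above turns on a parser differential: the code that verifies the signature and the code that reads the identity see different documents. The script below is an added illustration of that class for this newsletter, not the ruby-saml bug's mechanics and not code from the cited research. It uses an older, well-known variant of the same idea, comment insertion, because two Python standard-library parsers genuinely disagree on it: `xml.dom.minidom` keeps the comment as a node, so reading the first text child truncates the NameID, while `xml.etree.ElementTree` drops the comment and joins the text around it. HMAC stands in for XML-DSig and a regex for canonicalization; the key, the response and the identities are constructed for the example.

```python
import hashlib
import hmac
import re
import xml.dom.minidom
import xml.etree.ElementTree as ET
from typing import Optional

# Stand-in for the IdP signing key. Constructed for this illustration; real
# SAML uses an asymmetric key and an XML-DSig Signature element.
IDP_KEY = b"constructed-idp-secret"


def canonicalize(doc: str) -> str:
    # Toy canonicalization: XML-DSig profiles sign a canonical form that omits
    # comments, which is what lets a post-signing comment survive verification.
    return re.sub(r"<!--.*?-->", "", doc, flags=re.S)


def sign(doc: str) -> str:
    return hmac.new(IDP_KEY, canonicalize(doc).encode(), hashlib.sha256).hexdigest()


def signature_valid(doc: str, sig: str) -> bool:
    return hmac.compare_digest(sign(doc), sig)


def name_id_first_text_node(doc: str) -> str:
    # Parser view 1: minidom keeps comments as nodes, so the first text child
    # of <NameID> stops at the inserted comment.
    node = xml.dom.minidom.parseString(doc).getElementsByTagName("NameID")[0]
    return node.firstChild.data


def name_id_joined_text(doc: str) -> str:
    # Parser view 2: ElementTree discards comments and joins the surrounding text.
    return "".join(ET.fromstring(doc).find(".//NameID").itertext())


def authenticate(doc: str, sig: str) -> Optional[str]:
    """Hardened flow: verify first, then read the identity from exactly the bytes
    the signature covered, using one parser and the element's full text content."""
    if not signature_valid(doc, sig):
        return None
    return name_id_joined_text(canonicalize(doc))


# Constructed scenario: the attacker legitimately owns this identity at the IdP,
# so the IdP signs it without complaint.
SIGNED_RESPONSE = (
    "<Response><Assertion><NameID>alice@example.com.evil.test</NameID>"
    "</Assertion></Response>"
)
SIGNATURE = sign(SIGNED_RESPONSE)

# Post-signing tampering: a comment splits the NameID text. Canonicalization
# strips it, so the signature still verifies against the tampered document.
TAMPERED = SIGNED_RESPONSE.replace("example.com.evil", "example.com<!---->.evil")


def demo() -> dict:
    return {
        "signature_still_valid": signature_valid(TAMPERED, SIGNATURE),
        "first_text_node_view": name_id_first_text_node(TAMPERED),
        "joined_text_view": name_id_joined_text(TAMPERED),
        "hardened_identity": authenticate(TAMPERED, SIGNATURE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A service provider that verifies with one view and extracts the NameID with the other logs in `alice@example.com` on the strength of a signature that was only ever issued for `alice@example.com.evil.test`. The hardened path avoids the differential by never consulting a second parse of the raw bytes: whatever the verifier canonicalized is what the application reads.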
Sponsored by Wallarm API Security Solution
Final Words
That's it for today's edition of the Secret CISO newsletter. As always, we've covered a lot of ground, from data breaches at Greater Western Water and T-Mobile to the ongoing investigations into Sunflower Medical Group and Community Care Alliance. We've also touched on the latest cybersecurity research, including the unsettling revelation that China's Volt Typhoon hackers spent some 300 days lurking in the US electric grid. Remember, staying informed is one of the best ways to stay secure.
Don't forget to share this newsletter with your friends and colleagues to help them stay up to date on the latest in cybersecurity news.
Stay safe and secure out there!