Secret CISO 3/24: Middle East's Digital Race Risks Infrastructure, NYU Data Leak, PCI DSS Standard Update, Cloud Providers' Security Shortfalls

Welcome to today's edition of Secret CISO, your daily dose of cybersecurity insights.
Today, we delve into the Middle East's race to digitize and the potential threats it poses to infrastructure. We also discuss the new PCI DSS standard that's set to land on March 31, making WAFs non-optional. In other news, NYU faces a data leak affecting millions of applicants, and we explore how PlexTrac is enhancing security workflows. We also shed light on a report showing that 1 in 7 U.S. homeowners are uninsured. In the cloud space, we discuss why 44% of CISOs are changing their cloud service provider due to security concerns.
We also highlight the appointment of legal tech veteran Elie Francis to the Infinnium leadership team, a pioneer in Information Governance and Data Protection. We also touch on the overconfidence of UK's CNI, putting national security at risk, and how Jetstar is leveraging data analytics. In a surprising move, China bans facial recognition in hotels and bathrooms due to data leakage concerns. Finally, we discuss the recent court ruling on the Capital One hacker's sentence, the Bybit hack that targeted people, not systems, and the data leak on NYU's website affecting over 3 million applicants.
Stay tuned for more updates and remember, security isn't an afterthought — it's a core component of successful digital transformation.
Data Breaches
- Millions Of NYU Applicants' Data Leaked On University Site: A significant data breach has occurred at New York University, with millions of applicants' personal information being leaked on the university's website. The breach is linked to a similar incident in 2023. Source: The Gazelle
- Auto Insurer Fined for Data Breach That Impacted 45K New Yorkers: An unnamed auto insurer has been fined for a data breach that affected 45,000 New Yorkers. The breach was significant enough to warrant a fine, indicating a high level of impact. Source: Claims Journal
- Appeals court rules Capital One hacker's sentence was too light: The hacker responsible for the massive 2019 Capital One data breach has had their sentence thrown out by a US appeals court, which deemed it too lenient. This highlights the severity of the breach, which affected over 100 million individuals. Source: Finextra Research
- Over 3 million applicants' data leaked on NYU's website: In a repeat of the earlier breach, over 3 million applicants' data has been leaked on NYU's website. The university is yet to comment on the breach. Source: DataBreaches.Net
- Lafayette Federal Credit Union Data Breach Alert: Lafayette Federal Credit Union has announced a data breach that may have resulted in the theft of personal information, including names and Social Security numbers, of its clients. The potential impact of this breach is currently unknown. Source: Morningstar
Security Research
- Richmond's ID Card Program for Undocumented Residents: A digital security expert warns of potential data security risks associated with Richmond's ID card program for undocumented residents. The well-intentioned initiative may inadvertently expose sensitive information if not properly secured. Source: CBS News
- AI for Detecting and Preventing Data Breaches: Canopus Networks and UNSW Sydney have secured a $433K grant from the Australian Government for a project aimed at commercializing AI to detect and prevent data breaches in the cloud. This initiative bridges the gap between security research and industry. Source: Macau Business
- Online Casinos Data Breach: Security researcher Lilith Wittmann has highlighted significant data protection issues in the online casino industry. Several online casinos have gone offline following a data breach, underscoring the need for improved security measures. Source: Heise
- EDR Detection Validation Test by AV-Comparatives: AV-Comparatives has launched a groundbreaking EDR Detection Validation Test. This independent professional assessment of enterprise security solutions provides expert third-party insights into real-world security scenarios. Source: The Malaysian Reserve
- Apple's Passwords App Security Flaw: A significant security flaw has been discovered in Apple's Passwords app. According to security analyst Georgia Cooke at ABI Research, the issue, which has potentially been present for years, involves the use of unencrypted HTTP connections, leaving users exposed to security risks. Source: CNET
Top CVEs
- CVE-2025-0927 - Linux Kernel HFS+ File System Heap Overflow Vulnerability: A heap overflow vulnerability has been discovered in the HFS+ file system implementation in the Linux Kernel. An attacker could exploit this vulnerability by using a specially crafted file system image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. Source: Vulners
- CVE-2025-2645 - PHPGurukul Art Gallery Management System 1.0 Cross Site Scripting Vulnerability: A cross-site scripting vulnerability has been found in PHPGurukul Art Gallery Management System 1.0. The vulnerability affects an unknown function of the file /product.php. Manipulation of the argument artname leads to cross-site scripting. The exploit has been disclosed to the public. Source: Vulners
- CVE-2025-2643 - PHPGurukul Art Gallery Management System 1.0 SQL Injection Vulnerability: A critical SQL injection vulnerability has been found in PHPGurukul Art Gallery Management System 1.0. The vulnerability affects unknown code of the file /admin/edit-art-type-detail.php?editid=1. Manipulation of the argument arttype leads to SQL injection. The exploit has been disclosed to the public. Source: Vulners
- CVE-2025-29806 - Microsoft Edge (Chromium-based) Unauthorized Code Execution Vulnerability: An unauthorized code execution vulnerability has been found in Microsoft Edge (Chromium-based). The vulnerability allows an unauthorized attacker to execute code over a network. Source: Vulners
- CVE-2025-30474 - Apache Commons VFS Sensitive Information Exposure Vulnerability: A vulnerability has been found in Apache Commons VFS that exposes sensitive information to an unauthorized actor. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. Users are recommended to upgrade to version 2.10.0, which fixes the vulnerability. Source: Vulners
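The Commons VFS information-exposure item above comes down to one pattern: an exception message that embeds the original URI, credentials included. The following is an added example (not code from Apache Commons VFS) of the defensive counterpart, redacting the userinfo password before a URI is ever placed in an error message; the FTP URI and the FileNotFound class are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def redact_uri(uri: str) -> str:
    """Return `uri` with any password in its userinfo replaced by '***'.

    The username and host are kept so the message is still useful for
    troubleshooting; the secret itself never reaches logs or stack traces.
    """
    parts = urlsplit(uri)
    if parts.password is None:      # nothing sensitive in the authority part
        return uri
    host = parts.hostname or ""
    if ":" in host:                 # urlsplit strips brackets from IPv6 literals
        host = f"[{host}]"
    netloc = f"{parts.username or ''}:***@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


class FileNotFound(Exception):
    """Constructed stand-in for a 'file not found' error raised by a VFS layer.

    The message is built from the redacted URI, so a caller that logs
    str(exc) cannot leak the password that was used to open the resource.
    """

    def __init__(self, uri: str) -> None:
        self.redacted_uri = redact_uri(uri)
        super().__init__(f"file not found: {self.redacted_uri}")


def describe_missing(uri: str) -> str:
    """Return the error text a caller would see for a missing file at `uri`."""
    return str(FileNotFound(uri))


if __name__ == "__main__":
    # Constructed sample: credentials embedded in an FTP URI.
    print(describe_missing("ftp://alice:s3cr3t@files.example.com:2121/reports/q1.csv"))
```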
API Security
- Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0 (CVE-2025-27553): A security flaw has been identified in Apache Commons VFS before version 2.10.0, where the 'resolveFile' method in the FileObject API could return file objects that are not a descendant of the base file when the path contains encoded ".." characters. Users are advised to upgrade to version 2.10.0 to mitigate this vulnerability. Source: vulners.com
- Authorization Bypass vulnerability in Next.js (CVE-2025-29927): This vulnerability allows unauthorized access to the /api/hello endpoint in Next.js applications. The flaw can be exploited by nesting the middleware name five times in the special x-middleware-subrequest header. This issue affects older versions of Next.js (12 and 13) with a different naming convention for the middleware file (_middleware.js). Users are advised to update their Next.js applications to the latest version to avoid this vulnerability. Source: vulners.com
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. As we've seen, the digital landscape is constantly evolving, and with it, the threats we face. From the Middle East's race to digitize to the new PCI DSS standards, it's clear that cybersecurity is more important than ever. Remember, security isn't just about protecting your systems, it's about safeguarding your business, your reputation, and most importantly, your customers. So, stay informed, stay vigilant, and most importantly, stay secure.
If you found today's newsletter helpful, why not share it with your colleagues? After all, in the world of cybersecurity, knowledge is the best defense. Until next time, stay safe out there.