Secret CISO 3/28: Nine's data breach exposes 16,000, PowerSchool's second breach, White House in crisis over security breach, Change Healthcare faces data breach lawsuits

Good morning, Secret CISO readers! Today's newsletter is packed with the latest updates on data breaches and security issues from around the globe. First up, we have a report on Nine auditing its external data security after a breach exposed 16,000 readers. Then, we delve into the second PowerSchool breach confirmed by investigators, which has impacted school systems nationwide. In political news, a group chat security breach has left the White House in crisis, with Team Trump going in circles. Meanwhile, Change Healthcare is seeking dismissal of data breach lawsuits brought by consumers, and Trump officials are facing backlash over a national security breach.
In the healthcare sector, ESHYFT's data breach is under investigation, and Enzo Biochem has agreed to a $7.5 million class action lawsuit settlement over a 2023 data breach. We also have updates on investigations into data breaches at Farmers Bank & Trust, Concord Orthopaedics, and Crossroads Trading. In tech news, a leak of sensitive data has exposed personal details of US officials, and a Portuguese IT security expert has created an 'emoji' translator for adults. Finally, we wrap up with a slew of research updates on AI and cybersecurity, IoT security gaps, and new security plans from OpenAI.
Stay tuned for more details on these stories and much more. Stay safe and secure!
Data Breaches
- Nine Audits External Data Security After Breach Exposes 16,000 Readers: Nine, the Australian media company, is auditing the data security of its external providers after a breach exposed the details of around 16,000 print subscribers. The incident is a reminder that subscriber data handled by third parties is only as safe as the weakest provider in the chain. Source: AFR
- Second PowerSchool Data Breach Confirmed by Investigators: A second data breach at PowerSchool, a school management software provider, has been confirmed. The breach has impacted school systems nationwide, raising questions about the security of student data. Source: InForum
- Change Healthcare Seeks Dismissal of Data Breach Lawsuits: Change Healthcare is asking the court to dismiss the consumer lawsuits brought over last year's massive data breach, filing a series of motions to dismiss. Whatever the outcome, the litigation shows how long the legal tail of a large breach can be. Source: About Lawsuits
- ESHYFT Data Breach Under Investigation: The data breach at ESHYFT, a healthcare staffing platform, is under investigation. The breach has led to concerns over the security of sensitive personal and protected health information. Source: CBS 42
- $7.5M Enzo Biochem Data Breach Class Action Settlement: Enzo Biochem has agreed to a $7.5 million class action lawsuit settlement to resolve claims it failed to prevent a 2023 data breach. The settlement highlights the financial impact of data breaches on companies. Source: Top Class Actions
Security Research
- Portuguese IT security expert creates 'emoji' translator for adults: A Portuguese computer security expert has developed a free tool that translates the hidden meanings of emojis. This tool aims to help adults understand the coded language often used by younger generations. Source: Macau Business
- Auburn Research Center to Expand AI and Cybersecurity Work: The Auburn University Center for Artificial Intelligence and Cybersecurity Engineering is expanding its security research. The center aims to build on the school's existing research and contribute to the development of AI and cybersecurity. Source: Government Technology
- IoT Security Gaps Put Enterprises at Risk: IoT security and privacy researcher Dennis Giese uses reverse engineering to expose weaknesses in consumer IoT devices. Because such devices are easy to take apart and exploit, the ones that end up on corporate networks pose a real risk to enterprises. Source: BankInfoSecurity
- OpenAI's New Security Plan Rewards 'Critical' Bug Discovery: OpenAI has expanded its Cybersecurity Grant Program, which has funded 28 research projects addressing threats. The new security plan aims to reward the discovery of critical bugs, encouraging more researchers to participate. Source: BankInfoSecurity
- Research reveals smart TV vulnerabilities threaten networks: Research by CYFOX has uncovered critical vulnerabilities in smart TVs that threaten corporate networks. This discovery highlights a broader industry security issue, emphasizing the need for more robust security measures. Source: SecurityBrief Australia
Top CVEs
- CVE-2025-26909 - PHP Local File Inclusion in Hide My WP Ghost: The John Darrel Hide My WP Ghost WordPress plugin is affected by a PHP Local File Inclusion flaw: a filename passed to an include/require statement is not properly controlled, so an attacker can make the plugin include files from the server's local filesystem. The summary does not specify affected versions. Source: CVE-2025-26909
- CVE-2024-45356 - Unauthorized Access in Xiaomi Phone Framework: Xiaomi phone framework has a vulnerability that allows unauthorized access due to improper validation. Attackers can exploit this vulnerability to access sensitive information. Source: CVE-2024-45356
- CVE-2025-29993 - HTTP Header Injection in PowerCMS: PowerCMS is affected by an HTTP header injection vulnerability. An attacker can use it to make the application send e-mails containing tampered URLs, for example a password reset link that points at an attacker-controlled host instead of the legitimate site. The summary does not specify affected versions. Source: CVE-2025-29993
- CVE-2025-2857 - Sandbox Escape in Firefox: A compromised child process in Firefox can cause the parent process to return an unintentionally powerful handle to it, allowing the child to escape the content sandbox. The flaw affects Firefox before 136.0.4, Firefox ESR before 128.8.1 and Firefox ESR before 115.21.1, and only on Windows. Source: CVE-2025-2857
- CVE-2024-45361 - Protocol Flaw in Xiaomi Mi Connect Service APP: Xiaomi Mi Connect Service APP has a protocol flaw vulnerability due to flawed validation logic. This can be exploited by attackers to leak sensitive user information. Source: CVE-2024-45361
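The PowerCMS item above describes the classic way header injection turns into a tampered password reset e-mail: the application builds the link from a header the client controls. The following is an added example, not PowerCMS code; the hostnames, request dictionaries and the `CANONICAL_BASE`/`ALLOWED_HOSTS` configuration are all constructed for illustration.

```python
"""Password-reset link construction: trusting the Host header vs a configured origin.

Added example, not PowerCMS code. Requests below are constructed, not captured.
"""
from urllib.parse import quote, urlsplit

# Constructed sample requests (hypothetical hostnames).
LEGIT_REQUEST = {"Host": "cms.example.org", "X-Forwarded-Proto": "https"}
POISONED_REQUEST = {"Host": "attacker.example", "X-Forwarded-Proto": "https"}
CRLF_REQUEST = {"Host": "cms.example.org\r\nX-Injected: 1", "X-Forwarded-Proto": "https"}

# Assumed deployment configuration: the only origin reset links may point at.
CANONICAL_BASE = "https://cms.example.org"
ALLOWED_HOSTS = {"cms.example.org", "www.example.org"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from the client-supplied Host header.

    Whatever the attacker puts in Host ends up in the victim's e-mail: a reset
    request submitted for the victim's address yields a link that sends the
    victim, token included, to the attacker's domain.
    """
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{headers['Host']}/reset?token={quote(token, safe='')}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Builds the link from configuration and only sanity-checks Host.

    Host is validated (no control characters, present in the allow-list) but
    never copied into the link; the origin always comes from CANONICAL_BASE.
    """
    host = headers.get("Host", "")
    if any(c in host for c in "\r\n\0"):
        raise ValueError("control characters in Host header")
    if host.split(":", 1)[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host: {host!r}")
    return f"{CANONICAL_BASE}/reset?token={quote(token, safe='')}"


def hardened_rejects(headers: dict, token: str) -> bool:
    """True if the hardened builder refuses to produce a link for this request."""
    try:
        reset_link_hardened(headers, token)
    except ValueError:
        return True
    return False


def link_origin(link: str) -> str:
    """Scheme and host of a generated link: where the victim will be sent."""
    parts = urlsplit(link)
    return f"{parts.scheme}://{parts.netloc}"


if __name__ == "__main__":
    token = "c0ffee"  # constructed token value
    print("vulnerable:", reset_link_vulnerable(POISONED_REQUEST, token))
    print("hardened:  ", reset_link_hardened(LEGIT_REQUEST, token))
    for bad in (POISONED_REQUEST, CRLF_REQUEST):
        print("rejected" if hardened_rejects(bad, token) else "accepted", bad["Host"])
```

The practical check when reviewing a CMS or framework is simple: search for every place a reset, invite or verification URL is assembled and confirm the origin comes from configuration, not from `Host`, `X-Forwarded-Host` or any other request header.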
API Security
- CVE-2025-2894 - Go1 Bionic Quadruped Robot Backdoor: The Unitree Go1, a consumer-level bionic quadruped robot, ships with an undocumented backdoor: through the CloudSail remote access service, the manufacturer or anyone holding the correct API key can remotely control the device. For owners this means a robot on the network can be reached and operated by a third party without their knowledge. Source: CVE-2025-2894
- CVE-2024-55073 - Hay-kot Mealie Broken Object Level Authorization: Hay-kot's mealie v2.2.0 has a Broken Object Level Authorization vulnerability in its /api/users/{user-id} component. This allows users to edit their own profiles to grant themselves more permissions or change their details. Source: CVE-2024-55073
- CVE-2023-52998 - Linux Kernel Net: fec Memory Leak: The Linux kernel has fixed a memory leak in the fec (Freescale Ethernet) driver. Because the driver used page_pool_release_page incorrectly, the system could run out of memory after a few hundred down/up cycles of the eth0 interface. The fix replaces that call with page_pool_put_full_page. Source: CVE-2023-52998
- CVE-2022-49753 - Linux Kernel Dmaengine Double Increment: The Linux kernel has fixed a bug in the dmaengine subsystem where the channel client_count was incremented twice for public channels, leaving an incorrect client count and opening the door to resource mismanagement. Source: CVE-2022-49753
- CVE-2025-2855 - Elunez Eladmin Deserialization Vulnerability: Elunez eladmin up to 2.7 has a vulnerability in its /api/deploy/upload file's checkFile function. The manipulation of the servers argument leads to deserialization, which can be exploited by attackers. Source: CVE-2025-2855
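The Mealie item above is a textbook Broken Object Level Authorization case: the endpoint authenticates the caller but never asks whether that caller may touch this record or these fields. The following is an added example, not Mealie code; the `User` data model, the field names and the in-memory user table are assumed for illustration.

```python
"""Object-level authorization on a user-update endpoint: vulnerable vs hardened.

Added example, not Mealie code; the data model and field names are assumed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict


class Forbidden(Exception):
    """Raised when the caller may not perform the requested update."""


@dataclass
class User:
    id: int
    username: str
    admin: bool = False         # privilege field
    can_manage: bool = False    # privilege field


# Fields a non-admin may change on their own record. Everything else is a
# privilege flag or server-managed and must never be mass-assigned.
SELF_EDITABLE = {"username"}


def make_db() -> Dict[int, User]:
    """Constructed in-memory user table (hypothetical users)."""
    return {1: User(1, "alice", admin=True), 2: User(2, "bob")}


def update_user_vulnerable(db: Dict[int, User], caller_id: int,
                           target_id: int, patch: Dict[str, Any]) -> User:
    """PATCH /api/users/{user-id} with authentication but no authorization.

    The caller is a logged-in user, so every field in the request body is
    applied to whichever record the path names: privilege flags included,
    other users' records included.
    """
    target = db[target_id]
    for name, value in patch.items():
        setattr(target, name, value)
    return target


def update_user_hardened(db: Dict[int, User], caller_id: int,
                         target_id: int, patch: Dict[str, Any]) -> User:
    """Same endpoint with object-level and field-level checks."""
    caller = db[caller_id]
    target = db[target_id]
    # Object level: only the owner or an admin may touch this record.
    if caller.id != target.id and not caller.admin:
        raise Forbidden("not the owner of this record")
    # Field level: a non-admin may only change the self-editable fields.
    if not caller.admin:
        disallowed = set(patch) - SELF_EDITABLE
        if disallowed:
            raise Forbidden(f"fields not self-editable: {sorted(disallowed)}")
    unknown = {f for f in patch if not hasattr(target, f)}
    if unknown:
        raise Forbidden(f"unknown fields: {sorted(unknown)}")
    for name, value in patch.items():
        setattr(target, name, value)
    return target


def attempt(handler: Callable, db: Dict[int, User], caller_id: int,
            target_id: int, patch: Dict[str, Any]) -> str:
    """Run one update and report the outcome as a short string."""
    try:
        user = handler(db, caller_id, target_id, patch)
    except Forbidden as exc:
        return f"forbidden: {exc}"
    return f"ok: admin={user.admin} can_manage={user.can_manage} username={user.username}"


if __name__ == "__main__":
    for handler in (update_user_vulnerable, update_user_hardened):
        db = make_db()
        print(handler.__name__)
        print("  bob edits bob {admin: True}   ->", attempt(handler, db, 2, 2, {"admin": True}))
        print("  bob edits alice username      ->", attempt(handler, db, 2, 1, {"username": "pwned"}))
        print("  bob edits bob username        ->", attempt(handler, db, 2, 2, {"username": "bobby"}))
        print("  alice grants bob can_manage   ->", attempt(handler, db, 1, 2, {"can_manage": True}))
```

When testing an API for this class of bug, send the same PATCH twice: once with a field the caller should own and once with a privilege field or another user's id in the path. If both return 200, the handler is checking identity but not authorization.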
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from data breaches affecting thousands of readers to investigations into security breaches at the White House. It's clear that no organization is immune to these threats, and it's crucial to stay informed and vigilant. Remember, knowledge is power. By staying updated on the latest security news, you're taking a proactive step in protecting your organization.
So, why not share this newsletter with your colleagues and friends?
They might find it just as useful as you do. Stay safe, stay secure, and see you in the next edition of Secret CISO.