Secret CISO 3/6: Rising Tide of Data Breaches, Legal Battles Ensue, Cybersecurity Research Forecasts Growth
Welcome to today's edition of Secret CISO, your daily source for the latest in cybersecurity news. Today, we're diving into the troubling trend of increasingly common data breaches. Tech analyst Carmi Levy describes the recent data breach at Laurentian University as 'depressingly familiar,' highlighting the urgent need for improved cybersecurity measures. In other news, American Express cardholders are grappling with the aftermath of a data breach, while American Vision Partners faces a lawsuit over a breach that exposed over 2 million patients' personal data. Meanwhile, Shields Health Care Group must face a proposed class action for failing to protect personal information. On the research front, insider-driven data loss incidents are costing companies an average of $15 million, according to Security Magazine. In response to these threats, cybersecurity market researchers are forecasting significant growth in global spending on security and risk management. In the legal sphere, restaurant chain Golden Corral was hit with a cluster of data breach class actions last month, and consumers have dismissed data breach lawsuits against Integris Health. Finally, we'll explore the latest vulnerabilities and patches, including two iOS zero-day vulnerabilities disclosed by Apple, and a massive data breach at a Taiwanese telecom firm. Stay tuned for these stories and more in today's Secret CISO newsletter.
Data Breaches
American Express Data Breach
A notorious ransomware gang hacked a unit of insurance giant American Express, potentially compromising customer data. The breach may have exposed account numbers, expiration dates, and names. Source: Washington Post, CBS News.
Laurentian University Data Breach
A personal-information data breach at Laurentian University is described as 'depressingly familiar' by tech analyst Carmi Levy. The university confirmed a limited data breach resulting from a broader cyber incident. Source: CTV News, Sudbury News.
Change Healthcare Cyberattack
A data breach at Change Healthcare impacted 40 facilities. UnitedHealth Group, which is associated with Change Healthcare, is facing a proposed class-action lawsuit over the breach. Source: SecurityWeek, Becker's Payer.
Eye-Clinic Servicer Data Breach
American Vision Partners faced a lawsuit over a data breach that exposed more than 2 million patients' personal information. The company is accused of disregarding cybersecurity best practices. Source: Bloomberg Law News.
Taiwanese Telecom Firm Data Breach
Taiwan's Ministry of National Defense confirmed that hackers stole sensitive information, including government and military documents, from a Taiwanese telecom firm. The scale of the breach is described as massive. Source: Business Insurance.
Security Research
Trade Risk and Food Security
Food import dependence is linked to higher food insecurity, especially in low-income countries. This research highlights the importance of domestic food production and the risks associated with relying on imports. Source: St. Louis Fed
Apple discloses 2 iOS zero-day vulnerabilities
Apple has disclosed two zero-day vulnerabilities in its iOS system, affecting the iPad mini 5th generation and later. No specific researchers were credited in the security disclosure. Source: TechTarget
Cybersecurity market researchers forecast significant growth
Global spending on security and risk management is predicted to increase by 14.3% in 2024, outpacing overall IT spending, according to Gartner. This indicates a growing emphasis on cybersecurity. Source: TechTarget
Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining
Hackers are exploiting misconfigured servers for crypto mining, according to security researcher Matt Muir. The activity has been codenamed Spinning YARN. Source: The Hacker News
Apple, Okta and others help human rights groups fight spyware
Tech companies including Apple and Okta are assisting human rights groups in combating spyware. Journalists and security researchers have become prime targets for governments seeking to halt their investigations. Source: Axios
Top CVEs
CVE-2024-22255
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may exploit this issue to leak memory from the vmx process. Source: CVE-2024-22255
CVE-2023-25681
LDAP users on IBM Spectrum Virtualize 8.5, configured to require multifactor authentication, can still authenticate to the CIM interface using only username and password. This does not affect local users with MFA configured or remote users authenticating via single sign-on. Source: CVE-2023-25681
CVE-2024-27308
Mio, a Metal I/O library for Rust, has a vulnerability when using named pipes on Windows. Mio may return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry, potentially leading to a use-after-free scenario. Source: CVE-2024-27308
CVE-2022-22399
IBM Aspera Faspex 5.0.0 and 5.0.1 are vulnerable to HTTP header injection, caused by improper validation of input in the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. Source: CVE-2022-22399
CVE-2024-22254
VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the VMX process. Source: CVE-2024-22254
CISO's Jobs
Director, Cybersecurity Strategy and Programs - KPMG US
This role at KPMG US presents a prime opportunity for cybersecurity experts aiming to shape and enforce security frameworks within a leading global network of professional services firms. The position is based in different locations, offering competitive benefits, including a 401(k) plan. Ideal candidates will engage in high-level strategic planning and program development to safeguard critical assets against evolving cyber threats.
Read more: https://www.linkedin.com/jobs/view/3847529229
VP / Director, Information Security Governance - Madison-Davis, LLC, New York City Metropolitan Area (Hybrid)
This position offers a unique blend of leadership and governance in the vibrant NYC area, with the flexibility of hybrid work. The role offers an attractive salary range of $190K-$230K/year and involves overseeing the implementation of information security policies and procedures to ensure compliance and protect the organization from information security risks.
Read more: https://www.linkedin.com/jobs/view/3809824232
Senior Director - Information Security GRC - Ryder System, Inc., Springfield, IL (Remote)
Operating remotely, this role focuses on Governance, Risk, and Compliance (GRC) within Ryder System, Inc., a major player in the logistics and transportation industry. The position, offering a salary range of $150K-$180K/year along with a 401(k) and additional benefits, is ideal for individuals looking to leverage their expertise in creating robust security postures and ensuring regulatory compliance.
Read more: https://www.linkedin.com/jobs/view/3847606910
Director of Information Technology and Security - LifeLabs Learning, Atlanta, GA (Remote)
This remote opportunity based out of Atlanta offers a salary range of $150K-$170K/year, including vision and 401(k) benefits. The role is perfect for candidates passionate about leveraging technology to enhance learning while ensuring the security and integrity of IT infrastructure and data within an innovative learning environment.
Read more: https://www.linkedin.com/jobs/view/3844045868
Director, Product Security - Snowflake, San Mateo, CA
Snowflake's opening for a Director of Product Security in San Mateo represents a premier opportunity for experts in product-centric cybersecurity, with a salary range of $264,000 to $393,750 a year. This position offers a unique chance to join a rapidly growing team at the forefront of cloud data warehousing, delivering cutting-edge security solutions in a dynamic and innovative environment.
Final Words
And that's a wrap for today's edition of Secret CISO. As we've seen, data breaches are becoming depressingly familiar, with organizations from Laurentian University to American Express falling victim. It's a stark reminder of the importance of robust cybersecurity measures. But remember, cybersecurity isn't just an IT issue, it's a team sport. So, share this newsletter with your colleagues and friends to keep them in the loop. Let's work together to build a safer digital world.
Stay safe and see you tomorrow for more updates from the world of cybersecurity.