Hello there, Secret CISO readers! Today's newsletter is packed with the latest updates on data breaches and cybersecurity. In Scotland, a housing association has been reprimanded for a data breach involving residents' personal data. Meanwhile, KnowBe4 has acquired UK's Egress to create an advanced AI-driven platform to manage human risk, in light of the fact that 74% of data breaches involve human error. On the healthcare front, UnitedHealth Group reported a significant data breach compromising personal health information.

In a related story, a Connecticut Healthcare Company has agreed to pay $1.5M to end a data breach lawsuit. In the tech industry, Dutch chipmaker Nexperia confirmed a significant data breach after hackers accessed its systems. In Florida, a path to data breach immunity for companies has reached the Governor's desk. We also delve into the world of cybersecurity research, with ASU receiving three awards for research critical to national security.

We also highlight the importance of patch management advice for fixing IoT vulnerabilities. Stay tuned for more updates and remember, knowledge is power when it comes to cybersecurity. Stay safe and secure!

Data Breaches

1. Social housing provider reprimanded after data breach of antisocial behaviour case files: A Scottish housing association, owning nearly 5,000 properties, has been formally reprimanded for a data breach that exposed residents' personal information. The breach's details remain undisclosed. Source: PublicTechnology
2. UnitedHealth reports significant data breach; personal health info compromised: UnitedHealth Group Inc. disclosed that hackers stole a significant amount of health and personal data from its systems in February. The exact number of affected individuals and the nature of the stolen data are yet to be revealed. Source: Business Insurance
3. Dutch Chipmaker Nexperia Suffers a Data Breach That Exposed Sensitive Information: Global chipmaker Nexperia confirmed a significant data breach after hackers accessed some of its systems and potentially stole sensitive information. The company has not disclosed the extent of the breach or the type of data compromised. Source: CPO Magazine
4. USG involved in data breach of users' personal information, which may be posted online: The University System of Georgia (USG) alerted users of a data breach that occurred last May, potentially exposing users' personal information. The breach occurred after purchasing MOVEit Secure File Transfer. Source: WUGA
5. Coast Guard Reserve deals with data breach amid cybersecurity push: The Coast Guard Reserve alerted thousands of its personnel to a data breach nearly three months after someone improperly sent their personal information. The exact number of affected personnel and the nature of the exposed data are yet to be revealed. Source: Yahoo

Security Research

1. ASU Receives 3 Awards for Research Critical to National Security: Three researchers from the Ira A. Fulton Schools of Engineering at Arizona State University have been awarded grants for their work in national security. The research is expected to contribute significantly to the defense sector. Source: ASU News
2. Examining Fake News Sites Generating Chinese Propaganda: Researchers at The Citizen Lab have been investigating the spread of Chinese propaganda through fake news sites. The research provides valuable insights into the cyber threats posed by misinformation campaigns. Source: Radio Free Asia
3. Almost Every Chinese Keyboard App Has a Security Flaw: Researchers have discovered that almost all keyboard apps preinstalled on Android phones sold in China have a security flaw that reveals what users type. This discovery raises serious concerns about user privacy and data security. Source: MIT Technology Review
4. Patch Management Advice for Fixing IoT Vulnerabilities: Fortra's security research and development team provides advice on patch management for fixing IoT vulnerabilities. The research emphasizes the importance of keeping medical device software up to date to prevent security breaches. Source: Healthcare IT News
5. Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike: Researchers have detailed a multistage attack that hijacks systems using SSLoad and Cobalt Strike. The research provides valuable insights into the stealthy infiltration of systems and the gathering and transmission of sensitive information. Source: The Hacker News

Top CVEs

1. CVE-2023-47504: An Improper Authentication vulnerability in Elementor Website Builder allows unauthorized access to functionalities not properly constrained by ACLs. Source: CVE-2023-47504
2. CVE-2023-25790: Improper Authentication and Cross-site Scripting vulnerability in xtemos WoodMart allows XSS attacks. Source: CVE-2023-25790
3. CVE-2023-48763: Basic XSS vulnerability in Crocoblock JetFormBuilder allows Code Injection. Source: CVE-2023-48763
4. CVE-2024-20359: A vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software allows an authenticated, local attacker to execute arbitrary code with root-level privileges. Source: CVE-2024-20359
5. CVE-2023-51477: Improper Authentication vulnerability in BUDDYBOSS DMCC BuddyBoss Theme allows unauthorized access to functionalities not properly constrained by ACLs. Source: CVE-2023-51477

Final Words

And that's a wrap for today's edition of Secret CISO. As we've seen, data breaches continue to be a significant issue across various sectors, from healthcare to social housing. It's a stark reminder of the importance of robust cybersecurity measures and the role each of us plays in maintaining them. Remember, security is not a one-time event but a continuous process. Stay vigilant, stay informed, and most importantly, stay secure.

If you found today's newsletter helpful, why not share it with your colleagues and friends? Let's spread the word and help create a safer digital world for everyone. Until next time, keep those data fortresses secure!