Secret CISO 6/9: Disney and Telangana Police Data Breaches, Security Culture Importance, Microsoft's Recall Feature Concerns

Secret CISO 6/9: Disney and Telangana Police Data Breaches, Security Culture Importance, Microsoft's Recall Feature Concerns

Welcome to today's issue of Secret CISO, where we delve into the latest cybersecurity news and breaches. Today, we're unpacking a major data breach at the Walt Disney Company, where user information from Club Penguin and internal workings at Disney Parks and Disney+ were compromised. In a similar vein, a 20-year-old from Delhi was arrested for hacking Hawk Eye and TSCOP applications of Telangana police, highlighting the ongoing global issue of data breaches.

We'll also be discussing the importance of fostering a strong information security culture, as human error continues to be a root cause of many breaches. In a shocking incident, an allegedly stolen truck rammed a security fence at Jacksonville International Airport, reminding us that physical security is just as crucial as digital. In other news, The New York Times' internal source code and data were leaked, and patient data was stolen in a hack, with senators alleging that patients were not informed.

A major data breach at the Agricultural Credit Policy Council (ACPC) that exposed sensitive information due to weak security practices. Stay tuned for more updates on the evolving cyber landscape, the future of identity in print infrastructure management, and how Microsoft is addressing security concerns. We'll also be sharing insights from security researchers and experts on the latest vulnerabilities and threats. Stay safe and informed with Secret CISO.

Data Breaches

  1. Disney Hacked! Major Data Breach at the Walt Disney Company: Disney has suffered a significant data breach, with user information from Club Penguin and internal workings at Disney Parks and Disney+ compromised. The extent of the breach and the potential impact on users and the company's operations are yet to be fully determined. Source: Inside the Magic
  2. 20-year-old from Delhi arrested for hacking Hawk Eye and TSCOP applications of Telangana police: A student from Noida has been arrested for hacking into the Hawk Eye and TSCOP applications of the Telangana police. The hacker had posted details of the breach on databreachforum.st, offering the compromised data. Source: The Hindu
  3. Reports: 'The New York Times' internal source code and data leaked: A hacker associated with Club Penguin breached Disney's servers, leading to the leak of 2.5GB of sensitive corporate data, which was part of a larger breach. The impact of this breach on the New York Times and its operations is still unclear. Source: Israel Hayom
  4. Patient data was stolen in a hack. Senators say no one told patients: A data breach has occurred affecting personal health data of patients. The Department of Health and Human Services is investigating whether UnitedHealth is responsible for the breach. The extent of the breach and the number of affected patients are yet to be determined. Source: KCCI
  5. Major data breach at Agricultural Credit Policy Council (ACPC) exposes sensitive information: A significant data breach at the Agricultural Credit Policy Council (ACPC) has exposed sensitive information. The breach has highlighted significant security weaknesses, including exposed sensitive information and weak security practices. Source: MB

Security Research

  1. Hacker who leaked, sold Telangana police data for 150$ arrested: A hacker who leaked and sold sensitive police data from Telangana was apprehended. The data breach was discovered by security researcher Srinivas Kodali, who expressed concern over the extensive data collection by Hyderabad police. Source: Siasat.com
  2. Cyber Security News Weekly Round-Up: ReversingLabs researchers detected a data wiping package as part of a sophisticated multi-step attack campaign. The round-up also covers other significant cyber threats and vulnerabilities of the week. Source: Cybersecuritynews.com
  3. Interview – Myriam Dunn Cavelty: Myriam Dunn Cavelty discusses the complexities of cyber security research and the need for evolving research methodologies. The interview provides insights into the challenges and future directions of security research. Source: E-International Relations
  4. Week in review: Atlassian Confluence RCE PoC, new Kali Linux, Patch Tuesday forecast: Security researchers published a proof-of-concept exploit that combines two vulnerabilities. The review also covers other significant security updates of the week. Source: HelpNetSecurity.com
  5. Research shows why 5G and microgrids make a resilient match: A study by NREL suggests that 5G features can support distributed controls and enhance the security and resilience of power systems. This research highlights the potential of 5G in improving the security of microgrids. Source: Smart Energy International

Top CVEs

  1. CVE-2023-51494 - Missing Authorization in Woo WooCommerce Product Vendors: This vulnerability affects WooCommerce Product Vendors and could allow unauthorized access to sensitive information. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2023-51494
  2. CVE-2024-31252 - Missing Authorization in dFactory Responsive Lightbox: A security flaw in the dFactory Responsive Lightbox could potentially allow unauthorized users to gain access. It is recommended to update to the latest version to fix this vulnerability. Source: CVE-2024-31252
  3. CVE-2023-34003 - Missing Authorization in Woo WooCommerce Box Office: This vulnerability affects WooCommerce Box Office and could allow unauthorized access to sensitive information. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2023-34003
  4. CVE-2024-31244 - Missing Authorization in Bricksforge: A security flaw in Bricksforge could potentially allow unauthorized users to gain access. It is recommended to update to the latest version to fix this vulnerability. Source: CVE-2024-31244
  5. CVE-2024-32778 - Missing Authorization in Contest Gallery: This vulnerability affects Contest Gallery and could allow unauthorized access to sensitive information. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2024-32778

Final Words

And that's a wrap for today's edition of Secret CISO. From Disney's major data breach to the arrest of a hacker involved in a police data breach, it's clear that the world of cybersecurity is as dynamic and unpredictable as ever. Remember, fostering a strong security culture and staying informed are your best defenses against these threats.

So, don't forget to share this newsletter with your friends and colleagues to keep them in the loop too.

In the meantime, stay safe, stay secure, and keep an eye out for tomorrow's edition where we'll bring you more updates from the ever-evolving world of cybersecurity. Until then, this is your Secret CISO, signing off.

Read more

Secret CISO 11/24: Niantic's AI Map Data Breach, Baer's Furniture Co. Settlement, Netflix's Worst Leak, Microsoft's Security Failures, Irish Research on NHS Leak, Quantum-Proof Ethereum

Secret CISO 11/24: Niantic's AI Map Data Breach, Baer's Furniture Co. Settlement, Netflix's Worst Leak, Microsoft's Security Failures, Irish Research on NHS Leak, Quantum-Proof Ethereum

Welcome to today's edition of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we delve into the controversial use of Pokemon Go player data by Niantic to train AI map models, raising serious privacy concerns and potential data breach risks. We also discuss the

By Secret CISO