Welcome to today's edition of Secret CISO, where we bring you the latest and most impactful cybersecurity news. Today, we're focusing on a series of data breaches that have affected major companies and institutions, including National Public Data, Arden Claims Service, Fidelity Bank, and FlightAware.

In a shocking revelation, Rep. Ritchie Torres discussed a massive Social Security data breach on YouTube, where hackers reportedly stole over 2.9 billion records from National Public Data. Arden Claims Service also reported a data breach affecting 139,000 individuals, with social security numbers among the stolen data. Fidelity Bank was fined by NDPC for a data breach, found to have breached the Nigeria Data Protection Regulation and Act. FlightAware also suffered a possible exposure of social security numbers after a data breach, deeply regretting the incident.

The rise in data breaches has led to record settlements and investor claims, reflecting an increased focus on cybersecurity. Change Healthcare also confirmed a data breach that had wide impacts this year. In other news, security leaders are discussing the National Public Data breach, which exposed personally identifiable information. Rep. Ritchie Torres is hosting a conference to discuss the breach and what New Yorkers need to know to protect themselves.

Stay tuned for more updates and remember, knowledge is the key to cybersecurity. Stay informed, stay secure.

Data Breaches

1. National Public Data Massive Data Breach: Hackers stole over 2.9 billion records from National Public Data, a background check company. The breach exposed personally identifiable information (PII) such as names, phone numbers, mailing addresses, email addresses, and Social Security numbers. Source: YouTube and Security Magazine
2. Arden Claims Service Data Breach: Arden Claims Service reported a data breach affecting 138,890 individuals. The breach resulted in the theft of Social Security numbers among other personal data. Source: SecurityWeek
3. Fidelity Bank Data Breach: Fidelity Bank was fined N555.8m by the Nigeria Data Protection Commission (NDPC) for breaching the Nigeria Data Protection Regulation (NDPR) of 2019 and the Nigeria Data Protection (NDP) Act of 2023. Source: Channels Television
4. FlightAware Data Breach: FlightAware suffered a data security incident that potentially exposed the personal information of several thousand users, including some users' Social Security numbers. Source: Simple Flying
5. Toyota Data Breach: Toyota confirmed a major data breach after hackers posted stolen data on an underground forum. The breach resulted in the exposure of 240 GB of data, including employee and customer information. Source: TechRadar and Times of India

Security Research

1. Don't Reinvent the Wheel to Govern AIc: Dewey Murdick and Owen J. Daniels suggest in their op-ed that the existing regulatory framework can be adapted to govern AI, rather than creating new regulations from scratch. They argue that this approach can help avoid potential pitfalls and unintended consequences. Source: Georgetown University
2. Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data: A critical security flaw in Microsoft's Copilot Studio has been disclosed by cybersecurity researchers. The vulnerability could be exploited to access sensitive data, prompting Microsoft to release a patch to address the issue. Source: The Hacker News
3. New research: Malicious actors are imitating tech companies: Cybersecurity researchers have identified a fraudulent domain posing as Cado Security. The false domain was redirecting users to the organization's legitimate site, demonstrating a new tactic used by malicious actors. Source: Security Magazine
4. Slack AI can leak private data via prompt injection: A security flaw in Slack's AI could potentially leak private data through prompt injection. The vulnerability highlights the need for robust security measures in AI applications. Source: The Register
5. Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data: Researchers have discovered an exploit in Microsoft's Copilot Studio that can leak sensitive cloud data. The exploit was tested to create HTTP requests to access cloud data, revealing a significant security flaw. Source: Dark Reading

Top CVEs

1. Azure Managed Instance for Apache Cassandra Improper Access Control (CVE-2024-38175): An authenticated attacker can exploit this vulnerability to elevate privileges over Azure Managed Instance for Apache Cassandra. Microsoft has not yet released a patch. Source: CVE-2024-38175
2. Confluence Data Center and Server XSS and CSRF Vulnerability (CVE-2024-21690): This vulnerability allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser and force them to execute unwanted actions on a web application in which they're currently authenticated. Atlassian recommends upgrading to the latest version or a specified supported fixed version. Source: CVE-2024-21690
3. Plugin Data Sources Access Control Bypass (CVE-2024-6322): If a user or service account is granted access to any other data source, the ReqActions check for plugin data sources is bypassed, potentially leading to unauthorized access. The account must have prior query access to the impacted data source. Source: CVE-2024-6322
4. Pagination Class Cache Poisoning (CVE-2024-27185): The pagination class in an unspecified software includes arbitrary parameters in links, leading to a cache poisoning attack. The vendor has not yet provided a patch or workaround. Source: CVE-2024-27185
5. Umbraco Management API Information Disclosure (CVE-2024-43376): Some endpoints in the Umbraco Management API can return stack trace information, even when Umbraco is not in debug mode, potentially leading to information disclosure. The vendor has released a fix. Source: CVE-2024-43376

API Security

1. Logsign Unified SecOps Platform Directory Traversal Arbitrary Directory Deletion Vulnerability (CVE-2024-7603): This vulnerability allows remote attackers to delete arbitrary directories on affected installations of Logsign Unified SecOps Platform. The flaw exists within the HTTP API service, which lacks proper validation of user-supplied paths. Source: CVE-2024-7603
2. Logsign Unified SecOps Platform Incorrect Authorization Authentication Bypass Vulnerability (CVE-2024-7604): This vulnerability allows local attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. The flaw exists within the HTTP API service, which lacks proper validation of the user's license expiration date. Source: CVE-2024-7604
3. Docusign API package 8.142.14 for Salesforce Vulnerability (CVE-2024-39344): This vulnerability allows attackers to compromise the Apttus_DocuApi__DocusignAuthentication__mdt object installed via the marketplace from this package and disclose some keys. These disclosed components can be combined to create a valid session via the Docusign API. Source: CVE-2024-39344
4. Hide My Site plugin for WordPress Sensitive Information Exposure (CVE-2024-5880): This vulnerability allows unauthenticated attackers to gain unauthorized access to the REST API when password protection is enabled. Source: CVE-2024-5880
5. chillzhuang SpringBlade 4.1.0 SQL Injection Vulnerability (CVE-2024-8023): This vulnerability allows attackers to manipulate the file /api/blade-system/menu/list?updatexml, leading to SQL injection. Source: CVE-2024-8023

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of the Secret CISO newsletter. We hope you found these updates valuable and informative. Remember, staying informed is the first step in ensuring the security of your systems and data.

If you found this newsletter helpful, don't forget to share it with your colleagues and friends.

They might find it useful too! Stay safe, stay secure. See you in the next edition.