Welcome to today's issue of Secret CISO! We've got a lot to unpack today, with a focus on the alarming rise in data breaches and leaks. First up, we delve into the new CJIS Security Policy guidelines and how they aim to protect your agency's data. We also take a look at the 2023 Data Breach Investigations Report from Verizon, which reveals that public sector incidents account for a significant portion of breaches.

In international news, a mysterious data hoarder has left over 90 million French records exposed, while the massive MC2 Data leak has compromised the private data of over 100 million Americans. The healthcare sector is also under threat, with I-MED's data breach exposing tens of thousands of patient files and CorrectCare settling a data breach lawsuit for $6.9 million.

In legal news, a recent federal court ruling has made it harder for plaintiffs to bring data breach claims. Meanwhile, thousands of US Congress emails are at risk of being taken over. We also explore how unprotected voter data can be used by foreign adversaries to disrupt Illinois elections, and how the hospitality industry is navigating privacy and data security challenges.

Stay tuned for more updates and expert insights into the world of cybersecurity. Stay safe and secure!

Data Breaches

1. Over 90 million French records exposed: A mysterious data hoarder has left instances open, exposing over 90 million French records. This database compiles information from multiple French-related data breaches and includes both known and unknown leaks. Source: CyberNews
2. MC2 Data Leak Exposes Private Data of Over 100 Million Americans: A massive data leak from MC2 has exposed the private data of nearly a third of U.S. citizens. This is the latest leak from a background check service. Source: The Cyber Express
3. I-MED data breach exposes 10,000s patient files: An intruder accessed I-MED's patient data, including medical reports and scan images, using info online for a year. This breach has exposed tens of thousands of patient files. Source: Crikey
4. CorrectCare Data Breach Lawsuit Settles for $6.9 Million: A data breach at CorrectCare exposed sensitive information and left the personal data of 600,000 individuals vulnerable. The lawsuit related to this breach has recently been settled for $6.9 million. Source: Healthcare Innovation
5. Thousands of US Congress Emails Exposed to Takeover: Security experts have warned against using work email addresses to sign-up to third-party sites, after discovering that thousands of US Congress emails were exposed to takeover. Source: Infosecurity Magazine

Security Research

1. Unprotected Data Could Impact Election: A security researcher found sensitive voter information accessible online, highlighting the potential for misuse by malicious actors. Source: AdVantageNews.com
2. DragonForce Ransomware, Salt Typhoon ISPs, ChatGPT SpAIware: Threat actors are increasingly using security research tools for malicious purposes, as evidenced by the discovery of a new ransomware variant by Palo Alto Networks Unit 42. Source: CISO Series
3. New Security Protocol Shields Data During Cloud-Based Computation: MIT researchers have developed a technique that ensures data remains secure during multiparty, cloud-based computation, offering a new layer of protection for cloud services. Source: MIT News
4. MC2 Data Leak Exposes Private Data of Over 100 Million Americans: A significant data leak from background-checking services has exposed the personal data of over 100 million Americans, highlighting the ongoing issue of data security. Source: The Cyber Express
5. AI-Written Malware is Here, and Going After Victims Already: HP Wolf Security researchers have discovered evidence of malware written by AI targeting victims, indicating a new level of sophistication in cyber threats. Source: TechRadar

Top CVEs

1. CVE-2024-20437: A vulnerability in Cisco IOS XE Software's web-based management interface could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack and execute commands on the CLI of an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface. Source: CVE-2024-20437
2. CVE-2024-20436: A vulnerability in the HTTP Server feature of Cisco IOS XE Software when the Telephony Service feature is enabled could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a null pointer dereference when accessing specific URLs. Source: CVE-2024-20436
3. CVE-2024-20433: A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to a buffer overflow when processing crafted RSVP packets. Source: CVE-2024-20433
4. CVE-2024-47083: Power Platform Terraform Provider versions prior to 3.0.0 have an issue where sensitive information, specifically the client_secret used in the service principal authentication, may be exposed in logs. This exposure occurs due to an error in the logging code that causes the client_secret to not be properly masked when logs are persisted or viewed. Source: CVE-2024-47083
5. CVE-2024-20496: A vulnerability in the UDP packet validation code of Cisco SD-WAN vEdge Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to incorrect handling of a specific type of malformed UDP packet. Source: CVE-2024-20496

Final Words

And that's a wrap for today's edition of Secret CISO. We hope you found these insights valuable in navigating the ever-evolving landscape of data security. Remember, staying informed is the first step in protecting your agency's data. If you found this newsletter helpful, please consider sharing it with your colleagues and friends.

Together, we can stay one step ahead of the threats and ensure our data remains secure. Stay safe, stay informed, and see you in the next edition of Secret CISO.