Secret CISO 9/27: Meta's €91M Fine, Taylor University Breach, Swiggy's Vulnerability, Michigan Medicine Breach, Dell's Double Strike, Quantum Security Research


Good morning! In today's edition of Secret CISO, we're diving into a whirlwind of data breaches and security vulnerabilities that have been making headlines. First up, we're looking at the hefty €91 million fine that Meta has been slapped with by Ireland's Data Protection Commission for failing to implement adequate security measures. This comes after a data breach that exposed users' password data. Next, we're discussing the aftermath of a data breach at Taylor University and the subsequent legal battles. The court refused to dismiss all claims filed by data breach victims, highlighting the tangible losses suffered by those affected. We also have news about a data breach at a Washington healthcare center, which has led to a lawsuit claiming that the center had no coverage for such incidents.

In the food delivery sector, Swiggy has admitted to data breaches and acknowledged its vulnerability to cyberattacks as it continues to grow and collect more data. Meanwhile, a lone Michigan Medicine employee was responsible for a breach that impacted 58K patients, though financial information was reportedly not exposed.

We're also covering the expansion of ransomware attacks to hybrid cloud environments, as reported by Microsoft, and the filing of class-action lawsuits against a medical billing company and genetic testing company 23andMe over data breaches. In the realm of AI, we're discussing how edge computing powered by AI could be the answer to the cloud's security issues.

Lastly, we're sharing updates on a series of critical flaws found in various systems and software, including Kia's remote system, Dell's security system, and more. Stay tuned for all this and more in today's Secret CISO newsletter. Stay safe and informed!

Data Breaches

  1. Ireland Fines Meta 91 Mn Euros Over EU Data Breach: The Data Protection Commission in Ireland has fined Meta 91 million euros for failing to implement adequate security measures to protect users' password data. This is a significant fine that highlights the importance of robust data security practices. Source: Barron's
  2. VICTIMS OF TAYLOR UNIVERSITY DATA BREACH SUFFERED COGNIZABLE LOSS: A federal district court in Fort Wayne, Indiana, has ruled that victims of a data breach at Taylor University suffered a cognizable loss. The court refused to dismiss all claims filed by data breach victims, indicating a growing recognition of the tangible impact of data breaches. Source: Westlaw
  3. No coverage for data breach claims against Washington health care center, suit says: Scottsdale Insurance Co. has claimed it has no duty to defend a mental health care center in Washington in a lawsuit related to a data breach. This case underscores the importance of understanding the terms and conditions of cyber insurance policies. Source: Westlaw
  4. Swiggy admits to data breaches, says business is vulnerable to cyberattacks: Indian food delivery giant, Swiggy, has admitted to data breaches and acknowledged that its business is vulnerable to cyberattacks. As the company grows and collects more data, the risk of significant failures in internal controls or data security increases. Source: Storyboard18
  5. Lone Michigan Medicine employee responsible for breach that impacted 58K patients: A single employee at Michigan Medicine was responsible for a data breach that impacted 58,000 patients. However, financial information such as credit card and Social Security numbers was not exposed. This incident highlights the risk posed by insider threats. Source: HealthExec

Security Research

  1. Check Point reveals first mobile crypto drainer on Google Play: Check Point Software has discovered the first mobile crypto drainer on Google Play, highlighting the increasing threat of cryptocurrency theft on mobile platforms. The incident serves as a reminder of the need for robust mobile security measures. Source: SecurityBrief Australia
  2. Security protocol leverages quantum mechanics to shield data from attackers during cloud: Researchers have developed a security protocol that uses quantum mechanics to protect data during cloud operations. The protocol demonstrated a 96% accuracy rate while maintaining robust security measures. Source: Phys.org
  3. 106 million Americans exposed as massive data leak rocks background check firm: A massive data leak at MC2 Data has exposed the personal information of 106 million Americans. The incident was discovered by the research team at Cybernews, highlighting the ongoing threat of data breaches. Source: WFIN
  4. Critical flaws in Kia's remote system could have allowed hackers to control vehicles: Security researchers have discovered critical flaws in Kia Corp.'s dealer portal that could have allowed hackers to gain control of vehicles. The findings underscore the importance of cybersecurity in the automotive industry. Source: SiliconANGLE
  5. NIST Calls for Major Overhaul in Typical Password Practices: The National Institute of Standards and Technology (NIST) is calling for a major overhaul in typical password practices. The move comes as security researchers continue to highlight the vulnerabilities associated with traditional password systems. Source: BankInfoSecurity

Top CVEs

  1. CVE-2024-47177 - CUPS Vulnerability: A flaw in CUPS, an open-source printing system, allows any value passed to FoomaticRIPCommandLine via a PPD file to be executed as a user-controlled command. This can lead to remote command execution when combined with other bugs. Source: CVE-2024-47177
  2. CVE-2024-47176 - CUPS Network Printing Vulnerability: CUPS, an open-source printing system, contains a vulnerability in its network printing functionality. It binds to INADDR_ANY:631, causing it to trust any packet from any source. This can lead to the introduction of a malicious printer to the system and ultimately enable an attacker to execute arbitrary commands remotely on the target machine without authentication. Source: CVE-2024-47176
  3. CVE-2024-8118 - Grafana Permission Flaw: In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. Source: CVE-2024-8118
  4. CVE-2024-39431 - UMTS RLC Driver Vulnerability: In the UMTS RLC driver, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote denial of service with System execution privileges. Source: CVE-2024-39431
  5. CVE-2024-9166 - Unauthorized System Command Execution: A vulnerability in a device allows an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the 'getcommand' query within the application, allowing the attacker to gain root access. Source: CVE-2024-9166
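The CUPS item above (CVE-2024-47176) turns on one observable fact: cups-browsed listening on UDP 631 bound to every interface. Below is an added defender-side check, written for this newsletter and not taken from the CUPS project, that parses `ss -lunp`-style output and flags any UDP listener on port 631 bound to a wildcard address. The sample output in the block is constructed, not captured from a real host.

```python
# Added example: flag UDP port 631 listeners bound to a wildcard address,
# the exposure described for cups-browsed in CVE-2024-47176.
import re
from dataclasses import dataclass

# Constructed sample in the shape `ss -lunp` prints (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
UNCONN  0       0       0.0.0.0:631          0.0.0.0:*          users:(("cups-browsed",pid=912,fd=7))
UNCONN  0       0       127.0.0.1:323        0.0.0.0:*          users:(("chronyd",pid=610,fd=5))
UNCONN  0       0       [::]:5353            [::]:*             users:(("avahi-daemon",pid=700,fd=12))
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def is_wildcard(self) -> bool:
        return self.addr in WILDCARD_ADDRS


# State, Recv-Q, Send-Q, local addr:port, peer addr:port, trailing process info.
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lunp` lines into Listener records; header lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port, rest = m.groups()
        pm = PROC_RE.search(rest)
        listeners.append(Listener(addr, int(port), pm.group(1) if pm else ""))
    return listeners


def exposed_cups_listeners(output: str) -> list[Listener]:
    """Return UDP 631 listeners bound to all interfaces (the CVE-2024-47176 exposure)."""
    return [l for l in parse_ss(output) if l.port == 631 and l.is_wildcard]


if __name__ == "__main__":
    for l in exposed_cups_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {l.process} on {l.addr}:{l.port}")
```

Run it against real `ss -lunp` output on a fleet and any hit is a host where cups-browsed should be stopped or patched; the script only reports and changes nothing on the system.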

API Security

  1. CVE-2024-7713 - AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin vulnerability: This vulnerability in the AYS WordPress plugin (versions before 2.1.0) discloses the Open AI API Key, allowing unauthenticated users to obtain sensitive information. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2024-7713
  2. CVE-2024-8118 - Grafana alert rule write API endpoint vulnerability: In Grafana, incorrect permissions are applied to the alert rule write API endpoint. This allows users with permission to write external alert instances to also write alert rules, potentially leading to unauthorized changes. Users should update Grafana to the latest version to fix this issue. Source: CVE-2024-8118
  3. Agnai Relative Path Traversal in Image Upload: A vulnerability in Agnai allows attackers to upload image files to any location on the server, potentially leading to unauthorized access or defacement. This does not affect installations using S3-compatible storage or self-hosting that is not publicly exposed. Users should update Agnai to the latest version to mitigate this risk. Source: GHSA-G54F-66MW-HV66
  4. CVE-2024-47171 - Agnai image file upload vulnerability: In Agnai versions prior to 1.0.330, attackers can upload image files to any location on the server, potentially leading to unauthorized access or defacement. This does not affect agnai.chat, installations using S3-compatible storage, or self-hosting that is not publicly exposed. Users should update to version 1.0.330 or later to fix this issue. Source: CVE-2024-47171
  5. Agnai File Disclosure Vulnerability: JSON via Path Traversal: A vulnerability in Agnai allows attackers to read arbitrary JSON files at any location on the server, potentially leading to unauthorized access to sensitive information. This only affects installations with JSON_STORAGE enabled. Users should update Agnai to the latest version to mitigate this risk. Source: GHSA-H355-HM5H-CM8H
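The three Agnai items above (the image-upload write and the JSON-file read) are the same defect seen from two sides: a client-supplied name is joined to a server directory without checking that the result stays inside it. The block below is an added illustration for this newsletter, not Agnai's code; the upload directory path is an assumption. It shows the naive join next to a hardened version that allow-lists the name and then re-checks containment after resolving the path.

```python
# Added example: naive path join (the traversal pattern) beside a hardened
# version that confines the destination to the intended directory.
from pathlib import Path
import os
import re

# Assumed directory for the illustration; Agnai's real layout is not on the page.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Allow-list: simple basename with an image extension, no separators or dots.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(?:png|jpe?g|webp)")


def naive_upload_path(filename: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined as-is,
    so '..' segments walk out of UPLOAD_ROOT."""
    return Path(os.path.normpath(os.path.join(str(UPLOAD_ROOT), filename)))


def is_confined(root: Path, candidate: Path) -> bool:
    """True only if candidate resolves to root itself or something beneath it."""
    root_r = root.resolve()
    cand_r = candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


def safe_upload_path(filename: str) -> Path:
    """Hardened: allow-list the name, then re-check containment after resolving
    (defence in depth if the allow-list is ever loosened)."""
    if not ALLOWED_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    dest = UPLOAD_ROOT / filename
    if not is_confined(UPLOAD_ROOT, dest):
        raise ValueError("destination escapes upload directory")
    return dest


def upload_rejected(filename: str) -> bool:
    """Convenience wrapper so callers can test the decision without exceptions."""
    try:
        safe_upload_path(filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one with traversal segments.
    for name in ("avatar.png", "../../outside.png"):
        print(name, "->", naive_upload_path(name), "| rejected:", upload_rejected(name))
```

The same `is_confined` check applies to the JSON read path: resolve the requested file under the JSON_STORAGE directory and refuse anything whose resolved parent chain does not include that directory.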

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from Meta's hefty fine for data breaches to the increasing vulnerability of businesses to cyberattacks. Remember, in the world of cybersecurity, knowledge is power. So, keep yourself informed and stay one step ahead of the hackers. If you found this newsletter helpful, why not share it with your colleagues?

They might find it useful too. And remember, we're all in this together. Stay safe, stay secure, and see you in the next edition of Secret CISO.
