Secret CISO 9/27: Meta's €91M Fine, Taylor University Breach, Swiggy's Vulnerability, Michigan Medicine Breach, Dell's Double Strike, Quantum Security Research


Good morning! In today's edition of Secret CISO, we're diving into a whirlwind of data breaches and security vulnerabilities that have been making headlines. First up, we're looking at the hefty €91 million fine that Meta has been slapped with by Ireland's Data Protection Commission for failing to implement adequate security measures. This comes after a data breach that exposed users' password data. Next, we're discussing the aftermath of a data breach at Taylor University and the subsequent legal battles. The court refused to dismiss all claims filed by data breach victims, highlighting the tangible losses suffered by those affected. We also have news about a data breach at a Washington healthcare center, which has led to a lawsuit claiming that the center had no coverage for such incidents.

In the food delivery sector, Swiggy has admitted to data breaches and acknowledged its vulnerability to cyberattacks as it continues to grow and collect more data. Meanwhile, a lone Michigan Medicine employee was responsible for a breach that impacted 58K patients, though financial information was reportedly not exposed.

We're also covering the expansion of ransomware attacks to hybrid cloud environments, as reported by Microsoft, and the filing of class-action lawsuits against a medical billing company and genetic testing company 23andMe over data breaches. In the realm of AI, we're discussing how edge computing powered by AI could be the answer to the cloud's security issues.

Lastly, we're sharing updates on a series of critical flaws found in various systems and software, including Kia's remote system, Dell's security system, and more. Stay tuned for all this and more in today's Secret CISO newsletter. Stay safe and informed!

Data Breaches

  1. Ireland Fines Meta 91 Mn Euros Over EU Data Breach: The Data Protection Commission in Ireland has fined Meta 91 million euros for failing to implement adequate security measures to protect users' password data. This is a significant fine that highlights the importance of robust data security practices. Source: Barron's
  2. Victims of Taylor University Data Breach Suffered Cognizable Loss: A federal district court in Fort Wayne, Indiana, has ruled that victims of a data breach at Taylor University suffered a cognizable loss. The court refused to dismiss all claims filed by data breach victims, indicating a growing recognition of the tangible impact of data breaches. Source: Westlaw
  3. No coverage for data breach claims against Washington health care center, suit says: Scottsdale Insurance Co. has claimed it has no duty to defend a mental health care center in Washington in a lawsuit related to a data breach. This case underscores the importance of understanding the terms and conditions of cyber insurance policies. Source: Westlaw
  4. Swiggy admits to data breaches, says business is vulnerable to cyberattacks: Indian food delivery giant Swiggy has admitted to data breaches and acknowledged that its business is vulnerable to cyberattacks. As the company grows and collects more data, the risk of significant failures in internal controls or data security increases. Source: Storyboard18
  5. Lone Michigan Medicine employee responsible for breach that impacted 58K patients: A single employee at Michigan Medicine was responsible for a data breach that impacted 58,000 patients. However, financial information such as credit card and Social Security numbers was not exposed. This incident highlights the risk posed by insider threats. Source: HealthExec

Security Research

  1. Check Point reveals first mobile crypto drainer on Google Play: Check Point Software has discovered the first mobile crypto drainer on Google Play, highlighting the increasing threat of cryptocurrency theft on mobile platforms. The incident serves as a reminder of the need for robust mobile security measures. Source: SecurityBrief Australia
  2. Security protocol leverages quantum mechanics to shield data from attackers during cloud: Researchers have developed a security protocol that uses quantum mechanics to protect data during cloud operations. The protocol demonstrated a 96% accuracy rate while maintaining robust security measures. Source: Phys.org
  3. 106 million Americans exposed as massive data leak rocks background check firm: A massive data leak at MC2 Data has exposed the personal information of 106 million Americans. The incident was discovered by the research team at Cybernews, highlighting the ongoing threat of data breaches. Source: WFIN
  4. Critical flaws in Kia's remote system could have allowed hackers to control vehicles: Security researchers have discovered critical flaws in Kia Corp.'s dealer portal that could have allowed hackers to gain control of vehicles. The findings underscore the importance of cybersecurity in the automotive industry. Source: SiliconANGLE
  5. NIST Calls for Major Overhaul in Typical Password Practices: The National Institute of Standards and Technology (NIST) is calling for a major overhaul in typical password practices. The move comes as security researchers continue to highlight the vulnerabilities associated with traditional password systems. Source: BankInfoSecurity

Top CVEs

  1. CVE-2024-47177 - CUPS Vulnerability: A flaw in CUPS, an open-source printing system, allows any value passed to FoomaticRIPCommandLine via a PPD file to be executed as a user-controlled command. This can lead to remote command execution when combined with other bugs. Source: CVE-2024-47177
  2. CVE-2024-47176 - CUPS Network Printing Vulnerability: CUPS, an open-source printing system, contains a vulnerability in its network printing functionality. It binds to INADDR_ANY:631, causing it to trust any packet from any source. This can lead to the introduction of a malicious printer to the system and ultimately enable an attacker to execute arbitrary commands remotely on the target machine without authentication. Source: CVE-2024-47176
  3. CVE-2024-8118 - Grafana Permission Flaw: In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. Source: CVE-2024-8118
  4. CVE-2024-39431 - UMTS RLC Driver Vulnerability: In the UMTS RLC driver, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote denial of service with System execution privileges. Source: CVE-2024-39431
  5. CVE-2024-9166 - Unauthorized System Command Execution: A vulnerability in a device allows an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the 'getcommand' query within the application, allowing the attacker to gain root access. Source: CVE-2024-9166

API Security

  1. CVE-2024-7713 - AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin vulnerability: This vulnerability in the AYS WordPress plugin (versions before 2.1.0) discloses the OpenAI API key, allowing unauthenticated users to obtain sensitive information. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2024-7713
  2. CVE-2024-8118 - Grafana alert rule write API endpoint vulnerability: In Grafana, incorrect permissions are applied to the alert rule write API endpoint. This allows users with permission to write external alert instances to also write alert rules, potentially leading to unauthorized changes. Users should update Grafana to the latest version to fix this issue. Source: CVE-2024-8118
  3. Agnai Relative Path Traversal in Image Upload: A vulnerability in Agnai allows attackers to upload image files to any location on the server, potentially leading to unauthorized access or defacement. This does not affect installations using S3-compatible storage or self-hosting that is not publicly exposed. Users should update Agnai to the latest version to mitigate this risk. Source: GHSA-G54F-66MW-HV66
  4. CVE-2024-47171 - Agnai image file upload vulnerability: In Agnai versions prior to 1.0.330, attackers can upload image files to any location on the server, potentially leading to unauthorized access or defacement. This does not affect agnai.chat, installations using S3-compatible storage, or self-hosting that is not publicly exposed. Users should update to version 1.0.330 or later to fix this issue. Source: CVE-2024-47171
  5. Agnai File Disclosure Vulnerability: JSON via Path Traversal: A vulnerability in Agnai allows attackers to read arbitrary JSON files at any location on the server, potentially leading to unauthorized access to sensitive information. This only affects installations with JSON_STORAGE enabled. Users should update Agnai to the latest version to mitigate this risk. Source: GHSA-H355-HM5H-CM8H

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from Meta's hefty fine for data breaches to the increasing vulnerability of businesses to cyberattacks. Remember, in the world of cybersecurity, knowledge is power. So, keep yourself informed and stay one step ahead of the hackers. If you found this newsletter helpful, why not share it with your colleagues?

They might find it useful too. And remember, we're all in this together. Stay safe, stay secure, and see you in the next edition of Secret CISO.
