Secret CISO 1/15: PowerSchool's Nationwide Data Breach Compromises Student Info, Microsoft Battles Cybercriminals Bypassing AI Safety, Google Fellowship Winner Tackles Global Data Security

Welcome to today's issue of Secret CISO, where we bring you the latest updates on cybersecurity threats and solutions. Today, we're focusing on a nationwide security breach that has potentially compromised several Greater Cincinnati school districts. The breach, which has affected the PowerSchool software vendor, has led to the exposure of student information and teacher social security numbers.

In other news, Michigan has joined a $20M multistate data breach enforcement action, while EncompassCare has reported a data breach affecting consumers' social security numbers. On the technical front, we delve into the world of AI-driven ransomware groups and the rise of cybercriminal operations developing tools to bypass AI safety guardrails. We also highlight the achievements of a GW Engineering Ph.D. student who has won a prestigious Google Fellowship for his work in data security.

Finally, we discuss the latest vulnerabilities identified in various software and systems, including the PowerSchool data breach, the Microsoft Patch Tuesday release, and the Ivanti zero-day patching. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe!

Data Breaches

  1. Greater Cincinnati School Districts Compromised in Nationwide Security Breach: Several school districts in Greater Cincinnati have reported a potential compromise of student information due to a nationwide security breach. The breach is believed to have affected the Student Information System (SIS) provided by PowerSchool, a software vendor for schools. Source: YouTube and Fairbury Journal News
  2. Teacher Social Security Numbers Included in PowerSchool Data Breach: A data breach at PowerSchool, a student information system provider, has reportedly impacted teachers' social security numbers across the Carolinas and the US. The extent of the breach is still being determined. Source: WBTV
  3. EncompassCare Data Breach Affecting Consumers' Social Security Numbers: EncompassCare filed a notice of data breach with the Attorney General of Massachusetts after discovering unauthorized access to consumers' social security numbers. The extent of the breach and the number of affected consumers are currently unknown. Source: JD Supra
  4. Michigan Joins $20M Multistate Data Breach Enforcement Action: Michigan has joined a $20 million multistate data breach enforcement action following a data breach that impacted 5.8 million customers. The action is in response to inadequate cybersecurity practices and lack of cooperation with state regulators. Source: SooLeader
  5. Robinhood to Pay $45M SEC Settlement Over Data Breach: Robinhood has agreed to pay a $45 million settlement to the SEC over a data breach and other violations. The fines connected to the 2021 data breach came in at $2 million. Source: Hacker News

Security Research

  1. AI-Driven Ransomware Group Strikes 85 Victims: A new AI-driven ransomware group has successfully targeted 85 victims, demonstrating the increasing sophistication of cyber threats. The group's tactics highlight the importance of robust security controls. Source: BankInfoSecurity
  2. Microsoft sues cybercriminal operation that developed tools to bypass AI safety guardrails: Microsoft is taking legal action against a cybercriminal operation that has developed tools to bypass AI safety measures. This case underscores the ongoing battle between tech companies and cybercriminals. Source: SiliconANGLE
  3. New Federal Playbook Aims to Boost AI Cyber Incident Sharing: A new federal playbook is encouraging organizations to establish comprehensive vulnerability disclosure policies. This move aims to enhance AI cyber incident sharing and improve overall cybersecurity. Source: GovInfoSecurity
  4. Hackers are exploiting a new Fortinet firewall bug to breach company networks: Security researchers have discovered that hackers are exploiting a newly found vulnerability in Fortinet firewalls to infiltrate corporate networks. This highlights the need for constant vigilance and timely patching in cybersecurity. Source: Yahoo Finance
  5. Apple Patches Flaw That Allows Kernel Security Bypassing: Apple has patched a flaw that allowed kernel security bypassing, emphasizing the importance of proactive monitoring for such anomalies. Advanced detection mechanisms can provide organizations with a crucial advantage in cybersecurity. Source: BankInfoSecurity

Top CVEs

  1. CVE-2025-23013 - Local Privilege Escalation in Yubico pam-u2f: In Yubico pam-u2f before 1.3.1, an issue allows for an authentication bypass in some configurations, leading to local privilege escalation. The attacker would require access to the system as an unprivileged user. Source: CVE-2025-23013
  2. CVE-2024-55591 - Authentication Bypass in FortiOS and FortiProxy: A vulnerability affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. Source: CVE-2024-55591
  3. CVE-2024-11734 - Denial of Service in Keycloak: A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service by modifying any of the security headers and inserting newlines. Source: CVE-2024-11734
  4. CVE-2024-11736 - Sensitive Data Exposure in Keycloak: A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. Source: CVE-2024-11736
  5. CVE-2024-7344 - Unsigned Software Execution in Howyar UEFI Application: Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software loaded from a hardcoded path. Source: CVE-2024-7344

API Security

  1. Git Credential Manager Carriage-Return Character Vulnerability: A mismatch in newline treatment between Git and Git Credential Manager (GCM) allows an attacker to craft a malicious remote URL that can leak credentials. This vulnerability is heightened when cloning from repositories with submodules. Source: Vulners.
  2. Gradio Blocked Path ACL Bypass Vulnerability: Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue has been addressed in release version 5.6.0. Source: Vulners.
  3. Rasa Remote Code Execution Vulnerability: A vulnerability in Rasa allows an attacker who can load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. This issue has been addressed in Rasa version 3.6.21. Source: Vulners.
  4. AquilaCMS Deserialization Vulnerability: A critical vulnerability was found in AquilaCMS 1.412.13. The manipulation of the argument PostBody.populate leads to deserialization. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond. Source: Vulners.
  5. FortiOS and FortiProxy Authentication Bypass Vulnerability: An Authentication Bypass Using an Alternate Path or Channel vulnerability affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. Source: Vulners.
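The Gradio item above describes a classic canonicalization failure: a blocked-path list compared against the raw request string, so a different letter case slips past the check while the case-insensitive filesystem underneath still opens the same file. The following is an added illustration written for this digest, not Gradio's own code; the paths, the blocked list and the `case_insensitive` switch are constructed for the demo. It places the naive check beside a hardened one that normalizes the path before comparing, and it also covers the `..` segment case that the same normalization handles.

```python
"""Blocked-path ACL: naive string check vs. normalized check (constructed example)."""
import os
import posixpath

# Constructed blocked list for the demo (not a real deployment's configuration).
BLOCKED = ["/srv/app/secrets"]


def _is_within(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies underneath it (segment-aware prefix)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def is_blocked_naive(requested: str, blocked_paths=BLOCKED) -> bool:
    """Vulnerable pattern: compares the raw request string, case-sensitively,
    with no path normalization. On a case-insensitive filesystem a request
    for /srv/app/SECRETS/... reaches the same file but is not matched."""
    return any(_is_within(requested, b) for b in blocked_paths)


def canonicalize(path: str, case_insensitive: bool) -> str:
    """Normalize separators and collapse '.'/'..' segments; fold case when the
    underlying filesystem ignores it, so equivalent spellings compare equal."""
    normalized = posixpath.normpath(path.replace("\\", "/"))
    return normalized.lower() if case_insensitive else normalized


def is_blocked_hardened(
    requested: str,
    blocked_paths=BLOCKED,
    case_insensitive: bool = os.path.normcase("A") == "a",  # platform default
) -> bool:
    """Hardened pattern: both sides are canonicalized with the same rules
    before comparison, so case variants and '..' tricks map onto the rule."""
    req = canonicalize(requested, case_insensitive)
    return any(_is_within(req, canonicalize(b, case_insensitive)) for b in blocked_paths)


def demo() -> dict:
    """Run the two checks over constructed requests and return the verdicts."""
    case_variant = "/srv/app/SECRETS/key.txt"
    dotdot = "/srv/app/public/../secrets/key.txt"
    sibling = "/srv/app/secrets_backup/readme"
    return {
        "naive_case_variant": is_blocked_naive(case_variant),
        "hardened_case_variant": is_blocked_hardened(case_variant, case_insensitive=True),
        "hardened_dotdot": is_blocked_hardened(dotdot, case_insensitive=False),
        "hardened_sibling": is_blocked_hardened(sibling, case_insensitive=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'blocked' if verdict else 'allowed'}")
```

In production the request should additionally be resolved with `os.path.realpath` against the real filesystem before the comparison, so symlinks and mount-point aliases are collapsed the same way case and `..` are here; the demo keeps to pure string normalization so it runs without touching disk.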

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the nationwide security breach affecting several school districts to the latest data breaches impacting local school districts and the potential compromise of teacher social security numbers. In the world of cybersecurity, knowledge is power. By staying informed, we can better protect our systems and data against potential threats. So, if you found today's newsletter helpful, why not share it with your friends and colleagues? Let's work together to create a safer digital world.

Remember, cybersecurity isn't just about protecting systems; it's about safeguarding our way of life in the digital age. Stay safe, stay informed, and stay vigilant. See you in the next edition of Secret CISO.
