Secret CISO 1/21: DataMaxx Breach Fallout, CalPrivacy Crackdown, North Korea's Developer Trap, Quantum Security Flaws, Oracle's Critical CVE
Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and triumphs shaping our digital landscape. In this issue, we delve into a series of alarming data breaches and regulatory actions that underscore the critical importance of robust data protection measures.
First, we explore the aftermath of the DataMaxx data breach, where affected individuals may claim up to $2,500 from a class action settlement. This incident serves as a stark reminder of the legal and financial repercussions of inadequate data security.
Meanwhile, CalPrivacy's $45,000 fine against a data broker for Delete Act violations highlights the growing regulatory focus on data privacy, emphasizing the need for companies to adhere to stringent data protection laws.
In a concerning revelation, a court filing has exposed the mishandling of sensitive Social Security data by DOGE employees, raising questions about internal data management practices. Similarly, the Middlesex Sheriff's Office faces scrutiny following a breach that compromised private medical information, calling for enhanced security protocols within correctional facilities.
On the vendor management front, Adapt Integrated Health Care assures patient information safety despite a data breach at a third-party vendor, underscoring the risks associated with external partnerships.
In the realm of cybersecurity innovation, HackerOne's launch of the Good Faith AI Research Safe Harbor aims to protect ethical AI testing, fostering a secure environment for responsible research.
However, the threat landscape continues to evolve, with North Korea-linked hackers targeting developers through malicious VS Code projects, and critical vulnerabilities in AVEVA software enabling SYSTEM-level remote code execution.
Finally, we highlight several severe vulnerabilities, including CVE-2026-21962, an unauthenticated, network-reachable flaw in Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in, and CVE-2025-59466, a Node.js error-handling bug that turns stack-overflow errors into process crashes when async hooks are enabled.
Stay informed and vigilant as we navigate these complex cybersecurity challenges together.
Data Breaches
- DataMaxx Data Breach Class Action Settlement: Individuals affected by the December 2023 DataMaxx data breach may be eligible to claim up to $2,500 from a class action settlement. This breach has prompted significant legal action, highlighting the ongoing challenges in data security and the importance of robust protective measures. Source: Claim Depot.
- CalPrivacy Announces $45,000 Fine Against Data Broker for Delete Act Violations: A data broker has been fined $45,000 by CalPrivacy for violations of the Delete Act, underscoring the regulatory focus on data privacy and the enforcement of stringent data protection laws. This case serves as a reminder of the legal obligations companies face in managing consumer data. Source: Inside Privacy.
- DOGE Employees Shared Social Security Data, Court Filing Shows: A court filing has revealed that employees detailed to the Social Security Administration shared sensitive data through a nonsecure server, raising concerns about internal data handling practices and the potential for misuse of personal information. This incident highlights the need for secure data management protocols. Source: The New York Times.
- Middlesex Sheriff's Office Data Breach Compromised Private Medical Info: The Middlesex Sheriff's Office reported a data breach that compromised the private health information of inmates and others, emphasizing the vulnerabilities in data protection within correctional facilities. This breach has raised significant privacy concerns and calls for improved security measures. Source: The Boston Globe.
- Adapt Integrated Health Care Reports Data Breach at Vendor, Assures Patient Info Safety: Adapt Integrated Health Care disclosed a data security incident at TriZetto, a third-party vendor, but assured that patient information remains safe. This incident highlights the risks associated with third-party vendors and the importance of comprehensive vendor management strategies. Source: KPIC.
Security Research
- HackerOne launches Good Faith AI Research Safe Harbor to protect responsible AI testing: HackerOne has introduced a new framework designed to protect responsible AI testing, building on its Gold Standard Safe Harbor from 2022. This initiative aims to safeguard good-faith security research under the Computer Fraud and Abuse Act, promoting ethical AI testing practices. Source: SiliconANGLE, CyberScoop, Help Net Security.
- North Korea-Linked Hackers Target Developers via Malicious VS Code Projects: Security researchers have identified a campaign by North Korea-linked hackers targeting developers through malicious Visual Studio Code projects. This attack, first disclosed by OpenSourceMalware, highlights the increasing sophistication of threat actors in exploiting popular development tools. Source: The Hacker News.
- AI-supported vulnerability triage with the GitHub Security Lab Taskflow Agent: GitHub Security Lab has introduced an AI-supported taskflow agent to enhance vulnerability triage. This tool aids researchers in reviewing and reporting vulnerabilities more efficiently, ensuring thorough analysis before dissemination. Source: GitHub Blog.
- Unbreakable? Researchers warn quantum computers have serious security flaws: Researchers from Penn State have raised alarms about significant security vulnerabilities in quantum computers. Despite their potential, these flaws could undermine the perceived invulnerability of quantum computing systems. Source: ScienceDaily.
- Critical AVEVA Software Vulnerabilities Enable SYSTEM-Level Remote Code Execution: Security researcher Christopher Wu from Veracode discovered critical vulnerabilities in AVEVA software that allow remote code execution at the SYSTEM level. These findings emerged during an AVEVA-sponsored penetration testing engagement, underscoring the importance of rigorous security assessments. Source: CyberPress.
Top CVEs
- CVE-2026-21962: This vulnerability affects Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in, allowing an unauthenticated attacker with network access via HTTP to compromise the affected server. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data. The vulnerability carries a CVSS 3.1 base score of 10.0, reflecting severe confidentiality and integrity impacts; because it needs no credentials or user interaction, internet-exposed instances should be patched first. Source: Vulners.
- CVE-2025-59466: A bug in Node.js error handling causes "Maximum call stack size exceeded" errors (the RangeError raised on stack overflow) to become uncatchable when an async_hooks.createHook() hook is enabled. Instead of reaching the process.on('uncaughtException') handler, the process terminates, so any input that drives deep recursion becomes a denial-of-service crash under those conditions. Source: Vulners.
- CVE-2025-36058: IBM Business Automation Workflow containers may disclose sensitive configuration information in a config map. This affects versions 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. Source: Vulners.
- CVE-2025-36059: IBM Business Automation Workflow containers could allow a local user with access to the container to execute OS system calls. This vulnerability affects the same versions as CVE-2025-36058. Source: Vulners.
- CVE-2026-0726: The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in all versions up to 4.4.6. The plugin itself contains no known POP chain, so an attacker can inject a PHP object but needs a chain supplied by another installed plugin or theme to turn it into an impact such as file deletion or code execution. Source: Vulners.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the landscape of cybersecurity is as dynamic as ever. From the DataMaxx data breach settlement to the critical vulnerabilities in AVEVA software, each story underscores the importance of vigilance and proactive measures in safeguarding our digital world.
The regulatory actions against data brokers and the revelations of internal data mishandling remind us that compliance and internal protocols are just as crucial as defending against external threats. Meanwhile, the advancements in AI-supported vulnerability triage and the introduction of safe harbors for AI research highlight the innovative strides being made to enhance security practices.
As we continue to navigate these challenges and innovations, remember that staying informed is our best defense. If you found today's insights valuable, please share this newsletter with your friends and colleagues. Together, we can build a more secure digital future.
Thank you for being a part of the Secret CISO community. Until next time, stay safe and stay informed!