Secret CISO 1/31: DeepSeek AI's National Security Risks, FDA's Cybersecurity Warning, Rochester Schools and Albany Gastroenterology Data Breaches, AI and Security Research

Secret CISO 1/31: DeepSeek AI's National Security Risks, FDA's Cybersecurity Warning, Rochester Schools and Albany Gastroenterology Data Breaches, AI and Security Research

Welcome to today's issue of Secret CISO, where we delve into the latest cybersecurity news and insights. Today, we're focusing on the recent data breaches that have been making headlines.

First up, we examine the national security risks emerging from the DeepSeek AI data breach. This Chinese AI company's recent breach has raised serious concerns about national security, with the FDA warning of potential cybersecurity vulnerabilities in patient monitors. Next, we turn our attention to the education sector, where a data breach at Rochester schools exposed over 130,000 student records. This incident underscores the urgent need for robust data security measures in our educational institutions.

In the healthcare sector, Albany Gastroenterology Associates has filed a data breach notice after unauthorized access to patient information. This incident serves as a stark reminder of the vulnerability of healthcare data and the need for stringent security measures. In the retail sector, Circle K Gas Franchise has been hit with a data breach class action. The complaint alleges that Circle K's data security failures allowed hackers to compromise customer data.

Finally, we look at the rise of GenAI and how it's disrupting the delicate balance between innovation and data security. With rogue AI models exposing sensitive data without regulation, the risk of accidental data breaches and misuse is increasing. Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity.

Data Breaches

  1. National Security Risks Emerge From DeepSeek AI Data Breach: Chinese artificial intelligence company DeepSeek AI suffered a significant data breach, raising national security concerns. The breach has exposed sensitive data, potentially compromising national security. Source: Evrimagaci
  2. FDA Warns of Cybersecurity Vulnerabilities in Patient Monitors: The FDA issued a warning about potential cybersecurity vulnerabilities in patient monitors. While no data breaches have been reported yet, the warning highlights the potential risks associated with the use of these monitors. Source: HealthExec
  3. Rochester Schools' Data Breach Exposes Over 130,000 Student Records: A data breach at Rochester schools has exposed the records of over 130,000 students. The breach has raised concerns about the security of student data. Source: 13WHAM
  4. Albany Gastroenterology Associates Files Data Breach Notice: Albany Gastroenterology Associates reported a data breach to the Vermont attorney general after unauthorized access to patient information was discovered. The breach highlights the need for robust security measures in healthcare. Source: Becker's ASC
  5. Circle K Gas Franchise Hit With Data Breach Class Action: Circle K Gas Franchise is facing a class-action lawsuit following a data breach. The complaint alleges that the company's data security failures allowed hackers to compromise customer data. Source: Law360

Security Research

  1. DeepSeek's AI Database Exposed Online: Chinese AI firm, DeepSeek, suffered a significant data breach, exposing sensitive data including chat history and secret keys. The breach was discovered by security experts at Wiz Research. Source: Business Today
  2. Holograms and AI for Uncrackable Optical Encryption System: Researchers have developed a new optical system that uses holograms to encode information, creating an uncrackable encryption system. This innovation comes as the demand for digital security grows. Source: Science Daily
  3. Los Alamos National Laboratory Partners with OpenAI: Los Alamos National Laboratory is partnering with OpenAI to conduct national security research. The partnership aims to leverage AI models for advanced research. Source: ABQ Journal
  4. AI and ML Security - Preventing Jailbreaks, Drop Tables, and Data Poisoning: Forrester's research focuses on the top three GenAI security use cases that security leaders need to worry about. The research aims to prevent jailbreaks, drop tables, and data poisoning. Source: Forrester
  5. Energy Security and Resilience - SMR's in the Arctic: Carleton University calls on leaders, researchers, engineers, and security experts to provide insights into defending high-risk assets in the Arctic. The research focuses on the security and resilience of Small Modular Reactors (SMRs). Source: Carleton University

Top CVEs

  1. CVE-2023-0092: An authenticated user with read access to the juju controller model can construct a remote request to download an arbitrary file from the controller. This vulnerability can potentially lead to unauthorized access to sensitive data. Source: CVE-2023-0092
  2. CVE-2022-1736: Ubuntu's configuration of gnome-control-center allows Remote Desktop Sharing to be enabled by unauthorized users, potentially leading to unauthorized remote access to the system. Source: CVE-2022-1736
  3. CVE-2020-11936: A vulnerability in gdbus setgid privilege could potentially be exploited by an attacker to gain unauthorized access or escalate privileges. Source: CVE-2020-11936
  4. CVE-2024-1211: A cross-site request forgery vulnerability has been discovered in GitLab CE/EE affecting all versions starting from 10.6. An attacker could potentially exploit this vulnerability to perform unauthorized actions on GitLab instances configured to use JWT as an OmniAuth. Source: CVE-2024-1211
  5. CVE-2023-6195: GitLab CE/EE is vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub. This vulnerability can potentially be exploited to perform unauthorized actions or access sensitive data. Source: CVE-2023-6195

API Security

  1. Cross-site request forgery in GitLab CE/EE: A vulnerability has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. This vulnerability could potentially allow cross-site request forgery on GitLab instances configured to use JWT as an OmniAuth. Source: CVE-2024-1211
  2. Kubewarden-Controller information leak via AdmissionPolicyGroup Resource: The policy group feature in Kubewarden-Controller, introduced in the 1.17.0 release, could potentially allow an attacker to obtain information about resources that are out of their reach by leveraging a higher access to the cluster granted to the ServiceAccount token used to run the policy. Source: GHSA-756X-M4MJ-Q96C
  3. Privilege escalation vulnerability in VMware Aria Operations for Logs: A privilege escalation vulnerability has been found in VMware Aria Operations for Logs. A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin. Source: CVE-2025-22220
  4. OS Command Injection in Atlassian Bitbucket: Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. Source: CVE-2022-36804
  5. PHP Object Injection in iControlWP – Multiple WordPress Site Manager: The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This vulnerability could potentially allow unauthenticated attackers to inject a PHP Object. Source: CVE-2024-13742

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we're reminded of the ever-evolving landscape of cybersecurity. From the national security risks emerging from the DeepSeek AI data breach to the FDA's warning of cybersecurity vulnerabilities in patient monitors, it's clear that the need for robust security measures is more critical than ever. We hope that our daily updates help you stay informed and prepared. Remember, knowledge is power, and in the world of cybersecurity, it's your best line of defense.

If you found today's newsletter helpful, please consider sharing it with your colleagues and friends.

Together, we can create a safer digital world. Stay safe, stay informed, and keep those secrets secure.

See you in the next edition of Secret CISO!

Read more

Secret CISO 2/15: Americans to get $5k from data breach settlement, USAID accuses DOGE of security breach, PCSO denies data breach, DOGE faces largest data breach lawsuit, Star Solution Services and Fillmore County Hospital announce data breaches

Secret CISO 2/15: Americans to get $5k from data breach settlement, USAID accuses DOGE of security breach, PCSO denies data breach, DOGE faces largest data breach lawsuit, Star Solution Services and Fillmore County Hospital announce data breaches

Welcome to today's edition of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into a series of data breaches that have left hundreds of Americans eligible for a chunk of a multi-million dollar payout. We'll also explore allegations against the Department

By Secret CISO
Secret CISO 2/14: St. Andrew's Senior System & PPL Electric hit by data breaches, Russian ransomware group claims responsibility, 2.7 billion records leaked in Mars Hydro breach, CAPTCHA trick bypasses security scanners

Secret CISO 2/14: St. Andrew's Senior System & PPL Electric hit by data breaches, Russian ransomware group claims responsibility, 2.7 billion records leaked in Mars Hydro breach, CAPTCHA trick bypasses security scanners

Hello there, Secret CISO readers! Today's newsletter is packed with the latest updates on data breaches and security research that you need to know. Firstly, we delve into the ongoing investigation into the data breach at St. Andrew's Resources for Seniors System. The breach has raised

By Secret CISO
Secret CISO 2/12: PowerSchool, DOGE, Mercer University, Duane Morris LLP under investigation for data breaches; Apple warns of security breach; Research reveals false sense of security with online scams

Secret CISO 2/12: PowerSchool, DOGE, Mercer University, Duane Morris LLP under investigation for data breaches; Apple warns of security breach; Research reveals false sense of security with online scams

Welcome to today's issue of Secret CISO, where we bring you the latest news on data breaches and security vulnerabilities. Today, we're looking at a series of data breaches impacting PowerSchool, DOGE, Mercer University, and more. Attorney General Jeff Jackson is investigating a recent data breach

By Secret CISO