Secret CISO 10/16: F5 Breach by Nation-State, Capita's £14M Penalty, Quantum-Secure Breakthrough, T-Mobile's Unencrypted Satellite Data Exposed

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity threats and innovations shaping our digital landscape. In this issue, we delve into a series of alarming data breaches, groundbreaking security advancements, and critical vulnerabilities that demand your attention.

First, we uncover the breach of F5's BIG-IP environment by a nation-state actor, exposing sensitive data and revealing cracks in their security armor. Meanwhile, Capita faces a hefty £14 million fine for a breach affecting millions, and Ortho RI settles for $2.9 million after compromising patient information. These incidents underscore the severe financial and reputational consequences of inadequate data protection.

In a twist of legal drama, an American man is sentenced for cyber extortion involving Canadian students, highlighting the harsh penalties for cybercrime. Simultaneously, Lynch Carpenter investigates Pacific Seafood's data breach, emphasizing the legal repercussions companies face post-breach.

On the innovation front, CSIRO introduces a quantum-secure link, promising a new era of unbreakable data protection. Yet, vulnerabilities persist, as seen in Google Chrome's 'Use-After-Free' flaw and a massive leak in VS Code extensions, urging a reevaluation of software security practices.

Finally, we explore the interception of unencrypted satellite data from T-Mobile, exposing critical communications and spotlighting the urgent need for robust encryption. As we navigate these challenges, today's newsletter serves as a stark reminder of the ever-evolving cybersecurity landscape and the relentless pursuit of securing our digital world.

Data Breaches

  1. F5 BIG-IP Environment Breached by Nation-State Actor: Application security giant F5 disclosed a data breach where a nation-state threat actor gained persistent, long-term access to their systems. This breach exposed sensitive data and highlighted vulnerabilities in F5's security infrastructure. Source: Dark Reading.
  2. Capita to Pay £14 Million for Data Breach Impacting 6.6 Million People: Capita has been fined £14 million for a data breach that exposed the personal information of 6.6 million individuals. The breach underscores the importance of robust data protection measures and the financial repercussions of failing to safeguard sensitive information. Source: Bleeping Computer.
  3. Ortho RI Patients Invited to Join $2.9 Million Settlement After Data Breach: Ortho RI has reached a $2.9 million settlement following a data breach that compromised patient information. Affected individuals can claim compensation for documented losses, highlighting the ongoing impact of data breaches on personal privacy. Source: WPRI.com.
  4. Pacific Seafood Data Breach Investigated by Lynch Carpenter: Lynch Carpenter is investigating claims related to a data breach at Pacific Seafood, which may entitle affected individuals to compensation. This incident emphasizes the legal and financial consequences companies face following data breaches. Source: GlobeNewswire.
  5. U.S. Man Sentenced to Prison Over Canadian Students' Data Breach: An American man received a four-year prison sentence after pleading guilty to cyber extortion in a data breach affecting Canadian students. This case highlights the severe legal penalties for cybercriminal activities. Source: CityNews Vancouver.

Security Research

  1. Takeover of PA system at Harrisburg International Airport a 'wake-up call,' security expert says: A breach of the PA system at Harrisburg International Airport allowed an unauthorized individual to play a pre-recorded message, highlighting vulnerabilities in airport security systems. This incident serves as a reminder of the importance of securing communication systems against unauthorized access. Source: ABC27.
  2. Breakthrough quantum-secure link protects data using the laws of physics: CSIRO has developed a quantum-secure communication link that leverages the principles of quantum physics to protect data. This innovation marks a significant advancement in cybersecurity, offering a potentially unbreakable method of data protection. Source: CSIRO.
  3. Chrome 'Use-After-Free' Flaw Enables Arbitrary Code Execution: A critical vulnerability in Google Chrome, identified as CVE-2025-11756, allows attackers to execute arbitrary code. Google has acknowledged the flaw and rewarded the researcher, emphasizing the importance of collaborative security research. Source: Cyber Press.
  4. Massive VS Code Secrets Leak Puts Focus on Extensions, AI: Security researchers at Wiz have uncovered a significant leak of secrets within Visual Studio Code extensions, raising concerns about the security of extensions and plugins. This incident underscores the need for improved security measures in software supply chains. Source: DevOps.com.
  5. Researchers Intercept Unencrypted Satellite Data from T-Mobile, Exposing Calls and Military Comms: Researchers have intercepted unencrypted satellite data from T-Mobile, revealing private calls and military communications. This discovery highlights the risks of relying on security by obscurity and the urgent need for encryption upgrades. Source: WebProNews.

Top CVEs

  1. CVE-2025-62381: sveltekit-superforms, a tool for SvelteKit forms, is vulnerable to prototype pollution in its parseFormData function. This flaw allows attackers to inject properties into Object.prototype, potentially causing denial of service, type confusion, and remote code execution in applications using these polluted objects. The issue has been addressed in later versions. Source: Vulners.
  2. CVE-2025-62410: In happy-dom versions before 20.0.2, the --disallow-code-generation-from-strings flag fails to isolate untrusted JavaScript, allowing attackers to exploit prototype pollution. This can lead to hijacking of critical references and control flow manipulation. The vulnerability stems from an incomplete fix of a previous issue and has been resolved in newer updates. Source: Vulners.
  3. CVE-2025-11832: Azure Access Technology's BLU-IC2 and BLU-IC4 are affected by a resource allocation vulnerability, allowing for flooding attacks. This issue impacts BLU-IC2 up to version 1.19.5 and BLU-IC4, potentially leading to service disruptions. Users are advised to update to the latest versions to mitigate this risk. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the world of cybersecurity is as dynamic and challenging as ever. From the breach of F5's BIG-IP environment by a nation-state actor to the hefty fines faced by Capita, these incidents remind us of the critical importance of robust security measures and the potential consequences of their absence.

We've also seen how legal actions, like the settlements involving Ortho RI and Pacific Seafood, underscore the ongoing impact of data breaches on individuals and organizations alike. Meanwhile, the sentencing of a cybercriminal involved in the Canadian students' data breach serves as a stark warning of the legal repercussions awaiting those who engage in such activities.

On the innovation front, CSIRO's quantum-secure communication link offers a glimpse into the future of data protection, while the vulnerabilities in Chrome and Visual Studio Code highlight the ever-present need for vigilance and collaboration in security research.

As we continue to navigate these complex challenges, let's remember the importance of staying informed and proactive. If you found today's insights valuable, please share this newsletter with your friends and colleagues. Together, we can build a more secure digital world.

Until next time, stay safe and vigilant!
