Secret CISO 10/6: Disney and Comcast Data Breaches, Colorado Election Security Fallout, UK's Sellafield Fined for Infosec Blunders, Latest Cybersecurity Research Insights

Good morning, Secret CISO readers. In today's issue, we're diving into a whirlpool of data breaches and security blunders that have been making headlines. Disney is facing legal trouble as a lawsuit led by Scott Margel alleges negligence, breach of contract, and inadequate data protection measures.

Meanwhile, former Mesa County Clerk Tina Peters has been sentenced to 9 years in prison over a security breach tied to election equipment. Across the pond, the UK's Sellafield nuclear waste processing plant has been fined £333K for infosec blunders that violated the UK's Nuclear Industries Security Regulations 2003. In telecommunications, a quarter-million Comcast subscribers had their data stolen from a third-party debt collector, raising concerns about how personal financial information is protected once it leaves the original service provider.

We also delve into the increasing threats against the judiciary, with a Colorado judge who sentenced election denier Tina Peters to prison receiving threats, leading to beefed-up security at the courthouse. In the realm of genetics, as 23andMe struggles, concerns surface about its handling of genetic data. And finally, we'll look at the latest cybersecurity best practices for businesses, and how to protect yourself from credit card fraud. Stay tuned for more updates and insights in the world of cybersecurity.

Data Breaches

  1. Disney's Legal Troubles Grow with Employee Data Breach Lawsuit: Disney is facing a lawsuit led by plaintiff Scott Margel, alleging negligence, breach of implied contract, and inadequate data protection measures. The lawsuit could affect the company's reputation and financial standing. Source: DisneyDining
  2. Former Mesa County Clerk Tina Peters sentenced to 9 years in prison, county jail: Tina Peters, the former Mesa County Clerk, has been sentenced to 9 years for a May 2021 security breach involving election equipment at the Mesa County Clerk and Recorder's office. The case underlines the importance of maintaining physical and access security in public offices. Source: Colorado Politics
  3. UK's Sellafield nuke waste processing plant fined £333K for infosec blunders: The Sellafield nuclear waste processing plant in the UK has been fined £333K over poor infosec practices. The penalty underlines the need for robust security controls in sensitive industries. Source: The Register
  4. A Quarter Million Comcast Subscribers Had Data Stolen From Debt Collector: Comcast is notifying subscribers that their information was stolen in a breach at a third-party debt collector. The incident shows that data protection obligations extend to vendors and downstream processors, including debt collection. Source: Slashdot
  5. China-linked security breach targeted U.S. wiretap systems: U.S. broadband providers were hit by a cyberattack attributed to the Chinese government that targeted systems handling lawful wiretap requests. The incident highlights the ongoing threat posed by state actors to telecom infrastructure. Source: CNBC

Security Research

  1. Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast: A severe remote code execution (RCE) vulnerability in Zimbra, an open-source email platform, is being exploited. Simone Margaritelli, the researcher who discovered the vulnerability, warns of potential security breaches; the same roundup also covers malicious insider threats. Source: Help Net Security
  2. iOS and Android Security Scare: Two Apps Found Supporting 'Pig Butchering' Scheme: Group-IB researchers have discovered two apps, one on iOS and one on Android, that support a 'pig butchering' scheme, a long-con scam in which victims are groomed into funding fraudulent investment platforms. The iOS app remained on the App Store despite the report. Source: Slashdot
  3. Apple Releases Urgent iOS 18 Patch To Fix Major Password Vulnerability: Apple has released an urgent patch for iOS 18 to fix a major password vulnerability. The issue was discovered and reported by security researcher Bistrit Dahal. Source: HotHardware
  4. Google Pixel smartphone busted sending private user data back to Google every 15 minutes: Security researcher Aras Nazarovas has found that the Google Pixel 9 Pro XL periodically sends private user data back to Google. The smartphone also attempts to download and run new code. Source: TweakTown
  5. New Snapekit Rootkit Malware Targeting Arch Linux Users: Gen Threat Labs researchers have discovered a new rootkit, named Snapekit, targeting Arch Linux users. The rootkit is considered highly sophisticated and poses a significant threat to Arch Linux systems. Source: Cyber Security News

Top CVEs

  1. CVE-2024-47374 - LiteSpeed Technologies LiteSpeed Cache XSS Vulnerability: A stored cross-site scripting (XSS) vulnerability has been identified in LiteSpeed Technologies LiteSpeed Cache. The root cause is improper neutralization of input during web page generation (CWE-79). Source: CVE-2024-47374.
  2. CVE-2024-47375 - Ashraf XLTab XSS Vulnerability: Ashraf XLTab – Accordions and Tabs for Elementor Page Builder has a stored XSS vulnerability due to improper neutralization of input during web page generation. Source: CVE-2024-47375.
  3. CVE-2024-47372 - ThemeNcode LLC TNC PDF Viewer XSS Vulnerability: ThemeNcode LLC TNC PDF Viewer is affected by a stored XSS vulnerability caused by improper neutralization of input during web page generation. Source: CVE-2024-47372.
  4. CVE-2024-47369 - WPWeb Social Auto Poster XSS Vulnerability: WPWeb Social Auto Poster has a reflected XSS vulnerability due to improper neutralization of input during web page generation. Source: CVE-2024-47369.
  5. CVE-2024-9536 - ESAFENET CDG V5 SQL Injection Vulnerability: A critical vulnerability has been found in ESAFENET CDG V5: the fileId argument of /MultiServerBackService?path=1 is not properly sanitized, leading to SQL injection. The attack can be launched remotely. Source: CVE-2024-9536.
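All five entries above share one root cause: untrusted input reaches an interpreter (an HTML renderer for the four XSS flaws, a SQL engine for the SQLi) without being neutralized for that context. The following is an added example written for this newsletter, not code from LiteSpeed, XLTab, TNC PDF Viewer, Social Auto Poster or ESAFENET. It shows the vulnerable pattern and its fix for both classes on constructed data: a plugin-style "tab title" stored and later echoed into a page, and a file-lookup query driven by a user-supplied id, modelled loosely on the fileId parameter named in CVE-2024-9536. The table schema, sample rows, attacker inputs and function names are all hypothetical.

```python
import html
import sqlite3

# --- Stored / reflected XSS (CWE-79) -------------------------------------
# Constructed attacker-controlled input, e.g. a tab title saved by a plugin.
TAB_TITLE_INPUT = '<img src=x onerror="alert(document.cookie)">'


def render_tab_vulnerable(title: str) -> str:
    """Vulnerable: untrusted text is interpolated straight into HTML."""
    return f'<div class="tab-title">{title}</div>'


def render_tab_fixed(title: str) -> str:
    """Fixed: encode for the HTML text context before emitting it.

    quote=True also encodes " and ', so the same value is safe inside a
    quoted attribute; it is NOT sufficient for JS, URL or CSS contexts.
    """
    return f'<div class="tab-title">{html.escape(title, quote=True)}</div>'


def contains_active_markup(fragment: str) -> bool:
    """Crude detector: does the rendered output still carry the payload tag?"""
    return "<img" in fragment and "onerror=" in fragment


# --- SQL injection (CWE-89) ---------------------------------------------
def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a backup-file index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO files (path, owner) VALUES (?, ?)",
        [("/backup/1.tar", "alice"), ("/backup/2.tar", "bob"), ("/backup/secret.tar", "admin")],
    )
    return conn


# Constructed attacker value for the id parameter: the trailing "--" comments
# out the owner check, so the query returns every row.
FILE_ID_INPUT = "1 OR 1=1 --"


def lookup_file_vulnerable(conn: sqlite3.Connection, file_id: str, owner: str) -> list:
    """Vulnerable: string-builds the query, so file_id rewrites the WHERE clause."""
    sql = f"SELECT path FROM files WHERE id = {file_id} AND owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_file_fixed(conn: sqlite3.Connection, file_id: str, owner: str) -> list:
    """Fixed: validate the type, then bind parameters so input is data, not SQL."""
    try:
        fid = int(file_id)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    sql = "SELECT path FROM files WHERE id = ? AND owner = ?"
    return [row[0] for row in conn.execute(sql, (fid, owner))]


if __name__ == "__main__":
    print(render_tab_vulnerable(TAB_TITLE_INPUT))
    print(render_tab_fixed(TAB_TITLE_INPUT))
    conn = demo_db()
    print(lookup_file_vulnerable(conn, FILE_ID_INPUT, "bob"))  # leaks all rows
    print(lookup_file_fixed(conn, FILE_ID_INPUT, "bob"))       # []
    print(lookup_file_fixed(conn, "2", "bob"))                 # ['/backup/2.tar']
```

The two fixes are deliberately different in kind: output encoding is applied at the point where data enters the HTML context, whereas the SQL fix separates code from data with bound parameters and only then adds an allow-list type check. Encoding on input (at save time) is the mistake that leads to stored XSS reappearing when the same value is later emitted into a different context.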

Final Words

And that's a wrap for today's edition of Secret CISO. From Disney's legal woes to the sentencing of former Mesa County Clerk Tina Peters, it's clear that data breaches and security issues continue to be a pressing concern across various sectors. As we navigate this digital landscape, let's remember to stay vigilant and proactive in our cybersecurity measures.

Share this newsletter with your friends and colleagues to keep them in the loop too. After all, in the world of cybersecurity, knowledge is our best defense. Stay safe, stay informed, and see you in the next edition of Secret CISO.
