Secret CISO 11/12: Discord & Panera Breaches, Cl0p Hits Washington Post, Amazon's AI Bug Bounty, Samsung Spyware Threats, 5G Security Insights
Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In a world where data breaches are becoming alarmingly frequent, today's stories paint a vivid picture of the vulnerabilities and the relentless pursuit of security.
We begin with the unsettling news of a data breach affecting 27,500 Discord users in Hong Kong, a stark reminder of the risks posed by third-party vendors. Meanwhile, Panera Bread's settlement over a data breach offers a glimmer of hope for affected customers seeking compensation.
The Washington Post's encounter with the Cl0p cybercrime group underscores the sophistication of modern cyberattacks, while Dentsu's leak affecting LNER customer data highlights the critical need for robust data protection measures. In a similar vein, BayFirst National Bank's breach exposing Social Security Numbers raises alarms about personal data security.
On the research front, the dangers of Listeria biofilms call for enhanced food safety measures, and a breakthrough in translating C to Rust promises to bolster software security. Amazon's AI bug bounty program and Deutsche Telekom's BugBash event showcase collaborative efforts to fortify technology against vulnerabilities.
In the realm of mobile security, commercial spyware targeting Samsung Galaxy users serves as a cautionary tale of the threats lurking in our devices. Meanwhile, vulnerabilities in widely used software like NetScaler ADC, OneDrive for Android, and Microsoft components remind us of the ever-present need for vigilance and proactive security measures.
Join us as we delve deeper into these stories, exploring the implications and the path forward in the ever-evolving landscape of cybersecurity.
Data Breaches
- Discord Data Breach Affects 27,500 Hong Kong Users: A data breach linked to a third-party customer service provider has impacted 27,500 Discord users in Hong Kong. The breach has raised concerns about the security measures of third-party vendors and their impact on user data privacy. Source: MLex.
- Panera Bread Data Breach Settlement: Panera Bread has reached a settlement over a data breach that exposed sensitive customer information, including addresses. Affected customers are eligible to file claims for compensation as part of the $2.5 million settlement. Source: Hindustan Times.
- Washington Post Data Breach Linked to Cl0p Attack: The Washington Post confirmed it was targeted in a ransomware attack by the Cl0p cybercrime group. The attack exploited vulnerabilities in Oracle's E-Business Suite, highlighting the ongoing threat of sophisticated cyberattacks on major organizations. Source: Teiss.
- Dentsu Leak Compromises LNER Customer Data: A data breach at Dentsu has compromised customer data of LNER, affecting former, current, and some clients. The breach underscores the importance of robust data protection measures in safeguarding customer information. Source: Campaign.
- BayFirst National Bank Data Breach Exposes SSNs: A data breach at BayFirst National Bank has exposed sensitive information, including Social Security Numbers. Affected individuals may be eligible for a class action lawsuit to seek compensation for the breach. Source: Class Action.
Security Research
- Researchers say Listeria biofilms are particularly dangerous: Listeria monocytogenes, a microscopic organism, is responsible for severe foodborne illnesses. Recent research highlights the increased danger posed by Listeria biofilms, which can lead to more persistent and deadly infections. These findings underscore the need for enhanced food safety measures to mitigate risks associated with this pathogen. Source: Food Safety News.
- Automatic C to Rust translation technology provides accuracy beyond AI: As the C programming language faces security limitations, a research team from KAIST has developed a technology that translates C code to Rust with high accuracy. This advancement aims to enhance software security by leveraging Rust's safety features, offering a promising solution for critical systems. Source: Tech Xplore.
- Amazon rolls out AI bug bounty program: Amazon has launched a new AI bug bounty program, offering security researchers access to its technology to identify vulnerabilities. The company has already paid over $55,000 for 30 validated reports, demonstrating its commitment to improving AI security through collaborative efforts. Source: CyberScoop.
- Commercial spyware targeted Samsung Galaxy users for months: Security researchers at Palo Alto Networks' Unit 42 have uncovered previously unknown commercial Android spyware targeting Samsung Galaxy users. This spyware exploited a zero-day vulnerability, highlighting the ongoing threats to mobile device security and the need for vigilant protective measures. Source: iTnews.
- Strengthening 5G security through collaboration: Insights from Deutsche Telekom's BugBash: Deutsche Telekom's BugBash event opened its network to top security researchers, leading to significant insights into 5G security. By employing unconventional and creative attack methods, the initiative has contributed to strengthening the security framework of 5G networks. Source: Ericsson Blog.
Top CVEs
- Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway: This vulnerability affects NetScaler ADC and NetScaler Gateway when configured as a Gateway or AAA virtual server. It allows attackers to execute scripts in the context of the user's browser, potentially leading to unauthorized access or data theft. Source: CVE-2025-12101.
- Improper Limitation of Pathname in OneDrive for Android: A path traversal vulnerability in OneDrive for Android allows authorized attackers to elevate privileges by accessing restricted directories. This could lead to unauthorized data access or modification. Source: CVE-2025-60722.
- Heap-based Buffer Overflow in Microsoft Graphics Component: This vulnerability allows unauthorized attackers to execute arbitrary code by exploiting a heap-based buffer overflow in the Microsoft Graphics Component. It poses a significant risk of remote code execution. Source: CVE-2025-60724.
- Out-of-bounds Read in Windows Bluetooth RFCOM Protocol Driver: This vulnerability allows authorized attackers to disclose sensitive information by exploiting an out-of-bounds read in the Windows Bluetooth RFCOM Protocol Driver. It could lead to information leakage and potential data breaches. Source: CVE-2025-59513.
- Exposure of Sensitive Information in Microsoft Office Excel: Unauthorized attackers can exploit this vulnerability to disclose sensitive information in Microsoft Office Excel. This exposure could lead to data breaches and unauthorized access to confidential data. Source: CVE-2025-59240.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From the Discord data breach affecting thousands in Hong Kong to the Panera Bread settlement, these incidents remind us of the critical importance of robust security measures and the vigilance required to protect sensitive information.
The Washington Post's encounter with the Cl0p cybercrime group and the Dentsu leak affecting LNER customers further highlight the persistent threats facing organizations today. Meanwhile, the BayFirst National Bank breach underscores the personal impact of data exposure, with Social Security Numbers at risk.
On a different note, the research on Listeria biofilms and the automatic C to Rust translation technology showcase the innovative strides being made in food safety and software security. Amazon's AI bug bounty program and the discovery of spyware targeting Samsung Galaxy users remind us of the evolving nature of threats and the collaborative efforts needed to counter them.
Deutsche Telekom's BugBash event exemplifies the power of collaboration in strengthening 5G security, while vulnerabilities like those in NetScaler ADC, OneDrive for Android, and Microsoft components highlight the ongoing need for vigilance and proactive measures.
We hope today's insights have been both informative and thought-provoking. If you found this newsletter valuable, please consider sharing it with your friends and colleagues. Together, we can foster a more secure digital environment for everyone.
Stay safe and see you in the next edition of Secret CISO!