Secret CISO 11/13: Louvre Breach, Synnovis Delay, Amazon AI Bug Bounty, MSPs & Cyber Bill Impact

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs shaping our digital world. In this issue, we delve into a series of alarming data breaches and vulnerabilities that underscore the urgent need for robust security measures across various sectors.

We begin with the First Circuit's decision to allow higher-ed student data breach claims to proceed, setting a precedent for accountability in educational institutions. Meanwhile, the Louvre Museum's recent security lapse has sparked a global conversation on safeguarding cultural treasures in the digital age.

In the healthcare sector, Synnovis faces scrutiny for a delayed breach notification, while Conduent grapples with financial fallout from a massive data breach affecting millions. GlobalLogic's Oracle-linked breach further highlights vulnerabilities in enterprise systems.

On the legislative front, the Cyber Security Bill is stirring debate among MSPs, potentially reshaping cybersecurity responsibilities. Meanwhile, new zero-day vulnerabilities in Cisco and Citrix systems signal advanced threats, demanding immediate attention.

In academia, the University of Michigan confronts espionage concerns, emphasizing the need for stringent security in research environments. As AI continues to evolve, CISOs are increasingly tasked with overseeing AI security, a critical shift in protecting against emerging threats.

Finally, Amazon's private AI bug bounty program showcases proactive measures in AI development, while recent CVEs reveal vulnerabilities in widely-used software, urging timely updates to safeguard against exploitation.

Stay informed and vigilant as we navigate these complex cybersecurity landscapes together.

Data Breaches

  1. First Circuit Allows Higher-Ed Student Data Breach Claims: The District of Massachusetts has allowed claims related to a data breach affecting higher education students to proceed. The court denied the dismissal of an unjust enrichment claim, suggesting that the plaintiff's allegations regarding data security fees were plausible. Source.
  2. Louvre Breach, SAP Overhaul, Landmark Data Ruling: The Louvre Museum in Paris faced a significant security lapse, leading to a burglary that exposed longstanding vulnerabilities. This incident has sparked discussions on digital security and the need for robust measures to protect cultural institutions. Source.
  3. Synnovis to Notify NHS of Data Breach After Nearly 18 Months: Synnovis, a pathology lab services provider, is notifying its NHS partners about a data breach that occurred due to a Qilin ransomware attack. The breach, which took place 18 months ago, compromised patient data, raising concerns over delayed notifications. Source.
  4. Conduent Faces Mounting Financial Losses from Data Breach: Conduent is experiencing significant financial losses due to a data breach affecting over 10.5 million customers. The breach has prompted lawsuits and investigations by lawyers and state regulators, highlighting the severe impact on the company. Source.
  5. GlobalLogic Says Data on 10,000 Workers Exposed in Oracle-Linked Data Breach: A breach involving Oracle's E-Business Suite exposed data of 10,471 GlobalLogic employees. The incident, occurring between July and August 2025, involved the theft of sensitive employee information, underscoring vulnerabilities in enterprise software systems. Source.

Security Research

  1. MSPs mull over impact of Cyber Security Bill: The Cyber Security Bill is causing a stir among Managed Service Providers (MSPs) as it proposes stricter regulations for those supplying critical national infrastructure. The bill aims to enhance the security posture of these providers, potentially increasing their compliance burden. This development is crucial as it could reshape the landscape of cybersecurity responsibilities for MSPs. Source: Computer Weekly.
  2. Amazon: Cisco, Citrix 0-days indicate 'advanced' attacker: Security researchers have identified new zero-day vulnerabilities in Cisco and Citrix systems, dubbed CitrixBleed 2. These vulnerabilities are being exploited by advanced attackers, including nation-state actors and ransomware groups. The discovery underscores the need for robust security measures and timely patching to mitigate potential threats. Source: The Register.
  3. 'A threat to our collective security' — more Chinese researchers charged at U of M: The University of Michigan is investigating the Shawn Xu laboratory after charges were filed against Chinese researchers for alleged security violations. This incident highlights ongoing concerns about intellectual property theft and espionage in academic settings. The case emphasizes the importance of safeguarding sensitive research and maintaining academic integrity. Source: Michigan Farm News.
  4. Most CISOs now own AI security: Here's what that means for your business: A new study by HackerOne reveals that 84% of Chief Information Security Officers (CISOs) are now responsible for AI security, with 82% also overseeing data privacy. This shift indicates a growing recognition of AI's role in cybersecurity and the need for CISOs to adapt to emerging technologies. Businesses must prioritize AI security to protect against evolving threats. Source: SC Media.
  5. Amazon opens private AI bug bounty to pressure-test Nova models: Amazon has launched a private AI bug bounty program to test the safety and reliability of its Nova models. This initiative invites security researchers and academic teams to identify vulnerabilities, aiming to enhance the robustness of AI systems. The program reflects Amazon's commitment to proactive security measures in AI development. Source: EdTech Innovation Hub.

Top CVEs

  1. CVE-2025-64500: Symfony's HttpFoundation component had a vulnerability where the Request class improperly interpreted some PATH_INFO, potentially bypassing access control rules. This issue affected versions from 2.0.0 up to 5.4.50, 6.4.29, and 7.3.7, and has been fixed in the latest updates. Source.
  2. CVE-2025-59118: Apache OFBiz had an Unrestricted Upload of File with Dangerous Type vulnerability affecting versions before 24.09.03. Users are advised to upgrade to version 24.09.03 to mitigate this risk. Source.
  3. CVE-2025-13042: Google Chrome's V8 engine had an inappropriate implementation that allowed remote attackers to exploit heap corruption via a crafted HTML page. This issue was present in versions prior to 142.0.7444.166 and has since been addressed. Source.
  4. CVE-2025-11367: N-central Software Probe versions below 2025.4 were vulnerable to Remote Code Execution. Users are encouraged to update to the latest version to protect against this exploit. Source.
  5. CVE-2025-64099: Open Access Management (OpenAM) had a vulnerability in versions prior to 16.0.0, allowing attackers to inject custom claims into id_token or user_info, potentially assuming any identity. This has been fixed in version 16.0.0. Source.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the landscape of cybersecurity is ever-evolving, with each story painting a vivid picture of the challenges and triumphs in our field. From the courtroom battles over student data breaches to the Louvre's unexpected security lapse, these incidents remind us of the critical importance of vigilance and innovation in safeguarding our digital and physical worlds.

The ongoing discussions around the Cyber Security Bill and the revelations of zero-day vulnerabilities in major systems underscore the need for continuous adaptation and proactive measures. Meanwhile, the academic world faces its own set of challenges, as seen in the University of Michigan's investigation, highlighting the delicate balance between collaboration and security.

As CISOs increasingly take ownership of AI security, and companies like Amazon push the boundaries with AI bug bounties, it's evident that the future of cybersecurity is intertwined with emerging technologies. Staying informed and prepared is more crucial than ever.

We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a community of informed and proactive cybersecurity professionals, ready to tackle the challenges of tomorrow.

Until next time, stay secure and vigilant!