Welcome to today's edition of Secret CISO, your daily dose of cybersecurity news and insights. Today, we're diving into a wave of data breaches that have swept across sectors and continents, from Roku's username and password leaks to a record-breaking breach in the French government that exposed up to 43 million people's data. We'll also look at the $4M data breach class action settlement approved by a Pennsylvania Federal Judge and the ongoing investigation into UnitedHealth's data breach by the U.S. Department of Health and Human Services. In academia, Stanford University reports a data breach impacting 27,000 individuals, while the healthcare sector grapples with breaches affecting over a million patients. Meanwhile, the FCC's updated data breach notification rules have gone into effect despite challenges. We'll also explore the latest research in cybersecurity, including vulnerabilities found in OpenAI ChatGPT and Google Gemini, the surge in SaaS assets, and the state of software security in 2024. Plus, we'll delve into how much Google paid researchers to find 'flaws' in Android, Chrome, and other products, and the risks associated with software-defined cars. Stay tuned for these stories and more in today's Secret CISO. Stay safe, stay informed.

Data Breaches

1. Roku Breach: Roku, a popular streaming platform, suffered a data breach leaking usernames and password combinations. The extent of the breach and the number of affected users is yet to be determined. Source: WRDW
2. French Government Data Breach: A French government department responsible for registering and assisting unemployed people fell victim to a mega data breach, exposing up to 43 million people's data. The breach is considered one of the largest in France's history. Source: The Register
3. UnitedHealth Data Breach: The U.S. Department of Health and Human Services launched an investigation into a cyberattack on UnitedHealth Group that allegedly breached sensitive data. The extent of the breach and the number of affected individuals is currently under investigation. Source: IAPP
4. Stanford University Data Breach: Stanford University reported a data breach that impacted 27,000 individuals. The breach exposed personal information of students, staff, and possibly alumni. Source: Spiceworks
5. Nissan Data Breach: Nissan is notifying roughly 100,000 individuals of a data breach resulting from a ransomware attack conducted by the Akira cybercrime group. The breach exposed personal and sensitive data of customers and employees. Source: SecurityWeek

Security Research

1. Addressing the Threat of Security Debt: Unveiling the State of Software Security 2024: Veracode's Chief Research Officer discusses the challenges of security debt and the importance of businesses addressing these issues. The article provides insights into the state of software security and the need for proactive measures. Source: GovTech
2. New Report Suggests Surge in SaaS Assets, Employee Data Sharing: Security researchers have observed a significant increase in software-as-a-service (SaaS) assets, indicating a potential rise in data sharing and associated security risks. The report provides a comprehensive overview of the current SaaS landscape. Source: Infosecurity Magazine
3. Researchers Find Flaws in OpenAI ChatGPT, Google Gemini: Salt Labs and HiddenLayer have identified security flaws in OpenAI's ChatGPT and Google's Gemini, highlighting the need for robust security measures as businesses increase their adoption of these technologies. The research provides valuable insights into potential vulnerabilities. Source: Security Boulevard
4. Germany's Zeitenwende turning point comes for military research: The article discusses the shift in Germany's approach to military research, with a focus on dual-use funding and security research for civilian applications. The piece provides an in-depth look at the changing landscape of military research in Germany. Source: Science|Business
5. Empowering each other: Female researchers share hard-won lessons on navigating: The article discusses the challenges faced by female researchers in balancing personal safety, cultural norms, and research goals. It provides insights into the experiences of female researchers and the importance of creating a supportive environment. Source: Virginia Tech News

Top CVEs

1. CVE-2021-44228 - Log4j Vulnerability: This critical vulnerability in Apache's Log4j logging library allows remote code execution, potentially affecting millions of applications. It's been widely exploited due to its high impact and ease of use. Source: CVE Details.
2. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability: Known as PrintNightmare, this vulnerability allows an attacker to take control of an affected system. It's highly publicized due to its impact on almost all Windows versions. Source: Microsoft Security Response Center.
3. CVE-2021-3156 - Sudo Heap-Based Buffer Overflow: This vulnerability, dubbed "Baron Samedit", allows a local user to gain root privileges. It's significant due to the widespread use of sudo in Unix-based systems. Source: CVE Details.
4. CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability: This vulnerability allows an attacker to access on-premises Exchange Servers, enabling access to email accounts and installation of additional malware. It's been highly publicized due to its exploitation in the Hafnium attacks. Source: Microsoft Security Response Center.
5. CVE-2021-21985 - vSphere Client (HTML5) Remote Code Execution Vulnerability: This vulnerability in VMware's vSphere Client allows remote code execution with unrestricted privileges. It's significant due to the widespread use of vSphere in enterprise environments. Source: CVE Details.

Final Words

And that's a wrap for today's edition of Secret CISO. From the Roku breach to the record-breaking French government data leak, it's clear that the cybersecurity landscape is as dynamic as ever. But remember, knowledge is power. By staying informed, we can better prepare and protect ourselves and our organizations from these ever-evolving threats. If you found today's newsletter helpful, why not share it with your colleagues and friends? Let's work together to create a safer digital world. Until next time, stay safe and stay vigilant.