Welcome to today's edition of Secret CISO, your daily source for the latest in cybersecurity news. Today, we're diving into a series of data breaches that have recently come to light. First on our list is a HIPAA privacy security breach that may affect patients treated by UT Health Science. The breach was discovered recently and could potentially compromise the privacy and security of patients' information. Next, we have news of a data breach at Nations Direct Mortgage. The company filed a notice of the breach with the Attorney General of Maine after discovering it on March 6, 2024. Over 83,000 people have been notified of the breach. Financial services firm WeRize has also fallen victim to a data breach. Preliminary investigations point to potential collusion by certain 'Company Personnel' who may have shared data in gross violation of policies. In other news, Eastern Radiologists is facing a lawsuit over a data breach affecting 890,000 individuals. The proposed class action alleges that ERI failed to implement reasonable data-security measures. We also cover how to verify a data breach, the rising trend of ransomware groups' data leak blogs, and the increasing number of data breaches despite companies' focus on cybersecurity. Finally, we delve into the world of cybersecurity research, exploring the evolution and future of research on Nature-based Solutions to societal challenges, the new data leak vulnerability affecting modern CPUs, and the complex web of national security, research, and diversity. Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity.

Data Breaches

1. UT Health Science Center HIPAA Privacy Breach: A HIPAA breach was recently discovered at UT Health Science Center, potentially affecting the privacy and security of some patients. The extent of the breach and the number of affected patients are currently unknown. Source: UTHSC News
2. Nations Direct Mortgage Data Breach: Nations Direct Mortgage, LLC reported a data breach affecting over 83,000 individuals. The breach was discovered on March 6, 2024, and the company has since notified the Attorney General of Maine. Source: JD Supra
3. WeRize Data Breach: Financial services firm WeRize became the victim of a data breach, with preliminary investigations suggesting potential collusion by certain company personnel. The extent of the data shared and the number of affected customers are currently unknown. Source: Business Standard
4. Eastern Radiologists Data Breach: Eastern Radiologists is facing a proposed class action lawsuit over a data breach affecting 890,000 individuals. The plaintiffs allege that the company failed to implement reasonable data-security measures. Source: Bloomberg Law News
5. Nissan Data Breach: Nissan confirmed a data breach in December that compromised the data of 100,000 customers and employees. The company has not disclosed the nature of the compromised data. Source: Tech Times

Security Research

1. "The Evolution and Future of Research on Nature-based Solutions to Address Societal Challenges": This research proposes six pathways to advance the understanding of nature-based solutions for societal challenges, including economic and social development, human health, food security, and water security. Source: Nature
2. "How to Verify a Data Breach": Anurag Sen, a renowned security researcher, shares his methods for discovering sensitive data mistakenly published on the internet, providing valuable insights into data breach verification. Source: TechCrunch
3. "GhostRace – New Data Leak Vulnerability Affects Modern CPUs": Researchers from the Systems Security Research Group at IBM Research Europe and VUSec have discovered a new data leak vulnerability affecting modern CPUs, highlighting the need for robust hardware security. Source: The Hacker News
4. "Testing Limits: Navigating the Complex Web of National Security, Research and Diversity": This research highlights the challenges facing Canada's research security sector, which has been garnering widespread media attention since the beginning of the year. Source: University Affairs
5. "NIST NVD Disruption Sees CVE Enrichment on Hold": The disruption of the National Institute of Standards and Technology's National Vulnerability Database (NIST NVD) could significantly impact the security researcher community and organizations worldwide if not resolved quickly. Source: Infosecurity Magazine

Top CVEs

1. CVE-2021-38938: IBM Host Access Transformation Services (HATS) versions 9.6 through 9.6.1.4 and 9.7 through 9.7.0.3 store user credentials in plain text, which can be read by a local user. This vulnerability exposes sensitive user information, posing a security risk. Source: CVE-2021-38938
2. CVE-2023-28746: Intel(R) Atom(R) Processors may expose information through microarchitectural state after transient execution. This vulnerability could potentially enable an authenticated user to disclose information via local access. Source: CVE-2023-28746
3. CVE-2023-51369: SysBasics Customize My Account for WooCommerce has a Cross-Site Request Forgery (CSRF) vulnerability. This issue affects Customize My Account for WooCommerce: from n/a through... Source: CVE-2023-51369
4. CVE-2023-51522: Cozmoslabs Paid Member Subscriptions has a Cross-Site Request Forgery (CSRF) vulnerability. This issue affects Paid Member Subscriptions: from n/a through... Source: CVE-2023-51522
5. CVE-2023-50898: Sirv has a Missing Authorization vulnerability. This issue affects Sirv: from n/a through... Source: CVE-2023-50898

Final Words

That's it for today's edition of Secret CISO. We've covered a lot of ground, from the recent HIPAA breach affecting UT Health Science patients to the data breach at financial services firm WeRize. We've also delved into how to verify a data breach and the ongoing issue of rising data breaches despite increased focus on cybersecurity. Remember, knowledge is power. The more we know, the better we can protect ourselves and our organizations. So, don't keep this valuable information to yourself. Share Secret CISO with your colleagues and friends, and let's strengthen our defenses together. Stay safe, stay informed, and see you in the next edition of Secret CISO.