Secret CISO 3/5: Colombia's Tax Breach, WA DOL's 6-Year Cover-Up, LexisNexis' Contained Threat, SoundCloud's Crisis Lessons

Welcome to today's edition of Secret CISO, where we delve into the latest cybersecurity challenges and revelations that are shaking the digital world. In this issue, we uncover a series of alarming data breaches and vulnerabilities that highlight the ever-present threats to personal and organizational security.

First, we explore the alleged data breach at Colombia's tax authority, DIAN, which could potentially expose millions of citizens' records, raising questions about the robustness of governmental data protection. Meanwhile, the Washington Department of Licensing faces scrutiny for allegedly concealing a massive data breach for six years, affecting every resident with a driver's license or ID.

In the corporate realm, LexisNexis confirms a data breach, assuring containment but not without raising concerns about the security of legal and professional services. Similarly, the SoundCloud breach serves as a stark reminder of the need for comprehensive incident response strategies across enterprises.

On the individual front, Conduent's data breach notification letters prompt cybersecurity experts to advise on protective measures, while TikTok's decision to skip DM encryption sparks debates over user privacy. Additionally, a developer's shocking $82,000 bill due to a stolen Gemini API key underscores the financial risks of unsecured digital assets.

We also highlight critical vulnerabilities, such as the CVE-2026-28697 in Craft CMS and CVE-2025-66168 in Apache ActiveMQ, which demand immediate attention and action to prevent exploitation. These incidents, along with others, emphasize the urgent need for vigilance and proactive security measures in today's interconnected world.

Stay informed and prepared as we navigate these complex cybersecurity landscapes together.

Data Breaches

  1. Alleged Data Breach at Colombia's Tax Authority Could Expose Millions of Citizens' Records: A suspected data breach at Colombia's national tax authority, DIAN, has raised significant concerns. The breach could potentially expose the personal records of millions of Colombian citizens, leading to widespread alarm and scrutiny over the security measures in place. Source: Colombia One
  2. Attorney says WA DOL knew about massive data breach for 6 years: The Washington Department of Licensing (DOL) is under fire for allegedly knowing about a massive data breach for six years. This breach potentially exposed every Washington resident with a driver's license or ID, raising questions about the department's transparency and data protection protocols. Source: MyNorthwest
  3. LexisNexis Confirms Data Breach, Says Threat Is Contained: LexisNexis has confirmed a data breach involving an unauthorized party accessing its systems. The company assures that the threat has been contained, but the incident highlights vulnerabilities in the legal and professional services sector. Source: Law360 Pulse
  4. Modern incident response lessons from the SoundCloud breach: The SoundCloud breach serves as a critical lesson in incident response, emphasizing that such events are full enterprise crises rather than isolated security issues. This breach underscores the need for comprehensive response strategies across all organizational levels. Source: SC Media
  5. On Your Side: Conduent Data Breach: What to do if you got a letter: Conduent Business Services has sent out data breach notification letters, prompting cybersecurity experts to advise affected individuals on protective measures. This breach highlights the importance of vigilance and proactive steps in safeguarding personal information. Source: KY3

Security Research

  1. TikTok skips DM encryption, leaving privacy experts concerned: TikTok's decision to forgo end-to-end encryption for direct messages has raised alarms among privacy advocates. This choice allows TikTok to access and monitor user communications, sparking debates about user privacy and data security. Source: Cybernews.
  2. LexisNexis Says Data Breach Has Been Contained; Hackers Claim Access to Government Data: LexisNexis confirmed a data breach that exposed sensitive government and enterprise credentials. Security researchers warn that this breach could lead to increased phishing attacks and social engineering exploits. Source: LawNext.
  3. Cancer Center Research Study Hack Affects 1.2M: A cyberattack on a cancer center compromised the personal data of 1.2 million individuals. The breach highlights the vulnerability of healthcare institutions to cyber threats and the critical need for robust security measures. Source: BankInfoSecurity.
  4. Dev stunned by $82K Gemini API key bill after theft: A developer faced an unexpected $82,000 bill due to the theft of their Gemini API key. This incident underscores the importance of securing API keys and the potential financial repercussions of their misuse. Source: The Register.
  5. Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux: Security researchers discovered malicious Laravel packages on Packagist that deploy Remote Access Trojans (RATs) across multiple operating systems. This finding emphasizes the need for vigilance when using open-source software repositories. Source: The Hacker News.

Top CVEs

  1. CVE-2026-28697: A critical vulnerability in Craft CMS allows authenticated administrators to achieve remote code execution (RCE) via server-side template injection (SSTI) in Twig template fields. By exploiting this, attackers can write malicious PHP scripts to web-accessible directories, leading to arbitrary command execution. This issue is resolved in versions 4.17.0-beta.1 and 5.9.0-beta.1. Source: Vulners.
  2. CVE-2025-66168: Apache ActiveMQ suffers from an integer overflow vulnerability due to improper validation of the remaining length field in MQTT packets. This flaw can lead to unexpected behavior and potential security risks when interacting with non-compliant clients. The issue affects specific versions and is fixed in versions 5.19.2, 6.1.9, and 6.2.1. Source: Vulners.
  3. CVE-2026-27446: Apache Artemis and ActiveMQ Artemis have a vulnerability allowing unauthenticated remote attackers to establish rogue broker connections, potentially leading to message injection or exfiltration. This impacts environments with untrusted Core protocol connections. Upgrading to Apache Artemis version 2.52.0 mitigates the issue. Source: Vulners.
  4. CVE-2026-20062: A vulnerability in Cisco Secure Firewall ASA Software allows authenticated local attackers to copy files across contexts due to improper access controls for SCP operations. Exploitation requires administrative credentials and knowledge of file paths, posing a risk of unauthorized file access. Source: Vulners.
  5. CVE-2026-2835: Pingora's HTTP Request Smuggling vulnerability allows attackers to desynchronize request framing, bypassing proxy-level controls and potentially hijacking sessions. This affects standalone deployments with certain backends. Upgrading to Pingora v0.8.0 or higher addresses the issue. Source: Vulners.
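
The ActiveMQ item above (CVE-2025-66168) comes down to how a broker decodes the MQTT Remaining Length field. The MQTT specification (3.1.1 section 2.2.3, 5.0 section 1.5.5) encodes it as a Variable Byte Integer of at most four bytes with a maximum value of 268,435,455; a decoder that keeps reading continuation bytes past the fourth, or that sizes a buffer from the decoded value before checking it, is where arithmetic wrap and oversized allocations come from. The decoder below is an added example written for this newsletter, not code from Apache ActiveMQ or from the advisory: it caps the byte count so the multiplier can never exceed 128^3, enforces the spec maximum explicitly, and checks the full packet length against a configured limit (`max_packet_size`, an assumed policy value) before the caller sizes anything from it. The test inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MQTT "Remaining Length" is a Variable Byte Integer: 1 to 4 bytes, 7 data
 * bits per byte plus a continuation bit, maximum value 268,435,455
 * (MQTT 3.1.1 section 2.2.3 / MQTT 5.0 section 1.5.5). */
#define MQTT_VBI_MAX_BYTES 4u
#define MQTT_VBI_MAX_VALUE 268435455u

typedef enum {
    MQTT_VBI_OK = 0,
    MQTT_VBI_INCOMPLETE,   /* continuation bit set on the last byte we have: wait for more */
    MQTT_VBI_MALFORMED     /* a 5th byte was requested: protocol error, close the connection */
} mqtt_vbi_status;

/* Decode the Remaining Length at buf[0..len). The byte-count cap is what
 * keeps `multiplier` bounded (at most 128^3) so the arithmetic cannot wrap. */
mqtt_vbi_status mqtt_decode_remaining_length(const uint8_t *buf, size_t len,
                                             uint32_t *value, size_t *consumed)
{
    uint32_t result = 0, multiplier = 1;
    size_t i = 0;
    for (;;) {
        if (i >= MQTT_VBI_MAX_BYTES) return MQTT_VBI_MALFORMED;
        if (i >= len) return MQTT_VBI_INCOMPLETE;
        uint8_t b = buf[i++];
        result += (uint32_t)(b & 0x7Fu) * multiplier;
        if ((b & 0x80u) == 0) break;
        multiplier *= 128u;
    }
    /* With the 4-byte cap the value cannot exceed the spec maximum, but the
     * limit is kept explicit so a later change to the cap stays safe. */
    if (result > MQTT_VBI_MAX_VALUE) return MQTT_VBI_MALFORMED;
    *value = result;
    *consumed = i;
    return MQTT_VBI_OK;
}

typedef enum { MQTT_FRAME_OK = 0, MQTT_FRAME_INCOMPLETE, MQTT_FRAME_REJECT } mqtt_frame_status;

/* Compute the full packet length (fixed-header byte + length bytes + payload)
 * and enforce a per-connection maximum before any buffer is sized from it.
 * max_packet_size is the broker's configured limit (an assumed policy value). */
mqtt_frame_status mqtt_frame_length(const uint8_t *buf, size_t len,
                                    uint32_t max_packet_size, size_t *total)
{
    if (len < 1) return MQTT_FRAME_INCOMPLETE;
    uint32_t remaining; size_t vbi_len;
    mqtt_vbi_status s = mqtt_decode_remaining_length(buf + 1, len - 1, &remaining, &vbi_len);
    if (s == MQTT_VBI_INCOMPLETE) return MQTT_FRAME_INCOMPLETE;
    if (s == MQTT_VBI_MALFORMED) return MQTT_FRAME_REJECT;
    uint64_t full = 1u + (uint64_t)vbi_len + remaining;  /* 64-bit sum: cannot wrap */
    if (full > max_packet_size) return MQTT_FRAME_REJECT; /* reject before waiting on it */
    if (full > len) return MQTT_FRAME_INCOMPLETE;         /* valid, but not all here yet */
    *total = (size_t)full;
    return MQTT_FRAME_OK;
}

/* Probe helpers: decoded value / frame length on success, -1 incomplete, -2 rejected. */
long mqtt_vbi_probe(const uint8_t *buf, size_t len) {
    uint32_t v; size_t n;
    switch (mqtt_decode_remaining_length(buf, len, &v, &n)) {
        case MQTT_VBI_OK: return (long)v;
        case MQTT_VBI_INCOMPLETE: return -1;
        default: return -2;
    }
}

long mqtt_frame_probe(const uint8_t *buf, size_t len, uint32_t max_packet_size) {
    size_t t;
    switch (mqtt_frame_length(buf, len, max_packet_size, &t)) {
        case MQTT_FRAME_OK: return (long)t;
        case MQTT_FRAME_INCOMPLETE: return -1;
        default: return -2;
    }
}

int main(void) {
    /* Constructed inputs: a well-formed PUBLISH header and a 5-byte length field. */
    const uint8_t good[] = {0x30, 0x02, 'h', 'i'};
    const uint8_t overlong[] = {0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F};
    printf("good frame: %ld bytes\n", mqtt_frame_probe(good, sizeof good, 1024));
    printf("overlong length field: %ld (reject)\n", mqtt_frame_probe(overlong, sizeof overlong, 1024));
    return 0;
}
```

The ordering in `mqtt_frame_length` is deliberate: a frame that exceeds the configured maximum is rejected immediately rather than buffered while the broker waits for bytes that may never arrive, which is also the behaviour MQTT 5.0 asks for when a client exceeds the negotiated Maximum Packet Size.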

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From the alleged data breach at Colombia's tax authority to the lessons learned from the SoundCloud incident, each story underscores the critical importance of robust cybersecurity measures. Whether it's the vulnerabilities in healthcare institutions or the unexpected financial repercussions faced by developers, these incidents remind us that vigilance and proactive strategies are essential in safeguarding our digital world.

We also explored the ongoing concerns over TikTok's privacy practices and the vulnerabilities in widely-used platforms like Craft CMS and Apache ActiveMQ. These stories highlight the ever-evolving nature of cyber threats and the need for continuous adaptation and improvement in our security protocols.

Thank you for joining us today. If you found this newsletter insightful, please consider sharing it with your friends and colleagues. Together, we can foster a more informed and secure digital community. Stay vigilant, stay informed, and we'll see you in the next edition of Secret CISO.