Secret CISO 5/22: 23andMe, Coinbase Breaches, Black Suit Leaks, Fintech Vulnerabilities, PowerSchool Hack by Massachusetts Teen

Hello there, and welcome to today's edition of the Secret CISO newsletter, where we bring you the latest updates from the world of cybersecurity. Today, we're diving into a series of data breaches that have been making headlines. North Carolinians are now able to file claims against 23andMe following its 2023 data breach. Meanwhile, Coinbase has disclosed that a recent breach affected nearly 70,000 of its customers and came with a $20 million ransom demand. In other news, five lawsuits have been filed against Neighbors Credit Union over a data breach, with the cybercriminal group Black Suit allegedly leaking members' personal data on the dark web.
The fintech sector is also under threat: nearly 42% of data breaches at top fintech firms stem from third-party vendors, highlighting supply chain weaknesses that need to be addressed. In education, a Massachusetts teen has pleaded guilty to hacking into the PowerSchool system, causing a major data breach that has led to 41 investigations into affected PowerSchool clients. We also have updates on the Ashley Madison data breach, a settlement in the TracFone Wireless data breach class action, and more. Stay tuned for more updates and remember, knowledge is the key to staying one step ahead in the cybersecurity game.
Data Breaches
- North Carolinians File Claims Against 23andMe Related to 2023 Data Breach: North Carolinians are now able to file claims against genetic testing company 23andMe following its 2023 data breach, in which attackers used credential stuffing to reach customer accounts. The state Attorney General is investigating the company over the incident. Source: Fox Carolina
- Five Lawsuits Target Neighbors Credit Union Over Data Breach: Neighbors Credit Union is facing five lawsuits following a data breach. The personal data of members was allegedly leaked on the dark web by the cybercriminal group Black Suit. Source: CU Times
- Fintech Sector Faces Mounting Third-Party Security Breach Risks: Nearly 42% of data breaches in top fintech firms stem from third-party vendors, highlighting critical supply chain vulnerabilities. Source: SecurityBrief Asia
- Massachusetts Teen Pleads Guilty to 2024 PowerSchool Data Breach: A Massachusetts teen has pleaded guilty to hacking into the PowerSchool system, causing a major data breach. Source: WITN
- TracFone Wireless Data Breach Class Action Settlement: TracFone Wireless agreed to a class action lawsuit settlement to resolve claims that it failed to prevent a 2021 data breach that compromised customer data. Source: Top Class Actions
Security Research
- Data Breaches in Oil and Gas Companies: Over half of the top oil and gas companies have suffered data breaches in the past month, according to Cybernews. This has potential implications for customers, partners, and investors. Source: Petroleum Australia
- Windows Server Privilege Escalation Flaw: GovInfoSecurity reports a flaw in Windows Server that gives attackers a shortcut to privilege escalation. Primitives like this draw researcher attention because they turn a low-privilege foothold into full control of the affected host. Source: GovInfoSecurity
- Hidden Dangers in Public EV Charging Stations: Security researchers have found hidden radios in public EV chargers that can brick Tesla vehicles and threaten energy infrastructure. Source: Autoblog
- Cybercriminals Mimic Kling AI to Distribute Infostealer Malware: A new malware campaign disguised as the popular AI media platform Kling AI has been discovered by security researchers. The campaign is distributing infostealer malware. Source: Infosecurity Magazine
- Flaw in Google Cloud Functions Sparks Broader Security Concerns: A flaw in Google Cloud Functions has sparked broader security concerns, according to Infosecurity Magazine. The issue, discovered by Tenable Research, lets attackers abuse the Cloud Functions deployment process in GCP. Source: Infosecurity Magazine
Top CVEs
- CVE-2025-41232: Spring Security Aspects may not correctly locate method security annotations on private methods, leading to an authorization bypass. This vulnerability affects applications using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects with Spring Security method annotations on a private method. Source: CVE-2025-41232
- CVE-2025-40775: BIND, a DNS server, aborts with an assertion failure if it receives a message carrying a Transaction Signature (TSIG) with an invalid value in the algorithm field, because named always checks an included TSIG before doing anything else with the message. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. Source: CVE-2025-40775
- CVE-2019-16536: A stack overflow leading to Denial of Service (DoS) can be triggered by a malicious authenticated client in ClickHouse releases prior to the fixed version. Source: CVE-2019-16536
- CVE-2025-36535: The affected device's embedded web server lacks authentication and access controls, allowing unrestricted remote access. Depending on the environment and the services exposed, this could lead to configuration changes, operational disruption, or arbitrary code execution. Source: CVE-2025-36535
- CVE-2025-34027: The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Source: CVE-2025-34027
API Security
- Cisco Secure Network Analytics Manager API Vulnerability (CVE-2025-20257): A flaw in the API subsystem of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an attacker with low privileges to generate false findings, leading to misleading alarms and alerts. The vulnerability stems from insufficient authorization enforcement on a specific API. Source: CVE-2025-20257
- Cisco Unified Intelligence Center API Vulnerability (CVE-2025-20114): A vulnerability in the API of Cisco Unified Intelligence Center could allow an attacker to perform a horizontal privilege escalation attack. The flaw is due to insufficient validation of user-supplied parameters in API requests. Source: CVE-2025-20114
- Cisco Unified Intelligence Center Privilege Escalation Vulnerability (CVE-2025-20113): A flaw in Cisco Unified Intelligence Center could allow an attacker to elevate privileges to Administrator for a limited set of functions. The vulnerability is due to insufficient server-side validation of user-supplied parameters in API or HTTP requests. Source: CVE-2025-20113
- Java's ECDSA Signature Verification Vulnerability (CVE-2022-21449): This vulnerability in the ECDSA signature verification of Java 15 through 18 (before the April 2022 patch) lets an attacker bypass verification with a signature whose r and s values are both zero, so any token or document "signed" with zeros is accepted. The linked proof-of-concept project uses real and forged JWTs with EC signatures to demonstrate the issue on an unpatched Java 17. Source: CVE-2022-21449
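To make the CVE-2022-21449 item concrete, here is an added example (written for this newsletter, not the proof-of-concept project's code and not Java's implementation) that reproduces the flawed verification logic beside a correct one over NIST P-256, the curve ES256 JWTs use. The verifier labelled buggy mirrors the three ingredients of the bug: no range check on r and s, a modular inverse computed via Fermat's little theorem (so 0 inverts to 0 instead of raising an error), and the point at infinity silently treated as having x = 0. The private key, nonce and JWT claims are constructed demo values; the curve arithmetic is textbook affine arithmetic with no side-channel protection and is for illustration only.

```python
"""ECDSA P-256 verification with and without the range check CVE-2022-21449 was missing."""
import base64
import hashlib
import json

# NIST P-256 domain parameters (the curve behind ES256 JWTs)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity (group identity)


def ec_add(p1, p2):
    """Affine point addition on P-256; INF is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication; ec_mul(0, point) is INF."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_signing_input(claims: dict) -> bytes:
    """header.payload of an ES256 token: the bytes the ECDSA signature covers."""
    header = b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}".encode()


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_es256(priv: int, msg: bytes, k: int) -> bytes:
    """Textbook ECDSA. k must be a fresh secret nonce in real code; fixed here for the demo."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JWS raw r||s encoding


def verify_buggy(pub, msg: bytes, sig: bytes) -> bool:
    """Flawed logic: no range check, Fermat inverse (0 -> 0), INF treated as x == 0."""
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    w = pow(s, N - 2, N)                        # s == 0 gives w == 0, no error raised
    u1, u2 = hash_to_int(msg) * w % N, r * w % N
    point = ec_add(ec_mul(u1, G), ec_mul(u2, pub))  # INF when u1 == u2 == 0
    x = 0 if point is INF else point[0]         # INF silently becomes x = 0
    return x % N == r                           # 0 == 0 for the all-zero signature


def verify_fixed(pub, msg: bytes, sig: bytes) -> bool:
    """Same algorithm with the checks ECDSA requires (SEC 1, section 4.1.4)."""
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (1 <= r < N and 1 <= s < N):
        return False                            # rejects (0, 0) before any math
    w = pow(s, -1, N)
    u1, u2 = hash_to_int(msg) * w % N, r * w % N
    point = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    if point is INF:
        return False
    return point[0] % N == r


# Constructed demo material (hypothetical key and nonce, not real credentials)
DEMO_PRIV = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
DEMO_PUB = ec_mul(DEMO_PRIV, G)
DEMO_NONCE = 0x0fedcba9876543210fedcba9876543210fedcba9876543210fedcba987654321
SIGNING_INPUT = jwt_signing_input({"sub": "alice", "role": "user"})
FORGED_INPUT = jwt_signing_input({"sub": "alice", "role": "admin"})
GENUINE_SIG = sign_es256(DEMO_PRIV, SIGNING_INPUT, DEMO_NONCE)
PSYCHIC_SIG = bytes(64)  # r = s = 0: the CVE-2022-21449 forgery

if __name__ == "__main__":
    print("genuine sig, buggy verifier :", verify_buggy(DEMO_PUB, SIGNING_INPUT, GENUINE_SIG))
    print("genuine sig, fixed verifier :", verify_fixed(DEMO_PUB, SIGNING_INPUT, GENUINE_SIG))
    print("zero sig on forged claims, buggy:", verify_buggy(DEMO_PUB, FORGED_INPUT, PSYCHIC_SIG))
    print("zero sig on forged claims, fixed:", verify_fixed(DEMO_PUB, FORGED_INPUT, PSYCHIC_SIG))
```

Both verifiers accept the genuine signature, but only the buggy one accepts sixty-four zero bytes over a token whose role claim has been changed to admin; a real ES256 library that behaved this way would accept any such forgery for any key. The practical check for a Java shop is simple: anything on 15, 16, 17 or 18 must be on a build that includes the April 2022 fix, and token-validation code should never be run against an unpatched JVM for the sake of convenience.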
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the data breach claims against 23andMe to the recent Coinbase breach affecting nearly 70,000 customers. We've also looked at the lawsuits targeting Neighbors Credit Union and the growing third-party breach risk in the fintech sector. Remember, staying informed is the first step in protecting your data and your organization. Share this newsletter with your colleagues and friends to help them stay ahead of the curve too. In the world of cybersecurity, knowledge is power. So keep learning, stay vigilant, and let's fight the good fight together. See you in the next edition of Secret CISO!