Secret CISO 5/7: Oregon Schools & Medtronic Breaches, AIMap Secures AI, Google Chrome's 4GB AI Model Mystery
Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity incidents and vulnerabilities that are shaping the digital landscape. In this issue, we delve into a series of alarming data breaches that have rocked various sectors, from education to healthcare, and even the tech giants we rely on daily.
Our journey begins in Oregon, where schools are grappling with a breach in their Canvas platform, potentially exposing sensitive student data. Meanwhile, Medtronic faces scrutiny over a massive breach affecting nearly 9 million records, and Vimeo users are reeling from a security incident linked to the notorious ShinyHunters gang.
As we traverse the globe, we find the Queensland education sector caught in a major security breach, while in Alberta, a voters list leak raises serious concerns for domestic violence victims. These incidents underscore the urgent need for robust data protection measures.
In the realm of cybersecurity innovation, we spotlight AIMap, an open-source tool designed to fortify AI endpoints, and highlight the vulnerabilities plaguing Australian small businesses due to inadequate cybersecurity plans.
Our exploration continues with a critical look at tech giants, as Google Chrome's AI model download raises privacy questions, and a security researcher exposes the White House app's tracking capabilities. Microsoft Edge also comes under fire for storing passwords unencrypted, posing a significant risk to user data.
Finally, we dissect the latest vulnerabilities, including CVE-2026-23927, CVE-2026-40004, and CVE-2026-43280, each presenting unique challenges and potential threats to systems worldwide.
Join us as we navigate these pressing issues, offering insights and strategies to safeguard your digital domain in an ever-evolving threat landscape.
Data Breaches
- Oregon Schools Warn of Data Breach in Canvas Platform: Several school districts in Oregon, including Portland, Beaverton, and Tigard, have reported a data breach involving their online learning platform, Canvas. This breach may have exposed sensitive student information, prompting schools to alert parents and take precautionary measures. Source: KGW
- Medtronic Under Investigation for Data Breach of Nearly 9 Million Records: Medtronic is currently under investigation following a data breach that compromised nearly 9 million records. The breach led to unauthorized access to sensitive information, raising significant privacy concerns and prompting a thorough investigation by legal authorities. Source: Morningstar
- Vimeo Data Breach Exposed Personal Information of 119,000 People: Vimeo has disclosed a security incident that resulted in the exposure of personal information for approximately 119,000 users. The breach was linked to the Anodot breach, with the ShinyHunters gang responsible for the unauthorized access. Source: TechRadar
- Queensland Education Sector Caught Up in Major Security Breach: A significant data breach has impacted the Queensland education sector, affecting over 200 institutions. The breach has led to the exposure of personal information of students and teachers, including names and school locations, though there is no evidence that passwords or financial data were accessed. Source: 9News
- Alberta Voters List Leak Raises Concerns for Domestic Violence Victims: The misuse of an Alberta voters list by separatist organizers has led to a data breach, raising concerns for domestic violence victims whose information may have been exposed. This incident has sparked calls for a public inquiry to address the potential risks and privacy violations. Source: CBC
Security Research
- AIMap: Open-source tool finds and tests exposed AI endpoints: Aashiq Ramachandran from Bishop Fox has developed AIMap, an open-source tool designed to identify and test exposed AI endpoints. This tool aims to enhance security by separating and analyzing AI endpoints, providing a proactive approach to securing AI systems. Source: Help Net Security
- Australian small businesses lack cyber security plans, research finds: A study by Ipsos, commissioned by Optus, reveals that one in three Australian small businesses have experienced a cyber incident, yet many lack comprehensive cybersecurity plans. This highlights a significant vulnerability in the small business sector, emphasizing the need for improved cybersecurity measures. Source: SC Media
- Google Chrome AI model: Is a 4GB file being downloaded without your permission?: Security researcher Alexander Hanff has raised concerns about Google's Chrome browser downloading a 4GB AI model without user consent. This issue brings up questions about transparency, data storage, and user privacy, urging users to be more vigilant about their browser settings. Source: Economic Times
- Security researcher tears apart White House app and finds a tracking and security nightmare: A security researcher has decompiled the White House's new mobile app, uncovering hidden GPS-tracking capabilities and weak security protections. This discovery raises significant privacy and security concerns, highlighting the need for stricter app security standards. Source: Boing Boing
- Microsoft Edge stores all your saved passwords unencrypted in memory: Security researcher Tom Jøran Sønstebyseter Rønning has found that Microsoft's Edge browser stores saved passwords unencrypted in memory. This vulnerability poses a significant risk to user data, prompting calls for Microsoft to enhance its password management security. Source: TechSpot
Top CVEs
- CVE-2026-23927: A vulnerability in Agent 2 allows a user to inject an Oracle TNS connection string via the 'service' parameter. This can result in Agent 2 connecting to an attacker-controlled server, potentially leaking Oracle database credentials if they are stored in a named session.
- CVE-2026-40004: ZTE Cloud PC client uSmartview has a privilege escalation vulnerability in openssl.cnf. An attacker can locally execute arbitrary code and escalate privileges, posing a significant security risk.
- CVE-2026-43280: A vulnerability in the Linux kernel's drm/xe module allows an out-of-bounds kernel read due to a lack of bounds checking on the patindex value in the madvise IOCTL. This can be exploited by a malicious user to trigger unsafe array access, potentially leading to system compromise.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges, from data breaches affecting schools and healthcare giants to vulnerabilities in everyday tools like browsers and apps. Each story serves as a reminder of the importance of vigilance and proactive measures in safeguarding our digital lives.
Whether it's the exposure of sensitive student information in Oregon, the massive data breach at Medtronic, or the alarming findings in the White House app, these incidents underscore the critical need for robust cybersecurity practices. Meanwhile, tools like AIMap offer hope by providing new ways to secure AI systems, and research highlights the gaps in cybersecurity preparedness among small businesses.
In this interconnected world, sharing knowledge is key to staying ahead of threats. If you found today's insights valuable, please share this newsletter with your friends and colleagues. Together, we can foster a more secure digital environment for everyone.
Stay safe, stay informed, and see you in the next issue of Secret CISO!