Secret CISO 6/14: Erie & 23andMe Breaches Expose Data, AI Security Playbook Targets China, Dell Vulnerabilities Demand Urgent Patches

Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity threats and solutions. In this issue, we delve into a series of alarming data breaches that have rocked industries from insurance to genetic testing, highlighting the vulnerabilities that persist in our digital landscape.
First, we explore the Erie Insurance data breach, which has sparked fears of identity theft and fraud. Meanwhile, 23andMe faces scrutiny over a breach that threatens to expose Canadians' genetic data amidst its bankruptcy woes. The healthcare sector isn't spared either, as Ocuco and Episource report significant data thefts impacting major U.S. law firms.
In a chilling development, a ransomware group is holding Paraguayan citizens' data hostage, demanding a hefty ransom. This incident underscores the escalating trend of cybercriminals targeting government data for financial gain.
On the technological frontier, the Cloud Security Alliance offers a new playbook for red teaming agentic AI systems, aiming to fortify defenses against these advanced technologies. Concurrently, a proposed House bill seeks to empower the NSA to develop an AI security playbook to counter potential threats from foreign AI applications.
We also spotlight the ongoing challenges in predicting CVE threats, as experts call for a more nuanced approach beyond conventional scoring systems. This is crucial as vulnerabilities like those in Dell's ControlVault3 and XWiki platforms continue to surface, posing significant security risks.
Stay informed and vigilant as we navigate these complex cybersecurity landscapes together. Dive into the full stories for a comprehensive understanding of today's most pressing security issues.
Data Breaches
- Erie Insurance Data Breach: Erie Insurance discovered a data breach on June 7, 2025, prompting an investigation by Edelson Lechtzin LLP. The breach potentially exposed sensitive customer information, leading to concerns about identity theft and fraud. Source: Standard Journal
- 23andMe Data Breach: The genetic testing company 23andMe faced a significant data breach, leading to a joint privacy investigation by Canada and the UK. The breach has raised alarms over the potential sale of Canadians' genetic information amidst the company's bankruptcy proceedings. Source: CBC
- Ocuco and Episource Health Data Breaches: Two software firms, Ocuco and Episource, reported major health data theft incidents. These breaches have affected several large U.S. law firms, which have issued public notices regarding the compromised data. Source: BankInfoSecurity
- OneGroup NY Data Breach: On June 6, 2025, OneGroup NY reported a data breach involving the leak of worker information provided to MEMIC Indemnity. The breach was discovered after a company email account was compromised, leading to a notification filed with the Vermont Attorney General. Source: JD Supra
- Paraguayan Citizens' Data Ransom Threat: A ransomware group is threatening to release Paraguayan citizens' data unless a ransom of $7.4 million is paid. This incident highlights the growing trend of ransomware attacks targeting government data for financial gain. Source: BankInfoSecurity
Security Research
- Cloud Security Alliance Offers Playbook for Red Teaming Agentic AI Systems: The Cloud Security Alliance has released a comprehensive playbook aimed at guiding security professionals, researchers, and AI engineers in red teaming agentic AI systems. Unlike traditional generative models, agentic AI can independently plan and reason, posing unique security challenges. The playbook provides strategies and methodologies to effectively test and secure these advanced AI systems. Source: Campus Technology
- Dollars or Data Likely Motivated Albemarle County Cyber Incident, UVA Expert Says: A recent cyber incident in Albemarle County has raised numerous questions, with experts suggesting that the attack was likely motivated by financial gain or data acquisition. The incident highlights the ongoing challenges faced by local governments in securing their digital infrastructure against increasingly sophisticated cyber threats. Source: NBC29
- Predicting CVE Threats Beyond Conventional Scores: Tod Beardsley, a vice president of security research, discusses the limitations of conventional CVE scoring systems in predicting the real-world impact of vulnerabilities. The research emphasizes the need for a more nuanced approach that considers factors beyond the basic CVSS scores to better prioritize and address security threats. Source: BankInfoSecurity
- House Bill Would Task NSA with Developing AI Security Playbook to Counter China: In response to concerns about AI applications with ties to the Chinese Communist Party, a new House bill proposes that the NSA develop a comprehensive AI security playbook. This initiative aims to bolster national security by addressing potential vulnerabilities and threats posed by foreign AI technologies. Source: Nextgov
- Do Not Click These Notifications On Your Phone: Security researcher Gabriele Digregorio has issued a warning about a security vulnerability affecting Android devices. Until Google releases a fix, users are advised to avoid clicking on suspicious notifications to prevent potential exploitation. This highlights the ongoing need for vigilance and timely updates in mobile security. Source: Forbes
Top CVEs
- CVE-2025-3415: This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Source: Vulners.
- CVE-2024-38824: A directory traversal vulnerability in the recv_file method allows arbitrary files to be written to the master cache, posing a significant security risk by potentially allowing unauthorized file manipulation. Source: Vulners.
- CVE-2025-49584: XWiki, a generic wiki platform, has a vulnerability where the title of every page whose reference is known can be accessed through the REST API. This could potentially expose sensitive information if page names are intentionally obfuscated. The issue has been fixed in recent updates. Source: Vulners.
- CVE-2025-49580: In XWiki, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved, potentially leading to unauthorized script execution. This vulnerability has been addressed in the latest software updates. Source: Vulners.
- CVE-2025-22236: A minion event bus authorization bypass vulnerability allows an attacker with access to a minion key to craft a message that may execute a job on other minions, posing a risk of unauthorized operations within the system. Source: Vulners.
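The CVE-2024-38824 item above describes the classic directory traversal pattern: a file-receiving method writes a client-supplied name under a cache directory without confining the result to that directory. The check below is an added example, not code from any affected project and not the vendor's fix; it assumes a POSIX server and a hypothetical cache root of /var/cache/master, and shows how a defender confines a received file name to the cache root by normalising the joined path and then verifying containment, rather than by string-matching for "..".

```python
import posixpath


class PathTraversalError(ValueError):
    """Raised when a client-supplied file name would escape the cache root."""


def resolve_cache_path(cache_root: str, relative_name: str) -> str:
    """Return the absolute path where relative_name may be written under cache_root.

    The caller (e.g. a recv_file-style handler) must only ever open the path
    this function returns. Any name that is empty, absolute, contains a NUL
    byte or a backslash, or normalises to a location outside cache_root is
    rejected by raising PathTraversalError.
    """
    if not relative_name:
        raise PathTraversalError("empty file name")
    if "\x00" in relative_name or "\\" in relative_name:
        raise PathTraversalError("illegal character in file name")
    if posixpath.isabs(relative_name):
        raise PathTraversalError("absolute paths are not allowed")

    # Normalise the root once so the containment test compares like with like.
    root = posixpath.normpath(cache_root)
    # normpath collapses "..", ".", and repeated separators before we check.
    candidate = posixpath.normpath(posixpath.join(root, relative_name))

    # Containment check: the candidate must sit strictly below the root.
    # Comparing against root + "/" (not a bare prefix) prevents a sibling
    # directory such as /var/cache/master2 from passing as "inside".
    if not candidate.startswith(root + "/"):
        raise PathTraversalError(f"{relative_name!r} resolves outside the cache root")
    return candidate


def is_within_cache(cache_root: str, relative_name: str) -> bool:
    """Boolean convenience wrapper around resolve_cache_path."""
    try:
        resolve_cache_path(cache_root, relative_name)
        return True
    except PathTraversalError:
        return False


def audit_names(cache_root: str, names: list[str]) -> dict[str, str]:
    """Map each constructed sample name to 'accepted' or 'rejected'."""
    return {
        name: "accepted" if is_within_cache(cache_root, name) else "rejected"
        for name in names
    }


if __name__ == "__main__":
    # Hypothetical cache root and constructed sample names (not real traffic).
    ROOT = "/var/cache/master"
    SAMPLES = [
        "minions/web01/data.bin",       # ordinary name: accepted
        "minions/../web01/data.bin",    # ".." that stays inside: accepted
        "../../etc/passwd",             # escapes the root: rejected
        "minions/../../etc/passwd",     # escapes after normalisation: rejected
        "/etc/passwd",                  # absolute: rejected
        "../master2/data.bin",          # sibling-directory prefix trick: rejected
        "",                             # empty: rejected
    ]
    for name, verdict in audit_names(ROOT, SAMPLES).items():
        print(f"{verdict:8s} {name!r}")
```

On a live server the returned path should additionally be checked with os.path.realpath after creation so that a symlink planted inside the cache cannot redirect the write elsewhere; that filesystem-dependent step is omitted here so the example runs on plain strings.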
API Security
- CVE-2025-25215: An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an arbitrary free; an attacker can trigger this vulnerability by forging a fake session. Source: Vulners.
- CVE-2025-25050: An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an out-of-bounds write; an attacker can trigger this vulnerability by issuing such an API call. Source: Vulners.
- CVE-2025-24922: A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cv_object can lead to arbitrary code execution; an attacker can trigger this vulnerability through an API call. Source: Vulners.
- CVE-2025-24311: An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an information leak; an attacker can trigger this vulnerability by issuing such an API call. Source: Vulners.
- CVE-2025-49584: XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible. This vulnerability allows attackers to get titles of pages whose reference is known, potentially impacting confidentiality. This has been fixed in XWiki 16.4.7, 16.10.3, and 17.0.0. Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and innovations emerging daily. From the unsettling data breaches at Erie Insurance and 23andMe to the strategic advancements in AI security by the Cloud Security Alliance, the need for vigilance and proactive measures is more crucial than ever.
The stories we've shared today highlight the importance of staying informed and prepared. Whether it's understanding the implications of a ransomware threat in Paraguay or recognizing the vulnerabilities in Dell's ControlVault3, knowledge is your first line of defense. The evolving nature of cyber threats demands that we not only react but anticipate and strategize to protect our digital assets.
We hope you found today's insights valuable and that they empower you to make informed decisions in your cybersecurity journey. If you did, please consider sharing this newsletter with your friends and colleagues. By spreading awareness, we can collectively strengthen our defenses and foster a more secure digital environment for everyone.
Thank you for being a part of our community. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO.