Secret CISO 7/19: US Breach Paradox, UK's Hidden Leak, ASUS Security Flaws, Purdue-LANL Pact, Node.js Vulnerability

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity events shaping our world. As we dive into the stories of July 19, 2025, we uncover a paradoxical trend in data breaches, where frequency is on the rise, yet the direct harm seems to be diminishing. This curious phenomenon is highlighted by the PowerSchool hack, which, despite its scale, has not significantly impacted victims.
Across the pond, the UK faces its own data breach dilemma, with a massive leak in Westminster shrouded in secrecy by a superinjunction. The implications for privacy and politics are profound, echoing concerns raised by breaches closer to home, such as those affecting educational institutions and healthcare providers in the US and Canada.
Meanwhile, the U.S. Agriculture Department's bold move to terminate foreign researchers underscores a growing focus on national security, a theme echoed by Purdue University's new partnership with Los Alamos National Laboratory. These initiatives aim to fortify defenses against potential threats, both cyber and physical.
In the realm of technology, ASUS faces scrutiny over vulnerabilities in its DriverHub software, while a study on hacked passwords reveals persistent security lapses among users. These findings serve as a stark reminder of the ongoing battle against cyber threats.
Finally, we delve into the technical intricacies of recent vulnerabilities, from Node.js to Mattermost, highlighting the critical need for vigilance and robust security measures. As we navigate these complex challenges, today's newsletter offers insights and strategies to empower you in safeguarding your digital landscape.
Data Breaches
- Record High US Data Breaches Expected This Year: Despite a surge in data breaches, the impact on victims has decreased, even with significant incidents like the PowerSchool hack. This trend highlights a paradox where breaches are more frequent, but their direct harm is lessening. Source: SC Media.
- Into The Breach: The UK's Secret Data Leak: A massive data breach has shocked Westminster, revealing the first use of a superinjunction to conceal its existence. The breach's scale and cost have significant implications for UK politics and privacy. Source: Bloomberg UK Politics.
- B.C. College Warns Students of Data Breach: The College of New Caledonia in Prince George has alerted students about a data breach that may have compromised their personal information over several months. This incident raises concerns about the institution's cybersecurity measures. Source: Yahoo.
- Mid America Physician Services Data Breach: A data breach at Mid America Physician Services has led to potential legal actions for privacy loss. Affected individuals are encouraged to explore legal options to recover damages. Source: Class Action.
- Lewiston's Central Maine Healthcare Hit with Lawsuits Over Alleged Data Breach: Central Maine Healthcare is facing multiple class action lawsuits following allegations of a data breach affecting patient data. The legal proceedings could have significant repercussions for the healthcare provider. Source: Sun Journal.
Security Research
- U.S. Agriculture Department Fires Foreign Researchers: The U.S. Agriculture Department has terminated 70 researchers from "countries of concern" as part of a new national security initiative aimed at safeguarding the U.S. food supply. This move is part of the 'National Farm Security Action Plan' to mitigate potential threats from foreign entities. Source.
- EPA to Eliminate Office of Research and Development: The Environmental Protection Agency (EPA) is shutting down its Office of Research and Development, resulting in staff layoffs. This decision is part of broader budget cuts and restructuring efforts, raising concerns about the future of scientific research and environmental protection. Source.
- The ASUS Dumpster Fire: A YouTube investigation reveals significant security vulnerabilities in ASUS's DriverHub software. Security researcher Paul, also known as "Mr Bruh," highlights the potential risks for users, urging ASUS to address these issues promptly. Source.
- Purdue University and LANL Sign MOU for Security Research: Purdue University and Los Alamos National Laboratory have signed a Memorandum of Understanding to collaborate on research focused on national security. This partnership aims to advance research in cyber and hypersonic security. Source.
- Hacked Password Study Highlights Weak Security Practices: A study by Cybernews reveals that many people continue to use weak passwords like "1234" and common names, including state names, posing significant security risks. The findings underscore the need for stronger password policies and user education. Source.
API Security
- CVE-2025-27210: The Node.js project has shipped a follow-up fix after the patch for CVE-2025-23084 proved incomplete: Windows reserved device names such as CON, PRN, and AUX could still bypass the path traversal protection in the path.join() API. Only Windows users of path.join are affected, but any application that builds filesystem paths from untrusted input should update and independently verify that the resolved path stays under the intended directory. Source: Vulners.
- @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser: The ConfigCommentParser#parseJSONLikeConfig API uses an unanchored grouped regular expression, so a crafted configuration comment can drive it into catastrophic backtracking. The result is a blocked event loop and sustained high CPU usage, a significant risk for any tooling that runs this parser over untrusted source files. Source: Vulners.
- Exploit for CVE-2025-7783: The form-data package generated multipart boundaries with Math.random(), whose output becomes predictable once an attacker has observed enough values from the same process. A published proof of concept shows how an attacker who predicts the boundary can embed a forged delimiter in a field value and inject additional multipart parts into a request that a vulnerable server builds on their behalf; in the demonstration this grants admin privileges without authorization. Source: Vulners.
- CVE-2025-6227: Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting an invite. This flaw allows an attacker who intercepts both the invite and password to send synchronization payloads to the server that originally created the invite, potentially leading to unauthorized data access. Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic as ever. From the paradox of increasing data breaches with decreasing impacts in the US, to the shocking data leak in the UK, and the ongoing legal battles in healthcare, the stories we've covered today highlight the complex and ever-evolving nature of digital security.
We've also seen how national security measures are reshaping research landscapes, with the U.S. Agriculture Department's recent actions and the EPA's restructuring efforts. Meanwhile, the collaboration between Purdue University and Los Alamos National Laboratory promises advancements in cyber and hypersonic security research.
On the technical front, vulnerabilities like those in Node.js and the @eslint/plugin-kit remind us of the importance of vigilance and proactive measures in software security. The study on weak passwords further underscores the need for robust security practices at every level.
We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. Together, we can stay informed and better prepared to tackle the challenges of cybersecurity.
Until next time, stay secure and keep exploring the secrets of the digital world with Secret CISO!