All news with #pii tag

Postmark MCP Connector Compromised via Malicious NPM

🔒 A malicious npm package named postmark-mcp was discovered inserting a hidden Bcc that forwarded copies of transactional emails to an attacker-controlled server. Koi Security identified the backdoor in version 1.0.16 after its risk engine flagged suspicious behavior, noting the package had been trusted across many prior releases. With roughly 1,500 weekly downloads, the single-line injection enabled broad exfiltration of password resets, invoices, and internal correspondence before the package was removed; Koi urges immediate removal, credential rotation, and audits of all MCP connectors.

Threat Modeling Your Digital Life Under Authoritarianism

🔒 The article argues that personal threat modeling must adapt as governments increasingly combine their extensive administrative records with corporate surveillance data. It details what kinds of government-held data exist, how firms augment those records, and the distinct dangers of targeted versus mass surveillance. Practical mitigations are discussed—encryption, scrubbing accounts, burner devices—and the piece stresses that every defensive choice is a trade-off tied to individual goals.

Interpol Operation Dismantles Large African Scam Rings

🛡️ Interpol-led Operation Contender 3.0 swept through 14 African countries between 28 July and 11 August 2025, targeting romance scams and sextortion networks and resulting in 260 arrests. Law enforcement, aided by private firms Group-IB and Trend Micro, seized 1,235 electronic devices and took down 81 cybercrime infrastructures. Investigations in Ghana, Senegal, Côte d’Ivoire and Angola identified 1,463 victims and estimated losses near $2.8 million.

Qantas Docking CEO Pay Signals Cyber Accountability Shift

🔒 Qantas' board docked CEO Vanessa Hudson and other executives after a June 30 cyber incident that exposed the personally identifiable information of nearly 6 million passengers, deducting A$800,000 from bonuses and cutting annual payouts by 15 percentage points. The move is being compared to high-profile past actions, such as Yahoo's 2017 bonus denial. Security leaders say the decision reflects a broader trend of boards and regulators holding top executives personally and financially accountable for cybersecurity failures.

Co-op Cyberattack Costs Group an Estimated £120 Million

🔒 In its latest half-year report the Co-operative Group said it expects to lose about £120 million in profits this financial year after a cyberattack forced temporary shutdowns of parts of its IT estate. The company reported that personal data for roughly 6.5 million members was stolen, prompting operational disruption across its supermarkets as well as its financial and funeral services. The identity of the attackers remains unclear and investigations are ongoing.

Cyber Risk Assessments: Making CISO Efforts Visible

🛡️ Cyber Risk Assessments enable CISOs to quantify enterprise cyber risk and demonstrate the impact of security work. They uncover vulnerabilities across infrastructure, networks and cloud data, helping teams prioritize remediation and allocate resources where they matter most. Assessments also support compliance with regulations such as GDPR and PCI DSS, delivering actionable reports that document progress for management.

Mass Exposure of Indian Bank NACH Transfer PDFs Repository

🔓 UpGuard discovered a publicly accessible Amazon S3 bucket containing roughly 273,160 PDF documents formatted as NACH MANDATE records that documented bank transfers in India. The files exposed unredacted bank account numbers, transaction amounts and, in many cases, individuals’ names, phone numbers and email addresses. A 55K-file sample (~42 GB) showed 38 financial institutions represented, with AyeFin appearing in nearly 60% of sampled records. UpGuard notified AyeFin and NPCI, escalated to CERT‑IN when the bucket continued to grow, and verified the repository was secured on September 4.

Enabling Enterprise Risk Management for Generative AI

🔒 This article frames responsible generative AI adoption as a core enterprise concern and urges business leaders, CROs, and CIAs to embed controls across the ERM lifecycle. It highlights unique risks—non‑deterministic outputs, deepfakes, and layered opacity—and maps mitigation approaches using AWS CAF for AI, ISO/IEC 42001, and the NIST AI RMF. The post advocates enterprise‑level governance rather than project‑by‑project fixes to sustain innovation while managing harm.

Co-op Reports £80M Operating Loss After Cyberattack

🔒 The Co-operative Group reported an £80 million operating profit loss in H1 2025 after an April cyberattack disrupted systems and trading. Management attributed the shortfall to £20 million of one‑off remediation costs and £60 million in lost sales while systems were offline, and said revenue fell by £206 million. The breach, linked to DragonForce and affiliates of Scattered Spider, exposed personal data for all 6.5 million members; four suspects have since been arrested. Despite the impact, Co-op reported £800 million of available liquidity and no immediate funding concerns.

Co-op Reports £206m Revenue Loss After Cyberattack

🛒 The Co-op revealed a £206m revenue shortfall resulting from a “malicious” cyber-attack in April after it temporarily shut down multiple systems to contain the threat. The retailer recorded an overall six-month loss of £80m to 5 July 2025 and said sales disruption is likely to continue into H2 2025. No remediation breakdown was provided, although a one-off non-underlying cost of £20m was logged. The intrusion has been linked to Scattered Spider, and UK authorities have made several arrests related to this and similar retail attacks.

DeceptiveDevelopment: Social-Engineered Crypto Theft

🧩DeceptiveDevelopment is a North Korea-aligned actor active since 2023 that leverages advanced social-engineering to compromise software developers across Windows, Linux and macOS. Operators pose as recruiters on platforms like LinkedIn and deliver trojanized codebases and staged interviews using a ClickFix workflow to trick victims into executing malware. Their multiplaform toolset ranges from obfuscated Python and JavaScript loaders to Go and .NET backdoors that exfiltrate crypto, credentials and sensitive data. ESET's white paper and IoC repository provide full technical analysis and telemetry.

Boyd Gaming Reports Cyber Incident Exposing Employee Data

🔒 Boyd Gaming Corporation disclosed a cybersecurity incident in an SEC 8-K filing, saying an unauthorized third party accessed its internal IT systems and removed certain data. The company said the breach involved employee information and a limited number of other individuals, though it did not specify the data types or number affected. Boyd said operations were not impacted and it is working with cybersecurity experts and federal law enforcement while notifying regulators.

Microsoft Purview Study: 30% Reduction in Breach Risk

🔒 The Forrester Total Economic Impact™ study commissioned by Microsoft found that Microsoft Purview reduced the likelihood of data breaches by 30% for a composite organization, yielding more than $225,000 in annual savings from avoided incidents and fines. The report credits unified governance, automated classification, and fine‑tuned DLP policies with a 75% reduction in investigation time and 75% time savings for users searching and classifying data. Over three years the study shows $3.0M in benefits versus $633,000 in costs (NPV $2.3M; ROI 355%).

AI Growth Fuels Surge in Hardware and API Vulnerabilities

🛡️ Bugcrowd's annual "Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World" report warns that rapid, AI-assisted development is expanding the attack surface and exposing foundational weaknesses. Published September 23, the study links faster release cycles to gaps in access control, data protection and hardware security, and highlights rising API and network vulnerabilities. It calls for continuous offensive testing and collective intelligence to mitigate escalating risks.

Security Implications of Quantum Computing for CISOs

🔐 Quantum computing poses a long-term threat to public-key cryptography, with the potential to break RSA, ECC and Diffie-Hellman once scalable quantum machines exist. Although practical attacks on RSA-2048 are commonly estimated to be eight to fifteen years away, organizations with long-lived confidential data must act now. CISOs should begin a crypto-agility assessment, engage vendors about post-quantum cryptography, and brief leadership and boards to build a migration roadmap.

FBI Warns of Threat Actors Spoofing IC3 Reporting Website

⚠️ The FBI has issued a public service announcement warning that threat actors are creating spoofed versions of the IC3 cybercrime reporting site to steal personally identifiable information and facilitate fraud. The agency advises typing www.ic3.gov directly, avoiding sponsored search results and mismatched URLs, and never paying anyone claiming to be IC3 staff. Victims should report impersonation attempts to the legitimate IC3 portal and provide full details.

FBI warns of fake IC3 portals used by scammers online

⚠️ The FBI warns that cybercriminals are creating spoofed versions of the Internet Crime Complaint Center (IC3) website to harvest personally identifiable information and facilitate financial scams. The agency noted over 100 reports between December 2023 and February 2025 prompting a public service announcement and flagged domains that mimic ic3.gov. Users are advised to type www.ic3.gov directly, avoid sponsored search results, never share sensitive data, and remember the FBI will never ask for payment to recover funds.

Attackers Use AI Platforms to Generate Fake CAPTCHAs

🔐 Trend Micro researchers report cybercriminals are using AI-powered site builders like Lovable, Vercel and Netlify to rapidly create convincing fake CAPTCHA pages. Seen since January 2025 with a sharp escalation from February to April, these pages make phishing links appear legitimate and can help evade automated scanners by presenting a CAPTCHA before redirecting users to credential-stealing sites. Recommended mitigations include employee education, redirect-chain analysis and monitoring trusted domains for abuse.

New York Blood Center Breach Exposes 194,000 Records

🔒 The New York Blood Center (NYBCe) confirmed that an unauthorized party accessed internal systems between January 20 and January 26, 2025, and copied files containing personal and health information for nearly 194,000 individuals. Compromised data includes names, Social Security numbers, driver's license or state ID numbers, bank account details for direct deposit, and health/test records. NYBCe says it moved quickly to contain the incident, is offering free identity protection through Experian, and has set up a call line for potentially affected people.

One in Three Android Apps Expose Sensitive Data to Attackers

🔒 The 2025 Zimperium Global Mobile Threat Report finds that one in three Android apps and more than half of iOS apps leak sensitive information through insecure APIs, and nearly half of apps contain hardcoded secrets such as API keys. Client-side weaknesses let attackers tamper with apps, intercept traffic and bypass perimeter defences. The report recommends API hardening and app attestation to ensure API calls originate from genuine, untampered apps.