< ciso brief />

All news with #sensitive data exposure tag

23 articles

Navia data breach exposes personal details of 2.7M

🔒 Navia Benefit Solutions says an unauthorized actor accessed its systems between December 22, 2025 and January 15, 2026, potentially exposing records for nearly 2.7 million people. The company discovered the activity on January 23, 2026 and launched an investigation, which found the actor acquired names, dates of birth, Social Security numbers, phone numbers, email addresses, plus HRA, FSA and COBRA enrollment details. Navia says claims and financial account information were not exposed. Affected individuals are being offered 12 months of identity protection and credit monitoring through Kroll, and federal law enforcement has been notified; no ransomware group has claimed responsibility.

Mental health apps leaking private data: 2026 audit

🧠 In February 2026, cybersecurity firm Oversecured audited 10 popular Android mental‑health apps and found 1,575 vulnerabilities — 54 rated critical — across apps with a combined 14.7M+ installs. Findings include insecure local storage, hardcoded API endpoints, weak token generation using java.util.Random, and no root detection, contradicting many apps’ claims of full encryption. The report highlights the real risk of exposure of therapy transcripts, mood logs, and medication data and urges users to review permissions, update apps, and avoid third‑party sign‑ins.

Rockwell Verve Asset Manager: Two High-Risk Storage Flaws

🔒 Rockwell Automation reported two high-severity vulnerabilities in Verve Asset Manager affecting legacy components: the ADI server and the Ansible playbook. Both issues can result in unencrypted sensitive information being stored in environment variables or during playbook execution and are rated CVSS 7.2 and 7.9. Rockwell states the flaws are resolved in 1.42; organizations should upgrade and contact Rockwell TechConnect for assistance. CISA also recommends minimizing network exposure and using secure remote access such as up-to-date VPNs.

Cisco ISE XML Parsing Flaw Risks Sensitive Data Exposure

🔒 Cisco has disclosed a vulnerability (CVE-2026-20029) in Cisco ISE and ISE-PIC that could allow an authenticated administrator to read arbitrary files on the server due to improper XML parsing. Proof-of-concept exploit code exists though no active attacks are reported. Cisco assigns CVSS 4.9 (medium). Administrators should rotate credentials, limit who and what can reach ISE, and install the vendor patch as soon as service downtime allows.

LKQ Confirms Oracle E-Business Suite Data Breach with SSNs

🔒 LKQ has confirmed a cyber-attack targeting its Oracle E-Business Suite environment that exposed personal information for more than 9,070 individuals. The company reports the intrusion occurred on August 9 and was discovered on October 3, with a detailed data analysis finalised on December 1 and notifications sent on December 15. Compromised items include LKQ Employer Identification Numbers and Social Security numbers; LKQ took the EBS environment offline, engaged an external forensic firm, and is offering two years of complimentary credit monitoring and identity restoration through Cyberscout (a TransUnion company). LKQ says it has implemented additional safeguards, strengthened security monitoring, and reinforced policies and controls.

New York Blood Center Breach Exposes 194,000 Records

🔒 The New York Blood Center (NYBCe) confirmed that an unauthorized party accessed internal systems between January 20 and January 26, 2025, and copied files containing personal and health information for nearly 194,000 individuals. Compromised data includes names, Social Security numbers, driver's license or state ID numbers, bank account details for direct deposit, and health/test records. NYBCe says it moved quickly to contain the incident, is offering free identity protection through Experian, and has set up a call line for potentially affected people.

Schneider Electric Modicon M340: Files Accessible Issue

🔒 Schneider Electric disclosed a Files or Directories Accessible to External Parties vulnerability affecting Modicon M340 devices and the BMXNOE0100/BMXNOE0110 Ethernet modules that could allow remote actors to remove files, block firmware updates, and disrupt the device webserver. The issue is tracked as CVE-2024-5056 with a CVSS v4 base score of 6.9. Schneider released firmware fixes for BMXNOE0100 (SV3.60) and BMXNOE0110 (SV6.80) and recommends immediate mitigations including network segmentation, disabling FTP when not required, and configuring Access Control Lists per the device manual. CISA also advises isolating control networks, minimizing internet exposure, and using VPNs for remote access.

Siemens Apogee PXC/Talon TC Sensitive Data Exposure

🔒 Siemens reported a vulnerability in Apogee PXC and Talon TC devices that allows unauthorized actors to download device database files via BACnet. Affected devices permit unauthenticated access to encrypted .db files that can contain passwords; the issue is tracked as CVE-2025-40757 with a CVSS v4 base score of 6.3. Siemens and CISA recommend changing default passwords, hardening network access, and isolating control networks. Exploitation is remotely feasible with low complexity; no public exploitation has been reported to CISA.

Azure AD Client Credentials Exposed in Public appsettings

🔒 Resecurity’s HUNTER Team discovered that ClientId and ClientSecret values were inadvertently left in a publicly accessible appsettings.json file, exposing Azure AD credentials. These secrets permit direct authentication against Microsoft’s OAuth 2.0 endpoints and could allow attackers to impersonate trusted applications and access Microsoft 365 data. The exposed credentials could be harvested by automated bots or targeted adversaries. Organizations are advised to remove hardcoded secrets, rotate compromised credentials immediately, restrict public access to configuration files and adopt centralized secrets management such as Azure Key Vault.

Top-Secret INSCOM Data Exposed via Public S3 Bucket

🔐 UpGuard discovered a publicly accessible Amazon S3 bucket tied to the United States Army Intelligence and Security Command (INSCOM) that contained clearly classified material, including an Oracle virtual appliance (.ova) with partitions labeled Top Secret and NOFORN. Downloadable artifacts included a plaintext ReadMe referencing the Red Disk cloud platform and a .jar used for intelligence tagging. The exposure also revealed private keys and hashed passwords linked to a third-party contractor. UpGuard notified INSCOM and the bucket was secured to prevent further access.

Robotics Vendor Leak Exposed Manufacturing Secrets Worldwide

🔒 The UpGuard Cyber Risk team found an open rsync server owned by Level One Robotics that exposed 157 GB of files for more than 100 manufacturing customers, including major automakers. Exposed materials included factory CAD schematics, robotic configurations, NDA texts, VPN and badge request forms, employee ID scans, and corporate financial records. After notification, Level One closed the exposure promptly.

Maryland JIA NAS Misconfiguration Exposes PII, Credentials

🔒 The UpGuard Cyber Risk Team discovered a publicly exposed, misconfigured NAS belonging to the Maryland Joint Insurance Association (JIA) that contained backup customer and operational files. The repository included full Social Security numbers, bank account and check images, insurance policy data, and plaintext administrative credentials including remote access and third-party ISO ClaimSearch logins. UpGuard notified JIA on discovery; the exposure was secured and is no longer active.

TigerSwan S3 Exposure: Thousands of Resumes Leaked

🔓 UpGuard's Cyber Risk Team discovered an Amazon S3 bucket named "tigerswanresumes" that was publicly accessible, exposing 9,402 resumes and application documents submitted to TigerSwan. The files contained contact details, work histories, and sensitive identifiers — including passports, partial Social Security numbers, driver’s license numbers, and 295 resumes claiming Top Secret/SCI clearances. UpGuard notified TigerSwan and followed up repeatedly; the bucket remained accessible for roughly a month before it was secured. TigerSwan said the exposure resulted from a former recruiting vendor.

LA County 211 Data Leak Exposes Sensitive Call Records

⚠️ UpGuard disclosed a public data exposure affecting the Los Angeles County 211 helpline. An Amazon Web Services S3 bucket was configured for public access and contained database backups and CSV exports, including a 1.3GB t_contact export with records from 2010–2016. Exposed items included credentials (384 users, MD5-hashed passwords), contact lists, and over 200,000 detailed call notes describing abuse, suicidal ideation, addresses, phone numbers, and 33,000 Social Security numbers. After notification in March–April 2018 the bucket was secured within 24 hours, but the incident highlights critical cloud misconfiguration risks.

Medcall S3 Misconfiguration Exposed Patient Medical Records

🔓 An UpGuard analyst discovered an unsecured Amazon S3 bucket belonging to Medcall Healthcare Advisors that publicly exposed roughly 7 GB of sensitive data. The datastore included intake PDFs, audio and video recordings of patient-operator-doctor calls, and CSV files containing full Social Security numbers and other PII. The bucket's ACL granted 'Everyone - Full Control', allowing anonymous read/write access and permission changes. Medcall closed the bucket after notification on August 31.

OneHalf Data Exposure Exposes Employee and Client Records

🔒 UpGuard's Cyber Risk Research team discovered and secured a public GitHub-based data exposure belonging to OneHalf, a business process outsourcing firm in the APAC region. The exposed repositories contained HR and medical databases with detailed personal records for hundreds of employees, plus banking account numbers for several corporate clients. UpGuard notified OneHalf and the repositories were taken private, likely preventing further exploitation of sensitive personal and business information.

Long Island Medical Practice Exposed 42,000 Patient Records

🔓 UpGuard discovered a publicly accessible rsync repository exposing medical and personal data tied to Cohen Bergman Klepper Romano MDS PC, a Long Island practice. The repository contained over 42,000 patient records, more than three million medical notes, and physicians’ PII including Social Security numbers. A .pst backup and virtual disk revealed staff home addresses and family details. UpGuard’s notification led to the exposure being secured, underscoring the need for strong access controls and formal disclosure response procedures.

Neoclinical Database Exposed Sensitive Patient Profiles

🔒 UpGuard disclosed that an unsecured MongoDB instance belonging to Neoclinical, an Australia–New Zealand clinical-trial matching service, exposed a database of 37,170 user profiles. The records included names, contact details, geocoordinates, dates of birth and structured answers to trial-qualification questions that revealed sensitive health information and potential illicit drug use. A researcher found the database on July 1, attempted email and phone contact, escalated to AWS on July 25, and public access was removed on July 26. UpGuard secured the database to prevent further public exposure.

Spartan Technology Exposed South Carolina Arrest Data

🔒 UpGuard identified an unsecured AWS S3 bucket containing MSSQL backups linked to Spartan Technology, exposing records from 2008–2018. The dataset comprised roughly 60 GB across four backup files and documented about 5.2 million arrest events and approximately 26,000 unique defendants; around 17,000 unique Social Security numbers were present. Victim and witness records included names and phone numbers only. After notification on November 19, 2019, Spartan promptly removed public access and worked with researchers to secure the data.

Exposed Facebook User Data from Third-Party Apps Found

🔒 Two exposed third-party Facebook app datasets were discovered publicly accessible, including a 146 GB dump from Cultura Colectiva containing over 540 million records of comments, likes, reactions, account names and Facebook IDs. A separate At the Pool backup held profile fields and plaintext passwords for roughly 22,000 users. Both data sets resided in publicly readable Amazon S3 buckets, illustrating how misconfigured storage and long-lived third-party copies of user data create persistent leakage risk.